diff --git a/packages/akamai/1.0.1/changelog.yml b/packages/akamai/1.0.1/changelog.yml deleted file mode 100755 index 82d3a19ef2..0000000000 --- a/packages/akamai/1.0.1/changelog.yml +++ /dev/null @@ -1,36 +0,0 @@ -# newer versions go on top -- version: "1.0.1" - changes: - - description: improve the English in the readme file - type: enhancement - link: https://github.com/elastic/integrations/pull/3532 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.2.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "0.1.3" - changes: - - description: Fix typo in config template for ignoring host enrichment - type: bugfix - link: https://github.com/elastic/integrations/pull/3092 -- version: "0.1.2" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.1" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2369 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/1643 diff --git a/packages/akamai/1.0.1/data_stream/siem/agent/stream/httpjson.yml.hbs b/packages/akamai/1.0.1/data_stream/siem/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 4efc3cf8ea..0000000000 --- a/packages/akamai/1.0.1/data_stream/siem/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,80 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" -request.url: "{{api_host}}/siem/v1/configs/{{config_ids}}" -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -request.transforms: - - set: - target: url.params.from - value: "[[.cursor.last_execution_datetime]]" - default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]' - - set: - target: url.params.to - value: '[[ (now (parseDuration "-1m")).Unix ]]' - - set: - target: header.XTimestamp - value: '[[ formatDate (now) "20060102T15:04:05-0700" ]]' - - set: - target: header.XSignatureBase - value: '[[ sprintf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "{{client_token}}" "{{access_token}}" (.header.Get "XTimestamp") uuid ]]' - - set: - target: header.XSignatureKey - value: '[[ hmacBase64 "sha256" "{{client_secret}}" (.header.Get "XTimestamp") ]]' - - set: - target: header.XSignature - value: '[[ hmacBase64 "sha256" (.header.Get "XSignatureKey") "GET\t" .url.Scheme "\t" .url.Host "\t" .url.Path "?" 
.url.RawQuery "\t\t\t" (.header.Get "XSignatureBase") ]]' - - set: - target: header.Authorization - value: '[[ sprintf "%ssignature=%s" (.header.Get "XSignatureBase") (.header.Get "XSignature") ]]' - - delete: - target: header.XSignature - - delete: - target: header.XSignatureKey - - delete: - target: header.XSignatureBase - - delete: - target: header.XTimestamp - -response.decode_as: application/x-ndjson - -response.pagination: - - set: - target: url.params.offset - value: '[[ .last_event.offset ]]' - fail_on_template_error: true - - delete: - target: url.params.from - - delete: - target: url.params.to - -cursor: - last_execution_datetime: - value: '[[ (now (parseDuration "-1m")).Unix ]]' - -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/akamai/1.0.1/data_stream/siem/elasticsearch/ingest_pipeline/default.yml b/packages/akamai/1.0.1/data_stream/siem/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 004f5fcf3f..0000000000 --- a/packages/akamai/1.0.1/data_stream/siem/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,423 +0,0 @@ ---- -description: Pipeline for parsing Akamai logs -processors: -- set: - field: ecs.version - value: '8.2.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- drop: - if: 'ctx?.json?.offset != null' -- set: - field: observer.vendor - value: akamai -- set: - field: observer.type - value: proxy -- date: - field: json.httpMessage.start - formats: - - UNIX - timezone: UTC - target_field: "@timestamp" -- set: - field: "event.start" - copy_from: "@timestamp" -- rename: - field: json.httpMessage.status - target_field: http.response.status_code - ignore_missing: true -- convert: - field: http.response.status_code - type: long - ignore_missing: true -- rename: - field: json.httpMessage.bytes - target_field: http.response.bytes - ignore_missing: true -- convert: - field: http.response.bytes - type: long - ignore_missing: true -- rename: - field: json.httpMessage.requestId - target_field: http.request.id - ignore_missing: true -- set: - field: event.id - copy_from: http.request.id - ignore_empty_value: true -- fingerprint: - fields: - - http.request.id - target_field: "_id" - ignore_missing: true -- rename: - field: json.httpMessage.method - target_field: http.request.method - ignore_missing: true -- rename: - field: json.httpMessage.host - target_field: url.domain - ignore_missing: true -- urldecode: - field: json.httpMessage.path - target_field: url.path - ignore_missing: true -- urldecode: - field: json.httpMessage.query - target_field: url.query - ignore_missing: true -- rename: - field: json.httpMessage.port - target_field: url.port - ignore_missing: true -- convert: - field: url.port - type: long - ignore_missing: true -- urldecode: - field: json.httpMessage.responseHeaders - target_field: _tmp.response.headers - ignore_missing: true -- kv: - field: _tmp.response.headers - target_field: akamai.siem.response.headers - field_split: '\r\n' - value_split: ': ' - ignore_missing: true -- 
urldecode: - field: json.httpMessage.requestHeaders - target_field: _tmp.request.headers - ignore_missing: true -- kv: - field: _tmp.request.headers - target_field: akamai.siem.request.headers - field_split: '\r\n' - value_split: ': ' - ignore_missing: true -- script: - lang: painless - description: This script builds the `url.full` field out of the available `url.*` parts. - source: | - def full = ""; - if(ctx.url.scheme != null && ctx.url.scheme != "") { - full += ctx.url.scheme+"://"; - } - if(ctx.url.domain != null && ctx.url.domain != "") { - full += ctx.url.domain; - } - if(ctx.json.httpMessage.path != null && ctx.json.httpMessage.path != "") { - full += ctx.json.httpMessage.path; - } - if(ctx.json.httpMessage.query != null && ctx.json.httpMessage.query != "") { - full += "?"+ctx.json.httpMessage.query; - } - if(full != "") { - ctx.url.full = full - } -- dissect: - field: json.httpMessage.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true -- lowercase: - field: network.protocol - ignore_missing: true -- set: - field: network.transport - value: tcp - if: ctx?.network?.protocol != null && ctx?.network?.protocol == 'http' -- dissect: - field: json.httpMessage.tls - pattern: "%{tls.version_protocol}v%{tls.version}" - ignore_failure: true - ignore_missing: true -- lowercase: - field: tls.version_protocol - ignore_missing: true -- rename: - field: json.attackData.clientIP - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- rename: - field: json.geo.country - target_field: source.geo.country_iso_code - ignore_missing: true - if: ctx?.source?.geo?.country_iso_code == null -- set: - field: source.geo.region_iso_code - value: "{{json.geo.country}}-{{json.geo.regionCode}}" - ignore_empty_value: true - if: ctx?.source?.geo?.region_iso_code == 
null -- rename: - field: json.geo.city - target_field: source.geo.city_name - ignore_missing: true - if: ctx?.source?.geo?.city_name == null -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- convert: - field: json.geo.asn - target_field: source.as.number - type: long - ignore_missing: true - if: ctx?.source?.as?.number == null -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -## Attack Data -- urldecode: - field: json.attackData.ruleActions - target_field: json.attackData.ruleActions - ignore_missing: true -- split: - field: json.attackData.ruleActions - target_field: json.attackData.ruleActions - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleData - target_field: json.attackData.ruleData - ignore_missing: true -- split: - field: json.attackData.ruleData - target_field: json.attackData.ruleData - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleMessages - target_field: json.attackData.ruleMessages - ignore_missing: true -- split: - field: json.attackData.ruleMessages - target_field: json.attackData.ruleMessages - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleSelectors - target_field: json.attackData.ruleSelectors - ignore_missing: true -- split: - field: json.attackData.ruleSelectors - target_field: json.attackData.ruleSelectors - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleTags - target_field: json.attackData.ruleTags - ignore_missing: true -- split: - field: json.attackData.ruleTags - target_field: json.attackData.ruleTags - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleVersions - target_field: 
json.attackData.ruleVersions - ignore_missing: true -- split: - field: json.attackData.ruleVersions - target_field: json.attackData.ruleVersions - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.rules - target_field: json.attackData.rules - ignore_missing: true -- split: - field: json.attackData.rules - target_field: json.attackData.rules - separator: ';' - preserve_trailing: true -- script: - lang: painless - description: Base64 Decode the json.attackData.rule* fields - source: | - ArrayList items = new ArrayList(["rules", "ruleActions", "ruleData", "ruleMessages", "ruleTags", "ruleSelectors", "ruleVersions"]); - ArrayList rules_array = new ArrayList(); - for (def i = 0; i < ctx.json.attackData.rules.length; i++) { - HashMap map = new HashMap(); - for (def j = 0; j < items.length; j++) { - String key = items[j]; - if (i < ctx.json.attackData[key].length ) { - String value = ctx.json.attackData[key][i].replace(" ", "").decodeBase64(); - map.put(key, value); - } - } - rules_array.add(map); - } - ctx.akamai.siem.rules = rules_array; -- rename: - field: json.attackData.configId - target_field: akamai.siem.config_id - ignore_missing: true -- rename: - field: json.attackData.policyId - target_field: akamai.siem.policy_id - ignore_missing: true -- rename: - field: json.attackData.policyId - target_field: akamai.siem.policy_id - ignore_missing: true -- rename: - field: json.attackData.slowPostAction - target_field: akamai.siem.slow_post_action - ignore_missing: true -- convert: - field: json.attackData.slowPostRate - target_field: akamai.siem.slow_post_rate - type: long - ignore_missing: true -- rename: - field: json.attackData.clientReputation - target_field: akamai.siem.client_reputation - ignore_missing: true -- rename: - field: json.attackData.clientReputation - target_field: akamai.siem.client_reputation - ignore_missing: true -## Bot Data -- convert: - field: json.botData.botScore - target_field: akamai.siem.bot.score - type: long - 
ignore_missing: true -- convert: - field: json.botData.responseSegment - target_field: akamai.siem.bot.response_segment - type: long - ignore_missing: true -## Client Data -- rename: - field: json.clientData.appBundleId - target_field: akamai.siem.client_data.app_bundle_id - ignore_missing: true -- rename: - field: json.clientData.appVersion - target_field: akamai.siem.client_data.app_version - ignore_missing: true -- convert: - field: json.clientData.telemetryType - target_field: akamai.siem.client_data.telemetry_type - type: long - ignore_missing: true -- rename: - field: json.clientData.sdkVersion - target_field: akamai.siem.client_data.sdk_version - ignore_missing: true -## User Risk Data -- rename: - field: json.userRiskData.uuid - target_field: akamai.siem.user_risk.uuid - ignore_missing: true -- convert: - field: json.userRiskData.status - target_field: akamai.siem.user_risk.status - type: long - ignore_missing: true -- convert: - field: json.userRiskData.score - target_field: akamai.siem.user_risk.score - type: long - ignore_missing: true -- convert: - field: json.userRiskData.allow - target_field: akamai.siem.user_risk.allow - type: long - ignore_missing: true -- kv: - field: json.userRiskData.risk - target_field: akamai.siem.user_risk.risk - field_split: '\|' - value_split: ':' - ignore_missing: true -- kv: - field: json.userRiskData.trust - target_field: akamai.siem.user_risk.trust - field_split: '\|' - value_split: ':' - ignore_missing: true -- kv: - field: json.userRiskData.general - target_field: akamai.siem.user_risk.general - field_split: '\|' - value_split: ':' - ignore_missing: true -## -- append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false -- set: - field: client - copy_from: source -- set: - field: event.category - value: network -- set: - field: event.kind - value: event -- remove: - field: - - json - - _tmp - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/akamai/1.0.1/data_stream/siem/fields/agent.yml b/packages/akamai/1.0.1/data_stream/siem/fields/agent.yml deleted file mode 100755 index 4d9a6f7b36..0000000000 --- a/packages/akamai/1.0.1/data_stream/siem/fields/agent.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/akamai/1.0.1/data_stream/siem/fields/base-fields.yml b/packages/akamai/1.0.1/data_stream/siem/fields/base-fields.yml deleted file mode 100755 index 90bd5c6753..0000000000 --- a/packages/akamai/1.0.1/data_stream/siem/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: akamai -- name: event.dataset - type: constant_keyword - description: Event dataset - value: akamai.siem -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/akamai/1.0.1/data_stream/siem/fields/beats.yml b/packages/akamai/1.0.1/data_stream/siem/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/akamai/1.0.1/data_stream/siem/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/akamai/1.0.1/data_stream/siem/fields/ecs.yml b/packages/akamai/1.0.1/data_stream/siem/fields/ecs.yml deleted file mode 100755 index 61cbacbed0..0000000000 --- a/packages/akamai/1.0.1/data_stream/siem/fields/ecs.yml +++ /dev/null 
@@ -1,264 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: client.geo.location - type: geo_point -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: Port of the client. - name: client.port - type: long -- description: |- - ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. 
- name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: Password of the request. 
- name: url.password - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Username of the request. - name: url.username - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: |- - A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. - The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. - name: http.request.id - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword diff --git a/packages/akamai/1.0.1/data_stream/siem/fields/fields.yml b/packages/akamai/1.0.1/data_stream/siem/fields/fields.yml deleted file mode 100755 index faa4f435cb..0000000000 --- a/packages/akamai/1.0.1/data_stream/siem/fields/fields.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: akamai.siem - type: group - release: beta - default_field: false - description: > - Fields for Akamai SIEM Logs - - fields: - - name: response.headers - type: flattened - description: > - HTTP response headers - - - name: request.headers - type: flattened - description: > - HTTP Request headers - - - name: rules - type: nested - description: > - Rules triggered by this request - - - name: config_id - type: keyword - description: > - ID of the Security Configuration applied to the request. - - - name: policy_id - type: keyword - description: > - ID of the Firewall policy applied to the request. - - - name: slow_post_action - type: keyword - description: > - Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). - - - name: slow_post_rate - type: long - description: > - Recorded rate of a detected Slow POST attack. - - - name: client_reputation - type: keyword - description: > - Client IP scores for Client Reputation. - - - name: bot.score - type: long - description: > - Score assigned to the request by Botman Manager. - - - name: bot.response_segment - type: long - description: > - Numeric response segment indicator. Segments are used to group and categorize bot scores. - - - name: client_data.app_bundle_id - type: keyword - description: > - Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. - - - name: client_data.app_version - type: keyword - description: > - Version number of the app. - - - name: client_data.telemetry_type - type: long - description: > - Specifies the telemetry type in use. - - - name: client_data.sdk_version - type: keyword - description: > - SDK version - - - name: user_risk.uuid - type: keyword - description: > - Unique identifier of the user whose risk data is being provided. 
- - - name: user_risk.status - type: long - description: "Status code indicating any errors that might have occurred when calculating the risk score. \n" - - name: user_risk.score - type: long - description: > - Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). - - - name: user_risk.risk - type: flattened - description: > - Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. - - - name: user_risk.trust - type: flattened - description: > - Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. - - - name: user_risk.general - type: flattened - description: > - Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. - - - name: user_risk.allow - type: long - description: >- - Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. diff --git a/packages/akamai/1.0.1/data_stream/siem/manifest.yml b/packages/akamai/1.0.1/data_stream/siem/manifest.yml deleted file mode 100755 index 9d00eada89..0000000000 --- a/packages/akamai/1.0.1/data_stream/siem/manifest.yml +++ /dev/null 
@@ -1,105 +0,0 @@
-type: logs
-title: Akamai SIEM Logs
-release: experimental
-streams:
- - input: httpjson
- vars:
- - name: api_host
- type: text
- title: API Host
- description: API Hostname in the form of http(s)://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net without path
- multi: false
- required: true
- show_user: true
- default: https://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net
- - name: client_token
- type: text
- title: Client Token
- description: Client token provided by "Credentials" ui
- multi: false
- required: true
- show_user: true
- - name: client_secret
- type: password
- title: Client Secret
- description: Client secret provided by "Credentials" ui
- multi: false
- required: true
- show_user: true
- - name: access_token
- type: password
- title: Access Token
- description: Access token provided by "Authorizations" ui
- multi: false
- required: true
- show_user: true
- - name: config_ids
- type: text
- title: Zone ID
- multi: false
- required: true
- show_user: true
- description: Unique identifier for each security configuration. To report on more than one configuration, separate integer identifiers with semicolons. ex. 12892;29182;82912
- name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: true
- default: 60s
- name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
- default: 1h
- name: initial_interval
- type: text
- title: Initial Interval
- multi: false
- required: true
- show_user: true
- default: 24h
- description: Initial interval to poll for events. Default is 24 hours.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - akamai-siem
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- template_path: httpjson.yml.hbs
- title: Akamai SIEM logs
- description: Collect Akamai logs via the SIEM API
diff --git a/packages/akamai/1.0.1/data_stream/siem/sample_event.json b/packages/akamai/1.0.1/data_stream/siem/sample_event.json
deleted file mode 100755
index 3a25038b37..0000000000
--- a/packages/akamai/1.0.1/data_stream/siem/sample_event.json
+++ /dev/null
@@ -1,188 +0,0 @@ -{ - "@timestamp": "2016-08-11T13:45:33.026Z", - "agent": { - "ephemeral_id": "713a6a71-c1f5-4984-9283-20611786e6d3", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "akamai": { - "siem": { - "bot": { - "response_segment": 3, - "score": 100 - }, - "client_data": { - "app_bundle_id": "com.mydomain.myapp", - "app_version": "1.23", - "sdk_version": "4.7.1", - "telemetry_type": 2 - }, - "config_id": "6724", - "policy_id": "scoe_5426", - "request": { - "headers": { - "Accept": "text/html,application/xhtml xml", - "User-Agent": "BOT/0.1 (BOT for JCE)" - } - }, - "response": { - "headers": { - "Content-Type": "text/html", - "Mime-Version": "1.0", - "Server": "AkamaiGHost" - } - }, - "rules": [ - { - "ruleActions": "ALERT", - "ruleData": "alert(", - "ruleMessages": "Cross-site Scripting (XSS) Attack", - "ruleSelectors": "ARGS:a", - "ruleTags": "WEB_ATTACK/XSS", - "rules": "950004" - }, - { - "ruleActions": "DENY", - "ruleData": "curl", - "ruleMessages": "Request Indicates an automated program explored the site", - "ruleSelectors": "REQUEST_HEADERS:User-Agent", - "ruleTags": "AUTOMATION/MISC", - "rules": "990011" - } - ], - "user_risk": { - "allow": 0, - "general": { - "duc_1d": "30", - "duc_1h": "10" - }, - "risk": { - "udfp": "1325gdg4g4343g/M", - "unp": "74256/H" - }, - "score": 75, - "status": 0, - "trust": { - "ugp": "US" - }, - "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" - } - } - }, - "client": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "data_stream": { - "dataset": "akamai.siem", - "namespace": "ep", - 
"type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2021-12-24T00:19:04.410Z", - "dataset": "akamai.siem", - "id": "2ab418ac8515f33", - "ingested": "2021-12-24T00:19:05Z", - "kind": "event", - "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-
a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", - "start": "2016-08-11T13:45:33.026Z" - }, - "host": { - "name": "docker-fleet-agent" - }, - "http": { - "request": { - "id": "2ab418ac8515f33", - "method": "POST" - }, - "response": { - "bytes": 34523, - "status_code": 301 - }, - "version": "2" - }, - "input": { - "type": "httpjson" - }, - "network": { - "protocol": "http", - "transport": "tcp" - }, - "observer": { - "type": "proxy", - "vendor": "akamai" - }, - "related": { - "ip": [ - "89.160.20.156" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "tags": [ - "akamai-siem", - "forwarded", - "preserve_original_event" - ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "www.example.com", - "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", - "path": "/examples/1/", - "port": 80, - "query": "a=../../../etc/passwd" - } -} \ No newline at end of file diff --git a/packages/akamai/1.0.1/docs/README.md b/packages/akamai/1.0.1/docs/README.md deleted file mode 100755 index fa269fa08e..0000000000 --- a/packages/akamai/1.0.1/docs/README.md +++ /dev/null 
@@ -1,326 +0,0 @@ -# Akamai Integration - -The Akamai integration collects events from the Akamai API, specifically reading from the [Akamai SIEM API](https://techdocs.akamai.com/siem-integration/reference/api). - -## Logs - -### SIEM - -The Security Information and Event Management API allows you to capture security events generated on the ​Akamai​ platform in your SIEM application. - -Use this API to get security event data generated on the ​Akamai​ platform and correlate it with data from other sources in your SIEM solution. Capture security event data incrementally, or replay missed security events from the past 12 hours. You can store, query, and analyze the data delivered through this API on your end, then go back and adjust your Akamai security settings. If you’re coding your own SIEM connector, it needs to adhere to these specifications in order to pull in security events from Akamai Security Events Collector (ASEC) and process them properly. - -See [Akamai API get started](https://techdocs.akamai.com/siem-integration/reference/api-get-started) to set up your Akamai account and get your credentials. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| akamai.siem.bot.response_segment | Numeric response segment indicator. Segments are used to group and categorize bot scores. | long | -| akamai.siem.bot.score | Score assigned to the request by Botman Manager. | long | -| akamai.siem.client_data.app_bundle_id | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. | keyword | -| akamai.siem.client_data.app_version | Version number of the app. | keyword | -| akamai.siem.client_data.sdk_version | SDK version | keyword | -| akamai.siem.client_data.telemetry_type | Specifies the telemetry type in use. | long | -| akamai.siem.client_reputation | Client IP scores for Client Reputation. 
| keyword | -| akamai.siem.config_id | ID of the Security Configuration applied to the request. | keyword | -| akamai.siem.policy_id | ID of the Firewall policy applied to the request. | keyword | -| akamai.siem.request.headers | HTTP Request headers | flattened | -| akamai.siem.response.headers | HTTP response headers | flattened | -| akamai.siem.rules | Rules triggered by this request | nested | -| akamai.siem.slow_post_action | Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). | keyword | -| akamai.siem.slow_post_rate | Recorded rate of a detected Slow POST attack. | long | -| akamai.siem.user_risk.allow | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. | long | -| akamai.siem.user_risk.general | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. | flattened | -| akamai.siem.user_risk.risk | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. | flattened | -| akamai.siem.user_risk.score | Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). | long | -| akamai.siem.user_risk.status | Status code indicating any errors that might have occurred when calculating the risk score. | long | -| akamai.siem.user_risk.trust | Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. | flattened | -| akamai.siem.user_risk.uuid | Unique identifier of the user whose risk data is being provided. | keyword | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. 
Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. 
| keyword | - - -An example event for `siem` looks as following: - -```json -{ - "@timestamp": "2016-08-11T13:45:33.026Z", - "agent": { - "ephemeral_id": "713a6a71-c1f5-4984-9283-20611786e6d3", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "akamai": { - "siem": { - "bot": { - "response_segment": 3, - "score": 100 - }, - "client_data": { - "app_bundle_id": "com.mydomain.myapp", - "app_version": "1.23", - "sdk_version": "4.7.1", - "telemetry_type": 2 - }, - "config_id": "6724", - "policy_id": "scoe_5426", - "request": { - "headers": { - "Accept": "text/html,application/xhtml xml", - "User-Agent": "BOT/0.1 (BOT for JCE)" - } - }, - "response": { - "headers": { - "Content-Type": "text/html", - "Mime-Version": "1.0", - "Server": "AkamaiGHost" - } - }, - "rules": [ - { - "ruleActions": "ALERT", - "ruleData": "alert(", - "ruleMessages": "Cross-site Scripting (XSS) Attack", - "ruleSelectors": "ARGS:a", - "ruleTags": "WEB_ATTACK/XSS", - "rules": "950004" - }, - { - "ruleActions": "DENY", - "ruleData": "curl", - "ruleMessages": "Request Indicates an automated program explored the site", - "ruleSelectors": "REQUEST_HEADERS:User-Agent", - "ruleTags": "AUTOMATION/MISC", - "rules": "990011" - } - ], - "user_risk": { - "allow": 0, - "general": { - "duc_1d": "30", - "duc_1h": "10" - }, - "risk": { - "udfp": "1325gdg4g4343g/M", - "unp": "74256/H" - }, - "score": 75, - "status": 0, - "trust": { - "ugp": "US" - }, - "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" - } - } - }, - "client": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "data_stream": { 
- "dataset": "akamai.siem", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2021-12-24T00:19:04.410Z", - "dataset": "akamai.siem", - "id": "2ab418ac8515f33", - "ingested": "2021-12-24T00:19:05Z", - "kind": "event", - "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",
\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", - "start": "2016-08-11T13:45:33.026Z" - }, - "host": { - "name": "docker-fleet-agent" - }, - "http": { - "request": { - "id": "2ab418ac8515f33", - "method": "POST" - }, - "response": { - "bytes": 34523, - "status_code": 301 - }, - "version": "2" - }, - "input": { - "type": "httpjson" - }, - "network": { - "protocol": "http", - "transport": "tcp" - }, - "observer": { - "type": "proxy", - "vendor": "akamai" - }, - "related": { - "ip": [ - "89.160.20.156" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "tags": [ - "akamai-siem", - "forwarded", - "preserve_original_event" - ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "www.example.com", - "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", - "path": "/examples/1/", - "port": 80, - "query": "a=../../../etc/passwd" - } -} -``` \ No newline at end of file diff --git a/packages/akamai/1.0.1/img/akamai_logo.svg b/packages/akamai/1.0.1/img/akamai_logo.svg deleted file mode 100755 index 78cf6ad7e3..0000000000 --- a/packages/akamai/1.0.1/img/akamai_logo.svg +++ /dev/null @@ -1,151 +0,0 @@ - - - -image/svg+xml \ No newline at end of file diff --git a/packages/akamai/1.0.1/manifest.yml b/packages/akamai/1.0.1/manifest.yml deleted file mode 100755 index 4a387753fc..0000000000 --- a/packages/akamai/1.0.1/manifest.yml +++ /dev/null 
@@ -1,26 +0,0 @@
-name: akamai
-title: Akamai
-version: 1.0.1
-release: ga
-description: Akamai Integration
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security, network, web, cloud]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/akamai_logo.svg
- title: Akamai
- size: 409×167
- type: image/svg+xml
-policy_templates:
- - name: akamai
- title: Akamai logs
- description: Collect SIEM logs from Akamai
- inputs:
- - type: httpjson
- title: "Collect Akamai SIEM logs via API"
- description: "Collecting SIEM logs from Akamai via API"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/carbonblack_edr/1.3.0/changelog.yml b/packages/carbonblack_edr/1.3.0/changelog.yml
deleted file mode 100755
index 8372f08f37..0000000000
--- a/packages/carbonblack_edr/1.3.0/changelog.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-# newer versions go on top
-- version: "1.3.0"
- changes:
- - description: Add JA3/JA3S parsing
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3440
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2778
-- version: "1.1.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.1.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2385
-- version: "1.0.0"
- changes:
- - description: GA integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2360
-- version: "0.3.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2232
-- version: "0.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1949
-- version: "0.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1801
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1651
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/1527
diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/http_endpoint.yml.hbs b/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index f9eb3c784c..0000000000 --- a/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,25 +0,0 @@ -listen_address: "{{listen_address}}" -listen_port: {{listen_port}} -preserve_original_event: {{preserve_original_event}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/log.yml.hbs b/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/log.yml.hbs deleted file mode 100755 index 4e5f4d4718..0000000000 --- a/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/log.yml.hbs +++ /dev/null @@ -1,38 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -exclude_files: [".gz$"] -processors: -- decode_json_fields: - fields: [message] - target: json -{{#if preserve_original_event}} -- convert: - fields: - - from: message - to: event.original - mode: rename -{{else}} -- drop_fields: - fields: - - message - ignore_missing: true -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} 
diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/tcpudp.yml.hbs b/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/tcpudp.yml.hbs deleted file mode 100755 index 7013021da2..0000000000 --- a/packages/carbonblack_edr/1.3.0/data_stream/log/agent/stream/tcpudp.yml.hbs +++ /dev/null @@ -1,35 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -processors: -- decode_json_fields: - fields: [message] - target: json -{{#if preserve_original_event}} -- convert: - fields: - - from: message - to: event.original - mode: rename -{{else}} -- drop_fields: - fields: - - message - ignore_missing: true -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/carbonblack_edr/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a415c18f14..0000000000 --- a/packages/carbonblack_edr/1.3.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,872 +0,0 @@ ---- -description: Pipeline for parsing CarbonBlack EDR logs -processors: -- set: - field: ecs.version - value: 8.2.0 - -# Validate that the input document conforms to the expected format -# to avoid repetitive checks. -- fail: - description: 'Validates input document format' - message: 'json object is missing from event' - if: 'ctx.json == null' - -# Fail if `docs` fields is an array with more than one element. -# This is possible according to the documentation, but fortunately for us -# CB Event Forwarded splits an input event with multiple docs into multiple -# output events with a single doc each. -- fail: - description: 'Validates that docs field contains a single document' - message: 'docs array has more than one entry, this is unsupported. Use CB Event Forwarder as source of events' - if: 'ctx.json.docs != null && ctx.json.docs instanceof List && ctx.json.docs.size() > 1' - -- script: - description: 'Selects a single document from docs input field' - lang: painless - if: 'ctx.json.docs != null' - source: |- - def docs = ctx.json.docs; - if (docs instanceof List && docs.size() > 0) { - ctx.json["doc"] = docs[0]; - } else if (docs instanceof Map) { - ctx.json["doc"] = docs; - } else { - throw new Exception("Unexpected type"); - } - ctx.json.remove("docs"); - on_failure: - - append: - field: error.message - value: 'Failed extracting docs field: {{{ _ingest.on_failure_message }}}' - -# -# Convert some fields to their expected types. 
-# These can be string if using the http_endpoint input due to -# https://github.com/elastic/beats/issues/27382 -# -- convert: - field: json.compressed_size - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.emet_timestamp - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.event_timestamp - type: double - ignore_missing: true - ignore_failure: true - -- convert: - field: json.feed_id - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.local_port - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.parent_create_time - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.pid - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.doc.process_pid - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.doc.parent_pid - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.port - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.remote_port - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.requested_access - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.size - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.doc.orig_mod_len - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.scores.alliance_score_virustotal - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.target_create_time - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.target_pid - type: long - ignore_missing: true - ignore_failure: true - -- convert: - field: json.timestamp - type: double - ignore_missing: true - ignore_failure: true - -# -# This flag is used to signal that it can write to host.* 
fields. -# -- set: - field: _tmp.forwarded - value: true - if: 'ctx.host?.name == null' - -- script: - description: 'Removes empty string fields' - lang: painless - source: |- - void removeEmptyStr(Map m) { - if (m != null) m.entrySet().removeIf( e -> e.value == ""); - } - removeEmptyStr(ctx.json); - removeEmptyStr(ctx.json.doc); - -- rename: - description: 'Renames type field to ECS event action' - field: json.type - target_field: event.action - on_failure: - # This happens in cb_edr.log only. - # is this real or just an artifact in our samples? - # - #- append: - # field: error.message - # value: 'type field not present in document' - - set: - field: event.action - value: unknown - -- script: - description: 'Sets ECS categorisation fields from EDR Event ID.' - lang: painless - params: - "alert.watchlist.hit.ingress.host": - kind: alert - category: [ host ] - type: [ info ] - - "alert.watchlist.hit.ingress.binary": - kind: alert - category: [ file ] - type: [ info ] - - "alert.watchlist.hit.ingress.process": - kind: alert - category: [ process ] - type: [ info ] - - "alert.watchlist.hit.query.binary": - kind: alert - category: [ file ] - type: [ info ] - - "alert.watchlist.hit.query.process": - kind: alert - category: [ process ] - type: [ info ] - - "binaryinfo.host.observed": - kind: event - category: [ host ] - type: [ info ] - - "binaryinfo.group.observed": - kind: event - category: [ file ] - type: [ info ] - - "binaryinfo.observed": - kind: event - category: [ file ] - type: [ info ] - - "binarystore.file.added": - kind: event - category: [ file ] - type: [ creation ] - - "feed.ingress.hit.host": - kind: event - category: [ host ] - type: [ info ] - - "feed.ingress.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "feed.ingress.hit.process": - kind: event - category: [ process ] - type: [ info ] - - "feed.query.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "feed.query.hit.process": - kind: event - category: [ process 
] - type: [ info ] - - "feed.storage.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "feed.storage.hit.process": - kind: event - category: [ process ] - type: [ info ] - - "watchlist.hit.process": - kind: event - category: [ process ] - type: [ info ] - - "watchlist.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "watchlist.storage.hit.binary": - kind: event - category: [ file ] - type: [ info ] - - "watchlist.storage.hit.process": - kind: event - category: [ process ] - type: [ info ] - - "ingress.event.regmod": - kind: event - category: [ registry ] - type: [ change ] - - "ingress.event.filemod": - kind: event - category: [ file ] - type: [ change ] - - "ingress.event.netconn": - kind: event - category: [ network ] - type: [ connection, start ] - - "ingress.event.module": - kind: event - category: [ process ] - type: [ start, info ] - - "ingress.event.childproc": - kind: event - category: [ process ] - type: [ start, info ] - - "ingress.event.process": - kind: event - category: [ process ] - type: [ info ] - - "ingress.event.crossprocopen": - kind: event - category: [ process ] - type: [ info ] - - "ingress.event.remotethread": - kind: event - category: [ process ] - type: [ info ] - - "ingress.event.emetmitigation": - kind: event - category: [ process ] - type: [ info, end ] - - "ingress.event.processblock": - kind: event - category: [ process ] - type: [ info, end ] - - "ingress.event.tamper": - kind: event - category: [ process, driver ] - type: [ info ] - - "unknown": - kind: event - source: |- - def clone(def ref) { - if (ref == null) return ref; - if (ref instanceof Map) { - ref = ref.entrySet().stream().collect( - Collectors.toMap( - e -> e.getKey(), - e -> clone(e.getValue()) - ) - ); - } else if (ref instanceof List) { - ref = ref.stream().map(e -> clone(e)).collect( - Collectors.toList() - ); - } - return ref; - } - def event = ctx.event; - if (event == null) { - event = new HashMap(); - ctx["event"] = event; - 
} - def type = ctx.event.action; - def fields = params[type] != null? params[type] : params["unknown"]; - fields.forEach( (k, v) -> { - event[k] = clone(v); - }); - -# -# Set observer fields. -# -- set: - field: observer.vendor - value: 'VMWare' - -- set: - field: observer.product - value: 'Carbon Black EDR' - -- set: - field: observer.type - value: 'edr' - -- rename: - field: json.cb_version - target_field: observer.version - ignore_missing: true - -- rename: - field: json.cb_server - target_field: observer.name - ignore_missing: true - -- rename: - field: json.server_name - target_field: observer.name - ignore_missing: true - if: 'ctx.observer.name == null' - -# -# Some events use ioc_attrs instead of ioc_attr. -# -- rename: - field: json.ioc_attrs - target_field: json.ioc_attr - ignore_missing: true - -# -# A few events have ioc_attr as a JSON string -# instead of an object. -# -- json: - field: json.ioc_attr - if: 'ctx.json.ioc_attr != null && ctx.json.ioc_attr instanceof String' - on_failure: - - append: - field: error.message - value: 'Failed to parse string field ioc_attr as JSON (value:{{{ json.ioc_attr }}}): {{{ _ingest.on_failure_message }}}' - # Remove field to prevent ingest failure. - - remove: - field: json.ioc_attr -# -# Parse @timestamp from a few possible timestamp fields. 
-# -- convert: - field: json.timestamp - target_field: _tmp.timestamp - type: double - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'failed to convert numeric timestamp (value: {{{json.timestamp}}}): {{{_ingest.on_failure_message}}}' - -- convert: - field: json.event_timestamp - target_field: _tmp.timestamp - type: double - ignore_missing: true - if: 'ctx._tmp?.timestamp == null' - on_failure: - - append: - field: error.message - value: 'failed to convert numeric event_timestamp (value: {{{json.event_timestamp}}}): {{{_ingest.on_failure_message}}}' - -- set: - field: _tmp.timestamp - value: '{{{ json.doc.timestamp }}}' - ignore_empty_value: true - if: 'ctx._tmp?.timestamp == null' - -- date: - field: _tmp.timestamp - formats: - - UNIX - - ISO8601 - if: 'ctx._tmp?.timestamp != null' - on_failure: - - append: - field: error.message - value: 'failed to parse timestamp (value: {{{ _tmp.timestamp }}}): {{{_ingest.on_failure_message}}}' - -# -# Rule fields -# -- convert: - field: json.watchlist_id - target_field: rule.id - ignore_missing: true - type: string - -- rename: - field: json.watchlist_name - target_field: rule.name - ignore_missing: true - -# Most of the time doc.endpoint is an array. Convert it to array otherwise. -- script: - description: 'Converts doc.endpoint to an array' - lang: painless - source: |- - def ep = ctx.json.doc?.endpoint; - if (ep != null && !(ep instanceof List)) { - ctx.json.doc.endpoint = [ ep ]; - } - -# -# Set host.name when unset from Filebeat (forwarded events). 
-# -- rename: - field: json.doc.hostname - target_field: host.name - ignore_missing: true - if: 'ctx.host?.name == null' - -- rename: - field: json.hostname - target_field: host.name - ignore_missing: true - if: 'ctx.host?.name == null' - -- foreach: - description: 'Sets host.name from docs.endpoint field' - field: json.doc.endpoint - ignore_missing: true - if: 'ctx.host?.name == null && ctx.json.doc?.hostname == null && ctx.json.doc?.endpoint != null' - processor: - grok: - field: '_ingest._value' - patterns: - # endpoint field format is "HOSTNAME|ID" - # This extracts the HOSTNAME part. - - '^%{NOT_SEPARATOR:host.name}%{SEPARATOR}' - pattern_definitions: - SEPARATOR: '|' - NOT_SEPARATOR: '[^|]*' - -# -# Digital signature fields -# -- rename: - field: json.doc.digsig_subject - target_field: file.code_signature.subject_name - ignore_missing: true - -- rename: - field: json.doc.digsig_status - target_field: file.code_signature.status - ignore_missing: true - -- set: - field: file.code_signature.exists - value: true - if: 'ctx.file_signature != null' - -# -# Source os_type can be Windows, Linux or Osx -# -- lowercase: - field: json.doc.os_type - target_field: host.os.type - ignore_missing: true - if: 'ctx._tmp?.forwarded != null' - -- set: - field: host.os.type - value: macos - if: 'ctx._tmp?.forwarded != null && ctx.host?.os?.type == "osx"' - -# Ensures that only accepted values are introduced in os.type. 
-- remove: - field: host.os.type - if: 'ctx._tmp?.forwarded != null && ctx.json.doc?.os_type != null && !["windows","linux","macos"].contains(ctx.host.os.type)' - -- rename: - field: json.doc.os_name - target_field: host.os.name - ignore_missing: true - if: 'ctx._tmp?.forwarded != null' - -# -# Assorted fields -# -- append: - field: file.attributes - value: 'executable' - if: 'ctx.json.doc?.is_executable_image == true || ctx.json.doc?.is_executable_image == "true"' - -- lowercase: - field: json.doc.md5 - target_field: file.hash.md5 - ignore_missing: true - -- foreach: - field: json.doc.observed_filename - ignore_missing: true - processor: - set: - field: file.path - value: '{{{ _ingest._value }}}' - -- rename: - field: json.file_path - target_field: file.path - ignore_missing: true - -- grok: - description: 'Extract registry path' - field: json.path - patterns: - - '(?i)\\registry\\%{GREEDYDATA:registry.path}' - ignore_failure: true - ignore_missing: true - if: 'ctx.event?.action == "ingress.event.regmod"' - -- rename: - field: json.doc.orig_mod_len - target_field: file.size - ignore_missing: true - -- rename: - field: json.size - target_field: file.size - ignore_missing: true - if: 'ctx.file?.size == null' - -- rename: - field: json.doc.cmdline - target_field: process.command_line - ignore_missing: true - -- rename: - field: json.doc.path - target_field: process.executable - ignore_missing: true - -- lowercase: - field: json.doc.process_md5 - target_field: process.hash.md5 - ignore_missing: true - -- rename: - field: json.doc.process_name - target_field: process.name - ignore_missing: true - -- rename: - field: json.doc.process_pid - target_field: process.pid - ignore_missing: true - -- rename: - field: json.doc.unique_id - target_field: process.entity_id - ignore_missing: true - -- date: - field: json.doc.start - target_field: process.start - formats: - - ISO8601 - - UNIX - if: 'ctx.json.doc?.start != null' - on_failure: - - append: - field: error.message - 
value: 'failed to parse process start timestamp (value: {{{ doc.start }}}): {{{_ingest.on_failure_message}}}' - -- rename: - field: json.doc.parent_name - target_field: process.parent.name - ignore_missing: true - -- rename: - field: json.doc.parent_pid - target_field: process.parent.pid - ignore_missing: true - -- rename: - field: json.doc.parent_unique_id - target_field: process.parent.entity_id - ignore_missing: true - -- lowercase: - field: json.doc.parent_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - -- convert: - field: json.doc.is_64bit - type: boolean - ignore_missing: true - on_failure: - - remove: - field: json.doc.is_64bit - -- set: - field: file.pe.architecture - value: x64 - if: 'ctx.json.doc?.is_64bit == true' - -- set: - field: file.pe.architecture - value: x86 - if: 'ctx.json.doc?.is_64bit == false' - -- rename: - field: json.utf8_file_description - target_field: file.pe.description - ignore_missing: true - -- rename: - field: json.utf8_company_name - target_field: file.pe.company - ignore_missing: true - -- rename: - field: json.utf8_product - target_field: file.pe.product_name - ignore_missing: true - -- rename: - field: json.utf8_product_name - target_field: file.pe.product - ignore_missing: true - -- rename: - field: json.utf8_original_file_name - target_field: file.pe.original_file_name - ignore_missing: true - -- rename: - field: json.utf8_file_version - target_field: file.pe.file_version - ignore_missing: true - -# -# Map ioc_type field to STIX 2.0 Cyber Observable values (threat.indicator.type). -# -- script: - lang: painless - if: 'ctx.json.ioc_type != null' - description: > - Maps ioc_type field to STIX 2.0 Cyber Observable values (threat.indicator.type). 
- params: - dns: - type: domain-name - target: threat.indicator.url.domain - ipv4: - type: ipv4-addr - target: threat.indicator.ip - ipv6: - type: ipv6-addr - target: threat.indicator.ip - md5: - type: file - target: threat.indicator.file.hash.md5 - - source: > - void _set(Map base, def path, def value) { - if (path.length == 0) return; - for (int i=0; i - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/fields/base-fields.yml b/packages/carbonblack_edr/1.3.0/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 6100281fc6..0000000000 --- a/packages/carbonblack_edr/1.3.0/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: carbonblack_edr -- name: event.dataset - type: constant_keyword - description: Event dataset - value: carbonblack_edr.log -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/fields/beats.yml b/packages/carbonblack_edr/1.3.0/data_stream/log/fields/beats.yml deleted file mode 100755 index 9275638f93..0000000000 --- a/packages/carbonblack_edr/1.3.0/data_stream/log/fields/beats.yml +++ /dev/null 
@@ -1,15 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/fields/ecs.yml b/packages/carbonblack_edr/1.3.0/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 6d39e67b18..0000000000
--- a/packages/carbonblack_edr/1.3.0/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,288 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. 
- If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. 
- name: file.attributes
- type: keyword
-- description: Boolean to capture if a signature is present.
- name: file.code_signature.exists
- type: boolean
-- description: |-
- Additional information about the certificate status.
- This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
- name: file.code_signature.status
- type: keyword
-- description: Subject name of the code signer
- name: file.code_signature.subject_name
- type: keyword
-- description: MD5 hash.
- name: file.hash.md5
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: CPU architecture target for the file.
- name: file.pe.architecture
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: host.os.name
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- One of these following values should be used (lowercase): linux, macos, unix, windows.
- If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: host.os.type
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: Observer version.
- name: observer.version
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- One of these following values should be used (lowercase): linux, macos, unix, windows.
- If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: os.type
- type: keyword
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.command_line
- type: wildcard
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.executable
- type: keyword
-- description: MD5 hash.
- name: process.hash.md5
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.parent.entity_id
- type: keyword
-- description: MD5 hash.
- name: process.parent.hash.md5
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.parent.name
- type: keyword
-- description: Process id.
- name: process.parent.pid
- type: long
-- description: Process id.
- name: process.pid
- type: long
-- description: The time the process started.
- name: process.start
- type: date
-- description: Full path, including hive, key and value
- name: registry.path
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
- name: rule.id
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Type of indicator as represented by Cyber Observable in STIX 2.0.
- Recommended values:
- * autonomous-system
- * artifact
- * directory
- * domain-name
- * email-addr
- * file
- * ipv4-addr
- * ipv6-addr
- * mac-addr
- * mutex
- * port
- * process
- * software
- * url
- * user-account
- * windows-registry-key
- * x509-certificate
- name: threat.indicator.type
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: threat.indicator.url.domain
- type: keyword
-- description: Identifies a threat indicator as an IP address (irrespective of direction).
- name: threat.indicator.ip
- type: ip
-- description: MD5 hash.
- name: threat.indicator.file.hash.md5
- type: keyword
-- description: Identifies a threat indicator as a port number (irrespective of direction).
- name: threat.indicator.port
- type: long
-- description: A hash that identifies clients based on how they perform an SSL/TLS handshake.
- name: tls.client.ja3
- type: keyword
-- description: A hash that identifies servers based on how they perform an SSL/TLS handshake.
- name: tls.server.ja3s
- type: keyword
diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/fields/fields.yml b/packages/carbonblack_edr/1.3.0/data_stream/log/fields/fields.yml
deleted file mode 100755
index dfe35699bf..0000000000
--- a/packages/carbonblack_edr/1.3.0/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,308 +0,0 @@
-- name: carbonblack.edr
- type: group
- release: experimental
- description: >
- Fields for VMware Carbon Black EDR Logs
-
- fields:
- - name: cb_version
- type: keyword
- - name: doc
- type: flattened
- - name: event_timestamp
- type: double
- - name: server_name
- type: keyword
- - name: watchlist_id
- type: keyword
- - name: watchlist_name
- type: keyword
- - name: feed_id
- type: keyword
- - name: feed_name
- type: keyword
- - name: hostname
- type: keyword
- - name: ioc_attr
- type: flattened
- - name: ioc_type
- type: keyword
- - name: ioc_value
- type: keyword
- - name: process_id
- type: keyword
- - name: report_id
- type: keyword
- - name: sensor_id
- type: keyword
- - name: md5
- type: keyword
- - name: segment_id
- type: keyword
- - name: scores
- type: group
- fields:
- - name: alliance_score_virustotal
- type: long
- - name: alliance_score_srstrust
- type: long
- - name: watchlists
- type: group
- fields:
- - name: watchlist_7
- type: keyword
- - name: watchlist_9
- type: keyword
- - name: watchlist_1
- type: keyword
- - name: compressed_size
- type: long
- - name: file_path
- type: keyword
- - name: size
- type: long
- - name: action
- type: keyword
- - name: actiontype
- type: keyword
- - name: cb_server
- type: keyword
- - name: computer_name
- type: keyword
- - name: event_type
- type: keyword
- - name: link_process
- type: keyword
- - name: link_sensor
- type: keyword
- - name: path
- type: keyword
- - name: pid
- type: long
- - name: process_guid
- type: keyword
- - name: timestamp
- type: double
- - name: type
- type: keyword
- - name: filetype
- type: keyword
- - name: filetype_name
- type: keyword
- - name: direction
- type: keyword
- - name: domain
- type: keyword
- - name: ipv4
- type: keyword
- - name: local_ip
- type: keyword
- - name: local_port
- type: long
- - name: port
- type: long
- - name: protocol
- type: keyword
- - name: remote_ip
- type: keyword
- - name: remote_port
- type: long
- - name: child_process_guid
- type: keyword
- - name: created
- type: boolean
- - name: link_child
- type: keyword
- - name: command_line
- type: keyword
- - name: expect_followon_w_md5
- type: boolean
- - name: link_parent
- type: keyword
- - name: parent_create_time
- type: long
- - name: parent_md5
- type: keyword
- - name: parent_path
- type: keyword
- - name: parent_process_guid
- type: keyword
- - name: username
- type: keyword
- - name: cross_process_type
- type: keyword
- - name: is_target
- type: boolean
- - name: link_target
- type: keyword
- - name: requested_access
- type: long
- - name: target_create_time
- type: long
- - name: target_md5
- type: keyword
- - name: target_path
- type: keyword
- - name: target_pid
- type: long
- - name: target_process_guid
- type: keyword
- - name: blocked
- type: boolean
- - name: emet_timestamp
- type: long
- - name: log_id
- type: keyword
- - name: log_message
- type: keyword
- - name: mitigation
- type: keyword
- - name: blocked_event
- type: keyword
- - name: blocked_reason
- type: keyword
- - name: blocked_result
- type: keyword
- - name: uid
- type: keyword
- - name: tamper_type
- type: keyword
- - name: alert_severity
- type: double
- - name: alert_type
- type: keyword
- - name: childproc_count
- type: long
- - name: comms_ip
- type: keyword
- - name: created_time
- type: keyword
- - name: crossproc_count
- type: long
- - name: feed_rating
- type: double
- - name: filemod_count
- type: long
- - name: group
- type: keyword
- - name: host
- type: keyword
- - name: interface_ip
- type: keyword
- - name: ioc_confidence
- type: double
- - name: link_md5
- type: keyword
- - name: modload_count
- type: long
- - name: netconn_count
- type: long
- - name: os_type
- type: keyword
- - name: process_name
- type: keyword
- - name: process_path
- type: keyword
- - name: process_unique_id
- type: keyword
- - name: regmod_count
- type: long
- - name: report_score
- type: long
- - name: sensor_criticality
- type: double
- - name: sha256
- type: keyword
- - name: status
- type: keyword
- - name: unique_id
- type: keyword
- - name: child_pid
- type: long
- - name: child_suppressed
- type: boolean
- - name: childproc_type
- type: keyword
- - name: parent_guid
- type: keyword
- - name: tamper
- type: boolean
- - name: tamper_sent
- type: boolean
- - name: child_command_line
- type: keyword
- - name: child_username
- type: keyword
- - name: target_sha256
- type: keyword
- - name: script
- type: keyword
- - name: script_sha256
- type: keyword
- - name: file_md5
- type: keyword
- - name: file_sha256
- type: keyword
- - name: proxy
- type: boolean
- - name: ja3
- type: keyword
- - name: ja3s
- type: keyword
- - name: filtering_known_dlls
- type: boolean
- - name: parent_pid
- type: long
- - name: parent_sha256
- type: keyword
- - name: digsig
- type: group
- fields:
- - name: result
- type: keyword
- - name: program_name
- type: keyword
- - name: result_code
- type: keyword
- - name: publisher
- type: keyword
- - name: subject_name
- type: keyword
- - name: sign_time
- type: keyword
- - name: issuer_name
- type: keyword
- - name: icon
- type: keyword
- - name: image_file_header
- type: keyword
- - name: utf8_comments
- type: keyword
- - name: utf8_company_name
- type: keyword
- - name: utf8_copied_module_length
- type: long
- - name: utf8_file_description
- type: keyword
- - name: utf8_file_version
- type: keyword
- - name: utf8_internal_name
- type: keyword
- - name: utf8_legal_copyright
- type: keyword
- - name: utf8_legal_trademark
- type: keyword
- - name: utf8_on_disk_filename
- type: keyword
- - name: utf8_original_file_name
- type: keyword
- - name: utf8_private_build
- type: keyword
- - name: utf8_product_description
- type: keyword
- - name: utf8_product_name
- type: keyword
- - name: utf8_product_version
- type: keyword
- - name: utf8_special_build
- type: keyword
diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/manifest.yml b/packages/carbonblack_edr/1.3.0/data_stream/log/manifest.yml
deleted file mode 100755
index 21303f9bb5..0000000000
--- a/packages/carbonblack_edr/1.3.0/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,178 +0,0 @@
-type: logs
-title: Carbon Black EDR logs
-streams:
- - input: http_endpoint
- template_path: http_endpoint.yml.hbs
- title: Carbon Black EDR logs
- description: Receive Carbon Black EDR logs via HTTP.
- vars:
- - name: listen_address
- type: text
- title: Listen address
- description: The bind address for the HTTP server.
- multi: false
- required: true
- show_user: true
- - name: listen_port
- type: integer
- title: Listen port
- description: Port number for the HTTP server.
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - carbonblack_edr-log
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- - input: tcp
- enabled: false
- template_path: tcpudp.yml.hbs
- title: Carbon Black EDR logs
- description: Receive Carbon Black EDR logs via TCP.
- vars:
- - name: listen_address
- type: text
- title: Listen address
- description: The bind address for receiving TCP connections.
- multi: false
- required: true
- show_user: true
- - name: listen_port
- type: integer
- title: Listen port
- description: Port number to listen for TCP connections.
- multi: false
- required: false
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - carbonblack_edr-log
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- - input: udp
- enabled: false
- template_path: tcpudp.yml.hbs
- title: Carbon Black EDR logs
- description: Receive Carbon Black EDR logs via UDP.
- vars:
- - name: listen_address
- type: text
- title: Listen address
- description: The bind address for receiving UDP packets.
- multi: false
- required: true
- show_user: true
- - name: listen_port
- type: integer
- title: Listen port
- description: Port number to listen for UDP packets.
- multi: false
- required: false
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - carbonblack_edr-log
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- - input: logfile
- enabled: false
- template_path: log.yml.hbs
- title: Carbon Black EDR logs
- description: Read Carbon Black EDR logs from a file.
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/cb/data/event_bridge_output.json
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - carbonblack_edr-log
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
diff --git a/packages/carbonblack_edr/1.3.0/data_stream/log/sample_event.json b/packages/carbonblack_edr/1.3.0/data_stream/log/sample_event.json
deleted file mode 100755
index 5afdcc33ab..0000000000
--- a/packages/carbonblack_edr/1.3.0/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "@timestamp": "2014-04-11T19:21:33.682Z",
- "agent": {
- "ephemeral_id": "7bb86a18-d262-4348-b206-131e38d2d1c8",
- "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "carbonblack": {
- "edr": {
- "event_timestamp": 1397244093.682,
- "feed_id": 7,
- "feed_name": "dxmtest1",
- "ioc_attr": {},
- "md5": "506708142BC63DABA64F2D3AD1DCD5BF",
- "report_id": "dxmtest1_04",
- "sensor_id": 3321
- }
- },
- "data_stream": {
- "dataset": "carbonblack_edr.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "unknown",
- "agent_id_status": "verified",
- "dataset": "carbonblack_edr.log",
- "ingested": "2022-01-25T07:45:03Z",
- "kind": "event",
- "original": "{\"md5\":\"506708142BC63DABA64F2D3AD1DCD5BF\",\"report_id\":\"dxmtest1_04\",\"ioc_type\":\"md5\",\"ioc_value\":\"506708142bc63daba64f2d3ad1dcd5bf\",\"ioc_attr\":{},\"feed_id\":7,\"hostname\":\"FS-SEA-529\",\"sensor_id\":3321,\"cb_version\":\"4.2.1.140808.1059\",\"server_name\":\"localhost.localdomain\",\"feed_name\":\"dxmtest1\",\"event_timestamp\":1397244093.682}\n"
- },
- "host": {
- "name": "FS-SEA-529"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.19.0.4:46263"
- }
- },
- "observer": {
- "name": "localhost.localdomain",
- "product": "Carbon Black EDR",
- "type": "edr",
- "vendor": "VMWare",
- "version": "4.2.1.140808.1059"
- },
- "tags": [
- "carbonblack_edr-log",
- "forwarded",
- "preserve_original_event"
- ],
- "threat": {
- "indicator": {
- "file": {
- "hash": {
- "md5": "506708142bc63daba64f2d3ad1dcd5bf"
- }
- },
- "type": "file"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/carbonblack_edr/1.3.0/docs/README.md b/packages/carbonblack_edr/1.3.0/docs/README.md
deleted file mode 100755
index ede9799204..0000000000
--- a/packages/carbonblack_edr/1.3.0/docs/README.md
+++ /dev/null
@@ -1,351 +0,0 @@
-# VMware Carbon Black EDR Integration
-
-The VMware Carbon Black EDR integration collects EDR Server and raw Endpoint events exported by [Carbon Black EDR Event Forwarder.](https://github.com/carbonblack/cb-event-forwarder) The following output methods are supported: `http`, `tcp`, `udp` and `file`.
-
-## Compatibility
-
-This integration has been tested with the 3.7.4 version of EDR Event Forwarder.
-
-## Configuration
-
-The following configuration is necessary in `cb-event-forwarder.conf`:
-
-- `output_format=json` (default)
-
-For `http` output:
- - `output_type=http`
- - `http_post_template=[{{range .Events}}{{.EventText}}{{end}}]`
- - `content_type=application/json` (default)
-
-For `tcp` output:
- - `output_type=tcp`
- - `tcpout=:`
-
-For `udp` output:
-- `output_type=tcp`
-- `tcpout=:`
-
-For `file` output:
-- `output_type=file`
-- `outfile=`
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2014-04-11T19:21:33.682Z",
- "agent": {
- "ephemeral_id": "7bb86a18-d262-4348-b206-131e38d2d1c8",
- "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "carbonblack": {
- "edr": {
- "event_timestamp": 1397244093.682,
- "feed_id": 7,
- "feed_name": "dxmtest1",
- "ioc_attr": {},
- "md5": "506708142BC63DABA64F2D3AD1DCD5BF",
- "report_id": "dxmtest1_04",
- "sensor_id": 3321
- }
- },
- "data_stream": {
- "dataset": "carbonblack_edr.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "9cb9fa70-f3e9-45d8-b1cb-61425bd93e1a",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "unknown",
- "agent_id_status": "verified",
- "dataset": "carbonblack_edr.log",
- "ingested": "2022-01-25T07:45:03Z",
- "kind": "event",
- "original": "{\"md5\":\"506708142BC63DABA64F2D3AD1DCD5BF\",\"report_id\":\"dxmtest1_04\",\"ioc_type\":\"md5\",\"ioc_value\":\"506708142bc63daba64f2d3ad1dcd5bf\",\"ioc_attr\":{},\"feed_id\":7,\"hostname\":\"FS-SEA-529\",\"sensor_id\":3321,\"cb_version\":\"4.2.1.140808.1059\",\"server_name\":\"localhost.localdomain\",\"feed_name\":\"dxmtest1\",\"event_timestamp\":1397244093.682}\n"
- },
- "host": {
- "name": "FS-SEA-529"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.19.0.4:46263"
- }
- },
- "observer": {
- "name": "localhost.localdomain",
- "product": "Carbon Black EDR",
- "type": "edr",
- "vendor": "VMWare",
- "version": "4.2.1.140808.1059"
- },
- "tags": [
- "carbonblack_edr-log",
- "forwarded",
- "preserve_original_event"
- ],
- "threat": {
- "indicator": {
- "file": {
- "hash": {
- "md5": "506708142bc63daba64f2d3ad1dcd5bf"
- }
- },
- "type": "file"
- }
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbonblack.edr.action | | keyword |
-| carbonblack.edr.actiontype | | keyword |
-| carbonblack.edr.alert_severity | | double |
-| carbonblack.edr.alert_type | | keyword |
-| carbonblack.edr.blocked | | boolean |
-| carbonblack.edr.blocked_event | | keyword |
-| carbonblack.edr.blocked_reason | | keyword |
-| carbonblack.edr.blocked_result | | keyword |
-| carbonblack.edr.cb_server | | keyword |
-| carbonblack.edr.cb_version | | keyword |
-| carbonblack.edr.child_command_line | | keyword |
-| carbonblack.edr.child_pid | | long |
-| carbonblack.edr.child_process_guid | | keyword |
-| carbonblack.edr.child_suppressed | | boolean |
-| carbonblack.edr.child_username | | keyword |
-| carbonblack.edr.childproc_count | | long |
-| carbonblack.edr.childproc_type | | keyword |
-| carbonblack.edr.command_line | | keyword |
-| carbonblack.edr.comms_ip | | keyword |
-| carbonblack.edr.compressed_size | | long |
-| carbonblack.edr.computer_name | | keyword |
-| carbonblack.edr.created | | boolean |
-| carbonblack.edr.created_time | | keyword |
-| carbonblack.edr.cross_process_type | | keyword |
-| carbonblack.edr.crossproc_count | | long |
-| carbonblack.edr.digsig.issuer_name | | keyword |
-| carbonblack.edr.digsig.program_name | | keyword |
-| carbonblack.edr.digsig.publisher | | keyword |
-| carbonblack.edr.digsig.result | | keyword |
-| carbonblack.edr.digsig.result_code | | keyword |
-| carbonblack.edr.digsig.sign_time | | keyword |
-| carbonblack.edr.digsig.subject_name | | keyword |
-| carbonblack.edr.direction | | keyword |
-| carbonblack.edr.doc | | flattened |
-| carbonblack.edr.domain | | keyword |
-| carbonblack.edr.emet_timestamp | | long |
-| carbonblack.edr.event_timestamp | | double |
-| carbonblack.edr.event_type | | keyword |
-| carbonblack.edr.expect_followon_w_md5 | | boolean |
-| carbonblack.edr.feed_id | | keyword |
-| carbonblack.edr.feed_name | | keyword |
-| carbonblack.edr.feed_rating | | double |
-| carbonblack.edr.file_md5 | | keyword |
-| carbonblack.edr.file_path | | keyword |
-| carbonblack.edr.file_sha256 | | keyword |
-| carbonblack.edr.filemod_count | | long |
-| carbonblack.edr.filetype | | keyword |
-| carbonblack.edr.filetype_name | | keyword |
-| carbonblack.edr.filtering_known_dlls | | boolean |
-| carbonblack.edr.group | | keyword |
-| carbonblack.edr.host | | keyword |
-| carbonblack.edr.hostname | | keyword |
-| carbonblack.edr.icon | | keyword |
-| carbonblack.edr.image_file_header | | keyword |
-| carbonblack.edr.interface_ip | | keyword |
-| carbonblack.edr.ioc_attr | | flattened |
-| carbonblack.edr.ioc_confidence | | double |
-| carbonblack.edr.ioc_type | | keyword |
-| carbonblack.edr.ioc_value | | keyword |
-| carbonblack.edr.ipv4 | | keyword |
-| carbonblack.edr.is_target | | boolean |
-| carbonblack.edr.ja3 | | keyword |
-| carbonblack.edr.ja3s | | keyword |
-| carbonblack.edr.link_child | | keyword |
-| carbonblack.edr.link_md5 | | keyword |
-| carbonblack.edr.link_parent | | keyword |
-| carbonblack.edr.link_process | | keyword |
-| carbonblack.edr.link_sensor | | keyword |
-| carbonblack.edr.link_target | | keyword |
-| carbonblack.edr.local_ip | | keyword |
-| carbonblack.edr.local_port | | long |
-| carbonblack.edr.log_id | | keyword |
-| carbonblack.edr.log_message | | keyword |
-| carbonblack.edr.md5 | | keyword |
-| carbonblack.edr.mitigation | | keyword |
-| carbonblack.edr.modload_count | | long |
-| carbonblack.edr.netconn_count | | long |
-| carbonblack.edr.os_type | | keyword |
-| carbonblack.edr.parent_create_time | | long |
-| carbonblack.edr.parent_guid | | keyword |
-| carbonblack.edr.parent_md5 | | keyword |
-| carbonblack.edr.parent_path | | keyword |
-| carbonblack.edr.parent_pid | | long |
-| carbonblack.edr.parent_process_guid | | keyword |
-| carbonblack.edr.parent_sha256 | | keyword |
-| carbonblack.edr.path | | keyword |
-| carbonblack.edr.pid | | long |
-| carbonblack.edr.port | | long |
-| carbonblack.edr.process_guid | | keyword |
-| carbonblack.edr.process_id | | keyword |
-| carbonblack.edr.process_name | | keyword |
-| carbonblack.edr.process_path | | keyword |
-| carbonblack.edr.process_unique_id | | keyword |
-| carbonblack.edr.protocol | | keyword |
-| carbonblack.edr.proxy | | boolean |
-| carbonblack.edr.regmod_count | | long |
-| carbonblack.edr.remote_ip | | keyword |
-| carbonblack.edr.remote_port | | long |
-| carbonblack.edr.report_id | | keyword |
-| carbonblack.edr.report_score | | long |
-| carbonblack.edr.requested_access | | long |
-| carbonblack.edr.scores.alliance_score_srstrust | | long |
-| carbonblack.edr.scores.alliance_score_virustotal | | long |
-| carbonblack.edr.script | | keyword |
-| carbonblack.edr.script_sha256 | | keyword |
-| carbonblack.edr.segment_id | | keyword |
-| carbonblack.edr.sensor_criticality | | double |
-| carbonblack.edr.sensor_id | | keyword |
-| carbonblack.edr.server_name | | keyword |
-| carbonblack.edr.sha256 | | keyword |
-| carbonblack.edr.size | | long |
-| carbonblack.edr.status | | keyword |
-| carbonblack.edr.tamper | | boolean |
-| carbonblack.edr.tamper_sent | | boolean |
-| carbonblack.edr.tamper_type | | keyword |
-| carbonblack.edr.target_create_time | | long |
-| carbonblack.edr.target_md5 | | keyword |
-| carbonblack.edr.target_path | | keyword |
-| carbonblack.edr.target_pid | | long |
-| carbonblack.edr.target_process_guid | | keyword |
-| carbonblack.edr.target_sha256 | | keyword |
-| carbonblack.edr.timestamp | | double |
-| carbonblack.edr.type | | keyword |
-| carbonblack.edr.uid | | keyword |
-| carbonblack.edr.unique_id | | keyword |
-| carbonblack.edr.username | | keyword |
-| carbonblack.edr.utf8_comments | | keyword |
-| carbonblack.edr.utf8_company_name | | keyword |
-| carbonblack.edr.utf8_copied_module_length | | long |
-| carbonblack.edr.utf8_file_description | | keyword |
-| carbonblack.edr.utf8_file_version | | keyword |
-| carbonblack.edr.utf8_internal_name | | keyword |
-| carbonblack.edr.utf8_legal_copyright | | keyword |
-| carbonblack.edr.utf8_legal_trademark | | keyword |
-| carbonblack.edr.utf8_on_disk_filename | | keyword |
-| carbonblack.edr.utf8_original_file_name | | keyword |
-| carbonblack.edr.utf8_private_build | | keyword |
-| carbonblack.edr.utf8_product_description | | keyword |
-| carbonblack.edr.utf8_product_name | | keyword |
-| carbonblack.edr.utf8_product_version | | keyword |
-| carbonblack.edr.utf8_special_build | | keyword |
-| carbonblack.edr.watchlist_id | | keyword |
-| carbonblack.edr.watchlist_name | | keyword |
-| carbonblack.edr.watchlists.watchlist_1 | | keyword |
-| carbonblack.edr.watchlists.watchlist_7 | | keyword |
-| carbonblack.edr.watchlists.watchlist_9 | | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.code_signature.exists | Boolean to capture if a signature is present. | boolean |
-| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
-| file.code_signature.subject_name | Subject name of the code signer | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.pe.architecture | CPU architecture target for the file. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.direction | Direction of the network traffic.
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. 
| keyword | -| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
| keyword | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| registry.path | Full path, including hive, key and value | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | - -
diff --git a/packages/carbonblack_edr/1.3.0/img/carbon-black-logo.svg b/packages/carbonblack_edr/1.3.0/img/carbon-black-logo.svg
deleted file mode 100755
index 180cc3d212..0000000000
--- a/packages/carbonblack_edr/1.3.0/img/carbon-black-logo.svg
+++ /dev/null
@@ -1,91 +0,0 @@
- - - - -Created by potrace 1.16, written by Peter Selinger 2001-2019 - - - - - - - - - - - - - - - - - - - - -
diff --git a/packages/carbonblack_edr/1.3.0/manifest.yml b/packages/carbonblack_edr/1.3.0/manifest.yml
deleted file mode 100755
index 44f0d8a86e..0000000000
--- a/packages/carbonblack_edr/1.3.0/manifest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: carbonblack_edr
-title: VMware Carbon Black EDR
-version: 1.3.0
-release: ga
-description: Collect logs from VMware Carbon Black EDR with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: ^7.14.0 || ^8.0.0
-policy_templates:
- - name: log
- title: Carbon Black EDR logs
- description: Collect logs from Carbon Black EDR
- inputs:
- - type: http_endpoint
- title: "Collect Carbon Black EDR via HTTP"
- description: "Collect logs from Carbon Black EDR via HTTP"
- - type: tcp
- title: "Collect Carbon Black EDR via TCP"
- description: "Collect logs from Carbon Black EDR via TCP"
- - type: udp
- title: "Collect Carbon Black EDR via UDP"
- description: "Collect logs from Carbon Black EDR via UDP"
- - type: logfile
- title: "Collect Carbon Black EDR from a file"
- description: "Collect logs from Carbon Black EDR from a file"
-icons:
- - src: /img/carbon-black-logo.svg
- title: VMWare Carbon Black
- size: 32x32
- type: image/svg+xml
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cef/2.0.1/changelog.yml b/packages/cef/2.0.1/changelog.yml
deleted file mode 100755
index 75a823f779..0000000000
--- a/packages/cef/2.0.1/changelog.yml
+++ /dev/null
@@ -1,119 +0,0 @@
-# newer versions go on top
-- version: "2.0.1"
- changes:
- - description: Clarify scope of dashboards
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3470
-- version: "2.0.0"
- changes:
- - description: Migrate map visualisation from tile_map to map object
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3263
-- version: "1.5.0"
- changes:
- - description: Update to ECS 8.2 by modifying Check Point events to use the new email field set.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2804
-- version: "1.4.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.4.2"
- changes:
- - description: Add field mappings for several `event.*` fields.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2808
-- version: "1.4.1"
- changes:
- - description: Append pipeline errors to error.message instead of overwriting existing errors.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2789
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2386
-- version: "1.3.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.3.0"
- changes:
- - description: Change test IPs to the supported set for GeoIP
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2216
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2216
-- version: "1.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1950
-- version: "1.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1802
-- version: "1.2.0"
- changes:
- - description: Add CEF time zone config option.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1723
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1652
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1604
-- version: "0.5.2"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1469
-- version: '0.5.1'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1375
-- version: "0.5.0"
- changes:
- - description: Update documentation to fit mdx spec
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1401
-- version: "0.4.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.3.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1255
-- version: "0.2.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1032
-- version: "0.1.0"
- changes:
- - description: Change syslog input to udp input. Add syslog timestamp parsing to Ingest Node pipeline.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/898
-- version: "0.0.4"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/838
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/418
diff --git a/packages/cef/2.0.1/data_stream/log/agent/stream/log.yml.hbs b/packages/cef/2.0.1/data_stream/log/agent/stream/log.yml.hbs
deleted file mode 100755
index c9f24092e8..0000000000
--- a/packages/cef/2.0.1/data_stream/log/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-paths:
- {{#each paths as |path i|}}
-- {{path}}
- {{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- rename:
- fields:
- - {from: "message", to: "event.original"}
-- decode_cef:
- field: event.original
-{{#if decode_cef_timezone}}
- timezone: {{ decode_cef_timezone }}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/cef/2.0.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/cef/2.0.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 4d71aa0234..0000000000
--- a/packages/cef/2.0.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- rename:
- fields:
- - {from: "message", to: "event.original"}
-- decode_cef:
- field: event.original
-{{#if decode_cef_timezone}}
- timezone: {{ decode_cef_timezone }}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml b/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml
deleted file mode 100755
index ddca091211..0000000000
--- a/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml
+++ /dev/null
@@ -1,375 +0,0 @@
----
-description: Pipeline for Check Point CEF
-
-processors:
- # This script is mapping CEF extensions to ECS when possible. Otherwise
- # it maps them to fields under the `checkpoint` group using Check Point log
- # field names.
- #
- # [1] Description of Check Point CEF extensions:
- # https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060
- # [2] Description of Check Point log field names (sk144192):
- # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192
- #
- # Note that in some cases the CEF extension name doesn't accurately describe
- # its contents. For example sntdom/sourceNtDomain, which is used to store
- # Check Point's domain_name, documented as "Domain name sent to DNS request".
- #
- # This script processes the `params.extensions` list below. This list consists
- # of two different kinds of mappings, the simpler has a source ext `name`
- # and a `to` field. It copies the given extension field to the target `to`.
- #
- # When the `labels` dict is defined, the target field depends on the value of
- # the accompanying label field. For example, the field deviceCustomIPv6Address2
- # is mapped to `source.ip` only when the extension deviceCustomIPv6Address2Label
- # exists and its value is "Source IPv6 Address".
- #
- # Also it can convert the destination value by simple mapping when the
- # convert key exists. Values without an entry in the convert dict are not
- # copied and the target field remains unset.
- #
- # The output of this processor is a single field, `_tmp_copy`, that contains
- # a list of actions `{"to": "target_field", "value":"field value"}` that is
- # later executed using a foreach processor. This is done to avoid complex
- # de-dotting and other gotchas of setting arbitrary fields in Painless.
- - script:
- lang: painless
- params:
- extensions:
- - name: cp_app_risk
- to: checkpoint.app_risk
-
- - name: cp_app_risk
- to: event.risk_score
- # This mapping is a mix of [1] and [2] above.
- convert:
- unknown: 0
- informational: 0
- very-low: 1
- low: 2
- medium: 3
- high: 4
- very-high: 5
- critical: 5
-
- - name: cp_severity
- to: checkpoint.severity
-
- - name: cp_severity
- to: event.severity
- convert:
- # This mapping is a mix of [1] and [2] above.
- unknown: 0
- informational: 0
- very-low: 1
- low: 1
- medium: 2
- high: 3
- very-high: 4
- critical: 4
-
- # Number of events associated with the log
- - name: baseEventCount
- to: checkpoint.event_count
-
- # Log type
- - name: deviceExternalId
- to: observer.type
-
- # Product Family (override deviceExternalId if present).
- - name: deviceFacility
- to: observer.type
- convert:
- '0': Network
- '1': Endpoint
- '2': Access
- '3': Threat
- '4': Mobile
-
- # Gateway interface, where the connection is received from in case of an outbound connection
- - name: deviceInboundInterface
- to: observer.ingress.interface.name
-
- # Gateway interface, where the connection is sent from, in case of an inbound connection
- - name: deviceOutboundInterface
- to: observer.egress.interface.name
-
- - name: externalId
- to: checkpoint.uuid
-
- - name: fileHash
- to: checkpoint.file_hash
-
- - name: reason
- to: checkpoint.termination_reason
-
- # Possibly an IKE cookie
- - name: requestCookies
- to: checkpoint.cookie
-
- # Probably a typo in CP's CEF docs
- - name: checkrequestCookies
- to: checkpoint.cookie
-
- # Domain name sent to DNS request
- - name: sourceNtDomain
- to: dns.question.name
-
- # CVE registry entry
- - name: Signature
- to: vulnerability.id
-
- - name: Recipient
- to: destination.user.email
-
- - name: Sender
- to: source.user.email
-
- - name: deviceCustomFloatingPoint1
- labels:
- update version: observer.version
-
- - name: deviceCustomIPv6Address2
- labels:
- source ipv6 address: source.ip
-
- - 
name: deviceCustomIPv6Address3
- labels:
- destination ipv6 address: destination.ip
-
- - name: deviceCustomNumber1
- labels:
- payload: network.bytes
- elapsed time in seconds: event.duration
- email recipients number: checkpoint.email_recipients_num
-
- - name: deviceCustomNumber2
- labels:
- duration in seconds: event.duration
- icmp type: checkpoint.icmp_type
-
- - name: deviceCustomNumber3
- labels:
- icmp code: checkpoint.icmp_code
-
- - name: deviceCustomString1
- labels:
- application rule name: rule.name
- dlp rule name: rule.name
- threat prevention rule name: rule.name
- connectivity state: checkpoint.connectivity_state
- email id: checkpoint.email_id
- voip log type: checkpoint.voip_log_type
-
- - name: deviceCustomString2
- labels:
- # Protection malware id
- protection id: checkpoint.protection_id
- update status: checkpoint.update_status
- email subject: checkpoint.email_subject
- sensor mode: checkpoint.sensor_mode
- scan invoke type: checkpoint.integrity_av_invoke_type
- category: checkpoint.category
- # Matched categories
- categories: rule.category
- peer gateway: checkpoint.peer_gateway
-
- - name: deviceCustomString6
- labels:
- application name: network.application
- virus name: checkpoint.virus_name
- malware name: checkpoint.spyware_name
- malware family: checkpoint.malware_family
-
- - name: deviceCustomString3
- labels:
- user group: group.name
- # Format of original data.
- incident extension: checkpoint.incident_extension
- identity type: checkpoint.identity_type
- email spool id: checkpoint.email_spool_id
- # Type of protection used to detect the attack
- protection type: checkpoint.protection_type
-
- - name: deviceCustomString4
- labels:
- malware status: checkpoint.spyware_status
- destination os: os.name
- scan result: checkpoint.scan_result
- frequency: checkpoint.frequency
- protection name: checkpoint.protection_name
- user response: checkpoint.user_status
- email control: checkpoint.email_control
- tcp flags: checkpoint.tcp_flags
- threat prevention rule id: rule.id
-
- - name: deviceCustomString5
- labels:
- matched category: rule.category
- authentication method: checkpoint.auth_method
- email session id: checkpoint.email_session_id
- vlan id: network.vlan.id
-
- - name: deviceCustomDate2
- labels:
- subscription expiration: checkpoint.subs_exp
-
- - name: deviceFlexNumber1
- labels:
- confidence: checkpoint.confidence_level
-
- - name: deviceFlexNumber2
- labels:
- destination phone number: checkpoint.dst_phone_number
- performance impact: checkpoint.performance_impact
-
- - name: flexString1
- labels:
- application signature id: checkpoint.app_sig_id
-
- - name: flexString2
- labels:
- malware action: rule.description
- attack information: event.action
-
- - name: rule_uid
- to: rule.uuid
-
- - name: ifname
- to: observer.ingress.interface.name
-
- - name: inzone
- to: observer.ingress.zone
-
- - name: outzone
- to: observer.egress.zone
-
- - name: product
- to: observer.product
- source: |
- def actions = new ArrayList();
- def exts = ctx.cef?.extensions;
- if (exts == null) return;
- for (entry in params.extensions) {
- def value = exts[entry.name];
- if (value == null ||
- (entry.convert != null &&
- (value=entry.convert[value.toLowerCase()]) == null))
- continue;
- if (entry.to != null) {
- actions.add([
- "value": value,
- "to": entry.to
- ]);
- continue;
- }
- def label = exts[entry.name + "Label"];
- if (label 
== null) continue;
- def dest = entry.labels[label.toLowerCase()];
- if (dest == null) continue;
- actions.add([
- "value": value,
- "to": dest
- ]);
- }
- ctx["_tmp_copy"] = actions;
-
- - foreach:
- field: _tmp_copy
- processor:
- set:
- field: "{{_ingest._value.to}}"
- value: "{{_ingest._value.value}}"
-
- - remove:
- field: _tmp_copy
-
- - set:
- field: email.to.address
- value: ["{{{destination.user.email}}}"]
- if: "ctx?.destination?.user?.email != null"
- - set:
- field: email.from.address
- value: ["{{{source.user.email}}}"]
- if: "ctx?.source?.user?.email != null"
- - set:
- field: email.subject
- copy_from: checkpoint.email_subject
- if: "ctx?.checkpoint?.email_subject != null"
- - set:
- field: email.message_id
- copy_from: checkpoint.email_session_id
- if: "ctx?.checkpoint?.email_session_id != null"
- - convert:
- field: event.risk_score
- type: float
- ignore_missing: true
- on_failure:
- - remove:
- field: event.risk_score
- - convert:
- field: event.severity
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: event.severity
-
- # event.duration is a string and contains seconds. Convert to long nanos.
- - script:
- params:
- second_to_nanos: 1000000000
- lang: painless
- source: |
- def duration = ctx.event?.duration;
- if (duration == null) return;
- ctx.event.duration = Long.parseLong(duration) * params.second_to_nanos;
- on_failure:
- - remove:
- field: event.duration
- ignore_missing: true
-
- # checkpoint.file_hash can be either MD5, SHA1 or SHA256.
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.md5
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32'
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.sha1
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40'
- - rename:
- field: checkpoint.file_hash
- target_field: file.hash.sha256
- if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64'
-
- # Event kind is 'event' by default. 'alert' when a risk score and rule info
- # is present.
- - set:
- field: event.kind
- value: event
- - set:
- field: event.kind
- value: alert
- if: 'ctx.cef?.extensions?.cp_app_risk != null && ctx.rule != null'
-
- # Set event.category to network/malware/intrusion_detection depending on which
- # fields have been populated.
- - set:
- field: event.category
- value: network
- if: 'ctx.source?.ip != null && ctx.destination?.ip != null'
- - set:
- field: event.category
- value: malware
- if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null'
- - set:
- field: event.category
- value: intrusion_detection
- if: 'ctx.event?.category != "malware" && (ctx.checkpoint?.protection_type != null || ctx.cef.extensions?.flexString2Label == "Attack Information")'
-
- - convert:
- field: checkpoint.event_count
- type: long
- ignore_missing: true
diff --git a/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 61a64b5cfd..0000000000
--- a/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,152 +0,0 @@
----
-description: Pipeline for CEF logs. CEF decoding happens in the Agent. This performs additional enrichment and vendor specific transformations.
-
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
-
- - convert:
- field: event.id
- type: string
- ignore_missing: true
-
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hash
- value: "{{cef.extensions.fileHash}}"
- allow_duplicates: false
- if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''"
- - append:
- field: related.hash
- value: "{{cef.extensions.oldFileHash}}"
- allow_duplicates: false
- if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''"
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''"
- - append:
- field: related.ip
- value: "{{destination.nat.ip}}"
- allow_duplicates: false
- if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != 
''"
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: "ctx?.source?.ip != null && ctx?.source?.ip != ''"
- - append:
- field: related.ip
- value: "{{source.nat.ip}}"
- allow_duplicates: false
- if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''"
- - append:
- field: related.user
- value: "{{destination.user.name}}"
- if: "ctx?.destination?.user?.name != null"
- - append:
- field: related.user
- value: "{{source.user.name}}"
- allow_duplicates: false
- if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''"
- - append:
- field: related.hosts
- value: "{{observer.hostname}}"
- allow_duplicates: false
- if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''"
- - pipeline:
- name: '{{ IngestPipeline "fp-pipeline" }}'
- if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
- - pipeline:
- name: '{{ IngestPipeline "cp-pipeline" }}'
- if: "ctx.cef?.device?.vendor == 'Check Point'"
- - community_id: {}
-
- #
- # Timestamp parsing.
- #
- - grok:
- # decode_cef sets @timestamp when deviceReceiptTime is provided.
- description: Extract timestamp from log header when deviceReceiptTime not given.
- if: ctx?.cef?.extensions?.deviceReceiptTime == null
- field: event.original
- patterns:
- - '^%{SYSLOG_TIMESTAMP} '
- - '^%{ECS_SYSLOG_PRI}%{SYSLOG_TIMESTAMP} ' # RFC3164
- - '^%{ECS_SYSLOG_PRI}%{NONNEGINT} %{SYSLOG_TIMESTAMP} ' # RFC5224
- pattern_definitions:
- ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>'
- SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})'
- ignore_failure: true
- - date:
- if: ctx?._tmp?.timestamp8601 != null
- field: _tmp.timestamp8601
- formats:
- - ISO8601
- - date:
- if: ctx?._tmp?.timestamp != null
- field: _tmp.timestamp
- formats:
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- - remove:
- field:
- - _tmp
- ignore_failure: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - remove:
- field:
- - _tmp
- ignore_failure: true
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml b/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml
deleted file mode 100755
index f87d217328..0000000000
--- a/packages/cef/2.0.1/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for Forcepoint CEF
-
-processors:
- # cs1 is ruleID
- - set:
- field: rule.id
- value: "{{cef.extensions.deviceCustomString1}}"
- ignore_empty_value: true
-
- # cs2 is natRuleID
- - set:
- field: rule.id
- value: "{{cef.extensions.deviceCustomString2}}"
- ignore_empty_value: true
-
- # cs3 is VulnerabilityReference
- - set:
- field: vulnerability.reference
- value: "{{cef.extensions.deviceCustomString3}}"
- ignore_empty_value: true
-
- # cs4 is virusID
- - set:
- field: cef.forcepoint.virus_id
- value: "{{cef.extensions.deviceCustomString4}}"
- ignore_empty_value: true
diff --git a/packages/cef/2.0.1/data_stream/log/fields/agent.yml b/packages/cef/2.0.1/data_stream/log/fields/agent.yml
deleted file mode 100755
index d03a5f0211..0000000000
--- a/packages/cef/2.0.1/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/cef/2.0.1/data_stream/log/fields/base-fields.yml b/packages/cef/2.0.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 88e15e9046..0000000000
--- a/packages/cef/2.0.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cef
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cef.log
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cef/2.0.1/data_stream/log/fields/ecs.yml b/packages/cef/2.0.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index ef39445ca3..0000000000
--- a/packages/cef/2.0.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,348 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: Unique identifier for the group on the system/platform. 
- name: destination.user.group.id - type: keyword -- description: Name of the group. - name: destination.user.group.name - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - type: keyword -- description: The email address of recipient - name: email.to.address - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: Primary group name of the file. - name: file.group - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. 
- name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
- name: rule.id - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - name: rule.uuid - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. 
- name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier for the group on the system/platform. - name: source.user.group.id - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: event.risk_score - type: float -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
- name: event.severity
- type: long
diff --git a/packages/cef/2.0.1/data_stream/log/fields/fields.yml b/packages/cef/2.0.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 0d1a9f79ec..0000000000
--- a/packages/cef/2.0.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,331 +0,0 @@ -- name: cef.name - type: keyword -- name: cef.severity - type: keyword -- name: cef.version - type: keyword -- name: destination.service.name - type: keyword -- name: source.service.name - type: keyword -- name: cef.forcepoint - type: group - fields: - - name: virus_id - type: keyword - description: | - Virus ID -- name: checkpoint - type: group - fields: - - name: app_risk - type: keyword - description: Application risk. - - name: app_severity - type: keyword - description: Application threat severity. - - name: app_sig_id - type: keyword - description: The signature ID which the application was detected by. - - name: auth_method - type: keyword - description: Password authentication protocol used. - - name: category - type: keyword - description: Category. - - name: confidence_level - type: integer - description: Confidence level determined. - - name: connectivity_state - type: keyword - description: Connectivity state. - - name: cookie - type: keyword - description: IKE cookie. - - name: dst_phone_number - type: keyword - description: Destination IP-Phone. - - name: email_control - type: keyword - description: Engine name. - - name: email_id - type: keyword - description: Internal email ID. - - name: email_recipients_num - type: long - description: Number of recipients. - - name: email_session_id - type: keyword - description: Internal email session ID. - - name: email_spool_id - type: keyword - description: Internal email spool ID. - - name: email_subject - type: keyword - description: Email subject. - - name: event_count - type: long - description: Number of events associated with the log. - - name: frequency - type: keyword - description: Scan frequency. - - name: icmp_type - type: long - description: ICMP type. - - name: icmp_code - type: long - description: ICMP code. - - name: identity_type - type: keyword - description: Identity type. - - name: incident_extension - type: keyword - description: Format of original data. 
- - name: integrity_av_invoke_type - type: keyword - description: Scan invoke type. - - name: malware_family - type: keyword - description: Malware family. - - name: peer_gateway - type: ip - description: Main IP of the peer Security Gateway. - - name: performance_impact - type: integer - description: Protection performance impact. - - name: protection_id - type: keyword - description: Protection malware ID. - - name: protection_name - type: keyword - description: Specific signature name of the attack. - - name: protection_type - type: keyword - description: Type of protection used to detect the attack. - - name: scan_result - type: keyword - description: Scan result. - - name: sensor_mode - type: keyword - description: Sensor mode. - - name: severity - type: keyword - description: Threat severity. - - name: spyware_name - type: keyword - description: Spyware name. - - name: spyware_status - type: keyword - description: Spyware status. - - name: subs_exp - type: date - description: The expiration date of the subscription. - - name: tcp_flags - type: keyword - description: TCP packet flags. - - name: termination_reason - type: keyword - description: Termination reason. - - name: update_status - type: keyword - description: Update status. - - name: user_status - type: keyword - description: User response. - - name: uuid - type: keyword - description: External ID. - - name: virus_name - type: keyword - description: Virus name. - - name: voip_log_type - type: keyword - description: VoIP log types. 
-- name: cef.device - type: group - fields: - - name: event_class_id - type: keyword - - name: product - type: keyword - - name: vendor - type: keyword - - name: version - type: keyword -- name: cef.extensions - type: group - fields: - - name: cp_app_risk - type: keyword - - name: cp_severity - type: keyword - - name: ifname - type: keyword - - name: inzone - type: keyword - - name: layer_uuid - type: keyword - - name: layer_name - type: keyword - - name: logid - type: keyword - - name: loguid - type: keyword - - name: match_id - type: keyword - - name: nat_addtnl_rulenum - type: keyword - - name: nat_rulenum - type: keyword - - name: origin - type: keyword - - name: originsicname - type: keyword - - name: outzone - type: keyword - - name: parent_rule - type: keyword - - name: product - type: keyword - - name: rule_action - type: keyword - - name: rule_uid - type: keyword - - name: sequencenum - type: keyword - - name: service_id - type: keyword - - name: version - type: keyword - - name: applicationProtocol - type: keyword - - name: categoryDeviceGroup - type: keyword - - name: categoryTechnique - type: keyword - - name: deviceEventCategory - type: keyword - - name: sourceNtDomain - type: keyword - - name: destinationNtDomain - type: keyword - - name: categoryOutcome - type: keyword - - name: categorySignificance - type: keyword - - name: categoryObject - type: keyword - - name: categoryBehavior - type: keyword - - name: categoryDeviceType - type: keyword - - name: baseEventCount - type: keyword - - name: bytesIn - type: long - - name: bytesOut - type: long - - name: destinationAddress - type: ip - - name: destinationPort - type: long - - name: destinationServiceName - type: keyword - - name: destinationTranslatedAddress - type: ip - - name: destinationTranslatedPort - type: long - - name: destinationUserName - type: keyword - - name: destinationUserPrivileges - type: keyword - - name: deviceAction - type: keyword - - name: deviceAddress - type: ip - - name: 
deviceCustomDate2 - type: keyword - - name: deviceCustomDate2Label - type: keyword - - name: deviceCustomIPv6Address2 - type: ip - - name: deviceCustomIPv6Address2Label - type: keyword - - name: deviceCustomIPv6Address3 - type: ip - - name: deviceCustomIPv6Address3Label - type: keyword - - name: deviceCustomNumber1 - type: long - - name: deviceCustomNumber1Label - type: keyword - - name: deviceCustomNumber2 - type: long - - name: deviceCustomNumber2Label - type: keyword - - name: deviceCustomString1 - type: keyword - - name: deviceCustomString1Label - type: keyword - - name: deviceCustomString2 - type: keyword - - name: deviceCustomString2Label - type: keyword - - name: deviceCustomString3 - type: keyword - - name: deviceCustomString3Label - type: keyword - - name: deviceCustomString4 - type: keyword - - name: deviceCustomString4Label - type: keyword - - name: deviceCustomString5 - type: keyword - - name: deviceCustomString5Label - type: keyword - - name: deviceDirection - type: long - - name: deviceExternalId - type: keyword - - name: deviceFacility - type: keyword - - name: deviceHostName - type: keyword - - name: deviceOutboundInterface - type: keyword - - name: deviceReceiptTime - type: keyword - - name: eventId - type: long - - name: fileHash - type: keyword - - name: message - type: keyword - - name: oldFileHash - type: keyword - - name: requestContext - type: keyword - - name: requestMethod - type: keyword - - name: requestUrl - type: keyword - - name: sourceAddress - type: ip - - name: sourceGeoLatitude - type: long - - name: sourceGeoLongitude - type: long - - name: sourcePort - type: long - - name: sourceServiceName - type: keyword - - name: sourceTranslatedAddress - type: ip - - name: sourceTranslatedPort - type: long - - name: sourceUserName - type: keyword - - name: sourceUserPrivileges - type: keyword - - name: transportProtocol - type: keyword 
diff --git a/packages/cef/2.0.1/data_stream/log/manifest.yml b/packages/cef/2.0.1/data_stream/log/manifest.yml
deleted file mode 100755
index 8383dac3ad..0000000000
--- a/packages/cef/2.0.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,104 +0,0 @@ -type: logs -title: CEF log logs -streams: - - input: logfile - template_path: log.yml.hbs - title: CEF logs - description: Collect CEF logs using log input - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/cef.log - - name: decode_cef_timezone - type: text - title: CEF Timezone - multi: false - required: false - show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. - - name: tags - type: text - title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. - multi: true - required: true - show_user: false - default: - - cef - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: udp - template_path: udp.yml.hbs - title: CEF logs - description: Collect CEF logs using udp input - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces. 
- multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The UDP port to listen for syslog traffic. - multi: false - required: true - show_user: true - default: 9003 - - name: decode_cef_timezone - type: text - title: CEF Timezone - multi: false - required: false - show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. - - name: tags - type: text - title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. - multi: true - required: true - show_user: false - default: - - cef - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cef/2.0.1/data_stream/log/sample_event.json b/packages/cef/2.0.1/data_stream/log/sample_event.json deleted file mode 100755 index 646c57c770..0000000000 --- a/packages/cef/2.0.1/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "@timestamp": "2021-04-01T05:14:15.000Z", - "agent": { - "ephemeral_id": "bf532e11-e38a-4c2a-9454-3250f8c4a13a", - "id": "4ef3d20e-66f0-4723-b86d-512327135b90", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "cef": { - "device": { - "event_class_id": "18", - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "extensions": { - "message": "rfc3164" - }, - "name": "Web request", - "severity": "low", - "version": "0" - }, - "data_stream": { - "dataset": "cef.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4ef3d20e-66f0-4723-b86d-512327135b90", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "code": "18", - "dataset": "cef.log", - "ingested": "2021-12-25T05:51:11Z", - "severity": 0 - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.29.0.5:50445" - }, - "syslog": { - "priority": 163 - } - }, - "message": "rfc3164", - "observer": { - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "tags": [ - "cef", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/cef/2.0.1/docs/README.md b/packages/cef/2.0.1/docs/README.md deleted file mode 100755 index d5d17a86d4..0000000000 --- a/packages/cef/2.0.1/docs/README.md +++ /dev/null 
@@ -1,474 +0,0 @@ -# Common Event Format (CEF) Integration - -This is an integration for parsing Common Event Format (CEF) data. It can accept -data over syslog or read it from a file. - -CEF data is a format like - -`CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -When syslog is used as the transport the CEF data becomes the message that is -contained in the syslog envelope. This integration will parse the syslog -timestamp if it is present. Depending on the syslog RFC used the message will -have a format like one of these: - -`<189> Jun 18 10:55:50 host CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -`<189>1 2021-06-18T10:55:50.000003Z host app - - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -In both cases the integration will use the syslog timestamp as the `@timestamp` -unless the CEF data contains a device receipt timestamp. - -The Elastic Agent's `decode_cef` processor is applied to parse the CEF encoded -data. The decoded data is written into a `cef` object field. Lastly any Elastic -Common Schema (ECS) fields that can be populated with the CEF data are -populated. - -## Compatibility - -### Forcepoint NGFW Security Management Center - -This module will process CEF data from Forcepoint NGFW Security Management -Center (SMC). In the SMC configure the logs to be forwarded to the address set -in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`. -Instructions can be found in [KB -15002](https://support.forcepoint.com/KBArticle?id=000015002) for configuring -the SMC. - -Testing was done with CEF logs from SMC version 6.6.1 and custom string mappings -were taken from 'CEF Connector Configuration Guide' dated December 5, 2011. 
- -### Check Point devices - -This module will parse CEF data from Check Point devices as documented in [Log -Exporter CEF Field -Mappings](https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060). - -Check Point CEF extensions are mapped as follows: - - -| CEF Extension | CEF Label value | ECS Fields | Non-ECS Field | -|----------------------------|-----------------------------|--------------------------|--------------------------------| -| cp_app_risk | - | event.risk_score | checkpoint.app_risk | -| cp_severity | - | event.severity | checkpoint.severity | -| baseEventCount | - | - | checkpoint.event_count | -| deviceExternalId | - | observer.type | - | -| deviceFacility | - | observer.type | - | -| deviceInboundInterface | - | observer.ingress.interface.name | - | -| deviceOutboundInterface | - | observer.egress.interface.name | - | -| externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.\{md5,sha1\} | - | -| reason | - | - | checkpoint.termination_reason | -| requestCookies | - | - | checkpoint.cookie | -| sourceNtDomain | - | dns.question.name | - | -| Signature | - | vulnerability.id | - | -| Recipient | - | email.to.address | - | -| Sender | - | email.from.address | - | -| deviceCustomFloatingPoint1 | update version | observer.version | - | -| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | -| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -| deviceCustomNumber1 | elapsed time in seconds | event.duration | - | -| deviceCustomNumber1 | email recipients number | - | checkpoint.email_recipients_num | -| deviceCustomNumber1 | payload | network.bytes | - | -| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | -| deviceCustomNumber2 | duration in seconds | event.duration | - | -| deviceCustomNumber3 | icmp code | - | checkpoint.icmp_code | -| deviceCustomString1 | connectivity state | - | checkpoint.connectivity_state | -| deviceCustomString1 | 
application rule name | rule.name | - | -| deviceCustomString1 | threat prevention rule name | rule.name | - | -| deviceCustomString1 | voip log type | - | checkpoint.voip_log_type | -| deviceCustomString1 | dlp rule name | rule.name | - | -| deviceCustomString1 | email id | - | checkpoint.email_id | -| deviceCustomString2 | category | - | checkpoint.category | -| deviceCustomString2 | email subject | email.subject | checkpoint.email_subject | -| deviceCustomString2 | sensor mode | - | checkpoint.sensor_mode | -| deviceCustomString2 | protection id | - | checkpoint.protection_id | -| deviceCustomString2 | scan invoke type | - | checkpoint.integrity_av_invoke_type | -| deviceCustomString2 | update status | - | checkpoint.update_status | -| deviceCustomString2 | peer gateway | - | checkpoint.peer_gateway | -| deviceCustomString2 | categories | rule.category | - | -| deviceCustomString6 | application name | network.application | - | -| deviceCustomString6 | virus name | - | checkpoint.virus_name | -| deviceCustomString6 | malware name | - | checkpoint.spyware_name | -| deviceCustomString6 | malware family | - | checkpoint.malware_family | -| deviceCustomString3 | user group | group.name | - | -| deviceCustomString3 | incident extension | - | checkpoint.incident_extension | -| deviceCustomString3 | protection type | - | checkpoint.protection_type | -| deviceCustomString3 | email spool id | - | checkpoint.email_spool_id | -| deviceCustomString3 | identity type | - | checkpoint.identity_type | -| deviceCustomString4 | malware status | - | checkpoint.spyware_status | -| deviceCustomString4 | threat prevention rule id | rule.id | - | -| deviceCustomString4 | scan result | - | checkpoint.scan_result | -| deviceCustomString4 | tcp flags | - | checkpoint.tcp_flags | -| deviceCustomString4 | destination os | os.name | - | -| deviceCustomString4 | protection name | - | checkpoint.protection_name | -| deviceCustomString4 | email control | - | checkpoint.email_control | -| 
deviceCustomString4 | frequency | - | checkpoint.frequency | -| deviceCustomString4 | user response | - | checkpoint.user_status | -| deviceCustomString5 | matched category | rule.category | - | -| deviceCustomString5 | vlan id | network.vlan.id | - | -| deviceCustomString5 | authentication method | - | checkpoint.auth_method | -| deviceCustomString5 | email session id | email.message_id | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | -| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | -| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | -| deviceFlexNumber2 | destination phone number | - | checkpoint.dst_phone_number | -| flexString1 | application signature id | - | checkpoint.app_sig_id | -| flexString2 | malware action | rule.description | - | -| flexString2 | attack information | event.action | - | -| rule_uid | - | rule.uuid | - | -| ifname | - | observer.ingress.interface.name | - | -| inzone | - | observer.ingress.zone | - | -| outzone | - | observer.egress.zone | - | -| product | - | observer.product | - | - -## Logs - -### CEF log - -This is the CEF `log` dataset. 
- -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-04-01T05:14:15.000Z", - "agent": { - "ephemeral_id": "bf532e11-e38a-4c2a-9454-3250f8c4a13a", - "id": "4ef3d20e-66f0-4723-b86d-512327135b90", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "cef": { - "device": { - "event_class_id": "18", - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "extensions": { - "message": "rfc3164" - }, - "name": "Web request", - "severity": "low", - "version": "0" - }, - "data_stream": { - "dataset": "cef.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4ef3d20e-66f0-4723-b86d-512327135b90", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "code": "18", - "dataset": "cef.log", - "ingested": "2021-12-25T05:51:11Z", - "severity": 0 - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.29.0.5:50445" - }, - "syslog": { - "priority": 163 - } - }, - "message": "rfc3164", - "observer": { - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "tags": [ - "cef", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cef.device.event_class_id | | keyword | -| cef.device.product | | keyword | -| cef.device.vendor | | keyword | -| cef.device.version | | keyword | -| cef.extensions.applicationProtocol | | keyword | -| cef.extensions.baseEventCount | | keyword | -| cef.extensions.bytesIn | | long | -| cef.extensions.bytesOut | | long | -| cef.extensions.categoryBehavior | | keyword | -| cef.extensions.categoryDeviceGroup | | keyword | -| cef.extensions.categoryDeviceType | | keyword | -| cef.extensions.categoryObject | | keyword | -| cef.extensions.categoryOutcome | | keyword | -| cef.extensions.categorySignificance | | keyword | -| cef.extensions.categoryTechnique | | keyword | -| cef.extensions.cp_app_risk | | keyword | -| cef.extensions.cp_severity | | keyword | -| cef.extensions.destinationAddress | | ip | -| cef.extensions.destinationNtDomain | | keyword | -| cef.extensions.destinationPort | | long | -| cef.extensions.destinationServiceName | | keyword | -| cef.extensions.destinationTranslatedAddress | | ip | -| cef.extensions.destinationTranslatedPort | | long | -| cef.extensions.destinationUserName | | keyword | -| cef.extensions.destinationUserPrivileges | | keyword | -| cef.extensions.deviceAction | | keyword | -| cef.extensions.deviceAddress | | ip | -| cef.extensions.deviceCustomDate2 | | keyword | -| cef.extensions.deviceCustomDate2Label | | keyword | -| cef.extensions.deviceCustomIPv6Address2 | | ip | -| cef.extensions.deviceCustomIPv6Address2Label | | keyword | -| cef.extensions.deviceCustomIPv6Address3 | | ip | -| cef.extensions.deviceCustomIPv6Address3Label | | keyword | -| cef.extensions.deviceCustomNumber1 | | long | -| cef.extensions.deviceCustomNumber1Label | | keyword | -| cef.extensions.deviceCustomNumber2 | | long | -| cef.extensions.deviceCustomNumber2Label | | keyword | -| cef.extensions.deviceCustomString1 | | keyword | -| cef.extensions.deviceCustomString1Label | | keyword | -| cef.extensions.deviceCustomString2 | | keyword | -| 
cef.extensions.deviceCustomString2Label | | keyword | -| cef.extensions.deviceCustomString3 | | keyword | -| cef.extensions.deviceCustomString3Label | | keyword | -| cef.extensions.deviceCustomString4 | | keyword | -| cef.extensions.deviceCustomString4Label | | keyword | -| cef.extensions.deviceCustomString5 | | keyword | -| cef.extensions.deviceCustomString5Label | | keyword | -| cef.extensions.deviceDirection | | long | -| cef.extensions.deviceEventCategory | | keyword | -| cef.extensions.deviceExternalId | | keyword | -| cef.extensions.deviceFacility | | keyword | -| cef.extensions.deviceHostName | | keyword | -| cef.extensions.deviceOutboundInterface | | keyword | -| cef.extensions.deviceReceiptTime | | keyword | -| cef.extensions.eventId | | long | -| cef.extensions.fileHash | | keyword | -| cef.extensions.ifname | | keyword | -| cef.extensions.inzone | | keyword | -| cef.extensions.layer_name | | keyword | -| cef.extensions.layer_uuid | | keyword | -| cef.extensions.logid | | keyword | -| cef.extensions.loguid | | keyword | -| cef.extensions.match_id | | keyword | -| cef.extensions.message | | keyword | -| cef.extensions.nat_addtnl_rulenum | | keyword | -| cef.extensions.nat_rulenum | | keyword | -| cef.extensions.oldFileHash | | keyword | -| cef.extensions.origin | | keyword | -| cef.extensions.originsicname | | keyword | -| cef.extensions.outzone | | keyword | -| cef.extensions.parent_rule | | keyword | -| cef.extensions.product | | keyword | -| cef.extensions.requestContext | | keyword | -| cef.extensions.requestMethod | | keyword | -| cef.extensions.requestUrl | | keyword | -| cef.extensions.rule_action | | keyword | -| cef.extensions.rule_uid | | keyword | -| cef.extensions.sequencenum | | keyword | -| cef.extensions.service_id | | keyword | -| cef.extensions.sourceAddress | | ip | -| cef.extensions.sourceGeoLatitude | | long | -| cef.extensions.sourceGeoLongitude | | long | -| cef.extensions.sourceNtDomain | | keyword | -| cef.extensions.sourcePort | | 
long | -| cef.extensions.sourceServiceName | | keyword | -| cef.extensions.sourceTranslatedAddress | | ip | -| cef.extensions.sourceTranslatedPort | | long | -| cef.extensions.sourceUserName | | keyword | -| cef.extensions.sourceUserPrivileges | | keyword | -| cef.extensions.transportProtocol | | keyword | -| cef.extensions.version | | keyword | -| cef.forcepoint.virus_id | Virus ID | keyword | -| cef.name | | keyword | -| cef.severity | | keyword | -| cef.version | | keyword | -| checkpoint.app_risk | Application risk. | keyword | -| checkpoint.app_severity | Application threat severity. | keyword | -| checkpoint.app_sig_id | The signature ID which the application was detected by. | keyword | -| checkpoint.auth_method | Password authentication protocol used. | keyword | -| checkpoint.category | Category. | keyword | -| checkpoint.confidence_level | Confidence level determined. | integer | -| checkpoint.connectivity_state | Connectivity state. | keyword | -| checkpoint.cookie | IKE cookie. | keyword | -| checkpoint.dst_phone_number | Destination IP-Phone. | keyword | -| checkpoint.email_control | Engine name. | keyword | -| checkpoint.email_id | Internal email ID. | keyword | -| checkpoint.email_recipients_num | Number of recipients. | long | -| checkpoint.email_session_id | Internal email session ID. | keyword | -| checkpoint.email_spool_id | Internal email spool ID. | keyword | -| checkpoint.email_subject | Email subject. | keyword | -| checkpoint.event_count | Number of events associated with the log. | long | -| checkpoint.frequency | Scan frequency. | keyword | -| checkpoint.icmp_code | ICMP code. | long | -| checkpoint.icmp_type | ICMP type. | long | -| checkpoint.identity_type | Identity type. | keyword | -| checkpoint.incident_extension | Format of original data. | keyword | -| checkpoint.integrity_av_invoke_type | Scan invoke type. | keyword | -| checkpoint.malware_family | Malware family. 
| keyword | -| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip | -| checkpoint.performance_impact | Protection performance impact. | integer | -| checkpoint.protection_id | Protection malware ID. | keyword | -| checkpoint.protection_name | Specific signature name of the attack. | keyword | -| checkpoint.protection_type | Type of protection used to detect the attack. | keyword | -| checkpoint.scan_result | Scan result. | keyword | -| checkpoint.sensor_mode | Sensor mode. | keyword | -| checkpoint.severity | Threat severity. | keyword | -| checkpoint.spyware_name | Spyware name. | keyword | -| checkpoint.spyware_status | Spyware status. | keyword | -| checkpoint.subs_exp | The expiration date of the subscription. | date | -| checkpoint.tcp_flags | TCP packet flags. | keyword | -| checkpoint.termination_reason | Termination reason. | keyword | -| checkpoint.update_status | Update status. | keyword | -| checkpoint.user_status | User response. | keyword | -| checkpoint.uuid | External ID. | keyword | -| checkpoint.virus_name | Virus name. | keyword | -| checkpoint.voip_log_type | VoIP log types. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. 
| long | -| destination.port | Port of the destination. | long | -| destination.service.name | | keyword | -| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| destination.user.group.name | Name of the group. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| file.group | Primary group name of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.type | File type (file, dir, or symlink). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. 
Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.service.name | | keyword | -| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - diff --git a/packages/cef/2.0.1/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json b/packages/cef/2.0.1/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json deleted file mode 100755 index c44bda0cc2..0000000000 --- a/packages/cef/2.0.1/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "attributes": { - "description": "Overview of Microsoft DNS activity via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 
108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\"
,\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\
\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Microsoft DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-56428e01-0c47-4770-8ba4-9345a029ea41", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", - "name": 
"3:panel_3", - "type": "visualization" - }, - { - "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json b/packages/cef/2.0.1/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json deleted file mode 100755 index e740d26d0b..0000000000 --- a/packages/cef/2.0.1/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "attributes": { - "description": "Operating system activity from endpoints via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 
110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#447EBC\",\"/Failure\":\"#E24D42\",\"/Success\":\"#7EB26D\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event 
Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Endpoint OS Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9e352900-89c3-4c1b-863e-249e24d0dac9", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", - "name": "3:panel_3", - "type": "visualization" 
- }, - { - "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json b/packages/cef/2.0.1/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json deleted file mode 100755 index 3fa223db88..0000000000 
--- a/packages/cef/2.0.1/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "attributes": { - "description": "Summary of ArcSight endpoint event data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"cef.extensions.categoryOutcome\",\"cef.extensions.categorySignificance\",\"cef.extensions.categoryObject\",\"cef.extensions.categoryBehavior\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":76},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Operating System\":\"#BF1B00\",\"Security 
Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#629E51\",\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#BF1B00\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Event [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Endpoint Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", 
- "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "9:panel_9", - "type": "search" - }, - { - "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json b/packages/cef/2.0.1/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json deleted file mode 100755 index 153645a090..0000000000 --- a/packages/cef/2.0.1/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "Suspicious network activity overview via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enh
ancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Network Suspicious Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-db1e1aca-279e-4ecc-b84e-fe58644f7619", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": 
"cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "name": "17:panel_17", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json b/packages/cef/2.0.1/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json deleted file mode 100755 index 9c26408568..0000000000 --- a/packages/cef/2.0.1/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json +++ /dev/null 
@@ -1,113 +0,0 @@ -{ - "attributes": { - "description": "Network data overview via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":68},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":32,\"x\":0,\"y\":32},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EF843C\",\"Content Security\":\"#7EB26D\",\"Firewall\":\"#E24D42\",\"Integrated Security\":\"#962D82\",\"Network-based IDS/IPS\":\"#1F78C1\",\"Operating 
System\":\"#1F78C1\",\"VPN\":\"#EAB839\"}}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":76},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":76},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"1fc250c2-4990-401e-b70
9-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"
mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Network Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-dd0bc9af-2e89-4150-9b42-62517ea56b71", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": 
"cef-f5258de9-71f7-410f-b713-201007f77470", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json b/packages/cef/2.0.1/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json deleted file mode 100755 index cf5b2ee7e4..0000000000 --- a/packages/cef/2.0.1/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryTechnique", - "cef.extensions.categoryOutcome", - "cef.extensions.categorySignificance", - "cef.extensions.categoryObject", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint Event Explorer [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json b/packages/cef/2.0.1/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json deleted file mode 100755 index dad033d27d..0000000000 --- a/packages/cef/2.0.1/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "priority", - "message", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.application", - "message", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "cef.extensions.deviceAddress", - "cef.device.product", - "cef.device.vendor", - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"terms\\\":{\\\"cef.extensions.categoryDeviceGroup\\\":[\\\"/VPN\\\",\\\"/IDS/Network\\\",\\\"/Firewall\\\"]}}\"},\"query\":{\"terms\":{\"cef.extensions.categoryDeviceGroup\":[\"/VPN\",\"/IDS/Network\",\"/Firewall\"]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Network Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json b/packages/cef/2.0.1/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json deleted file mode 100755 index 9082a5e861..0000000000 
--- a/packages/cef/2.0.1/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "message", - "cef.device.event_class_id", - "cef.extensions.deviceEventCategory", - "source.user.name", - "destination.user.name", - "destination.domain", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "cef.extensions.sourceNtDomain", - "cef.extensions.destinationNtDomain" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint - OS Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json b/packages/cef/2.0.1/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json deleted file mode 100755 index 74d6b3c820..0000000000 --- a/packages/cef/2.0.1/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "destination.ip", - "destination.port", - "destination.domain", - "cef.device.event_class_id", - "cef.extensions.deviceCustomString1Label", - "cef.extensions.deviceCustomString1", - "cef.extensions.deviceCustomString2Label", - "cef.extensions.deviceCustomString2", - "cef.extension.deviceCustomString3Label", - "cef.extension.deviceCustomString3", - "cef.extension.deviceCustomString4Label", - "cef.extension.deviceCustomString4", - "cef.extensions.deviceEventCategory", - "event.severity", - "source.ip", - "source.port", - "network.transport", - "source.bytes", - "url.original" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Microsoft DNS Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json b/packages/cef/2.0.1/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json deleted file mode 100755 index f7372f962e..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Source Countries [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json b/packages/cef/2.0.1/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json deleted file mode 100755 index e4e3fbc58d..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json b/packages/cef/2.0.1/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json deleted file mode 100755 index bec9522083..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Bandwidth Utilization [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json b/packages/cef/2.0.1/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json deleted file mode 100755 index 702933c209..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcomes [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event 
Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json b/packages/cef/2.0.1/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json deleted file mode 100755 index bba67eb563..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"cef.extensions.categoryDeviceType: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes by Device Type [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json b/packages/cef/2.0.1/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json deleted file mode 100755 index 1f0e2fde5c..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Ports [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json b/packages/cef/2.0.1/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json deleted file mode 100755 index ec2f257b88..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint OS Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"cef.extensions.categoryOutcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json b/packages/cef/2.0.1/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json deleted file mode 100755 index a3f9d219f4..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Direction [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json b/packages/cef/2.0.1/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json deleted file mode 100755 index db7522dd38..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destinations by Events [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-1b521f56-8089-433f-88f7-56aba867e07d", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json b/packages/cef/2.0.1/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json deleted file mode 100755 index 6c04dc9028..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json b/packages/cef/2.0.1/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json deleted file mode 100755 index 3b90350ff6..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "DNS Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json b/packages/cef/2.0.1/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json deleted file mode 100755 index 401dfbed0a..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json b/packages/cef/2.0.1/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json deleted file mode 100755 index 1697d134c5..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 15 Event Types by Events [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json b/packages/cef/2.0.1/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json deleted file mode 100755 index c52b647746..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Event [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json b/packages/cef/2.0.1/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json deleted file mode 100755 index 63e38a3cff..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Destinations [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json b/packages/cef/2.0.1/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json deleted file mode 100755 index 5ec0797be6..0000000000 
--- a/packages/cef/2.0.1/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Network - Event Throughput [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event 
Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json b/packages/cef/2.0.1/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json deleted file mode 100755 index 563c47bef0..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Type Breakdown [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Type Breakdown [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json b/packages/cef/2.0.1/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json deleted file mode 100755 index a2085e9b19..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND 
_exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event 
Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json b/packages/cef/2.0.1/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json deleted file mode 100755 index 0614970e4b..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json b/packages/cef/2.0.1/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json deleted file mode 100755 index b0e9b3c257..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json b/packages/cef/2.0.1/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json deleted file mode 100755 index 86b518c893..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Source Locations by Events [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"customLabel\":\"Source Location\",\"field\":\"source.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json b/packages/cef/2.0.1/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json deleted file mode 100755 index 5c7272c0cb..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destinations by Traffic Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json b/packages/cef/2.0.1/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json deleted file mode 100755 index 5d58895fd2..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Sources by Events [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json b/packages/cef/2.0.1/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json deleted file mode 100755 index bb3e848ce7..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json b/packages/cef/2.0.1/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json deleted file mode 100755 index 38ac936b78..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Source Users by Event Type and Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User 
Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json b/packages/cef/2.0.1/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json deleted file mode 100755 index 558660d19f..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes by User Names [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#64B0C8\",\"Anti-Virus\":\"#B7DBAB\",\"Host-based IDS/IPS\":\"#629E51\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#3F6833\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#CFFAFF\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Outcomes by User Names [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json b/packages/cef/2.0.1/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json deleted file mode 100755 index 0a393d6652..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Events by Source and Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination 
Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json b/packages/cef/2.0.1/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json deleted file mode 100755 index cc03e710d3..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users by Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json b/packages/cef/2.0.1/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json deleted file mode 100755 index 834908bc67..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json b/packages/cef/2.0.1/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json deleted file mode 100755 index 9518a579c1..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host 
IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json b/packages/cef/2.0.1/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json deleted file mode 100755 index c978cbecff..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json b/packages/cef/2.0.1/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json deleted file mode 100755 index dc2ddd1c89..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Source Countries [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json b/packages/cef/2.0.1/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json deleted file mode 100755 index 09e0d6ff6a..0000000000 
--- a/packages/cef/2.0.1/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Event Types [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json b/packages/cef/2.0.1/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json deleted file mode 100755 index 7ba2b39a50..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint - OS Average EPS [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - OS Average EPS [Logs CEF 
ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json b/packages/cef/2.0.1/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json deleted file mode 100755 index fa5dcd2adc..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Behaviors by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": 
"cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json b/packages/cef/2.0.1/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json deleted file mode 100755 index 86943ae981..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DNS - Event Throughput [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json b/packages/cef/2.0.1/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json deleted file mode 100755 index 899b95824b..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json b/packages/cef/2.0.1/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json deleted file mode 100755 index 34d704fef6..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json b/packages/cef/2.0.1/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json deleted file mode 100755 index dd63b9809f..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes Breakdown [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Attempt\":\"#3F2B5B\",\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF 
ArcSight]\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json b/packages/cef/2.0.1/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json deleted file mode 100755 index 08b966f09b..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destination Locations by Events [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-8b31af8b-522e-41fe-b9d6-9a3451b54108", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json b/packages/cef/2.0.1/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json deleted file mode 100755 index 1f8c398abc..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json b/packages/cef/2.0.1/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json deleted file mode 100755 index f4f5f6eadc..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Events [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json b/packages/cef/2.0.1/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json deleted file mode 100755 index ab180b299a..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Vendors by Product [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json b/packages/cef/2.0.1/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json deleted file mode 100755 index 3da6c90cb1..0000000000 
--- a/packages/cef/2.0.1/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint Average EPS [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json b/packages/cef/2.0.1/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json deleted file mode 100755 index 001000873c..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Severity [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY 
HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json b/packages/cef/2.0.1/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json deleted file mode 100755 index 8ec3a53f1f..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json b/packages/cef/2.0.1/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json deleted file mode 100755 index a5448711e4..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall 
Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json b/packages/cef/2.0.1/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json deleted file mode 100755 index 42a376cff4..0000000000 
--- a/packages/cef/2.0.1/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destination Locations by Event [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-aaa80503-6d96-4a33-806f-b8a10aefe696", - "migrationVersion": { - "visualization": "7.10.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json b/packages/cef/2.0.1/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json deleted file mode 100755 index 71eae19918..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json b/packages/cef/2.0.1/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json deleted file mode 100755 index 8a888d067a..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcome by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json b/packages/cef/2.0.1/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json deleted file mode 100755 index 6601533058..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json b/packages/cef/2.0.1/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json deleted file mode 100755 index 4860454ee5..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Port [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json b/packages/cef/2.0.1/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json deleted file mode 100755 index bf65f0baac..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" 
\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json b/packages/cef/2.0.1/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json deleted file mode 100755 index f56ace942b..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json b/packages/cef/2.0.1/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json deleted file mode 100755 index 6cf6e86635..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json b/packages/cef/2.0.1/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json deleted file mode 100755 index 20bdf88f92..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Behaviors by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json b/packages/cef/2.0.1/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json deleted file mode 100755 index cb732f40b3..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device Types [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\"
:null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json b/packages/cef/2.0.1/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json deleted file mode 100755 index 5387593733..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Bandwidth [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json b/packages/cef/2.0.1/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json deleted file mode 100755 index 4c21032237..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Ports [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json b/packages/cef/2.0.1/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json deleted file mode 100755 index 827c7905e2..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events Types by Severity [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR 
cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR 
cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.1/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json b/packages/cef/2.0.1/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json deleted file mode 100755 index 5b23c7fb8e..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Size [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? 
params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json b/packages/cef/2.0.1/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json deleted file mode 100755 index aed8102339..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Application Protocols [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f5258de9-71f7-410f-b713-201007f77470", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json b/packages/cef/2.0.1/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json deleted file mode 100755 index 74a61138dc..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Types by Vendor [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"exclude\":\"\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Types by Vendor [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json b/packages/cef/2.0.1/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json deleted file mode 100755 index 32a6dda32a..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Unique Destinations and Ports by Source [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination 
Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json b/packages/cef/2.0.1/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json deleted file mode 100755 index cce501f750..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Event Types by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json b/packages/cef/2.0.1/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json deleted file mode 100755 index 0907dbbef8..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcomes [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json b/packages/cef/2.0.1/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json deleted file mode 100755 index df5b0a6e9f..0000000000 --- a/packages/cef/2.0.1/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcome by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.1/manifest.yml b/packages/cef/2.0.1/manifest.yml deleted file mode 100755 index 6ab7bed71d..0000000000 --- a/packages/cef/2.0.1/manifest.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: cef -title: CEF Logs -version: 2.0.1 -release: ga -description: Collect logs from CEF Logs with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: - - network - - security -conditions: - kibana.version: ^8.0.0 -policy_templates: - - name: cef - title: CEF logs - description: Collect logs from CEF instances - inputs: - - type: logfile - title: "Collect CEF application logs (input: logfile)" - description: "Collecting application logs from CEF instances (input: logfile)" - - type: udp - title: "Collect CEF application logs (input: udp)" - description: "Collecting application logs from CEF instances (input: udp)" -owner: - github: elastic/security-external-integrations diff --git a/packages/cef/2.0.2/changelog.yml b/packages/cef/2.0.2/changelog.yml deleted file mode 100755 index 21efa799eb..0000000000 --- a/packages/cef/2.0.2/changelog.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -# newer versions go on top -- version: "2.0.2" - changes: - - description: Improve field documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3465 -- version: "2.0.1" - changes: - - description: Clarify scope of dashboards - type: bugfix - link: https://github.com/elastic/integrations/pull/3470 -- version: "2.0.0" - changes: - - description: Migrate map visualisation from tile_map to map object - type: enhancement - link: https://github.com/elastic/integrations/pull/3263 -- version: "1.5.0" - changes: - - description: Update to ECS 8.2 by modifying Check Point events to use the new email field set. - type: enhancement - link: https://github.com/elastic/integrations/pull/2804 -- version: "1.4.3" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.4.2" - changes: - - description: Add field mappings for several `event.*` fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/2808 -- version: "1.4.1" - changes: - - description: Append pipeline errors to error.message instead of overwriting existing errors. - type: bugfix - link: https://github.com/elastic/integrations/pull/2789 -- version: "1.4.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2386 -- version: "1.3.1" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.3.0" - changes: - - description: Change test IPs to the supported set for GeoIP - type: enhancement - link: https://github.com/elastic/integrations/pull/2216 - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2216 -- version: "1.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1950 -- version: "1.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1802 -- version: "1.2.0" - changes: - - description: Add CEF time zone config option. - type: enhancement - link: https://github.com/elastic/integrations/pull/1723 -- version: "1.1.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1652 -- version: "1.0.0" - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1604 -- version: "0.5.2" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1469 -- version: '0.5.1' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1375 -- version: "0.5.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.4.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.3.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1255 -- version: "0.2.0" - changes: - - description: update to ECS 1.10.0 and adding event.original options. - type: enhancement - link: https://github.com/elastic/integrations/pull/1032 -- version: "0.1.0" - changes: - - description: Change syslog input to udp input. Add syslog timestamp parsing to Ingest Node pipeline. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/898 -- version: "0.0.4" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/838 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/418 diff --git a/packages/cef/2.0.2/data_stream/log/agent/stream/log.yml.hbs b/packages/cef/2.0.2/data_stream/log/agent/stream/log.yml.hbs deleted file mode 100755 index c9f24092e8..0000000000 --- a/packages/cef/2.0.2/data_stream/log/agent/stream/log.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -paths: - {{#each paths as |path i|}} -- {{path}} - {{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- rename: - fields: - - {from: "message", to: "event.original"} -- decode_cef: - field: event.original -{{#if decode_cef_timezone}} - timezone: {{ decode_cef_timezone }} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/cef/2.0.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/cef/2.0.2/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 4d71aa0234..0000000000 --- a/packages/cef/2.0.2/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,23 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -- rename: - fields: - - {from: "message", to: "event.original"} -- decode_cef: - field: event.original -{{#if decode_cef_timezone}} - timezone: {{ decode_cef_timezone }} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml b/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml deleted file mode 100755 index 8a53e9b0c7..0000000000 --- a/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml +++ /dev/null 
@@ -1,380 +0,0 @@ ---- -description: Pipeline for Check Point CEF - -processors: - # This script is mapping CEF extensions to ECS when possible. Otherwise - # it maps them to fields under the `checkpoint` group using Check Point log - # field names. - # - # [1] Description of Check Point CEF extensions: - # https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060 - # [2] Description of Check Point log field names (sk144192): - # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192 - # - # Note that in some cases the CEF extension name doesn't accurately describe - # its contents. For example sntdom/sourceNtDomain, which is used to store - # Check Point's domain_name, documented as "Domain name sent to DNS request". - # - # This script processes the `params.extensions` list below. This list consists - # of two different kinds of mappings, the simpler has a source ext `name` - # and a `to` field. It copies the given extension field to the target `to`. - # - # When the `labels` dict is defined, the target field depends on the value of - # the accompanying label field. For example, the field deviceCustomIPv6Address2 - # is mapped to `source.ip` only when the extension deviceCustomIPv6Address2Label - # exists and its value is "Source IPv6 Address". - # - # Also it can convert the destination value by simple mapping when the - # convert key exists. Values without an entry in the convert dict are not - # copied and the target field remains unset. - # - # The output of this processor is a single field, `_tmp_copy`, that contains - # a list of actions `{"to": "target_field", "value":"field value"}` that is - # later executed using a foreach processor. This is done to avoid complex - # de-dotting and other gotchas of setting arbitrary fields in Painless. 
- - script: - lang: painless - params: - extensions: - - name: cp_app_risk - to: checkpoint.app_risk - - - name: cp_app_risk - to: event.risk_score - # This mapping is a mix of [1] and [2] above. - convert: - unknown: 0 - informational: 0 - very-low: 1 - low: 2 - medium: 3 - high: 4 - very-high: 5 - critical: 5 - - - name: cp_severity - to: checkpoint.severity - - - name: cp_severity - to: event.severity - convert: - # This mapping is a mix of [1] and [2] above. - unknown: 0 - informational: 0 - very-low: 1 - low: 1 - medium: 2 - high: 3 - very-high: 4 - critical: 4 - - # Number of events associated with the log - - name: baseEventCount - to: checkpoint.event_count - - # Log type - - name: deviceExternalId - to: observer.type - - # Product Family (override deviceExternalId if present). - - name: deviceFacility - to: observer.type - convert: - '0': Network - '1': Endpoint - '2': Access - '3': Threat - '4': Mobile - - # Gateway interface, where the connection is received from in case of an outbound connection - - name: deviceInboundInterface - to: observer.ingress.interface.name - - # Gateway interface, where the connection is sent from, in case of an inbound connection - - name: deviceOutboundInterface - to: observer.egress.interface.name - - - name: externalId - to: checkpoint.uuid - - - name: fileHash - to: checkpoint.file_hash - - - name: reason - to: checkpoint.termination_reason - - # Possibly an IKE cookie - - name: requestCookies - to: checkpoint.cookie - - # Probably a typo in CP's CEF docs - - name: checkrequestCookies - to: checkpoint.cookie - - # Domain name sent to DNS request - - name: sourceNtDomain - to: dns.question.name - - # CVE registry entry - - name: Signature - to: vulnerability.id - - - name: Recipient - to: destination.user.email - - - name: Sender - to: source.user.email - - - name: deviceCustomFloatingPoint1 - labels: - update version: observer.version - - - name: deviceCustomIPv6Address2 - labels: - source ipv6 address: source.ip - - - 
name: deviceCustomIPv6Address3 - labels: - destination ipv6 address: destination.ip - - - name: deviceCustomNumber1 - labels: - payload: network.bytes - elapsed time in seconds: event.duration - email recipients number: checkpoint.email_recipients_num - - - name: deviceCustomNumber2 - labels: - duration in seconds: event.duration - icmp type: checkpoint.icmp_type - - - name: deviceCustomNumber3 - labels: - icmp code: checkpoint.icmp_code - - - name: deviceCustomString1 - labels: - application rule name: rule.name - dlp rule name: rule.name - threat prevention rule name: rule.name - connectivity state: checkpoint.connectivity_state - email id: checkpoint.email_id - voip log type: checkpoint.voip_log_type - - - name: deviceCustomString2 - labels: - # Protection malware id - protection id: checkpoint.protection_id - update status: checkpoint.update_status - email subject: checkpoint.email_subject - sensor mode: checkpoint.sensor_mode - scan invoke type: checkpoint.integrity_av_invoke_type - category: checkpoint.category - # Matched categories - categories: rule.category - peer gateway: checkpoint.peer_gateway - - - name: deviceCustomString6 - labels: - application name: network.application - virus name: checkpoint.virus_name - malware name: checkpoint.spyware_name - malware family: checkpoint.malware_family - - - name: deviceCustomString3 - labels: - user group: group.name - # Format of original data. 
- incident extension: checkpoint.incident_extension - identity type: checkpoint.identity_type - email spool id: checkpoint.email_spool_id - # Type of protection used to detect the attack - protection type: checkpoint.protection_type - - - name: deviceCustomString4 - labels: - malware status: checkpoint.spyware_status - destination os: os.name - scan result: checkpoint.scan_result - frequency: checkpoint.frequency - protection name: checkpoint.protection_name - user response: checkpoint.user_status - email control: checkpoint.email_control - tcp flags: checkpoint.tcp_flags - threat prevention rule id: rule.id - - - name: deviceCustomString5 - labels: - matched category: rule.category - authentication method: checkpoint.auth_method - email session id: checkpoint.email_session_id - vlan id: network.vlan.id - - - name: deviceCustomDate2 - labels: - subscription expiration: checkpoint.subs_exp - - - name: deviceFlexNumber1 - labels: - confidence: checkpoint.confidence_level - - - name: deviceFlexNumber2 - labels: - destination phone number: checkpoint.dst_phone_number - performance impact: checkpoint.performance_impact - - - name: flexString1 - labels: - application signature id: checkpoint.app_sig_id - - - name: flexString2 - labels: - malware action: rule.description - attack information: event.action - - - name: rule_uid - to: rule.uuid - - - name: ifname - to: observer.ingress.interface.name - - - name: inzone - to: observer.ingress.zone - - - name: outzone - to: observer.egress.zone - - - name: product - to: observer.product - - source: | - def actions = new ArrayList(); - def exts = ctx.cef?.extensions; - if (exts == null) return; - for (entry in params.extensions) { - def value = exts[entry.name]; - if (value == null || - (entry.convert != null && - (value=entry.convert[value.toLowerCase()]) == null)) - continue; - if (entry.to != null) { - actions.add([ - "value": value, - "to": entry.to - ]); - continue; - } - def label = exts[entry.name + "Label"]; - if (label 
== null) continue; - def dest = entry.labels[label.toLowerCase()]; - if (dest == null) continue; - actions.add([ - "value": value, - "to": dest - ]); - } - ctx["_tmp_copy"] = actions; - - - foreach: - field: _tmp_copy - processor: - set: - field: "{{_ingest._value.to}}" - value: "{{_ingest._value.value}}" - - - remove: - field: _tmp_copy - - - set: - field: email.to.address - value: ["{{{destination.user.email}}}"] - if: "ctx?.destination?.user?.email != null" - - set: - field: email.from.address - value: ["{{{source.user.email}}}"] - if: "ctx?.source?.user?.email != null" - - set: - field: email.subject - copy_from: checkpoint.email_subject - if: "ctx?.checkpoint?.email_subject != null" - - set: - field: email.message_id - copy_from: checkpoint.email_session_id - if: "ctx?.checkpoint?.email_session_id != null" - - convert: - field: event.risk_score - type: float - ignore_missing: true - on_failure: - - remove: - field: event.risk_score - - convert: - field: event.severity - type: long - ignore_missing: true - on_failure: - - remove: - field: event.severity - - # event.duration is a string and contains seconds. Convert to long nanos. - - script: - params: - second_to_nanos: 1000000000 - lang: painless - source: | - def duration = ctx.event?.duration; - if (duration == null) return; - ctx.event.duration = Long.parseLong(duration) * params.second_to_nanos; - on_failure: - - remove: - field: event.duration - ignore_missing: true - - # checkpoint.file_hash can be either MD5, SHA1 or SHA256. 
- - rename: - field: checkpoint.file_hash - target_field: file.hash.md5 - if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32' - - rename: - field: checkpoint.file_hash - target_field: file.hash.sha1 - if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40' - - rename: - field: checkpoint.file_hash - target_field: file.hash.sha256 - if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64' - - # Event kind is 'event' by default. 'alert' when a risk score and rule info - # is present. - - set: - field: event.kind - value: event - - set: - field: event.kind - value: alert - if: 'ctx.cef?.extensions?.cp_app_risk != null && ctx.rule != null' - - # Set event.category to network/malware/intrusion_detection depending on which - # fields have been populated. - - set: - field: event.category - value: network - if: 'ctx.source?.ip != null && ctx.destination?.ip != null' - - set: - field: event.category - value: malware - if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' - - set: - field: event.category - value: intrusion_detection - if: 'ctx.event?.category != "malware" && (ctx.checkpoint?.protection_type != null || ctx.cef.extensions?.flexString2Label == "Attack Information")' - - - convert: - field: checkpoint.event_count - type: long - ignore_missing: true - - convert: - field: cef.extensions.baseEventCount - type: long - ignore_missing: true - diff --git a/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8875ec0695..0000000000 --- a/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,159 +0,0 @@ ---- -description: Pipeline for CEF logs. CEF decoding happens in the Agent. This performs additional enrichment and vendor specific transformations. - -processors: - - set: - field: ecs.version - value: '8.2.0' - - - convert: - field: event.id - type: string - ignore_missing: true - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hash - value: "{{cef.extensions.fileHash}}" - allow_duplicates: false - if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''" - - append: - field: related.hash - value: "{{cef.extensions.oldFileHash}}" - allow_duplicates: false - if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''" - - append: - field: related.ip - value: "{{destination.nat.ip}}" - allow_duplicates: false - if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != 
''" - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: "ctx?.source?.ip != null && ctx?.source?.ip != ''" - - append: - field: related.ip - value: "{{source.nat.ip}}" - allow_duplicates: false - if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''" - - append: - field: related.user - value: "{{destination.user.name}}" - if: "ctx?.destination?.user?.name != null" - - append: - field: related.user - value: "{{source.user.name}}" - allow_duplicates: false - if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''" - - append: - field: related.hosts - value: "{{observer.hostname}}" - allow_duplicates: false - if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''" - - pipeline: - name: '{{ IngestPipeline "fp-pipeline" }}' - if: "ctx.cef?.device?.vendor == 'FORCEPOINT'" - - pipeline: - name: '{{ IngestPipeline "cp-pipeline" }}' - if: "ctx.cef?.device?.vendor == 'Check Point'" - - community_id: {} - - # - # Timestamp parsing. - # - - grok: - # decode_cef sets @timestamp when deviceReceiptTime is provided. - description: Extract timestamp from log header when deviceReceiptTime not given. 
- if: ctx?.cef?.extensions?.deviceReceiptTime == null - field: event.original - patterns: - - '^%{SYSLOG_TIMESTAMP} ' - - '^%{ECS_SYSLOG_PRI}%{SYSLOG_TIMESTAMP} ' # RFC3164 - - '^%{ECS_SYSLOG_PRI}%{NONNEGINT} %{SYSLOG_TIMESTAMP} ' # RFC5224 - pattern_definitions: - ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})' - ignore_failure: true - - date: - if: ctx?._tmp?.timestamp8601 != null - field: _tmp.timestamp8601 - formats: - - ISO8601 - - date: - if: ctx?._tmp?.timestamp != null - field: _tmp.timestamp - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - remove: - field: - - _tmp - ignore_failure: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - # Cleanup - - remove: - field: - - cef.extensions._cefVer - ignore_missing: true - -on_failure: - - remove: - field: - - _tmp - ignore_failure: true - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml b/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml deleted file mode 100755 index f87d217328..0000000000 --- a/packages/cef/2.0.2/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for Forcepoint CEF - -processors: - # cs1 is ruleID - - set: - field: rule.id - value: "{{cef.extensions.deviceCustomString1}}" - ignore_empty_value: true - - # cs2 is natRuleID - - set: - field: rule.id - value: "{{cef.extensions.deviceCustomString2}}" - ignore_empty_value: true - - # cs3 is VulnerabilityReference - - set: - field: vulnerability.reference - value: "{{cef.extensions.deviceCustomString3}}" - ignore_empty_value: true - - # cs4 is virusID - - set: - field: cef.forcepoint.virus_id - value: "{{cef.extensions.deviceCustomString4}}" - ignore_empty_value: true diff --git a/packages/cef/2.0.2/data_stream/log/fields/agent.yml b/packages/cef/2.0.2/data_stream/log/fields/agent.yml deleted file mode 100755 index d03a5f0211..0000000000 --- a/packages/cef/2.0.2/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/cef/2.0.2/data_stream/log/fields/base-fields.yml b/packages/cef/2.0.2/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 88e15e9046..0000000000 --- a/packages/cef/2.0.2/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cef -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cef.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/cef/2.0.2/data_stream/log/fields/ecs.yml b/packages/cef/2.0.2/data_stream/log/fields/ecs.yml deleted file mode 100755 index a2802bca93..0000000000 --- a/packages/cef/2.0.2/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,380 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. 
- name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: Unique identifier for the group on the system/platform. - name: destination.user.group.id - type: keyword -- description: Name of the group. - name: destination.user.group.name - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - type: keyword -- description: The email address of recipient - name: email.to.address - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: Primary group name of the file. - name: file.group - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Syslog numeric priority of the event, if available. 
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - name: rule.uuid - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier for the group on the system/platform. - name: source.user.group.id - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Unmodified original url as seen in the event source. 
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: event.risk_score - type: float -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long diff --git a/packages/cef/2.0.2/data_stream/log/fields/fields.yml b/packages/cef/2.0.2/data_stream/log/fields/fields.yml deleted file mode 100755 index c667ec5df0..0000000000 --- a/packages/cef/2.0.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,608 +0,0 @@ -- name: cef.name - type: keyword -- name: cef.severity - type: keyword -- name: cef.version - type: keyword -- name: destination.service.name - type: keyword -- name: source.service.name - type: keyword -- name: cef.forcepoint - type: group - fields: - - name: virus_id - type: keyword - description: | - Virus ID -- name: checkpoint - type: group - fields: - - name: app_risk - type: keyword - description: Application risk. - - name: app_severity - type: keyword - description: Application threat severity. - - name: app_sig_id - type: keyword - description: The signature ID which the application was detected by. - - name: auth_method - type: keyword - description: Password authentication protocol used. - - name: category - type: keyword - description: Category. - - name: confidence_level - type: integer - description: Confidence level determined. - - name: connectivity_state - type: keyword - description: Connectivity state. - - name: cookie - type: keyword - description: IKE cookie. - - name: dst_phone_number - type: keyword - description: Destination IP-Phone. - - name: email_control - type: keyword - description: Engine name. - - name: email_id - type: keyword - description: Internal email ID. - - name: email_recipients_num - type: long - description: Number of recipients. - - name: email_session_id - type: keyword - description: Internal email session ID. - - name: email_spool_id - type: keyword - description: Internal email spool ID. - - name: email_subject - type: keyword - description: Email subject. - - name: event_count - type: long - description: Number of events associated with the log. - - name: frequency - type: keyword - description: Scan frequency. - - name: icmp_type - type: long - description: ICMP type. - - name: icmp_code - type: long - description: ICMP code. - - name: identity_type - type: keyword - description: Identity type. - - name: incident_extension - type: keyword - description: Format of original data. 
- - name: integrity_av_invoke_type - type: keyword - description: Scan invoke type. - - name: malware_family - type: keyword - description: Malware family. - - name: peer_gateway - type: ip - description: Main IP of the peer Security Gateway. - - name: performance_impact - type: integer - description: Protection performance impact. - - name: protection_id - type: keyword - description: Protection malware ID. - - name: protection_name - type: keyword - description: Specific signature name of the attack. - - name: protection_type - type: keyword - description: Type of protection used to detect the attack. - - name: scan_result - type: keyword - description: Scan result. - - name: sensor_mode - type: keyword - description: Sensor mode. - - name: severity - type: keyword - description: Threat severity. - - name: spyware_name - type: keyword - description: Spyware name. - - name: spyware_status - type: keyword - description: Spyware status. - - name: subs_exp - type: date - description: The expiration date of the subscription. - - name: tcp_flags - type: keyword - description: TCP packet flags. - - name: termination_reason - type: keyword - description: Termination reason. - - name: update_status - type: keyword - description: Update status. - - name: user_status - type: keyword - description: User response. - - name: uuid - type: keyword - description: External ID. - - name: virus_name - type: keyword - description: Virus name. - - name: voip_log_type - type: keyword - description: VoIP log types. -- name: cef.device - type: group - fields: - - name: event_class_id - type: keyword - description: Unique identifier of the event type. - - name: product - type: keyword - description: Product of the device that produced the message. - - name: vendor - type: keyword - description: Vendor of the device that produced the message. - - name: version - type: keyword - description: Version of the product that produced the message. 
-- name: cef.extensions - type: group - fields: - - name: agentAddress - type: ip - description: The IP address of the ArcSight connector that processed the event. - - name: agentHostName - type: keyword - description: The hostname of the ArcSight connector that processed the event. - - name: agentId - type: keyword - description: The agent ID of the ArcSight connector that processed the event. - - name: agentReceiptTime - type: date - description: The time at which information about the event was received by the ArcSight connector. - - name: agentTimeZone - type: keyword - description: The agent time zone of the ArcSight connector that processed the event. - - name: agentType - type: keyword - description: The agent type of the ArcSight connector that processed the event. - - name: destinationHostName - type: keyword - description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. - - name: deviceTimeZone - type: keyword - description: The time zone for the device generating the event. - - name: requestUrlFileName - type: keyword - - name: startTime - type: date - description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). - - name: type - type: long - description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). - - name: agentVersion - type: keyword - description: The version of the ArcSight connector that processed the event. - - name: agentZoneURI - type: keyword - - name: deviceSeverity - type: keyword - - name: deviceZoneURI - type: keyword - description: Thee URI for the Zone that the device asset has been assigned to in ArcSight. - - name: fileType - type: keyword - description: Type of file (pipe, socket, etc.) 
- - name: filename - type: keyword - description: Name of the file only (without its path). - - name: managerReceiptTime - type: date - description: When the Arcsight ESM received the event. - - name: agentMacAddress - type: keyword - description: The MAC address of the ArcSight connector that processed the event. - - name: deviceProcessName - type: keyword - description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX. - - name: baseEventCount - type: long - description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. - - name: dvc - type: ip - description: This field is used by Trend Micro if the hostname is an IPv4 address. - - name: dvchost - type: keyword - description: This field is used by Trend Micro for hostnames and IPv6 addresses. - - name: cp_app_risk - type: keyword - - name: cp_severity - type: keyword - - name: ifname - type: keyword - - name: inzone - type: keyword - - name: layer_uuid - type: keyword - - name: layer_name - type: keyword - - name: logid - type: keyword - - name: loguid - type: keyword - - name: match_id - type: keyword - - name: nat_addtnl_rulenum - type: keyword - - name: nat_rulenum - type: keyword - - name: origin - type: keyword - - name: originsicname - type: keyword - - name: outzone - type: keyword - - name: parent_rule - type: keyword - - name: product - type: keyword - - name: rule_action - type: keyword - - name: rule_uid - type: keyword - - name: sequencenum - type: keyword - - name: service_id - type: keyword - - name: version - type: keyword - - name: applicationProtocol - type: keyword - description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. - - name: categoryDeviceGroup - type: keyword - description: General device group like Firewall (ArcSight). - - name: categoryTechnique - type: keyword - description: Technique being used (e.g. 
/DoS) (ArcSight). - - name: deviceEventCategory - type: keyword - description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". - - name: sourceNtDomain - type: keyword - description: The Windows domain name for the source address. - - name: destinationNtDomain - type: keyword - description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). - - name: categoryOutcome - type: keyword - description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). - - name: categorySignificance - type: keyword - description: Characterization of the importance of the event (ArcSight). - - name: categoryObject - type: keyword - description: Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). - - name: categoryBehavior - type: keyword - description: Action or a behavior associated with an event. It's what is being done to the object (ArcSight). - - name: categoryDeviceType - type: keyword - description: Device type. Examples - Proxy, IDS, Web Server (ArcSight). - - name: baseEventCount - type: keyword - description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. - - name: bytesIn - type: long - description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. - - name: bytesOut - type: long - description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. - - name: destinationAddress - type: ip - description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. - - name: destinationPort - type: long - description: The valid port numbers are between 0 and 65535. 
- - name: destinationServiceName - type: keyword - description: The service targeted by this event. - - name: destinationTranslatedAddress - type: ip - description: Identifies the translated destination that the event refers to in an IP network. - - name: destinationTranslatedPort - type: long - description: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. - - name: destinationUserName - type: keyword - description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. - - name: destinationUserPrivileges - type: keyword - description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". - - name: deviceAction - type: keyword - description: Action taken by the device. - - name: deviceAddress - type: ip - description: Identifies the device address that an event refers to in an IP network. - - name: deviceCustomDate2 - type: keyword - description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomDate2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address2 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
- - name: deviceCustomIPv6Address3 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address3Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomNumber1 - type: long - description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomNumber1Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomNumber2 - type: long - description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomNumber2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomNumber3 - type: long - description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomNumber3Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString1 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. 
- - name: deviceCustomString1Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString2 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString3 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString3Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString4 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString4Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomString5 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString5Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. 
- - name: deviceCustomString6 - type: keyword - description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. - - name: deviceCustomString6Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceDirection - type: long - description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. - - name: deviceExternalId - type: keyword - description: A name that uniquely identifies the device generating this event. - - name: deviceFacility - type: keyword - description: The facility generating this event. For example, Syslog has an explicit facility associated with every event. - - name: deviceHostName - type: keyword - description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. - - name: deviceOutboundInterface - type: keyword - description: Interface on which the packet or data left the device. - - name: deviceReceiptTime - type: keyword - description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) - - name: eventId - type: long - description: This is a unique ID that ArcSight assigns to each event. - - name: fileHash - type: keyword - description: Hash of a file. - - name: message - type: keyword - description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. - - name: oldFileHash - type: keyword - description: Hash of the old file. - - name: requestContext - type: keyword - description: Description of the content from which the request originated (for example, HTTP Referrer). 
- - name: requestMethod - type: keyword - description: The HTTP method used to access a URL. - - name: requestUrl - type: keyword - description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. - - name: method - type: keyword - description: HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - - name: sourceAddress - type: ip - description: Identifies the source that an event refers to in an IP network. - - name: sourceGeoLatitude - type: long - - name: sourceGeoLongitude - type: long - - name: sourcePort - type: long - description: The valid port numbers are 0 to 65535. - - name: sourceServiceName - type: keyword - description: The service that is responsible for generating this event. - - name: sourceTranslatedAddress - type: ip - description: Identifies the translated source that the event refers to in an IP network. - - name: sourceTranslatedPort - type: long - description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. - - name: sourceUserName - type: keyword - description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. - - name: sourceUserPrivileges - type: keyword - description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". - - name: transportProtocol - type: keyword - description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. 
- - name: ad - type: flattened - - name: TrendMicroDsDetectionConfidence - type: keyword - - name: TrendMicroDsFileMD5 - type: keyword - - name: TrendMicroDsFileSHA1 - type: keyword - - name: TrendMicroDsFileSHA256 - type: keyword - - name: TrendMicroDsFrameType - type: keyword - - name: TrendMicroDsMalwareTarget - type: keyword - - name: TrendMicroDsMalwareTargetType - type: keyword - - name: TrendMicroDsPacketData - type: keyword - - name: TrendMicroDsRelevantDetectionNames - type: keyword - - name: TrendMicroDsTenant - type: keyword - - name: TrendMicroDsTenantId - type: keyword - - name: assetCriticality - type: keyword - - name: deviceAssetId - type: keyword - - name: deviceCustomIPv6Address1 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address1Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address2 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address2Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address3 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. - - name: deviceCustomIPv6Address3Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceCustomIPv6Address4 - type: ip - description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. 
- - name: deviceCustomIPv6Address4Label - type: keyword - description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. - - name: deviceInboundInterface - type: keyword - description: Interface on which the packet or data entered the device. - - name: deviceZoneID - type: keyword - - name: eventAnnotationAuditTrail - type: keyword - - name: eventAnnotationEndTime - type: date - - name: eventAnnotationFlags - type: keyword - - name: eventAnnotationManagerReceiptTime - type: date - - name: eventAnnotationModificationTime - type: date - - name: eventAnnotationStageUpdateTime - type: date - - name: eventAnnotationVersion - type: keyword - - name: locality - type: keyword - - name: modelConfidence - type: keyword - - name: originalAgentAddress - type: keyword - - name: originalAgentHostName - type: keyword - - name: originalAgentId - type: keyword - - name: originalAgentType - type: keyword - - name: originalAgentVersion - type: keyword - - name: originalAgentZoneURI - type: keyword - - name: priority - type: keyword - - name: relevance - type: keyword - - name: severity - type: keyword - - name: sourceTranslatedZoneID - type: keyword - - name: sourceTranslatedZoneURI - type: keyword - description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. - - name: sourceZoneID - type: keyword - description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. - - name: sourceZoneURI - type: keyword - description: The URI for the Zone that the source asset has been assigned to in ArcSight. - - name: aggregationType - type: keyword - - name: destinationMacAddress - type: keyword - description: Six colon-separated hexadecimal numbers. - - name: filePath - type: keyword - description: Full path to the file, including file name itself. 
- - name: fileSize - type: long - description: Size of the file. - - name: repeatCount - type: keyword - - name: sourceHostName - type: keyword - description: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. - - name: sourceMacAddress - type: keyword - description: Six colon-separated hexadecimal numbers. - - name: sourceUserId - type: keyword - description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. - - name: target - type: keyword diff --git a/packages/cef/2.0.2/data_stream/log/manifest.yml b/packages/cef/2.0.2/data_stream/log/manifest.yml deleted file mode 100755 index 8383dac3ad..0000000000 --- a/packages/cef/2.0.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -type: logs -title: CEF log logs -streams: - - input: logfile - template_path: log.yml.hbs - title: CEF logs - description: Collect CEF logs using log input - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/cef.log - - name: decode_cef_timezone - type: text - title: CEF Timezone - multi: false - required: false - show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. - - name: tags - type: text - title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. - multi: true - required: true - show_user: false - default: - - cef - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: udp - template_path: udp.yml.hbs - title: CEF logs - description: Collect CEF logs using udp input - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces. 
- multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The UDP port to listen for syslog traffic. - multi: false - required: true - show_user: true - default: 9003 - - name: decode_cef_timezone - type: text - title: CEF Timezone - multi: false - required: false - show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. - - name: tags - type: text - title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. - multi: true - required: true - show_user: false - default: - - cef - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cef/2.0.2/data_stream/log/sample_event.json b/packages/cef/2.0.2/data_stream/log/sample_event.json deleted file mode 100755 index 2921fcb328..0000000000 --- a/packages/cef/2.0.2/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,122 +0,0 @@ -{ - "@timestamp": "2022-06-03T01:39:47.734Z", - "agent": { - "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf", - "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "cef": { - "device": { - "event_class_id": "18", - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "extensions": { - "destinationAddress": "192.168.10.1", - "destinationPort": 443, - "eventId": 3457, - "requestContext": "https://www.google.com", - "requestMethod": "POST", - "requestUrl": "https://www.example.com/cart", - "sourceAddress": "89.160.20.156", - "sourceGeoLatitude": 38.915, - "sourceGeoLongitude": -77.511, - "sourcePort": 33876, - "sourceServiceName": "httpd", - "transportProtocol": "TCP" - }, - "name": "Web request", - "severity": "low", - "version": "0" - }, - "data_stream": { - "dataset": "cef.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "192.168.10.1", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "code": "18", - "dataset": "cef.log", - "id": "3457", - "ingested": "2022-06-03T01:39:48Z", - "severity": 0 - }, - "http": { - "request": { - "method": "POST", - "referrer": "https://www.google.com" - } - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "192.168.112.4:35889" - } - }, - "message": "Web request", - "network": { - "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=", - "transport": "tcp" - }, - "observer": { - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "related": { - "ip": [ - "192.168.10.1", - "89.160.20.156" - ] - }, - "source": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - 
"country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 33876, - "service": { - "name": "httpd" - } - }, - "tags": [ - "cef", - "forwarded" - ], - "url": { - "original": "https://www.example.com/cart" - } -} \ No newline at end of file diff --git a/packages/cef/2.0.2/docs/README.md b/packages/cef/2.0.2/docs/README.md deleted file mode 100755 index 8dca26f060..0000000000 --- a/packages/cef/2.0.2/docs/README.md +++ /dev/null 
@@ -1,617 +0,0 @@ -# Common Event Format (CEF) Integration - -This is an integration for parsing Common Event Format (CEF) data. It can accept -data over syslog or read it from a file. - -CEF data is a format like - -`CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -When syslog is used as the transport the CEF data becomes the message that is -contained in the syslog envelope. This integration will parse the syslog -timestamp if it is present. Depending on the syslog RFC used the message will -have a format like one of these: - -`<189> Jun 18 10:55:50 host CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -`<189>1 2021-06-18T10:55:50.000003Z host app - - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` - -In both cases the integration will use the syslog timestamp as the `@timestamp` -unless the CEF data contains a device receipt timestamp. - -The Elastic Agent's `decode_cef` processor is applied to parse the CEF encoded -data. The decoded data is written into a `cef` object field. Lastly any Elastic -Common Schema (ECS) fields that can be populated with the CEF data are -populated. - -## Compatibility - -### Forcepoint NGFW Security Management Center - -This module will process CEF data from Forcepoint NGFW Security Management -Center (SMC). In the SMC configure the logs to be forwarded to the address set -in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`. -Instructions can be found in [KB -15002](https://support.forcepoint.com/KBArticle?id=000015002) for configuring -the SMC. - -Testing was done with CEF logs from SMC version 6.6.1 and custom string mappings -were taken from 'CEF Connector Configuration Guide' dated December 5, 2011. 
- -### Check Point devices - -This module will parse CEF data from Check Point devices as documented in [Log -Exporter CEF Field -Mappings](https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060). - -Check Point CEF extensions are mapped as follows: - - -| CEF Extension | CEF Label value | ECS Fields | Non-ECS Field | -|----------------------------|-----------------------------|--------------------------|--------------------------------| -| cp_app_risk | - | event.risk_score | checkpoint.app_risk | -| cp_severity | - | event.severity | checkpoint.severity | -| baseEventCount | - | - | checkpoint.event_count | -| deviceExternalId | - | observer.type | - | -| deviceFacility | - | observer.type | - | -| deviceInboundInterface | - | observer.ingress.interface.name | - | -| deviceOutboundInterface | - | observer.egress.interface.name | - | -| externalId | - | - | checkpoint.uuid | -| fileHash | - | file.hash.\{md5,sha1\} | - | -| reason | - | - | checkpoint.termination_reason | -| requestCookies | - | - | checkpoint.cookie | -| sourceNtDomain | - | dns.question.name | - | -| Signature | - | vulnerability.id | - | -| Recipient | - | email.to.address | - | -| Sender | - | email.from.address | - | -| deviceCustomFloatingPoint1 | update version | observer.version | - | -| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | -| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | -| deviceCustomNumber1 | elapsed time in seconds | event.duration | - | -| deviceCustomNumber1 | email recipients number | - | checkpoint.email_recipients_num | -| deviceCustomNumber1 | payload | network.bytes | - | -| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | -| deviceCustomNumber2 | duration in seconds | event.duration | - | -| deviceCustomNumber3 | icmp code | - | checkpoint.icmp_code | -| deviceCustomString1 | connectivity state | - | checkpoint.connectivity_state | -| deviceCustomString1 | 
application rule name | rule.name | - | -| deviceCustomString1 | threat prevention rule name | rule.name | - | -| deviceCustomString1 | voip log type | - | checkpoint.voip_log_type | -| deviceCustomString1 | dlp rule name | rule.name | - | -| deviceCustomString1 | email id | - | checkpoint.email_id | -| deviceCustomString2 | category | - | checkpoint.category | -| deviceCustomString2 | email subject | email.subject | checkpoint.email_subject | -| deviceCustomString2 | sensor mode | - | checkpoint.sensor_mode | -| deviceCustomString2 | protection id | - | checkpoint.protection_id | -| deviceCustomString2 | scan invoke type | - | checkpoint.integrity_av_invoke_type | -| deviceCustomString2 | update status | - | checkpoint.update_status | -| deviceCustomString2 | peer gateway | - | checkpoint.peer_gateway | -| deviceCustomString2 | categories | rule.category | - | -| deviceCustomString6 | application name | network.application | - | -| deviceCustomString6 | virus name | - | checkpoint.virus_name | -| deviceCustomString6 | malware name | - | checkpoint.spyware_name | -| deviceCustomString6 | malware family | - | checkpoint.malware_family | -| deviceCustomString3 | user group | group.name | - | -| deviceCustomString3 | incident extension | - | checkpoint.incident_extension | -| deviceCustomString3 | protection type | - | checkpoint.protection_type | -| deviceCustomString3 | email spool id | - | checkpoint.email_spool_id | -| deviceCustomString3 | identity type | - | checkpoint.identity_type | -| deviceCustomString4 | malware status | - | checkpoint.spyware_status | -| deviceCustomString4 | threat prevention rule id | rule.id | - | -| deviceCustomString4 | scan result | - | checkpoint.scan_result | -| deviceCustomString4 | tcp flags | - | checkpoint.tcp_flags | -| deviceCustomString4 | destination os | os.name | - | -| deviceCustomString4 | protection name | - | checkpoint.protection_name | -| deviceCustomString4 | email control | - | checkpoint.email_control | -| 
deviceCustomString4 | frequency | - | checkpoint.frequency | -| deviceCustomString4 | user response | - | checkpoint.user_status | -| deviceCustomString5 | matched category | rule.category | - | -| deviceCustomString5 | vlan id | network.vlan.id | - | -| deviceCustomString5 | authentication method | - | checkpoint.auth_method | -| deviceCustomString5 | email session id | email.message_id | checkpoint.email_session_id | -| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | -| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | -| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | -| deviceFlexNumber2 | destination phone number | - | checkpoint.dst_phone_number | -| flexString1 | application signature id | - | checkpoint.app_sig_id | -| flexString2 | malware action | rule.description | - | -| flexString2 | attack information | event.action | - | -| rule_uid | - | rule.uuid | - | -| ifname | - | observer.ingress.interface.name | - | -| inzone | - | observer.ingress.zone | - | -| outzone | - | observer.egress.zone | - | -| product | - | observer.product | - | - -## Logs - -### CEF log - -This is the CEF `log` dataset. 
- -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-06-03T01:39:47.734Z", - "agent": { - "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf", - "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "cef": { - "device": { - "event_class_id": "18", - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "extensions": { - "destinationAddress": "192.168.10.1", - "destinationPort": 443, - "eventId": 3457, - "requestContext": "https://www.google.com", - "requestMethod": "POST", - "requestUrl": "https://www.example.com/cart", - "sourceAddress": "89.160.20.156", - "sourceGeoLatitude": 38.915, - "sourceGeoLongitude": -77.511, - "sourcePort": 33876, - "sourceServiceName": "httpd", - "transportProtocol": "TCP" - }, - "name": "Web request", - "severity": "low", - "version": "0" - }, - "data_stream": { - "dataset": "cef.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "192.168.10.1", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "code": "18", - "dataset": "cef.log", - "id": "3457", - "ingested": "2022-06-03T01:39:48Z", - "severity": 0 - }, - "http": { - "request": { - "method": "POST", - "referrer": "https://www.google.com" - } - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "192.168.112.4:35889" - } - }, - "message": "Web request", - "network": { - "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=", - "transport": "tcp" - }, - "observer": { - "product": "Vaporware", - "vendor": "Elastic", - "version": "1.0.0-alpha" - }, - "related": { - "ip": [ - "192.168.10.1", - "89.160.20.156" - ] - }, - "source": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": 
"Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 33876, - "service": { - "name": "httpd" - } - }, - "tags": [ - "cef", - "forwarded" - ], - "url": { - "original": "https://www.example.com/cart" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cef.device.event_class_id | Unique identifier of the event type. | keyword | -| cef.device.product | Product of the device that produced the message. | keyword | -| cef.device.vendor | Vendor of the device that produced the message. | keyword | -| cef.device.version | Version of the product that produced the message. | keyword | -| cef.extensions.TrendMicroDsDetectionConfidence | | keyword | -| cef.extensions.TrendMicroDsFileMD5 | | keyword | -| cef.extensions.TrendMicroDsFileSHA1 | | keyword | -| cef.extensions.TrendMicroDsFileSHA256 | | keyword | -| cef.extensions.TrendMicroDsFrameType | | keyword | -| cef.extensions.TrendMicroDsMalwareTarget | | keyword | -| cef.extensions.TrendMicroDsMalwareTargetType | | keyword | -| cef.extensions.TrendMicroDsPacketData | | keyword | -| cef.extensions.TrendMicroDsRelevantDetectionNames | | keyword | -| cef.extensions.TrendMicroDsTenant | | keyword | -| cef.extensions.TrendMicroDsTenantId | | keyword | -| cef.extensions.ad | | flattened | -| cef.extensions.agentAddress | The IP address of the ArcSight connector that processed the event. | ip | -| cef.extensions.agentHostName | The hostname of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentId | The agent ID of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentMacAddress | The MAC address of the ArcSight connector that processed the event. 
| keyword | -| cef.extensions.agentReceiptTime | The time at which information about the event was received by the ArcSight connector. | date | -| cef.extensions.agentTimeZone | The agent time zone of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentType | The agent type of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentVersion | The version of the ArcSight connector that processed the event. | keyword | -| cef.extensions.agentZoneURI | | keyword | -| cef.extensions.aggregationType | | keyword | -| cef.extensions.applicationProtocol | Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. | keyword | -| cef.extensions.assetCriticality | | keyword | -| cef.extensions.baseEventCount | A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. | keyword | -| cef.extensions.bytesIn | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. | long | -| cef.extensions.bytesOut | Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. | long | -| cef.extensions.categoryBehavior | Action or a behavior associated with an event. It's what is being done to the object (ArcSight). | keyword | -| cef.extensions.categoryDeviceGroup | General device group like Firewall (ArcSight). | keyword | -| cef.extensions.categoryDeviceType | Device type. Examples - Proxy, IDS, Web Server (ArcSight). | keyword | -| cef.extensions.categoryObject | Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). | keyword | -| cef.extensions.categoryOutcome | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). 
| keyword | -| cef.extensions.categorySignificance | Characterization of the importance of the event (ArcSight). | keyword | -| cef.extensions.categoryTechnique | Technique being used (e.g. /DoS) (ArcSight). | keyword | -| cef.extensions.cp_app_risk | | keyword | -| cef.extensions.cp_severity | | keyword | -| cef.extensions.destinationAddress | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. | ip | -| cef.extensions.destinationHostName | Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. | keyword | -| cef.extensions.destinationMacAddress | Six colon-separated hexadecimal numbers. | keyword | -| cef.extensions.destinationNtDomain | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword | -| cef.extensions.destinationPort | The valid port numbers are between 0 and 65535. | long | -| cef.extensions.destinationServiceName | The service targeted by this event. | keyword | -| cef.extensions.destinationTranslatedAddress | Identifies the translated destination that the event refers to in an IP network. | ip | -| cef.extensions.destinationTranslatedPort | Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. | long | -| cef.extensions.destinationUserName | Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. | keyword | -| cef.extensions.destinationUserPrivileges | The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". 
| keyword |
-| cef.extensions.deviceAction | Action taken by the device. | keyword |
-| cef.extensions.deviceAddress | Identifies the device address that an event refers to in an IP network. | ip |
-| cef.extensions.deviceAssetId | | keyword |
-| cef.extensions.deviceCustomDate2 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword |
-| cef.extensions.deviceCustomDate2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomIPv6Address1 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
-| cef.extensions.deviceCustomIPv6Address1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomIPv6Address2 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
-| cef.extensions.deviceCustomIPv6Address2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomIPv6Address3 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
-| cef.extensions.deviceCustomIPv6Address3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomIPv6Address4 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
-| cef.extensions.deviceCustomIPv6Address4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomNumber1 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
-| cef.extensions.deviceCustomNumber1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomNumber2 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
-| cef.extensions.deviceCustomNumber2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomNumber3 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
-| cef.extensions.deviceCustomNumber3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString1 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString2 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString3 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString4 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString5 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString5Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceCustomString6 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
-| cef.extensions.deviceCustomString6Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
-| cef.extensions.deviceDirection | Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. | long |
-| cef.extensions.deviceEventCategory | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". | keyword |
-| cef.extensions.deviceExternalId | A name that uniquely identifies the device generating this event. | keyword |
-| cef.extensions.deviceFacility | The facility generating this event. For example, Syslog has an explicit facility associated with every event. | keyword |
-| cef.extensions.deviceHostName | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. | keyword |
-| cef.extensions.deviceInboundInterface | Interface on which the packet or data entered the device. | keyword |
-| cef.extensions.deviceOutboundInterface | Interface on which the packet or data left the device. | keyword |
-| cef.extensions.deviceProcessName | Process name associated with the event. An example might be the process generating the syslog entry in UNIX. | keyword |
-| cef.extensions.deviceReceiptTime | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | keyword |
-| cef.extensions.deviceSeverity | | keyword |
-| cef.extensions.deviceTimeZone | The time zone for the device generating the event. | keyword |
-| cef.extensions.deviceZoneID | | keyword |
-| cef.extensions.deviceZoneURI | Thee URI for the Zone that the device asset has been assigned to in ArcSight. | keyword |
-| cef.extensions.dvc | This field is used by Trend Micro if the hostname is an IPv4 address. | ip |
-| cef.extensions.dvchost | This field is used by Trend Micro for hostnames and IPv6 addresses. | keyword |
-| cef.extensions.eventAnnotationAuditTrail | | keyword |
-| cef.extensions.eventAnnotationEndTime | | date |
-| cef.extensions.eventAnnotationFlags | | keyword |
-| cef.extensions.eventAnnotationManagerReceiptTime | | date |
-| cef.extensions.eventAnnotationModificationTime | | date |
-| cef.extensions.eventAnnotationStageUpdateTime | | date |
-| cef.extensions.eventAnnotationVersion | | keyword |
-| cef.extensions.eventId | This is a unique ID that ArcSight assigns to each event. | long |
-| cef.extensions.fileHash | Hash of a file. | keyword |
-| cef.extensions.filePath | Full path to the file, including file name itself. | keyword |
-| cef.extensions.fileSize | Size of the file. | long |
-| cef.extensions.fileType | Type of file (pipe, socket, etc.) | keyword |
-| cef.extensions.filename | Name of the file only (without its path). | keyword |
-| cef.extensions.ifname | | keyword |
-| cef.extensions.inzone | | keyword |
-| cef.extensions.layer_name | | keyword |
-| cef.extensions.layer_uuid | | keyword |
-| cef.extensions.locality | | keyword |
-| cef.extensions.logid | | keyword |
-| cef.extensions.loguid | | keyword |
-| cef.extensions.managerReceiptTime | When the Arcsight ESM received the event. | date |
-| cef.extensions.match_id | | keyword |
-| cef.extensions.message | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. | keyword |
-| cef.extensions.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| cef.extensions.modelConfidence | | keyword |
-| cef.extensions.nat_addtnl_rulenum | | keyword |
-| cef.extensions.nat_rulenum | | keyword |
-| cef.extensions.oldFileHash | Hash of the old file. | keyword |
-| cef.extensions.origin | | keyword |
-| cef.extensions.originalAgentAddress | | keyword |
-| cef.extensions.originalAgentHostName | | keyword |
-| cef.extensions.originalAgentId | | keyword |
-| cef.extensions.originalAgentType | | keyword |
-| cef.extensions.originalAgentVersion | | keyword |
-| cef.extensions.originalAgentZoneURI | | keyword |
-| cef.extensions.originsicname | | keyword |
-| cef.extensions.outzone | | keyword |
-| cef.extensions.parent_rule | | keyword |
-| cef.extensions.priority | | keyword |
-| cef.extensions.product | | keyword |
-| cef.extensions.relevance | | keyword |
-| cef.extensions.repeatCount | | keyword |
-| cef.extensions.requestContext | Description of the content from which the request originated (for example, HTTP Referrer). | keyword |
-| cef.extensions.requestMethod | The HTTP method used to access a URL. | keyword |
-| cef.extensions.requestUrl | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. | keyword |
-| cef.extensions.requestUrlFileName | | keyword |
-| cef.extensions.rule_action | | keyword |
-| cef.extensions.rule_uid | | keyword |
-| cef.extensions.sequencenum | | keyword |
-| cef.extensions.service_id | | keyword |
-| cef.extensions.severity | | keyword |
-| cef.extensions.sourceAddress | Identifies the source that an event refers to in an IP network. | ip |
-| cef.extensions.sourceGeoLatitude | | long |
-| cef.extensions.sourceGeoLongitude | | long |
-| cef.extensions.sourceHostName | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. | keyword |
-| cef.extensions.sourceMacAddress | Six colon-separated hexadecimal numbers. | keyword |
-| cef.extensions.sourceNtDomain | The Windows domain name for the source address. | keyword |
-| cef.extensions.sourcePort | The valid port numbers are 0 to 65535. | long |
-| cef.extensions.sourceServiceName | The service that is responsible for generating this event. | keyword |
-| cef.extensions.sourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. | ip |
-| cef.extensions.sourceTranslatedPort | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. | long |
-| cef.extensions.sourceTranslatedZoneID | | keyword |
-| cef.extensions.sourceTranslatedZoneURI | The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. | keyword |
-| cef.extensions.sourceUserId | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword |
-| cef.extensions.sourceUserName | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. | keyword |
-| cef.extensions.sourceUserPrivileges | The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". | keyword |
-| cef.extensions.sourceZoneID | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword |
-| cef.extensions.sourceZoneURI | The URI for the Zone that the source asset has been assigned to in ArcSight. | keyword |
-| cef.extensions.startTime | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | date |
-| cef.extensions.target | | keyword |
-| cef.extensions.transportProtocol | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. | keyword |
-| cef.extensions.type | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). | long |
-| cef.extensions.version | | keyword |
-| cef.forcepoint.virus_id | Virus ID | keyword |
-| cef.name | | keyword |
-| cef.severity | | keyword |
-| cef.version | | keyword |
-| checkpoint.app_risk | Application risk. | keyword |
-| checkpoint.app_severity | Application threat severity. | keyword |
-| checkpoint.app_sig_id | The signature ID which the application was detected by. | keyword |
-| checkpoint.auth_method | Password authentication protocol used. | keyword |
-| checkpoint.category | Category. | keyword |
-| checkpoint.confidence_level | Confidence level determined. | integer |
-| checkpoint.connectivity_state | Connectivity state. | keyword |
-| checkpoint.cookie | IKE cookie. | keyword |
-| checkpoint.dst_phone_number | Destination IP-Phone. | keyword |
-| checkpoint.email_control | Engine name. | keyword |
-| checkpoint.email_id | Internal email ID. | keyword |
-| checkpoint.email_recipients_num | Number of recipients. | long |
-| checkpoint.email_session_id | Internal email session ID. | keyword |
-| checkpoint.email_spool_id | Internal email spool ID. | keyword |
-| checkpoint.email_subject | Email subject. | keyword |
-| checkpoint.event_count | Number of events associated with the log. | long |
-| checkpoint.frequency | Scan frequency. | keyword |
-| checkpoint.icmp_code | ICMP code. | long |
-| checkpoint.icmp_type | ICMP type. | long |
-| checkpoint.identity_type | Identity type. | keyword |
-| checkpoint.incident_extension | Format of original data. | keyword |
-| checkpoint.integrity_av_invoke_type | Scan invoke type. | keyword |
-| checkpoint.malware_family | Malware family. | keyword |
-| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip |
-| checkpoint.performance_impact | Protection performance impact. | integer |
-| checkpoint.protection_id | Protection malware ID. | keyword |
-| checkpoint.protection_name | Specific signature name of the attack. | keyword |
-| checkpoint.protection_type | Type of protection used to detect the attack. | keyword |
-| checkpoint.scan_result | Scan result. | keyword |
-| checkpoint.sensor_mode | Sensor mode. | keyword |
-| checkpoint.severity | Threat severity. | keyword |
-| checkpoint.spyware_name | Spyware name. | keyword |
-| checkpoint.spyware_status | Spyware status. | keyword |
-| checkpoint.subs_exp | The expiration date of the subscription. | date |
-| checkpoint.tcp_flags | TCP packet flags. | keyword |
-| checkpoint.termination_reason | Termination reason. | keyword |
-| checkpoint.update_status | Update status. | keyword |
-| checkpoint.user_status | User response. | keyword |
-| checkpoint.uuid | External ID. | keyword |
-| checkpoint.virus_name | Virus name. | keyword |
-| checkpoint.voip_log_type | VoIP log types. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.service.name | | keyword |
-| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| destination.user.group.name | Name of the group. | keyword |
-| destination.user.id | Unique identifier of the user. | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword |
-| email.subject | A brief summary of the topic of the message. | keyword |
-| email.subject.text | Multi-field of `email.subject`. | match_only_text |
-| email.to.address | The email address of recipient | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| file.group | Primary group name of the file. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.inode | Inode representing the file in the filesystem. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.service.name | | keyword |
-| source.user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-
diff --git a/packages/cef/2.0.2/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json b/packages/cef/2.0.2/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json
deleted file mode 100755
index c44bda0cc2..0000000000
--- a/packages/cef/2.0.2/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json
+++ /dev/null
@@ -1,93 +0,0 @@ -{ - "attributes": { - "description": "Overview of Microsoft DNS activity via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 
108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\"
,\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\
\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Microsoft DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-56428e01-0c47-4770-8ba4-9345a029ea41", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", - "name": 
"3:panel_3", - "type": "visualization" - }, - { - "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json b/packages/cef/2.0.2/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json deleted file mode 100755 index e740d26d0b..0000000000 --- a/packages/cef/2.0.2/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "attributes": { - "description": "Operating system activity from endpoints via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 
110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#447EBC\",\"/Failure\":\"#E24D42\",\"/Success\":\"#7EB26D\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event 
Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Endpoint OS Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9e352900-89c3-4c1b-863e-249e24d0dac9", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", - "name": "3:panel_3", - "type": "visualization" 
- }, - { - "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json b/packages/cef/2.0.2/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json deleted file mode 100755 index 3fa223db88..0000000000 
--- a/packages/cef/2.0.2/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json
+++ /dev/null
@@ -1,98 +0,0 @@ -{ - "attributes": { - "description": "Summary of ArcSight endpoint event data", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"cef.extensions.categoryOutcome\",\"cef.extensions.categorySignificance\",\"cef.extensions.categoryObject\",\"cef.extensions.categoryBehavior\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":76},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Operating System\":\"#BF1B00\",\"Security 
Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#629E51\",\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#BF1B00\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Event [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Endpoint Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", 
- "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "9:panel_9", - "type": "search" - }, - { - "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json b/packages/cef/2.0.2/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json deleted file mode 100755 index 153645a090..0000000000 --- a/packages/cef/2.0.2/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "Suspicious network activity overview via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enh
ancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "refreshInterval": { - "display": "Off", - "pause": false, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Network Suspicious Activity Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-db1e1aca-279e-4ecc-b84e-fe58644f7619", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": 
"cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "name": "17:panel_17", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json b/packages/cef/2.0.2/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json deleted file mode 100755 index 9c26408568..0000000000 --- a/packages/cef/2.0.2/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json +++ /dev/null 
@@ -1,113 +0,0 @@ -{ - "attributes": { - "description": "Network data overview via ArcSight", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":68},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":32,\"x\":0,\"y\":32},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EF843C\",\"Content Security\":\"#7EB26D\",\"Firewall\":\"#E24D42\",\"Integrated Security\":\"#962D82\",\"Network-based IDS/IPS\":\"#1F78C1\",\"Operating 
System\":\"#1F78C1\",\"VPN\":\"#EAB839\"}}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":76},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":76},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"1fc250c2-4990-401e-b70
9-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"
mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs CEF ArcSight] Network Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-dd0bc9af-2e89-4150-9b42-62517ea56b71", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": 
"cef-f5258de9-71f7-410f-b713-201007f77470", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", - "name": "21:panel_21", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json b/packages/cef/2.0.2/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json deleted file mode 100755 index cf5b2ee7e4..0000000000 --- a/packages/cef/2.0.2/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryTechnique", - "cef.extensions.categoryOutcome", - "cef.extensions.categorySignificance", - "cef.extensions.categoryObject", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint Event Explorer [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json b/packages/cef/2.0.2/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json deleted file mode 100755 index dad033d27d..0000000000 --- a/packages/cef/2.0.2/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json +++ /dev/null 
@@ -1,52 +0,0 @@ -{ - "attributes": { - "columns": [ - "priority", - "message", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.application", - "message", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "cef.extensions.deviceAddress", - "cef.device.product", - "cef.device.vendor", - "cef.extensions.categoryDeviceGroup", - "cef.extensions.categoryDeviceType" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"terms\\\":{\\\"cef.extensions.categoryDeviceGroup\\\":[\\\"/VPN\\\",\\\"/IDS/Network\\\",\\\"/Firewall\\\"]}}\"},\"query\":{\"terms\":{\"cef.extensions.categoryDeviceGroup\":[\"/VPN\",\"/IDS/Network\",\"/Firewall\"]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Network Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json b/packages/cef/2.0.2/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json deleted file mode 100755 index 9082a5e861..0000000000 
--- a/packages/cef/2.0.2/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "message", - "cef.device.event_class_id", - "cef.extensions.deviceEventCategory", - "source.user.name", - "destination.user.name", - "destination.domain", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "cef.extensions.sourceNtDomain", - "cef.extensions.destinationNtDomain" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Endpoint - OS Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json b/packages/cef/2.0.2/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json deleted file mode 100755 index 74d6b3c820..0000000000 --- a/packages/cef/2.0.2/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "columns": [ - "cef.device.vendor", - "cef.device.product", - "cef.extensions.categoryBehavior", - "cef.extensions.categoryOutcome", - "destination.ip", - "destination.port", - "destination.domain", - "cef.device.event_class_id", - "cef.extensions.deviceCustomString1Label", - "cef.extensions.deviceCustomString1", - "cef.extensions.deviceCustomString2Label", - "cef.extensions.deviceCustomString2", - "cef.extension.deviceCustomString3Label", - "cef.extension.deviceCustomString3", - "cef.extension.deviceCustomString4Label", - "cef.extension.deviceCustomString4", - "cef.extensions.deviceEventCategory", - "event.severity", - "source.ip", - "source.port", - "network.transport", - "source.bytes", - "url.original" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Microsoft DNS Events [Logs CEF ArcSight]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json b/packages/cef/2.0.2/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json deleted file mode 100755 index f7372f962e..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Source Countries [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json b/packages/cef/2.0.2/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json deleted file mode 100755 index e4e3fbc58d..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json b/packages/cef/2.0.2/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json deleted file mode 100755 index bec9522083..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Bandwidth Utilization [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json b/packages/cef/2.0.2/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json deleted file mode 100755 index 702933c209..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcomes [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event 
Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json b/packages/cef/2.0.2/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json deleted file mode 100755 index bba67eb563..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"cef.extensions.categoryDeviceType: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes by Device Type [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json b/packages/cef/2.0.2/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json deleted file mode 100755 index 1f0e2fde5c..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Ports [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json b/packages/cef/2.0.2/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json
deleted file mode 100755
index ec2f257b88..0000000000
--- a/packages/cef/2.0.2/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint OS Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"cef.extensions.categoryOutcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": 
"search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json b/packages/cef/2.0.2/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json deleted file mode 100755 index a3f9d219f4..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Direction [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json b/packages/cef/2.0.2/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json deleted file mode 100755 index db7522dd38..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destinations by Events [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-1b521f56-8089-433f-88f7-56aba867e07d", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json b/packages/cef/2.0.2/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json deleted file mode 100755 index 6c04dc9028..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json b/packages/cef/2.0.2/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json deleted file mode 100755 index 3b90350ff6..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "DNS Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json b/packages/cef/2.0.2/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json deleted file mode 100755 index 401dfbed0a..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json b/packages/cef/2.0.2/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json deleted file mode 100755 index 1697d134c5..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 15 Event Types by Events [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json b/packages/cef/2.0.2/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json
deleted file mode 100755
index c52b647746..0000000000
--- a/packages/cef/2.0.2/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Event [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json b/packages/cef/2.0.2/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json deleted file mode 100755 index 63e38a3cff..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources by Destinations [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json b/packages/cef/2.0.2/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json deleted file mode 100755 index 5ec0797be6..0000000000 
--- a/packages/cef/2.0.2/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json
+++ /dev/null
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Network - Event Throughput [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event 
Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json b/packages/cef/2.0.2/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json deleted file mode 100755 index 563c47bef0..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Type Breakdown [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Type Breakdown [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json b/packages/cef/2.0.2/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json deleted file mode 100755 index a2085e9b19..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND 
_exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event 
Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json b/packages/cef/2.0.2/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json deleted file mode 100755 index 0614970e4b..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destinations [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json b/packages/cef/2.0.2/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json deleted file mode 100755 index b0e9b3c257..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Sources [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json b/packages/cef/2.0.2/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json deleted file mode 100755 index 86b518c893..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Source Locations by Events [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"customLabel\":\"Source Location\",\"field\":\"source.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json b/packages/cef/2.0.2/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json deleted file mode 100755 index 5c7272c0cb..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destinations by Traffic Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json b/packages/cef/2.0.2/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json deleted file mode 100755 index 5d58895fd2..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Sources by Events [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json b/packages/cef/2.0.2/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json deleted file mode 100755 index bb3e848ce7..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json b/packages/cef/2.0.2/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json deleted file mode 100755 index 38ac936b78..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Source Users by Event Type and Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User 
Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json b/packages/cef/2.0.2/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json deleted file mode 100755 index 558660d19f..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes by User Names [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#64B0C8\",\"Anti-Virus\":\"#B7DBAB\",\"Host-based IDS/IPS\":\"#629E51\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#3F6833\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#CFFAFF\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Outcomes by User Names [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json b/packages/cef/2.0.2/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json deleted file mode 100755 index 0a393d6652..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Events by Source and Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination 
Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json b/packages/cef/2.0.2/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json deleted file mode 100755 index cc03e710d3..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users by Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json b/packages/cef/2.0.2/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json deleted file mode 100755 index 834908bc67..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json b/packages/cef/2.0.2/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json deleted file mode 100755 index 9518a579c1..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host 
IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json b/packages/cef/2.0.2/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json deleted file mode 100755 index c978cbecff..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Endpoint Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json b/packages/cef/2.0.2/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json deleted file mode 100755 index dc2ddd1c89..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Source Countries [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json b/packages/cef/2.0.2/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json deleted file mode 100755 index 09e0d6ff6a..0000000000 
--- a/packages/cef/2.0.2/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Event Types [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json b/packages/cef/2.0.2/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json deleted file mode 100755 index 7ba2b39a50..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint - OS Average EPS [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - OS Average EPS [Logs CEF 
ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json b/packages/cef/2.0.2/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json deleted file mode 100755 index fa5dcd2adc..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Behaviors by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": 
"cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json b/packages/cef/2.0.2/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json deleted file mode 100755 index 86943ae981..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "DNS - Event Throughput [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json b/packages/cef/2.0.2/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json deleted file mode 100755 index 899b95824b..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json b/packages/cef/2.0.2/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json deleted file mode 100755 index 34d704fef6..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json b/packages/cef/2.0.2/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json deleted file mode 100755 index dd63b9809f..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcomes Breakdown [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Attempt\":\"#3F2B5B\",\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF 
ArcSight]\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json b/packages/cef/2.0.2/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json deleted file mode 100755 index 08b966f09b..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destination Locations by Events [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-8b31af8b-522e-41fe-b9d6-9a3451b54108", - "migrationVersion": { - "visualization": "7.10.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json b/packages/cef/2.0.2/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json deleted file mode 100755 index 1f8c398abc..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json b/packages/cef/2.0.2/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json deleted file mode 100755 index f4f5f6eadc..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Source Countries by Events [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json b/packages/cef/2.0.2/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json deleted file mode 100755 index ab180b299a..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Vendors by Product [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json b/packages/cef/2.0.2/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json deleted file mode 100755 index 3da6c90cb1..0000000000 
--- a/packages/cef/2.0.2/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Endpoint Average EPS [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json b/packages/cef/2.0.2/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json deleted file mode 100755 index 001000873c..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Severity [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY 
HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json b/packages/cef/2.0.2/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json deleted file mode 100755 index 8ec3a53f1f..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json b/packages/cef/2.0.2/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json deleted file mode 100755 index a5448711e4..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall 
Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json b/packages/cef/2.0.2/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json deleted file mode 100755 index 42a376cff4..0000000000 
--- a/packages/cef/2.0.2/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top Destination Locations by Event [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" - }, - "id": "cef-aaa80503-6d96-4a33-806f-b8a10aefe696", - "migrationVersion": { - "visualization": "7.10.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json b/packages/cef/2.0.2/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json deleted file mode 100755 index 71eae19918..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Users [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json b/packages/cef/2.0.2/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json deleted file mode 100755 index 8a888d067a..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcome by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json b/packages/cef/2.0.2/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json deleted file mode 100755 index 6601533058..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" - }, - "title": " Dashboard Navigation [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json b/packages/cef/2.0.2/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json deleted file mode 100755 index 4860454ee5..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Destination Port [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json b/packages/cef/2.0.2/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json deleted file mode 100755 index bf65f0baac..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Source Addresses [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" 
\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json b/packages/cef/2.0.2/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json deleted file mode 100755 index f56ace942b..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Metrics Overview [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", - "migrationVersion": { - "visualization": 
"8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json b/packages/cef/2.0.2/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json deleted file mode 100755 index 6cf6e86635..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json b/packages/cef/2.0.2/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json deleted file mode 100755 index 20bdf88f92..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 20 Behaviors by Outcome [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json b/packages/cef/2.0.2/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json deleted file mode 100755 index cb732f40b3..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Device Types [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\"
:null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json b/packages/cef/2.0.2/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json deleted file mode 100755 index 5387593733..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Devices by Bandwidth [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json b/packages/cef/2.0.2/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json deleted file mode 100755 index 4c21032237..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Sources by Destination Ports [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF ArcSight]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json b/packages/cef/2.0.2/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json deleted file mode 100755 index 827c7905e2..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events Types by Severity [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR 
cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR 
cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cef/2.0.2/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json b/packages/cef/2.0.2/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json deleted file mode 100755 index 5b23c7fb8e..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Events by Size [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? 
params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF ArcSight]\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json b/packages/cef/2.0.2/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json deleted file mode 100755 index aed8102339..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Application Protocols [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f5258de9-71f7-410f-b713-201007f77470", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json b/packages/cef/2.0.2/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json deleted file mode 100755 index 74a61138dc..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Device Types by Vendor [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"exclude\":\"\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Types by Vendor [Logs CEF ArcSight]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json b/packages/cef/2.0.2/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json deleted file mode 100755 index 32a6dda32a..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Unique Destinations and Ports by Source [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination 
Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json b/packages/cef/2.0.2/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json deleted file mode 100755 index cce501f750..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Event Types by Size [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json b/packages/cef/2.0.2/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json deleted file mode 100755 index 0907dbbef8..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Destination Ports by Outcomes [Logs CEF ArcSight]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF ArcSight]\",\"type\":\"histogram\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cef/2.0.2/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json b/packages/cef/2.0.2/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json deleted file mode 100755 index df5b0a6e9f..0000000000 --- a/packages/cef/2.0.2/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "Outcome by Device Type [Logs CEF ArcSight]", - "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7",
- "migrationVersion": {
- "visualization": "8.0.0"
- },
- "references": [
- {
- "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/cef/2.0.2/manifest.yml b/packages/cef/2.0.2/manifest.yml
deleted file mode 100755
index 747d66df2e..0000000000
--- a/packages/cef/2.0.2/manifest.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: cef
-title: CEF Logs
-version: 2.0.2
-release: ga
-description: Collect logs from CEF Logs with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories:
- - network
- - security
-conditions:
- kibana.version: ^8.0.0
-policy_templates:
- - name: cef
- title: CEF logs
- description: Collect logs from CEF instances
- inputs:
- - type: logfile
- title: "Collect CEF application logs (input: logfile)"
- description: "Collecting application logs from CEF instances (input: logfile)"
- - type: udp
- title: "Collect CEF application logs (input: udp)"
- description: "Collecting application logs from CEF instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cisco_meraki/0.5.1/changelog.yml b/packages/cisco_meraki/0.5.1/changelog.yml
deleted file mode 100755
index e8a3516767..0000000000
--- a/packages/cisco_meraki/0.5.1/changelog.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-# newer versions go on topA
-- version: "0.5.1"
- changes:
- - description: Fix doc build
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3529
-- version: "0.5.0"
- changes:
- - description: Replace RSA2ELK with Syslog and Webhook integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2897
-- version: "0.4.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.4.0"
- changes:
- - description: Update to ECS 8.0.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2580
-- version: "0.3.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2270
-- version: "0.2.3"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1956
-- version: "0.2.2"
- changes:
- - description: Fixed a bug that prevents the package from working in 7.16.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1882
-- version: "0.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1808
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1785
-- version: "0.1.0"
- changes:
- - description: Initial commit splitting Cisco meraki from general Cisco package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1587
diff --git a/packages/cisco_meraki/0.5.1/data_stream/events/agent/stream/http_endpoint.yml.hbs b/packages/cisco_meraki/0.5.1/data_stream/events/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 1203728f14..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/events/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,41 +0,0 @@
-type: http_endpoint
-enabled: true
-prefix: json
-
-{{#if listen_address}}
-listen_address: {{listen_address}}
-{{/if}}
-{{#if listen_port}}
-listen_port: {{listen_port}}
-{{/if}}
-{{#if url}}
-url: {{url}}
-{{/if}}
-
-{{#if secret_value}}
-secret.header: Authorization
-secret.value: "{{secret_value}}"
-{{/if}}
-
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_meraki/0.5.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/0.5.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index dbd99aecc4..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,300 +0,0 @@ ---- -description: Pipeline for processing Cisco Meraki events -processors: -- set: - field: ecs.version - value: '8.0.0' -- set: - field: observer.serial_number - copy_from: json.deviceSerial -- gsub: - field: json.deviceMac - target_field: observer.mac - pattern: '[-:.]' - replacement: '-' -- set: - field: observer.name - copy_from: json.deviceName -- set: - field: observer.vendor - value: Cisco -- set: - field: observer.product - copy_from: json.deviceModel -- set: - field: network.name - copy_from: json.networkName -- date: - field: json.occurredAt - formats: - - ISO8601 -- set: - field: organization.id - copy_from: json.organizationId -- set: - field: organization.name - copy_from: json.organizationName -- set: - field: log.level - copy_from: json.alertLevel -- append: - field: event.category - value: network -- append: - field: event.type - value: info -- script: - lang: painless - description: The script sets event type, action and category based on type and sub-type fields - params: - eventmap: - "started_reporting": - type: - - start - "stopped_reporting": - type: - - end - "foreign_ap": - category: - - intrusion_detection - - threat - type: - - indicator - "bluetooth_in": - type: - - start - "bluetooth_out": - type: - - end - "port_cable_error": - type: - - connection - "node_hardware_failure": - category: - - host - type: - - end - "cellular_up": - type: - - start - "cellular_down": - type: - - end - "umbrella_expiring": - category: - - configuration - "ip_conflict": - type: - - protocol - "rogue_ap_association": - category: - - threat - type: - - indicator - "client_connectivity": - category: - - session - type: - - connection - "pcc_security_compliance": - category: - - configuration - "pcc_security_violation": - category: - - configuration - - threat - type: - - change - - indicator - "pcc_outage_end": - category: - - host - type: - - connection - "pcc_enrollment": - category: - - session - type: - - connection - - start - 
"geofencing_out": - type: - - connection - "pcc_outage_begin": - category: - - host - type: - - connection - - end - "dhcp_no_leases": - type: - - connection - - denied - - protocol - "vrrp": - category: - - configuration - type: - - change - "pcc_expired_apns_cert": - category: - - authentication - "amp_malware_blocked": - category: - - threat - - intrusion_detection - type: - - indicator - - denied - "amp_malware_detected": - category: - - threat - - intrusion_detection - type: - - indicator - - allowed - "pcc_sw_found": - category: - - host - - configuration - type: - - change - "pcc_unmanaged": - category: - - configuration - - iam - type: - - change - - deletion - "dhcp_alerts": - type: - - protocol - "power_supply_up": - type: - - start - "power_supply_down": - category: - - host - type: - - end - "unreachable_radius_server": - category: - - authentication - type: - - end - - denied - "rogue_ap": - category: - - threat - type: - - indicator - "rogue_dhcp": - category: - - threat - type: - - indicator - "settings_changed": - category: - - configuration - type: - - change - "port_connected": - type: - - connection - "port_disconnected": - type: - - end - "port_speed_change": - category: - - configuration - type: - - change - - protocol - "udld_error": - type: - - connection - - end - "uplink_ip6_conflict": - type: - - protocol - if: ctx?.json?.alertTypeId != null - source: |- - def alertTypeId = ctx.json.alertTypeId; - def eventMap = params.get('eventmap'); - def eventData = eventMap.get(alertTypeId); - ctx.event.action = ctx.json.alertType; - if (eventData == null) { - // Unclassified events - // - geofencing_in, critical_temperature - // - gateway_to_repeater, mi_alert - // - motion_alert, usage_alert - // - new_splash_signup, rps_base_supply_up - // - rps_backup, vpn_connectivity_change - return; - } - def eventCategory = eventData.get('category'); - if (eventCategory != null) { - for (def c : eventCategory) { - ctx.event.category.add(c); - } - } - def 
eventType = eventData.get('type'); - if (eventType != null) { - for (def t : eventType) { - ctx.event.type.add(t); - } - } -- rename: - field: json - target_field: cisco_meraki.event -## -# Clean up -## -- remove: - field: - - cisco_meraki.event.deviceSerial - - cisco_meraki.event.deviceMac - - cisco_meraki.event.deviceName - - cisco_meraki.event.deviceModel - - cisco_meraki.event.occurredAt - - cisco_meraki.event.networkName - - cisco_meraki.event.organizationId - - cisco_meraki.event.organizationName - - cisco_meraki.event.alertType - - cisco_meraki.event.alertLevel - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/cisco_meraki/0.5.1/data_stream/events/fields/agent.yml b/packages/cisco_meraki/0.5.1/data_stream/events/fields/agent.yml deleted file mode 100755 index 162c9f3aa3..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/events/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: log.offset - type: long - description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/0.5.1/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/0.5.1/data_stream/events/fields/base-fields.yml deleted file mode 100755 index ebba8d4244..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/events/fields/base-fields.yml +++ /dev/null @@ -1,32 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_meraki -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_meraki.events -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_meraki/0.5.1/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/0.5.1/data_stream/events/fields/ecs.yml deleted file mode 100755 index ca75c08a6e..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/events/fields/ecs.yml +++ /dev/null 
@@ -1,696 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. 
- name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
- Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. 
- name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - type: keyword -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
- multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
- This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: VLAN ID as reported by the observer. - name: network.vlan.id - type: keyword -- description: |- - The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. - Recommended values - * Malware - * Tool - - While not required, you can use a MITRE ATT&CK® software type. - name: threat.software.type - type: keyword -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: Describes the type of action conducted by the threat. - name: threat.indicator.description - type: keyword -- description: Reference URL linking to additional information about this indicator. - name: threat.indicator.reference - type: keyword -- description: Name of the file including the extension, without the directory. - name: threat.indicator.file.name - type: keyword -- description: SHA256 hash. 
- name: threat.indicator.file.hash.sha256 - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - name: client.geo.location.lat - type: geo_point -- description: Longitude and latitude. - name: client.geo.location.lon - type: geo_point -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: Organization name. 
- multi_fields:
- - name: text
- type: match_only_text
- name: organization.name
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
diff --git a/packages/cisco_meraki/0.5.1/data_stream/events/fields/fields.yml b/packages/cisco_meraki/0.5.1/data_stream/events/fields/fields.yml
deleted file mode 100755
index 7443e7680a..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/events/fields/fields.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-- name: cisco_meraki
- type: group
- fields:
- - name: event
- type: group
- fields:
- - name: version
- type: keyword
- description: Current version of webhook format
- - name: sharedSecret
- type: keyword
- description: User defined secret to be validated by the webhook receiver (optional)
- - name: sentAt
- type: date
- description: Timestamp of the sent message (UTC)
- - name: organizationId
- type: keyword
- description: ID of the Meraki organization
- - name: organizationName
- type: keyword
- description: Name of the Meraki organization
- - name: organizationUrl
- type: keyword
- description: URL of the Meraki Dashboard organization
- - name: networkId
- type: keyword
- description: ID for the Meraki network
- - name: networkName
- type: keyword
- description: Name for the Meraki network
- - name: networkUrl
- type: keyword
- description: URL of the Meraki Dashboard network
- - name: networkTags
- type: keyword
- description: Tags assigned to the Meraki network
- - name: deviceSerial
- type: keyword
- description: Serial number of the Meraki device
- - name: deviceMac
- type: keyword
- description: MAC address of the Meraki device
- - name: deviceName
- type: keyword
- description: Name assigned to the Meraki device
- - name: deviceUrl
- type: keyword
- description: URL of the Meraki device
- - name: deviceTags
- type: keyword
- description: Tags assigned to the Meraki device
- - name: deviceModel
- type: keyword
- description: Meraki device model
- - name: alertId
- type: keyword
- description: ID for this alert message
- - name: alertType
- type: keyword
- description: Type of alert (“Network usage alert”, “Settings changed”, etc.)
- - name: alertTypeId
- type: keyword
- description: Unique ID for the type of alert
- - name: alertLevel
- type: keyword
- description: Alert level (informational, critical etc.)
- - name: occurredAt
- type: date
- description: Timestamp of the alert (UTC)
- - name: alertData
- type: flattened
- description: Additional alert data (differs based on alert type)
diff --git a/packages/cisco_meraki/0.5.1/data_stream/events/manifest.yml b/packages/cisco_meraki/0.5.1/data_stream/events/manifest.yml
deleted file mode 100755
index bc4b29aa45..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/events/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-title: Cisco Meraki webhook events
-release: experimental
-type: logs
-streams:
- - input: http_endpoint
- title: Cisco Meraki webhook events
- description: Receives events from Cisco Meraki webhook
- template_path: http_endpoint.yml.hbs
- enabled: false
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- multi: false
- required: true
- show_user: true
- default: 8686
- - name: url
- type: text
- title: Webhook path
- description: URL path where the webhook will accept requests.
- multi: false
- required: true
- show_user: false
- default: /meraki/events
- - name: secret_value
- type: text
- description: Authorization token
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - meraki-events
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata.
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/cisco_meraki/0.5.1/data_stream/events/sample_event.json b/packages/cisco_meraki/0.5.1/data_stream/events/sample_event.json
deleted file mode 100755
index 198d32bfbe..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/events/sample_event.json
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- "@timestamp": "2018-02-11T00:00:00.123Z",
- "agent": {
- "ephemeral_id": "4dfea986-5bfd-4b6a-a1b0-00b3043870bd",
- "hostname": "docker-fleet-agent",
- "id": "9e1c0aac-8d48-4c33-a9f5-98e770f2028e",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cisco_meraki": {
- "event": {
- "alertData": {
- "connection": "LTE",
- "local": "192.168.1.2",
- "model": "UML290VW",
- "provider": "Purview Wireless",
- "remote": "1.2.3.5"
- },
- "alertId": "0000000000000000",
- "alertTypeId": "cellular_up",
- "deviceTags": [
- "tag1",
- "tag2"
- ],
- "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000",
- "networkId": "N_24329156",
- "networkUrl": "https://n1.meraki.com//n//manage/nodes/list",
- "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview",
- "sentAt": "2021-10-07T08:42:00.926325Z",
- "sharedSecret": "secret",
- "version": "0.1"
- }
- },
- "data_stream": {
- "dataset": "cisco_meraki.events",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "9e1c0aac-8d48-4c33-a9f5-98e770f2028e",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "Cellular came up",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "cisco_meraki.events",
- "ingested": "2022-04-26T04:00:40Z",
- "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main 
Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "informational"
- },
- "network": {
- "name": "Main Office"
- },
- "observer": {
- "mac": "00-11-22-33-44-55",
- "name": "My appliance",
- "product": "MX",
- "serial_number": "Q234-ABCD-5678",
- "vendor": "Cisco"
- },
- "organization": {
- "id": "2930418",
- "name": "My organization"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "meraki-events"
- ]
-}
\ No newline at end of file
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/logfile.yml.hbs
deleted file mode 100755
index 52b248876b..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 993860734e..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-max_message_size: 1 MiB
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 993860734e..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-max_message_size: 1 MiB
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-fields_under_root: true
-fields:
- _conf:
- tz_offset: '{{tz_offset}}'
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml b/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml
deleted file mode 100755
index 2a7b399e94..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-description: Pipeline for Cisco Meraki airmarshal_events type
-processors:
-- dissect:
- description: Determine the airmarshal event type
- field: event.original
- pattern: "%{} airmarshal_events %{*type}=%{&type} %{}"
-- rename:
- field: type
- target_field: cisco_meraki.event_subtype
-- grok:
- field: event.original
- patterns:
- - '%{GREEDYDATA} ssid=%{QS:_temp.ssid}%{SPACE}%{GREEDYDATA:_temp.kvline}'
-- dissect:
- field: _temp.ssid
- pattern: "'%{_temp.kv.ssid}'"
-- kv:
- field: _temp.kvline
- field_split: " "
- value_split: "="
- target_field: _temp.kv
- strip_brackets: true
-- rename:
- field: _temp.kv.ssid
- target_field: network.name
- if: ctx?._temp?.kv?.ssid != null
-- rename:
- field: _temp.kv.bssid
- target_field: cisco_meraki.bssid
-- rename:
- field: _temp.kv.vap
- target_field: cisco_meraki.vap
- if: ctx?.cisco_meraki?.event_subtype == 'ssid_spoofing_detected'
-- gsub:
- field: _temp.kv.src
- target_field: source.mac
- pattern: '[-:.]'
- replacement: '-'
-- gsub:
- field: _temp.kv.dst
- target_field: destination.mac
- pattern: '[-:.]'
- replacement: '-'
-- gsub:
- field: _temp.kv.wired_mac
- target_field: observer.mac
- pattern: '[-:.]'
- replacement: '-'
- if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected'
-- rename:
- field: _temp.kv.vlan_id
- target_field: network.vlan.id
- if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected'
-- rename:
- field: _temp.kv.channel
- target_field: cisco_meraki.channel
-- rename:
- field: _temp.kv.fc_type
- target_field: cisco_meraki.fc_type
-- rename:
- field: _temp.kv.fc_subtype
- target_field: cisco_meraki.fc_subtype
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8f1d8a55b1..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,356 +0,0 @@ ---- -description: Pipeline for Cisco Meraki syslog -processors: -- set: - field: ecs.version - value: 8.2.0 -- rename: - field: message - target_field: event.original -- dissect: - description: Extract syslog words - field: event.original - pattern: "%{} %{_temp.ts_nano} %{observer.hostname} %{cisco_meraki.event_type} %{}" -- date: - field: _temp.ts_nano - formats: - - UNIX - timezone: '{{{_conf.tz_offset}}}' -- pipeline: - name: '{{ IngestPipeline "flows" }}' - if: ctx.cisco_meraki.event_type == 'flows' -- pipeline: - name: '{{ IngestPipeline "ipflows" }}' - if: ctx.cisco_meraki.event_type == 'ip_flow_start' || ctx.cisco_meraki.event_type == 'ip_flow_end' -- pipeline: - name: '{{ IngestPipeline "airmarshal" }}' - if: ctx.cisco_meraki.event_type == 'airmarshal_events' -- pipeline: - name: '{{ IngestPipeline "security" }}' - if: ctx.cisco_meraki.event_type == 'security_event' -- pipeline: - name: '{{ IngestPipeline "idsalerts" }}' - if: ctx.cisco_meraki.event_type == 'ids-alerts' -- pipeline: - name: '{{ IngestPipeline "events" }}' - if: ctx.cisco_meraki.event_type == 'events' -- pipeline: - name: '{{ IngestPipeline "urls" }}' - if: ctx.cisco_meraki.event_type == 'urls' -- append: - field: event.category - value: ["network"] -- append: - field: event.type - value: ["info"] -- script: - lang: painless - description: The script sets event type, action and category based on type and sub-type fields - tag: set-event-type-for-meraki-events - params: - eventmap: - "vpn_connectivity_change": - category: - - session - type: - - connection - action: vpn-connectivity-change - "dhcp_offer": - type: - - access - - allowed - action: dhcp-offer - "dhcp_no_offer": - type: - - access - - denied - action: dhcp-no-offer - "Site-to-Site VPN": - type: - - access - action: site-to-site-vpn - "client_vpn_connect": - category: - - session - type: - - access - - allowed - - start - action: site-to-site-vpn - "ip_session_initiated": - type: - - access - - start - action: 
ip-session-initiated - "flow_allowed": - type: - - connection - - start - action: layer3-firewall-allowed-flow - "flow_denied": - type: - - access - - denied - action: layer3-firewall-denied-flow - "http_access": - category: - - web - type: - - access - action: http-access - "http_access_error": - category: - - web - type: - - error - action: http-access-error - "ids_alerted": - category: - - threat - type: - - indicator - action: ids-signature-matched - "security_filtering_file_scanned": - category: - - threat - - malware - type: - - indicator - - info - action: malicious-file-actioned - "security_filtering_disposition_change": - category: - - threat - - malware - type: - - indicator - - info - action: issued-retrospective-malicious-disposition - "association": - type: - - access - - connection - action: wifi-association-request - "disassociation": - category: - - session - type: - - access - - end - action: wifi-disassociation-request - "wpa_auth": - category: - - authentication - type: - - start - - access - action: wifi-wpa-authentication - "wpa_deauth": - category: - - authentication - type: - - end - - denied - action: wifi-wpa-failed-auth-or-deauth - "8021x_eap_failure": - category: - - authentication - type: - - end - - denied - action: wifi-8021x-failed-authentication-attempt - "8021x_deauth": - category: - - authentication - type: - - end - - denied - action: wifi-8021x-failed-auth-or-deauth - "8021x_eap_success": - category: - - authentication - type: - - start - action: wifi-8021x-auth - "splash_auth": - category: - - authentication - type: - - start - action: splash-authentication - "device_packet_flood": - category: - - threat - type: - - indicator - action: wireless-packet-flood-detected - "rogue_ssid_detected": - category: - - threat - type: - - indicator - action: rogue-ssid-detected - "ssid_spoofing_detected": - category: - - threat - type: - - indicator - action: ssid-spoofing-detected - "multiple_dhcp_servers_detected": - type: - - protocol - 
"dfs_event": - action: dynamic-frequency-selection-detected - "aps_association_reject": - action: association-rejected-for-load-balancing - if: ctx?.cisco_meraki?.event_subtype != null - source: |- - def eventMap = params.get('eventmap'); - def eventData = eventMap.get(ctx.cisco_meraki.event_subtype); - if (eventData == null) { - ctx.event.action = ctx.cisco_meraki.event_subtype; - return; - } - def eventCategory = eventData.get('category'); - def eventType = eventData.get('type'); - def eventAction = eventData.get('action'); - if (eventType != null) { - for (def t : eventType) { - ctx.event.type.add(t); - } - } - if (eventCategory != null) { - for (def c : eventCategory) { - ctx.event.category.add(c); - } - } - if (eventAction != null) { - ctx.event.action = eventAction; - } - -# IP Geolocation Lookup (source) -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: ctx.source?.geo == null && ctx?.source?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.source?.ip != null -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -# IP Geolocation Lookup (destination) -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: ctx.destination?.geo == null && ctx?.destination?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.destination?.ip != null -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true -# IP Geolocation Lookup (client) -- geoip: - field: client.ip - target_field: client.geo - ignore_missing: true - if: ctx.client?.geo == null && ctx?.client?.ip != null -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.client?.ip != null -- rename: - field: client.as.asn - target_field: client.as.number - ignore_missing: true -- rename: - field: client.as.organization_name - target_field: client.as.organization.name - ignore_missing: true -## -# Clean up -## -- remove: - field: - - _temp - - _conf - - sport - - dport - - mac - - src - - dst - - translated_src_ip - - translated_dst_ip - - translated_port - - wired_mac - - rssi - - protocol - - dhost - - client_mac - - radio - - sts - - msgtype - - timestamp - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml
deleted file mode 100755
index 8f778d2d34..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/events.yml
+++ /dev/null
@@ -1,202 +0,0 @@ ---- -description: Pipeline for Cisco Meraki events type -processors: -#################################################### -# set event_subtype based on type/format -#################################################### -- dissect: - description: Determine event type/format - field: event.original - pattern: "%{} events %{msgtype} %{}" -- set: - field: cisco_meraki.event_subtype - value: 'Site-to-Site VPN' - if: ctx?.msgtype.toLowerCase() == "site-to-site" -- set: - field: cisco_meraki.event_subtype - value: client_vpn_connect - if: ctx?.msgtype.toLowerCase() == "client_vpn_connect" -#################################################### -# log event with type= format -# these are dfs_event, association, disassocation, -# vpn_connectivity_change, wpa_auth, wpa_deauth -#################################################### -- dissect: - description: Get the event subtype - field: event.original - pattern: "%{} events type=%{type} %{}" - if: ctx?.msgtype.startsWith("type=") -- rename: - field: type - target_field: cisco_meraki.event_subtype - if: ctx?.type != null - -#################################################### -# Handle DHCP log events -#################################################### -- dissect: - field: event.original - pattern: "%{} events dhcp %{_temp.dhcp_op} %{_temp.dhcp_op2} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" -- set: - field: network.protocol - value: dhcp - if: ctx?.msgtype.toLowerCase() == "dhcp" -- dissect: - field: event.original - pattern: "%{} events dhcp lease of ip %{_temp.client_ip} from %{} mac %{server.mac} for client mac %{client.mac} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'lease' -- dissect: - field: event.original - pattern: "%{} events dhcp no offers for mac %{client.mac} %{}" - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' -- set: - field: cisco_meraki.event_subtype - 
value: dhcp_offer - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op == 'lease' -- set: - field: cisco_meraki.event_subtype - value: dhcp_no_offer - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' -- gsub: - field: client.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.msgtype.toLowerCase() == "dhcp" -- gsub: - field: server.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp.dhcp_op == 'lease' -#################################################### -# Handle Site-to-Site VPN message -#################################################### -- grok: - description: Process Site-to-Site VPN messages - field: event.original - patterns: - - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?i)Site-to-Site VPN:%{GREEDYDATA:cisco_meraki.site_to_site_vpn.raw}' - pattern_definitions: - SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGVER: '\b(?:\d{1,2})\b' - SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' - WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' - if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN" - -#################################################### -# Handle dfs_event, wpa_auth, wpa_deauth, -# association or disassociation -#################################################### -- grok: - field: event.original - patterns: - - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{GREEDYDATA:_temp.rest}' - pattern_definitions: - SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOGVER: '\b(?:\d{1,2})\b' - SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' - WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' - if: ctx.event.original.startsWith('<') && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', 'vpn_connectivity_change', '8021x_eap_failure', '8021x_auth', 
'8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) -- kv: - field: _temp.rest - field_split: "[ \t]{1,}" - value_split: "=" - target_field: cisco_meraki.{{{cisco_meraki.event_subtype}}} - strip_brackets: true - if: ctx?._temp?.rest != null && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) -# special case for site-to-site vpn -- kv: - field: _temp.rest - field_split: "[ \t]{1,}" - value_split: "=" - target_field: cisco_meraki.site_to_site_vpn.connectivity_change - strip_brackets: true - if: ctx?._temp?.rest != null && ctx?.cisco_meraki?.event_subtype == 'vpn_connectivity_change' - -#################################################### -# Move values from event subtypes to ECS fields -# multiple_dhcp_servers_detected -#################################################### -- set: - field: network.protocol - value: dhcp - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- rename: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_mac - target_field: server.mac - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- gsub: - field: server.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -# process original_server_ip -- grok: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - patterns: - - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" - - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' - ignore_failure: true -- convert: - type: ip - field: 
cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - target_field: server.ip - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' - ignore_failure: true -# cleanup only if the conversion was successful -- remove: - field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip - if: ctx?.server?.ip != null -- append: - field: related.ip - value: "{{{server.ip}}}" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -# process server_ip (the other dhcp server ip) -- grok: - field: cisco_meraki.multiple_dhcp_servers_detected.server_ip - patterns: - - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" - - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- convert: - type: ip - field: cisco_meraki.multiple_dhcp_servers_detected.server_ip - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -- append: - field: related.ip - value: "{{{cisco_meraki.multiple_dhcp_servers_detected.server_ip}}}" - if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' -#################################################### -# wpa_deauth -#################################################### -- rename: - field: cisco_meraki.wpa_deauth.client_mac - target_field: client.mac - if: ctx?.cisco_meraki?.event_subtype == 'wpa_deauth' - -#################################################### -# Handle client_vpn_connect -#################################################### -- dissect: - field: event.original - pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}" - if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect" - -#################################################### -# parse dissected IP values and convert to IP type -# common case for DHCP lease and client_vpn_connect 
-#################################################### -- grok: - field: _temp.client_ip - patterns: - - "^%{IPV4:_temp.client_ip}$" - - "^%{IPV6:_temp.client_ip}$" - if: ctx?._temp?.client_ip != null - ignore_failure: true -- convert: - type: ip - field: _temp.client_ip - target_field: client.ip - if: ctx?._temp?.client_ip != null - ignore_failure: true diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/flows.yml b/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/flows.yml deleted file mode 100755 index 7f47b9f6cc..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/flows.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -description: Pipeline for Cisco Meraki flows message type -processors: -- dissect: - description: Determine if the token is src= or operation - field: event.original - pattern: "%{} %{} %{} %{} %{_temp.token} %{}" -- dissect: - description: Case for src= follows flows keyword - field: event.original - pattern: "%{} flows %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{}" - if: ctx._temp.token.startsWith("src=") == true -- dissect: - description: Case for firewall action prepends src= - field: event.original - pattern: "%{} flows %{cisco_meraki.flows.op} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport}" - if: ctx._temp.token.startsWith("src=") == false -- grok: - field: src - patterns: - - "^%{IPV4:src}$" - - "^%{IPV6:src}$" - if: ctx?.src != null -- convert: - type: ip - field: src - target_field: source.ip - ignore_failure: true -- grok: - field: dst - patterns: - - "^%{IPV4:dst}$" - - "^%{IPV6:dst}$" - if: ctx?.dst != null -- convert: - type: ip - field: dst - target_field: destination.ip - ignore_failure: true -- rename: - field: protocol - target_field: network.protocol -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.sport != "0" - ignore_failure: true -- convert: - field: dport - target_field: destination.port - type: long - if: ctx?.dport != "0" - ignore_failure: true -- gsub: - field: mac - target_field: source.mac - pattern: '[-:.]' - replacement: '-' - if: ctx._temp.token.startsWith("src=") == false -- set: - field: cisco_meraki.event_subtype - value: "ip_session_initiated" - if: ctx._temp.token.startsWith("src=") == true -- set: - field: cisco_meraki.event_subtype - value: "flow_allowed" - if: ctx._temp.token.startsWith("src=") == false && ctx?.cisco_meraki?.flows?.op == 'allow' -- set: - field: cisco_meraki.event_subtype - value: "flow_denied" - if: ctx._temp.token.startsWith("src=") == false && 
ctx?.cisco_meraki?.flows?.op == 'deny' diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml b/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml deleted file mode 100755 index a1684a5e30..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml +++ /dev/null @@ -1,48 +0,0 @@ ---- -description: Pipeline for Cisco Meraki ids-alerts type -processors: -- dissect: - description: Determine the ids-alerts security event type - field: event.original - pattern: "%{} ids-alerts %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src}" -- set: - field: cisco_meraki.event_subtype - value: ids_alerted -- rename: - field: priority - target_field: cisco_meraki.security.priority -- rename: - field: signature - target_field: cisco_meraki.security.signature -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] -- rename: - field: direction - target_field: network.direction -- lowercase: - field: protocol - target_field: network.protocol -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.src != null -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip - ignore_failure: true -- convert: - field: sport - target_field: source.port - type: long - ignore_failure: true diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml b/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml deleted file mode 100755 index eb6667d991..0000000000 
--- a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml
+++ /dev/null
@@ -1,62 +0,0 @@ ---- -description: Pipeline for Cisco Meraki ip_flow_start and ip_flow_end message type -processors: -- dissect: - description: Determine if the token is src= or operation - field: event.original - pattern: "%{} %{} %{} %{_temp.event_type} %{_temp.token} %{}" -- dissect: - description: Case for src= follows ip_flow_start - field: event.original - pattern: "%{} ip_flow_start %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi}=%{&tsi} %{*tp}=%{&tp}" - if: ctx._temp.event_type == 'ip_flow_start' && ctx._temp.token.startsWith("src=") == true -- dissect: - description: Case for src= follows ip_flow_end - field: event.original - pattern: "%{} ip_flow_end %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi_or_tdi}=%{&tsi_or_tdi} %{*tp}=%{&tp}" - if: ctx._temp.event_type == 'ip_flow_end' && ctx._temp.token.startsWith("src=") == true -# source field IP:port handling -- convert: - type: ip - field: translated_src_ip - target_field: source.ip - if: ctx?.translated_src_ip != null -- convert: - type: ip - field: src - target_field: source.ip - if: ctx?.translated_src_ip == null && ctx?.src != null -- convert: - field: translated_port - target_field: source.port - type: long - if: ctx?.translated_src_ip != null && ctx?.translated_port != null -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.translated_src_ip == null && ctx?.sport != null -# destination field IP:port handling -- convert: - type: ip - field: translated_dst_ip - target_field: destination.ip - if: ctx?.translated_dst_ip != null -- convert: - type: ip - field: dst - target_field: destination.ip - if: ctx?.translated_dst_ip == null && ctx?.dst != null -- convert: - field: translated_port - target_field: destination.port - type: long - if: ctx?.translated_dst_ip != null && ctx?.translated_port != null -- convert: - field: dport - target_field: destination.port - type: long - if: 
ctx?.translated_dst_ip == null && ctx?.dport != null -- rename: - field: protocol - target_field: network.protocol diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/security.yml b/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/security.yml deleted file mode 100755 index 38cd937352..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/security.yml +++ /dev/null 
@@ -1,151 +0,0 @@ ---- -description: Pipeline for Cisco Meraki security_event type -processors: -- dissect: - description: Determine the security event type - field: event.original - pattern: "%{} security_event %{type} %{}" -- rename: - field: type - target_field: cisco_meraki.event_subtype - -# scan event based on event type -- dissect: - field: event.original - pattern: "%{} ids_alerted %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dhost}=%{&dhost} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src} %{*dst}=%{&dst} %{}" - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- dissect: - field: event.original - pattern: "%{} security_filtering_file_scanned %{*url}=%{&url} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*name}='%{&name}' %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- dissect: - field: event.original - pattern: "%{} security_filtering_disposition_change %{*name}=%{&name} %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' - -# handle fields of ids_alerted type -- rename: - field: priority - target_field: cisco_meraki.security.priority - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: signature - target_field: cisco_meraki.security.signature - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- gsub: - field: dhost - target_field: cisco_meraki.security.dhost - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: direction - target_field: network.direction - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- lowercase: - field: protocol - target_field: network.protocol - if: ctx?.cisco_meraki?.event_subtype == 
'ids_alerted' -# Process the remaining after dst=. It can have "decision= message: *" or just "message: *" -- dissect: - field: event.original - pattern: "%{} dst=%{?ignore} %{*decision}=%{&decision} %{*message}:%{&message}" - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - ignore_failure: true -- dissect: - field: event.original - pattern: "%{} dst=%{?ignore} %{*message}:%{&message}" - if: ctx?.decision == null && ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: message - target_field: threat.indicator.description - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' -- rename: - field: decision - target_field: cisco_meraki.security.decision - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - -# handle fields of security_filtering_file_scanned or security_filtering_disposition_change type -- rename: - field: url - target_field: threat.indicator.reference - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- gsub: - field: mac - target_field: cisco_meraki.security.mac - pattern: '[-:.]' - replacement: '-' - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' -- rename: - field: name - target_field: threat.indicator.file.name - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: sha256 - target_field: threat.indicator.file.hash.sha256 - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: disposition - target_field: threat.software.type - if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -- rename: - field: action - target_field: cisco_meraki.security.action - if: ctx?.cisco_meraki?.event_subtype == 
'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' -# fields common to more than one event type -# src processing -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.src != null -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' -- convert: - field: sport - target_field: source.port - type: long - if: ctx?.sport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true -# dst processing -- grok: - field: dst - patterns: - - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" - - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" - - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" - - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.dst != null -- convert: - type: ip - field: _temp.dst_ip - target_field: destination.ip - ignore_failure: true - if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' -- convert: - field: dport - target_field: destination.port - type: long - if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true 
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/urls.yml b/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/urls.yml
deleted file mode 100755
index 68bcddb288..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/elasticsearch/ingest_pipeline/urls.yml
+++ /dev/null
@@ -1,64 +0,0 @@ ---- -description: Pipeline for Cisco Meraki urls type -processors: -- dissect: - description: Determine the security event type - field: event.original - pattern: "%{} urls %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} request: %{http.request.method} %{url.original}" -# src processing -- grok: - field: src - patterns: - - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" - - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" - - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" - - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' -- convert: - type: ip - field: _temp.src_ip - target_field: source.ip -- convert: - type: long - field: sport - target_field: source.port - ignore_failure: true -# dst processing -- grok: - field: dst - patterns: - - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" - - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" - - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" - - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" - pattern_definitions: - IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' - IPV6PORTSEP: '(?: port |[p#.])' - PORT: '[0-9]+' -- convert: - type: ip - field: _temp.dst_ip - target_field: destination.ip - ignore_failure: true -- convert: - type: long - field: dport - target_field: destination.port - if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' - ignore_failure: true -- gsub: - field: mac - target_field: cisco_meraki.urls.mac - pattern: '[-:.]' - replacement: '-' -- set: - field: cisco_meraki.event_subtype - value: 'http_access' - if: ctx?.http?.request?.method.toLowerCase() != 'unknown' -- set: - field: cisco_meraki.event_subtype - value: 'http_access_error' - if: ctx?.http?.request?.method.toLowerCase() == 'unknown' 
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/fields/agent.yml b/packages/cisco_meraki/0.5.1/data_stream/log/fields/agent.yml
deleted file mode 100755
index 162c9f3aa3..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. -- name: log.offset - type: long - description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/0.5.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 7691cacc73..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_meraki -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_meraki.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/0.5.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index 5a7712bb73..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,681 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. 
- level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. 
- name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
- Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
- name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". 
- name: url.path
- type: wildcard
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: network.vlan.id
- type: keyword
-- description: |-
- The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
- Recommended values
- * Malware
- * Tool
-
- While not required, you can use a MITRE ATT&CK® software type.
- name: threat.software.type
- type: keyword
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: Describes the type of action conducted by the threat.
- name: threat.indicator.description
- type: keyword
-- description: Reference URL linking to additional information about this indicator.
- name: threat.indicator.reference
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: threat.indicator.file.name
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: City name.
- name: client.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: client.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: client.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: client.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: client.geo.location.lat
- type: geo_point
-- description: Longitude and latitude.
- name: client.geo.location.lon
- type: geo_point
-- description: Region ISO code.
- name: client.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: client.geo.region_name
- type: keyword
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/fields/fields.yml b/packages/cisco_meraki/0.5.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 373013e01f..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-- name: cisco_meraki
- type: group
- fields:
- - name: event_type
- type: keyword
- - name: event_subtype
- type: keyword
- - name: bssid
- type: keyword
- - name: vap
- type: keyword
- - name: channel
- type: keyword
- - name: fc_type
- type: keyword
- - name: fc_subtype
- type: keyword
- - name: flows
- type: flattened
- - name: dfs_event
- type: flattened
- - name: wpa_auth
- type: flattened
- - name: wpa_deauth
- type: flattened
- - name: association
- type: flattened
- - name: disassociation
- type: flattened
- - name: 8021x_eap_failure
- type: flattened
- - name: 8021x_deauth
- type: flattened
- - name: 8021x_auth
- type: flattened
- - name: 8021x_eap_success
- type: flattened
- - name: splash_auth
- type: flattened
- - name: device_packet_flood
- type: flattened
- - name: multiple_dhcp_servers_detected
- type: flattened
- - name: aps_association_reject
- type: flattened
- - name: urls
- type: group
- fields:
- - name: mac
- type: keyword
- - name: security
- type: group
- fields:
- - name: priority
- type: keyword
- - name: signature
- type: keyword
- - name: dhost
- type: keyword
- - name: decision
- type: keyword
- - name: mac
- type: keyword
- - name: action
- type: keyword
- - name: site_to_site_vpn
- type: group
- fields:
- - name: raw
- type: text
- - name: connectivity_change
- type: flattened
diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/manifest.yml b/packages/cisco_meraki/0.5.1/data_stream/log/manifest.yml
deleted file mode 100755
index bf78f78a80..0000000000
--- a/packages/cisco_meraki/0.5.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,175 +0,0 @@ -title: Cisco Meraki logs (via Syslog) -release: experimental -type: logs -streams: - - input: udp - template_path: udp.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: true - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 8685 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: tcp - template_path: tcp.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: false - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. 
Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 8685 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: ssl - type: yaml - title: TLS - description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - multi: false - required: false - show_user: false - default: | - enabled: false - certificate: "/etc/pki/client/cert.pem" - key: "/etc/pki/client/cert.key" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - template_path: logfile.yml.hbs - title: Cisco Meraki logs - description: Collect Cisco Meraki logs (via Syslog) - enabled: false - vars: - - name: paths - type: text - title: Paths - multi: true - required: false - show_user: true - default: - - /var/log/cisco-meraki.log - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - cisco-meraki - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/cisco_meraki/0.5.1/data_stream/log/sample_event.json b/packages/cisco_meraki/0.5.1/data_stream/log/sample_event.json deleted file mode 100755 index 28606304be..0000000000 --- a/packages/cisco_meraki/0.5.1/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,95 +0,0 @@
-{
- "@timestamp": "2021-11-23T18:13:18.348Z",
- "agent": {
- "ephemeral_id": "b81987d6-cf2e-4101-af0b-0415b1576f88",
- "hostname": "docker-fleet-agent",
- "id": "9e1c0aac-8d48-4c33-a9f5-98e770f2028e",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cisco_meraki": {
- "event_subtype": "ids_alerted",
- "event_type": "security_event",
- "security": {
- "decision": "allowed",
- "dhost": "D0-AB-D5-7B-43-73",
- "priority": "1",
- "signature": "1:29708:4"
- }
- },
- "data_stream": {
- "dataset": "cisco_meraki.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "10.0.3.162",
- "port": 56391
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "9e1c0aac-8d48-4c33-a9f5-98e770f2028e",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "ids-signature-matched",
- "agent_id_status": "verified",
- "category": [
- "network",
- "threat"
- ],
- "dataset": "cisco_meraki.log",
- "ingested": "2022-04-26T04:02:28Z",
- "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
- "type": [
- "info",
- "indicator"
- ]
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.208.4:40317"
- }
- },
- "network": {
- "direction": "ingress",
- "protocol": "tcp/ip"
- },
- "observer": {
- "hostname": "MX84"
- },
- "source": {
- "as": {
- "number": 35908
- },
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.12",
- "port": 80
- },
- "tags": [
- "preserve_original_event",
- "cisco-meraki",
- "forwarded"
- ],
- "threat": {
- "indicator": {
- "description": " BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
- "last_seen": "2021-11-23T18:13:18.330Z"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/cisco_meraki/0.5.1/docs/README.md b/packages/cisco_meraki/0.5.1/docs/README.md
deleted file mode 100755
index 34664d2de0..0000000000
--- a/packages/cisco_meraki/0.5.1/docs/README.md
+++ /dev/null
@@ -1,700 +0,0 @@ -# Cisco Meraki Integration - -Cisco Meraki offers a centralized cloud management platform for all Meraki devices such as MX Security Appliances, MR Access Points and so on. Its out-of-band cloud architecture creates secure, scalable and easy-to-deploy networks that can be managed from anywhere. This can be done from almost any device using web-based Meraki Dashboard and Meraki Mobile App. Each Meraki network generates its own events. - -Cisco Meraki offers [several methods for device reporting](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API). This integration supports gathering events via the Cisco Meraki syslog and via API reporting webhooks. The integration package allows you to search, observe, and visualize the events through Elasticsearch. - -## Compatibility - -A syslog server can be configured to store messages for reporting purposes from MX Security Appliances, MR Access Points, and MS switches. This package collects events from the configured syslog server. The integration supports collection of events from "MX Security Appliances" and "MR Access Points". The "MS Switch" events are not recognized. - -## Configuration - -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations** -2. In "Search for integrations" search bar type **Meraki** -3. Click on "Cisco Meraki" integration from the search results. -4. Click on **Add Cisco Meraki Integration** button to add the integration. - -### Cisco Meraki Dashboard Configuration - -#### Syslog - -Cisco Meraki dashboard can be used to configure one or more syslog servers and Meraki message types to be sent to the syslog servers. 
Refer to [Syslog Server Overview and Configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration#Configuring_a_Syslog_Server) page for more information on how to configure syslog server on Cisco Meraki. - -#### API Endpoint (Webhooks) - -Cisco Meraki dashboard can be used to configure Meraki webhooks. Refer to the [Webhooks Dashboard Setup](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API#Webhooks_Dashboard_Setup) section. - -### Configure the Cisco Meraki integration - -#### Syslog - -Depending on the syslog server setup in your environment check one/more of the following options "Collect syslog from Cisco Meraki via UDP", "Collect syslog from Cisco Meraki via TCP", "Collect syslog from Cisco Meraki via file". - -Enter the values for syslog host and port OR file path based on the chosen configuration options. - -### API Endpoint (Webhooks) - -Check the option "Collect events from Cisco Meraki via Webhooks" option. - -1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8686/meraki/events`. -2. Enter value for "Secret value". This must match the "Shared Secret" value entered when configuring the webhook from Meraki cloud. -3. Enter values for "TLS". Cisco Meraki requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration. - -### Log Events - -Enable to collect Cisco Meraki log events for all the applications configured for the chosen log stream. - -## Logs - -### Syslog - -The `cisco_meraki.log` dataset provides events from the configured syslog server. All Cisco Meraki syslog specific fields are available in the `cisco_meraki.log` field group. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cisco_meraki.8021x_auth | | flattened | -| cisco_meraki.8021x_deauth | | flattened | -| cisco_meraki.8021x_eap_failure | | flattened | -| cisco_meraki.8021x_eap_success | | flattened | -| cisco_meraki.aps_association_reject | | flattened | -| cisco_meraki.association | | flattened | -| cisco_meraki.bssid | | keyword | -| cisco_meraki.channel | | keyword | -| cisco_meraki.device_packet_flood | | flattened | -| cisco_meraki.dfs_event | | flattened | -| cisco_meraki.disassociation | | flattened | -| cisco_meraki.event_subtype | | keyword | -| cisco_meraki.event_type | | keyword | -| cisco_meraki.fc_subtype | | keyword | -| cisco_meraki.fc_type | | keyword | -| cisco_meraki.flows | | flattened | -| cisco_meraki.multiple_dhcp_servers_detected | | flattened | -| cisco_meraki.security.action | | keyword | -| cisco_meraki.security.decision | | keyword | -| cisco_meraki.security.dhost | | keyword | -| cisco_meraki.security.mac | | keyword | -| cisco_meraki.security.priority | | keyword | -| cisco_meraki.security.signature | | keyword | -| cisco_meraki.site_to_site_vpn.connectivity_change | | flattened | -| cisco_meraki.site_to_site_vpn.raw | | text | -| cisco_meraki.splash_auth | | flattened | -| cisco_meraki.urls.mac | | keyword | -| cisco_meraki.vap | | keyword | -| cisco_meraki.wpa_auth | | flattened | -| cisco_meraki.wpa_deauth | | flattened | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location.lat | Longitude and latitude. 
| geo_point | -| client.geo.location.lon | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. 
| keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.name | Name given by operators to sections of their network. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. 
| keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. 
| long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.reference | Reference URL linking to additional information about this indicator. 
| keyword |
-| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values \* Malware \* Tool While not required, you can use a MITRE ATT&CK® software type. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-
-
-An example event for `log` looks as following:
-
-```json
-{
- "@timestamp": "2021-11-23T18:13:18.348Z",
- "agent": {
- "ephemeral_id": "b81987d6-cf2e-4101-af0b-0415b1576f88",
- "hostname": "docker-fleet-agent",
- "id": "9e1c0aac-8d48-4c33-a9f5-98e770f2028e",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cisco_meraki": {
- "event_subtype": "ids_alerted",
- "event_type": "security_event",
- "security": {
- "decision": "allowed",
- "dhost": "D0-AB-D5-7B-43-73",
- "priority": "1",
- "signature": "1:29708:4"
- }
- },
- "data_stream": {
- "dataset": "cisco_meraki.log",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "10.0.3.162",
- "port": 56391
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "9e1c0aac-8d48-4c33-a9f5-98e770f2028e",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "ids-signature-matched",
- "agent_id_status": "verified",
- "category": [
- "network",
- "threat"
- ],
- "dataset": "cisco_meraki.log",
- "ingested": "2022-04-26T04:02:28Z",
- "original": 
"\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
- "type": [
- "info",
- "indicator"
- ]
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "192.168.208.4:40317"
- }
- },
- "network": {
- "direction": "ingress",
- "protocol": "tcp/ip"
- },
- "observer": {
- "hostname": "MX84"
- },
- "source": {
- "as": {
- "number": 35908
- },
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.12",
- "port": 80
- },
- "tags": [
- "preserve_original_event",
- "cisco-meraki",
- "forwarded"
- ],
- "threat": {
- "indicator": {
- "description": " BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected",
- "last_seen": "2021-11-23T18:13:18.330Z"
- }
- }
-}
-```
-
-### API Endpoint (Webhooks)
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cisco_meraki.event.alertData | Additional alert data (differs based on alert type) | flattened |
-| cisco_meraki.event.alertId | ID for this alert message | keyword |
-| cisco_meraki.event.alertLevel | Alert level (informational, critical etc.) | keyword |
-| cisco_meraki.event.alertType | Type of alert (“Network usage alert”, “Settings changed”, etc.) 
| keyword |
-| cisco_meraki.event.alertTypeId | Unique ID for the type of alert | keyword |
-| cisco_meraki.event.deviceMac | MAC address of the Meraki device | keyword |
-| cisco_meraki.event.deviceModel | Meraki device model | keyword |
-| cisco_meraki.event.deviceName | Name assigned to the Meraki device | keyword |
-| cisco_meraki.event.deviceSerial | Serial number of the Meraki device | keyword |
-| cisco_meraki.event.deviceTags | Tags assigned to the Meraki device | keyword |
-| cisco_meraki.event.deviceUrl | URL of the Meraki device | keyword |
-| cisco_meraki.event.networkId | ID for the Meraki network | keyword |
-| cisco_meraki.event.networkName | Name for the Meraki network | keyword |
-| cisco_meraki.event.networkTags | Tags assigned to the Meraki network | keyword |
-| cisco_meraki.event.networkUrl | URL of the Meraki Dashboard network | keyword |
-| cisco_meraki.event.occurredAt | Timestamp of the alert (UTC) | date |
-| cisco_meraki.event.organizationId | ID of the Meraki organization | keyword |
-| cisco_meraki.event.organizationName | Name of the Meraki organization | keyword |
-| cisco_meraki.event.organizationUrl | URL of the Meraki Dashboard organization | keyword |
-| cisco_meraki.event.sentAt | Timestamp of the sent message (UTC) | date |
-| cisco_meraki.event.sharedSecret | User defined secret to be validated by the webhook receiver (optional) | keyword |
-| cisco_meraki.event.version | Current version of webhook format | keyword |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.geo.city_name | City name. | keyword |
-| client.geo.continent_name | Name of the continent. | keyword |
-| client.geo.country_iso_code | Country ISO code. | keyword |
-| client.geo.country_name | Country name. 
| keyword |
-| client.geo.location.lat | Longitude and latitude. | geo_point |
-| client.geo.location.lon | Longitude and latitude. | geo_point |
-| client.geo.region_iso_code | Region ISO code. | keyword |
-| client.geo.region_name | Region name. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. 
An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. 
| keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. 
In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. 
internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. 
| keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. Recommended values \* Malware \* Tool While not required, you can use a MITRE ATT&CK® software type. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | - - -An example event for `events` looks as following: - -```json -{ - "@timestamp": "2018-02-11T00:00:00.123Z", - "agent": { - "ephemeral_id": "4dfea986-5bfd-4b6a-a1b0-00b3043870bd", - "hostname": "docker-fleet-agent", - "id": "9e1c0aac-8d48-4c33-a9f5-98e770f2028e", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cisco_meraki": { - "event": { - "alertData": { - "connection": "LTE", - "local": "192.168.1.2", - "model": "UML290VW", - "provider": "Purview Wireless", - "remote": "1.2.3.5" - }, - "alertId": "0000000000000000", - "alertTypeId": "cellular_up", - "deviceTags": [ - "tag1", - "tag2" - ], - "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", - "networkId": "N_24329156", - "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", - "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", - "sentAt": "2021-10-07T08:42:00.926325Z", - "sharedSecret": "secret", - "version": "0.1" - } - }, - "data_stream": { - "dataset": "cisco_meraki.events", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "9e1c0aac-8d48-4c33-a9f5-98e770f2028e", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "Cellular came up", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "cisco_meraki.events", - "ingested": "2022-04-26T04:00:40Z", - "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My 
appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}", - "type": [ - "info", - "start" - ] - }, - "input": { - "type": "http_endpoint" - }, - "log": { - "level": "informational" - }, - "network": { - "name": "Main Office" - }, - "observer": { - "mac": "00-11-22-33-44-55", - "name": "My appliance", - "product": "MX", - "serial_number": "Q234-ABCD-5678", - "vendor": "Cisco" - }, - "organization": { - "id": "2930418", - "name": "My organization" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "meraki-events" - ] -} -``` diff --git a/packages/cisco_meraki/0.5.1/img/cisco-logo.svg b/packages/cisco_meraki/0.5.1/img/cisco-logo.svg deleted file mode 100755 index a174ad4488..0000000000 --- a/packages/cisco_meraki/0.5.1/img/cisco-logo.svg +++ /dev/null @@ -1 +0,0 @@ - diff --git a/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-1.png b/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-1.png deleted file mode 100755 index 7f6816cf73..0000000000 Binary files a/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-1.png and /dev/null differ diff --git a/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-2.png b/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-2.png deleted file mode 100755 index 810b80d4ad..0000000000 Binary files a/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-2.png and /dev/null differ 
diff --git a/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-3.png b/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-3.png
deleted file mode 100755
index 1cfa3ccb7d..0000000000
Binary files a/packages/cisco_meraki/0.5.1/img/cisco-meraki-dashboard-3.png and /dev/null differ
diff --git a/packages/cisco_meraki/0.5.1/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json b/packages/cisco_meraki/0.5.1/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json
deleted file mode 100755
index 11cb03d88a..0000000000
--- a/packages/cisco_meraki/0.5.1/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json
+++ /dev/null
@@ -1,157 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\":{\"columnOrder\":[\"c379da24-eba4-47a5-b9aa-213324504619\"],\"columns\":{\"c379da24-eba4-47a5-b9aa-213324504619\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of 
source.mac\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.mac\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"c379da24-eba4-47a5-b9aa-213324504619\",\"layerId\":\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"title\":\"Count of source MAC address\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"511effff-5682-4cfa-a2de-739bbefa93ea\":{\"columnOrder\":[\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"0929169c-0ee9-4eb6-93b6-effcb648c779\",\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"columns\":{\"0929169c-0ee9-4eb6-93b6-effcb648c779\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c66ed022-eab0-4834-8a01-f508aa4b32b3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"},\"c66ed022-eab0-4834-8a01-f508aa4b32b3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"layerId\":\"511effff-5682-4cfa-a2de-739bbefa93ea\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"xAccessor\":\"0929169c-0ee9-4eb6-93b6-effcb648c779\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"03bf41fe-673d-4f95-9d6e-510d8dc46ba6\",\"w\":13,\"x\":9,\"y\":0},\"panelIndex\":\"03bf41fe
-673d-4f95-9d6e-510d8dc46ba6\",\"title\":\"Rate of events by type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"abda3ec0-db97-4e02-a42e-45e716110de2\":{\"columnOrder\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\",\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\"],\"columns\":{\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c59ef8c2-80ea-4386-834f-378f4a76b87c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\"],\"layerId\":\"abda3ec0-db97-4e02-a42e-45e716110de2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"w\":13,\"x\":22,\"y\":0},\"panelIndex\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"title\":\"Event distribution by 
type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\":{\"columnOrder\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\",\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\"],\"columns\":{\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of cisco_meraki.event_type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"cisco_meraki.event_type\"},\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cisco_meraki.event_subtype\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_subtype\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\"],\"layerId\":\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"title\":\"Event distribution by 
sub-type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\":{\"columnOrder\":[\"66ede758-6532-443e-834d-a847c964682f\"],\"columns\":{\"66ede758-6532-443e-834d-a847c964682f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of rogue SSIDs detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"rogue_ssid_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"rogue_ssid_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"66ede758-6532-443e-834d-a847c964682f\",\"layerId\":\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"w\":
9,\"x\":0,\"y\":5},\"panelIndex\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"title\":\"Number of rogue SSIDs detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bcffdee9-d006-4e9c-abcc-081ac4739d02\":{\"columnOrder\":[\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\"],\"columns\":{\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of SSID spoofing detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"ssid_spoofing_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"ssid_spoofing_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\",\"layerId\":\"bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enh
ancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"w\":9,\"x\":0,\"y\":10},\"panelIndex\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"title\":\"Number of SSID spoofing detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9a165bef-572a-44fb-9285-70d75530b799\":{\"columnOrder\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\",\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\"],\"columns\":{\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.action\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.action\"},\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\"],\"layerId\":\"9a165bef-572a-44fb-9285-70d75530b799\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":24,\"i\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"w\":27,\"x\":0,\"y\":15},\"panelIndex\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"title\":\"Events by category and 
action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"09082ad3-0055-461d-bf69-2b69a5dfb298\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ce84cee6-da49-4261-beaa-628ca03abc52\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Green to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\",\\\"useCustomColorRamp\\\":false}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":3}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"field\\\":{\\\"label\\\":\\\"count\\\",\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\",\\\"type\\\":\\\"number\\\",\\\"supportsAutoDomain\\\":true}}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"8dec8632-de8b-43df-9731-5c6c45ecb45f\\\",\\\"label\\\":\\\"src-dst-ip-p2p\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.61,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-2y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[{\\\"meta\\\":{\\\"index\\\":\\\"logs-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"data_stream.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"cisco_meraki.log\\\"}},\\\"query
\\\":{\\\"match_phrase\\\":{\\\"data_stream.dataset\\\":\\\"cisco_meraki.log\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":19.50912,\"lon\":-10.59576,\"zoom\":0.61},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"w\":21,\"x\":27,\"y\":15},\"panelIndex\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"title\":\"IP 
Flows\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"04c98418-d7c7-4552-9ed3-d0380795febd\":{\"columnOrder\":[\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"columns\":{\"1e47d004-4347-46ee-aed2-280f64e8888d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of url.original\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"url.original\"},\"4c2300ef-9033-45bd-8b0e-06deea3996f1\":{\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"layerId\":\"04c98418-d7c7-4552-9ed3-d0380795febd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"xAccessor\":\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"title\":\"Top URL access\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"w\":48,\"x\":0,\"y\":39},\"panelIndex\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"title\":\"Log stream\",\"type\":\"LOG_STREAM_EMBEDDABLE\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs Cisco Meraki Syslog Events] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4", - "migrationVersion": { - "dashboard": "7.17.0" - }, - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e359d544-a8d6-4019-9756-74519a9d3335:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "beacf090-799a-415a-bbad-302cd02d50be:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58d65007-15fc-492f-a8db-f509b7d28aad:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": 
"dashboard" -} \ No newline at end of file diff --git a/packages/cisco_meraki/0.5.1/manifest.yml b/packages/cisco_meraki/0.5.1/manifest.yml deleted file mode 100755 index 219b1ca60b..0000000000 --- a/packages/cisco_meraki/0.5.1/manifest.yml +++ /dev/null @@ -1,50 +0,0 @@ -format_version: 1.0.0 -name: cisco_meraki -title: Cisco Meraki Integration -version: 0.5.1 -license: basic -description: Collect events from Cisco Meraki. -type: integration -categories: - - network - - security -release: experimental -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/cisco-meraki-dashboard-1.png - title: Cisco Meraki Dashboard - size: 600x600 - type: image/png - - src: /img/cisco-meraki-dashboard-2.png - title: Cisco Meraki Dashboard - size: 600x600 - type: image/png - - src: /img/cisco-meraki-dashboard-3.png - title: Cisco Meraki Dashboard - size: 600x600 - type: image/png -icons: - - src: /img/cisco-logo.svg - title: Cisco logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: cisco_meraki - title: Cisco Meraki logs or events - description: Collect logs or events from Cisco Meraki - inputs: - - type: udp - title: Collect syslog from Cisco Meraki via UDP - description: Collecting syslog from Cisco Meraki via UDP - - type: tcp - title: Collect syslog from Cisco Meraki via TCP - description: Collecting syslog from Cisco Meraki via TCP - - type: logfile - title: Collect syslog from Cisco Meraki via file - description: Collecting syslog from Cisco Meraki via file - - type: http_endpoint - title: Collect events from Cisco Meraki via Webhooks - description: Collecting events from Cisco Meraki via Webhooks -owner: - github: elastic/security-external-integrations diff --git a/packages/cisco_umbrella/1.0.1/changelog.yml b/packages/cisco_umbrella/1.0.1/changelog.yml deleted file mode 100755 index 818e81b920..0000000000 --- a/packages/cisco_umbrella/1.0.1/changelog.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -# newer versions go on top -- version: "1.0.1" - changes: - - description: Update to readme. added link to Cisco documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3219 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.7.0" - changes: - - description: Add Audit Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/3332 -- version: "0.6.1" - changes: - - description: Fix use of destination.ip instead of source.nat.ip in DNS logs - type: bugfix - link: https://github.com/elastic/integrations/pull/3218 -- version: "0.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "0.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.5.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2396 -- version: "0.4.0" - changes: - - description: Update config to support Cisco Managed S3 - type: bugfix - link: https://github.com/elastic/integrations/pull/2462 -- version: "0.3.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.3.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "0.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2269 -- version: "0.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1959 -- version: "0.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1810 -- version: "0.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1787 -- version: "0.1.0" - changes: - - description: Initial migration from Filebeat Module - type: enhancement - link: https://github.com/elastic/integrations/pull/1646 diff --git a/packages/cisco_umbrella/1.0.1/data_stream/log/agent/stream/aws-s3.yml.hbs b/packages/cisco_umbrella/1.0.1/data_stream/log/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 13c48cb366..0000000000 --- a/packages/cisco_umbrella/1.0.1/data_stream/log/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,70 +0,0 @@ -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}}/ -{{/if}} -{{#if bucket_list_prefix}} -file_selectors: - - regex: {{bucket_list_prefix}}/dnslogs/.+ - - regex: {{bucket_list_prefix}}/proxylogs/.+ - - regex: {{bucket_list_prefix}}/cloudfirewalllogs/.+ - - regex: {{bucket_list_prefix}}/iplogs/.+ - - regex: {{bucket_list_prefix}}/auditlogs/.+ -{{/if}} -{{#if region}} -default_region: {{region}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if bucket_list_interval}} -bucket_list_interval: {{bucket_list_interval}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/cisco_umbrella/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cadb340add..0000000000 
--- a/packages/cisco_umbrella/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,423 +0,0 @@ ---- -description: Pipeline for Cisco Umbrella - -processors: - - set: - field: ecs.version - value: "8.2.0" - - set: - field: observer.vendor - value: Cisco - - set: - field: observer.product - value: Umbrella - - rename: - field: message - target_field: event.original - ############ - # DNS Logs # - ############ - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - cisco.umbrella.identities - - source.address - - source.nat.ip - - cisco.umbrella.action - - dns.question.type - - dns.response_code - - dns.question.name - - cisco.umbrella.categories - - cisco.umbrella.policy_identity_type - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - if: ctx?.log?.file?.path.contains('dnslogs') - - - set: - field: observer.type - value: dns - if: ctx?.log?.file?.path.contains('dnslogs') - ########### - # IP Logs # - ########### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.categories - if: ctx?.log?.file?.path.contains('iplogs') - - - set: - field: observer.type - value: firewall - if: ctx?.log?.file?.path.contains('iplogs') - - ############## - # Proxy Logs # - ############## - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.computer_name - - cisco.umbrella.identities - - source.address - - source.nat.ip - - destination.address - - cisco.umbrella.content_type - - cisco.umbrella.verdict - - url.full - - http.request.referrer - - user_agent.original - - http.response.status_code - - http.request.bytes - - http.response.bytes - - http.response.body.bytes - - cisco.umbrella.sha_sha256 - - cisco.umbrella.categories - - cisco.umbrella.av_detections - - cisco.umbrella.puas - - cisco.umbrella.amp_disposition - - cisco.umbrella.amp_malware_name - - cisco.umbrella.amp_score - - cisco.umbrella.identity_types - - 
cisco.umbrella.blocked_categories - - cisco.umbrella.identity_types - - cisco.umbrella.request_method - - cisco.umbrella.dlp_status - - cisco.umbrella.certificate_errors - - cisco.umbrella.file_name - - cisco.umbrella.ruleset_id - - cisco.umbrella.rule_id - - cisco.umbrella.destination_lists_id - if: ctx?.log?.file?.path.contains('proxylogs') - - - set: - field: observer.type - value: proxy - if: ctx?.log?.file?.path.contains('proxylogs') - - ####################### - # Cloud Firewall Logs # - ####################### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.origin_id - - user.name - - cisco.umbrella.identity_types - - cisco.umbrella.direction - - network.transport - - source.bytes - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.datacenter - - cisco.umbrella.ruleid - - cisco.umbrella.verdict - if: ctx?.log?.file?.path.contains('cloudfirewalllogs') - - - set: - field: observer.type - value: firewall - if: ctx?.log?.file?.path.contains('cloudfirewalllogs') - - ####################### - # Audit Logs # - ####################### - - csv: - field: event.original - target_fields: - - event.id - - cisco.umbrella._tmp.time - - user.email - - user.name - - cisco.umbrella.audit.type - - event.action - - source.address - - cisco.umbrella.audit.before - - cisco.umbrella.audit.after - if: ctx?.log?.file?.path.contains('auditlogs') - - - uri_parts: - field: url.full - ignore_failure: true - if: ctx?.url?.full != null - - # Identifies is a field that includes any sort of username, device or other asset that is included in the request. 
- # Converting this to an array to make it easier to use in searches and visualizations - - split: - field: cisco.umbrella.identities - separator: "," - preserve_trailing: false - if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.identities != null" - - - split: - field: cisco.umbrella.categories - separator: "," - preserve_trailing: false - if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.categories != null" - - split: - field: cisco.umbrella.blocked_categories - separator: "," - preserve_trailing: false - if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.blocked_categories != null" - ###################### - # General ECS Fields # - ###################### - # This field is always in UTC, so no timezone should need to be set - - date: - field: cisco.umbrella._tmp.time - target_field: "@timestamp" - formats: - - "yyyy-MM-dd HH:mm:ss" - - ISO8601 - if: ctx?.cisco?.umbrella?._tmp?.time != null - ################## - # DNS ECS Fields # - ################## - - set: - field: dns.type - value: query - if: ctx?.cisco?.umbrella?.action != null - ###################### - # Network ECS Fields # - ###################### - - lowercase: - field: cisco.umbrella.direction - target_field: network.direction - if: ctx?.cisco?.umbrella?.direction != null - - convert: - field: source.bytes - type: long - if: ctx?.source?.bytes != null - - convert: - field: source.port - type: long - if: ctx?.source?.port != null - - convert: - field: destination.port - type: long - if: ctx?.destination?.port != null - ################### - # HTTP ECS Fields # - ################### - - convert: - field: http.request.bytes - type: long - if: ctx?.http?.request?.bytes != null - - convert: - field: http.response.bytes - type: long - if: ctx?.http?.response?.bytes != null - - convert: - field: http.response.status_code - type: long - if: ctx?.http?.response?.status_code != null - ################### - # Rule ECS Fields # - ################### 
- - rename: - field: cisco.umbrella.ruleid - target_field: rule.id - if: ctx?.cisco?.umbrella?.ruleid != null - - #################### - # Event ECS Fields # - #################### - - set: - field: event.action - value: "dns-request-{{cisco.umbrella.action}}" - if: ctx?.cisco?.umbrella?.action != null - - set: - field: event.category - value: network - if: "!ctx?.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: allowed - if: "ctx?.cisco?.umbrella?.action == 'Allowed' || ['ALLOWED','ALLOW'].contains(ctx?.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: denied - if: "ctx?.cisco?.umbrella?.action == 'Blocked' || ['BLOCKED','BLOCK'].contains(ctx?.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: connection - if: ctx?.cisco?.umbrella?.action != null - - set: - field: event.category - value: configuration - if: "ctx?.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: creation - if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'create'" - - append: - field: event.type - value: change - if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'update'" - - append: - field: event.type - value: deletion - if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'delete'" - # Converting address fields to either ip or domain - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - copy_from: source.address - field: source.domain - override: true - - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - override: true - - # For nat, there's no address or domain subfield. - # If the value is not a valid IP, it must be removed - # or ingestion will fail. Probably just an empty value. 
- - convert: - field: source.nat.ip - type: ip - ignore_missing: true - on_failure: - - remove: - field: source.nat.ip - - - community_id: - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - ###################### - # Related ECS Fields # - ###################### - - append: - field: related.user - value: "{{user.name}}" - if: ctx?.source?.user?.name != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: ctx?.source?.nat?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx?.source?.domain != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - if: ctx?.dns?.question?.name != null - - append: - field: related.hash - value: "{{cisco.umbrella.sha_sha256}}" - if: ctx?.cisco?.umbrella?.sha_sha256 != null - - script: - if: ctx?.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List - lang: painless - 
description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user" - source: |- - void addRelatedUser(def ctx, def x) { - if (ctx?.related == null) { - Map map = new HashMap(); - ctx.put("related", map); - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(x)) { - ctx.related.user.add(x); - } - } - for (cisco_identity in ctx.cisco.umbrella.identities) { - if (cisco_identity.contains('@')) { - addRelatedUser(ctx, cisco_identity); - } - } - - ########### - # Cleanup # - ########### - - remove: - field: - - cisco.umbrella._tmp - - cisco.umbrella.direction - - cisco.umbrella.action - - cisco.umbrella.verdict - ignore_missing: true - - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_umbrella/1.0.1/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/1.0.1/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/cisco_umbrella/1.0.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/cisco_umbrella/1.0.1/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/1.0.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 1fb9b67d57..0000000000
--- a/packages/cisco_umbrella/1.0.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cisco_umbrella
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cisco_umbrella.log
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
diff --git a/packages/cisco_umbrella/1.0.1/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/1.0.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index fbb3a4deb7..0000000000
--- a/packages/cisco_umbrella/1.0.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,406 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. 
- name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Name of the directory the user is a member of. 
- For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword
diff --git a/packages/cisco_umbrella/1.0.1/data_stream/log/fields/fields.yml b/packages/cisco_umbrella/1.0.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 930527b81d..0000000000
--- a/packages/cisco_umbrella/1.0.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,108 +0,0 @@ -- name: cisco.umbrella - type: group - description: > - Fields for Cisco Umbrella. - - fields: - - name: identities - type: keyword - description: > - An array of the different identities related to the event. - - - name: computer_name - type: keyword - description: > - The computer name related to the event. - - - name: categories - type: keyword - description: > - The security or content categories that the destination matches. - - - name: policy_identity_type - type: keyword - description: > - The first identity type matched with this request. Available in version 3 and above. - - - name: identity_types - type: keyword - description: > - The type of identity that made the request. For example, Roaming Computer or Network. - - - name: blocked_categories - type: keyword - description: > - The categories that resulted in the destination being blocked. Available in version 4 and above. - - - name: content_type - type: keyword - description: > - The type of web content, typically text/html. - - - name: sha_sha256 - type: keyword - description: > - Hex digest of the response content. - - - name: av_detections - type: keyword - description: > - The detection name according to the antivirus engine used in file inspection. - - - name: puas - type: keyword - description: > - A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. - - - name: amp_disposition - type: keyword - description: > - The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. - - - name: amp_malware_name - type: keyword - description: > - If Malicious, the name of the malware according to AMP. - - - name: amp_score - type: keyword - description: > - The score of the malware from AMP. This field is not currently used and will be blank. 
- - - name: datacenter - type: keyword - description: > - The name of the Umbrella Data Center that processed the user-generated traffic. - - - name: origin_id - type: keyword - description: > - The unique identity of the network tunnel. - - - name: identities - type: keyword - - name: identity_types - type: keyword - - name: request_method - type: keyword - - name: dlp_status - type: keyword - - name: certificate_errors - type: keyword - - name: file_name - type: keyword - - name: ruleset_id - type: keyword - - name: rule_id - type: keyword - - name: destination_lists_id - type: keyword - - name: audit.type - type: keyword - description: Where the change was made, such as settings or a policy. - - name: audit.before - type: keyword - description: The policy or setting before the change was made. - - name: audit.after - type: keyword - description: The policy or setting after the change was made.
diff --git a/packages/cisco_umbrella/1.0.1/data_stream/log/manifest.yml b/packages/cisco_umbrella/1.0.1/data_stream/log/manifest.yml
deleted file mode 100755
index 9908a895a4..0000000000
--- a/packages/cisco_umbrella/1.0.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,148 +0,0 @@ -title: Cisco Umbrella logs -release: experimental -type: logs -streams: - - input: aws-s3 - enabled: false - title: Cisco Umbrella logs - description: Collect Cisco Umbrella logs - template_path: aws-s3.yml.hbs - vars: - - name: queue_url - type: text - title: Queue URL - multi: false - required: false - show_user: true - description: URL of the AWS SQS queue that messages will be received from. For Cisco Managed S3 buckets or S3 without SQS, use Bucket ARN. - - name: bucket_arn - type: text - title: Bucket ARN - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. If the S3 bucket does not use SQS, this is the address for the S3 bucket, one example is `arn:aws:s3:::cisco-managed-eu-central-1` For a list of Cisco Managed buckets, please see https://docs.umbrella.com/mssp-deployment/docs/enable-logging-to-a-cisco-managed-s3-bucket. - - name: region - type: text - title: Bucket Region - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. The region the bucket is located in. - - name: bucket_list_prefix - type: text - title: Bucket List Prefix - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. This sets the root folder of the S3 bucket that should be monitored, found in the S3 Web UI. Example value: `1235_654vcasd23431e5dd6f7fsad457sdf1fd5`. Forward slash at the end required for Cisco Managed S3. - - name: number_of_workers - type: text - title: Number of Workers - multi: false - required: false - show_user: true - default: 1 - description: Required for Cisco Managed S3. Number of workers that will process the S3 objects listed. Minimum is 1. - - name: bucket_list_interval - type: text - title: Bucket List Interval - multi: false - required: false - show_user: true - description: Time interval for polling listing of the S3 bucket. Defaults to 120s. 
- - name: shared_credential_file - type: text - title: Shared Credential File - multi: false - required: false - show_user: false - description: Directory of the shared credentials file. - - name: credential_profile_name - type: text - title: Credential Profile Name - multi: false - required: false - show_user: false - - name: access_key_id - type: text - title: Access Key ID - multi: false - required: false - show_user: true - - name: secret_access_key - type: text - title: Secret Access Key - multi: false - required: false - show_user: true - - name: session_token - type: text - title: Session Token - multi: false - required: false - show_user: true - - name: role_arn - type: text - title: Role ARN - multi: false - required: false - show_user: false - - name: endpoint - type: text - title: Endpoint - multi: false - required: false - show_user: false - default: "amazonaws.com" - description: URL of the entry point for an AWS web service. - - name: visibility_timeout - type: text - title: Visibility Timeout - multi: false - required: false - show_user: false - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: API Timeout - multi: false - required: false - show_user: false - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. 
- - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-umbrella - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_umbrella/1.0.1/data_stream/log/sample_event.json b/packages/cisco_umbrella/1.0.1/data_stream/log/sample_event.json
deleted file mode 100755
index f2356b0269..0000000000
--- a/packages/cisco_umbrella/1.0.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.2.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": 
"AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} \ No newline at end of file diff --git a/packages/cisco_umbrella/1.0.1/docs/README.md b/packages/cisco_umbrella/1.0.1/docs/README.md deleted file mode 100755 index 248366de8c..0000000000 --- a/packages/cisco_umbrella/1.0.1/docs/README.md +++ /dev/null 
@@ -1,275 +0,0 @@ -# Cisco Umbrella Integration - -This integration is for [Cisco Umbrella](https://docs.umbrella.com/). It includes the following -datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS: - -- `log` dataset: supports Cisco Umbrella logs. - -## Logs - -### Umbrella - -When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically. - -The `log` dataset collects Cisco Umbrella logs. - -An example event for `log` looks as following: - -```json -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.2.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 
23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": "AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco.umbrella.amp_disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. | keyword | -| cisco.umbrella.amp_malware_name | If Malicious, the name of the malware according to AMP. | keyword | -| cisco.umbrella.amp_score | The score of the malware from AMP. This field is not currently used and will be blank. 
| keyword | -| cisco.umbrella.audit.after | The policy or setting after the change was made. | keyword | -| cisco.umbrella.audit.before | The policy or setting before the change was made. | keyword | -| cisco.umbrella.audit.type | Where the change was made, such as settings or a policy. | keyword | -| cisco.umbrella.av_detections | The detection name according to the antivirus engine used in file inspection. | keyword | -| cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword | -| cisco.umbrella.categories | The security or content categories that the destination matches. | keyword | -| cisco.umbrella.certificate_errors | | keyword | -| cisco.umbrella.computer_name | The computer name related to the event. | keyword | -| cisco.umbrella.content_type | The type of web content, typically text/html. | keyword | -| cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword | -| cisco.umbrella.destination_lists_id | | keyword | -| cisco.umbrella.dlp_status | | keyword | -| cisco.umbrella.file_name | | keyword | -| cisco.umbrella.identities | | keyword | -| cisco.umbrella.identity_types | | keyword | -| cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword | -| cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword | -| cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. | keyword | -| cisco.umbrella.request_method | | keyword | -| cisco.umbrella.rule_id | | keyword | -| cisco.umbrella.ruleset_id | | keyword | -| cisco.umbrella.sha_sha256 | Hex digest of the response content. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. 
| keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
If the event wasn't read from a log file, do not populate this field. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. 
| keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". 
| wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/cisco_umbrella/1.0.1/img/cisco.svg b/packages/cisco_umbrella/1.0.1/img/cisco.svg
deleted file mode 100755
index 20ebebf197..0000000000
--- a/packages/cisco_umbrella/1.0.1/img/cisco.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/cisco_umbrella/1.0.1/manifest.yml b/packages/cisco_umbrella/1.0.1/manifest.yml
deleted file mode 100755
index bb5cdff638..0000000000
--- a/packages/cisco_umbrella/1.0.1/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: cisco_umbrella
-title: Cisco Umbrella
-version: 1.0.1
-license: basic
-description: Collect logs from Cisco Umbrella with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_umbrella
- title: Cisco Umbrella logs
- description: Collect logs from Cisco Umbrella instances
- inputs:
- - type: aws-s3
- title: Collect logs from Cisco Umbrella
- description: Collecting logs from Cisco Umbrella
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/cloudflare/2.0.1/changelog.yml b/packages/cloudflare/2.0.1/changelog.yml
deleted file mode 100755
index b36b7ef77d..0000000000
--- a/packages/cloudflare/2.0.1/changelog.yml
+++ /dev/null
@@ -1,96 +0,0 @@
-# newer versions go on top
-- version: "2.0.1"
- changes:
- - description: Add link to vendor documentation in readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3224
-- version: "2.0.0"
- changes:
- - description: Migrate map visualisation from tile_map to map object
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3263
-- version: "1.4.2"
- changes:
- - description: Update documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3228
-- version: "1.4.1"
- changes:
- - description: Add `_id` field to the logpull data stream to deduplicate events.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3187
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.3.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.3.1"
- changes:
- - description: Allow logpull interval to be less than 2 minutes. 
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2787
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2397
-- version: "1.2.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.0"
- changes:
- - description: Add audit logs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2294
-- version: "1.1.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.1.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2243
-- version: "1.0.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2020
-- version: "1.0.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1960
-- version: "1.0.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1811
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1628
-- version: "0.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1654
-- version: "0.1.1"
- changes:
- - description: Add proxy config
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1648
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/984
diff --git a/packages/cloudflare/2.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/cloudflare/2.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 02f7a12ded..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,62 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-request.url: {{api_url}}/client/v4/accounts/{{account}}/audit_logs?page=1&direction=desc
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-
-request.transforms:
- - set:
- target: header.X-Auth-Email
- value: "{{auth_email}}"
- - set:
- target: header.X-Auth-Key
- value: "{{auth_key}}"
- - set:
- target: url.params.since
- value: "[[.cursor.last_timestamp]]"
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-
-response.split:
- target: body.result
-response.pagination:
-- set:
- target: url.params.page
- value: '[[add .last_response.page 1]]'
- fail_on_template_error: true
-
-cursor:
- last_timestamp:
- value: "[[.first_event.when]]"
- fail_on_template_error: true
-
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-processors:
-- add_fields:
- target: _config
- fields:
- account_id: {{account}}
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/cloudflare/2.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare/2.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7970b6597d..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,276 +0,0 @@ ---- -description: Pipeline for parsing cloudflare audit logs -processors: -- set: - field: ecs.version - value: '8.2.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- set: - field: cloud.provider - value: cloudflare -- set: - field: cloud.account.id - copy_from: _config.account_id - ignore_empty_value: true -- date: - field: json.when - formats: - - ISO8601 - timezone: UTC - target_field: "@timestamp" -- rename: - field: json.action.type - target_field: event.action - ignore_missing: true -- lowercase: - field: event.action - ignore_missing: true -- set: - field: event.outcome - value: success - if: ctx.json?.action?.result -- set: - field: event.outcome - value: failure - if: "!ctx.json?.action?.result" -- rename: - field: json.actor.email - target_field: user.email - ignore_missing: true -- rename: - field: json.actor.id - target_field: user.id - ignore_missing: true -- rename: - field: json.actor.ip - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: json.actor.type - target_field: cloudflare.audit.actor.type - ignore_missing: true -- rename: - field: json.id - target_field: event.id - ignore_missing: true -- fingerprint: - fields: - - event.id - target_field: _id - ignore_missing: true -- rename: - field: json.interface - target_field: event.provider - ignore_missing: true - if: ctx.json?.interface != "" -- rename: - field: 
json.metadata - target_field: cloudflare.audit.metadata - ignore_missing: true -- rename: - field: json.newValueJson - target_field: cloudflare.audit.new_value - ignore_missing: true -- rename: - field: json.oldValueJson - target_field: cloudflare.audit.old_value - ignore_missing: true -- rename: - field: json.newValue - target_field: cloudflare.audit.new_value.value - ignore_missing: true - if: ctx.json?.newValue != "null" -- rename: - field: json.oldValue - target_field: cloudflare.audit.old_value.value - ignore_missing: true - if: ctx.json?.oldValue != "null" -- rename: - field: json.owner.id - target_field: cloudflare.audit.owner.id - ignore_missing: true -- rename: - field: json.resource - target_field: cloudflare.audit.resource - ignore_missing: true -- append: - field: related.user - value: "{{user.id}}" - allow_duplicates: false - if: ctx.user?.id != null -- append: - field: related.user - value: "{{cloudflare.audit.resource.id}}" - allow_duplicates: false - if: ctx.cloudflare?.audit?.resource?.id != null && ctx.cloudflare?.audit?.resource?.type == "user" -- append: - field: related.ip - value: "{{source.ip}}" - if: ctx.source?.ip != null -- script: - lang: painless - tag: Add ECS categorization - params: - login: - category: - - authentication - type: - - info - outcome: success - token_create: - category: - - iam - type: - - creation - token_revoke: - category: - - iam - type: - - deletion - token_roll: - category: - - iam - type: - - change - api_key_view: - category: - - iam - type: - - info - rotate_api_key: - category: - - iam - type: - - change - api_key_created: - category: - - iam - type: - - creation - purge: - category: - - configuration - type: - - deletion - tls_settings_deployed: - category: - - configuration - type: - - info - add: - category: - - configuration - type: - - creation - delete: - category: - - configuration - type: - - deletion - rec_add: - category: - - configuration - type: - - creation - rec_del: - category: - - configuration 
- type: - - deletion - pending: - category: - - configuration - type: - - info - change_setting: - category: - - configuration - type: - - change - add_enforce_twofactor: - category: - - iam - - configuration - type: - - admin - - info - source: >- - ctx.event.kind = 'event'; - ctx.event.type = 'info'; - if (ctx?.event?.action == null) { - return; - } - if (params.get(ctx.event.action) == null) { - return; - } - def hm = new HashMap(params.get(ctx.event.action)); - hm.forEach((k, v) -> ctx.event[k] = v); -- remove: - field: - - json - - _config - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cloudflare/2.0.1/data_stream/audit/fields/agent.yml b/packages/cloudflare/2.0.1/data_stream/audit/fields/agent.yml deleted file mode 100755 index 8d1db0dd27..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,107 +0,0 @@
-- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- name: cloud.account.id
- type: keyword
-- description: Availability zone in which this host, resource, or service is located.
- name: cloud.availability_zone
- type: keyword
-- description: Instance ID of the host machine.
- name: cloud.instance.id
- type: keyword
-- description: Instance name of the host machine.
- name: cloud.instance.name
- type: keyword
-- description: Machine type of the host machine.
- name: cloud.machine.type
- type: keyword
-- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- name: cloud.provider
- type: keyword
-- description: Region in which this host, resource, or service is located.
- name: cloud.region
- type: keyword
-- description: |-
- The cloud project identifier.
- Examples: Google Cloud Project id, Azure Project id.
- name: cloud.project.id
- type: keyword
-- description: Image ID for the cloud instance.
- name: cloud.image.id
- type: keyword
-- description: Unique container id.
- name: container.id
- type: keyword
-- description: Name of the image the container was built on.
- name: container.image.name
- type: keyword
-- description: Image labels.
- name: container.labels
- type: object
-- description: Container name.
- name: container.name
- type: keyword
-- description: Operating system architecture.
- name: host.architecture
- type: keyword
-- description: |-
- Name of the domain of which the host is a member.
- For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
- name: host.domain
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine. 
- name: host.hostname
- type: keyword
-- description: |-
- Unique host id.
- As hostname is not always unique, use values that are meaningful in your environment.
- Example: The current usage of `beat.name`.
- name: host.id
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: |-
- Host MAC addresses.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: host.mac
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: host.os.family
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: host.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: host.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: host.os.platform
- type: keyword
-- description: Operating system version as a raw string.
- name: host.os.version
- type: keyword
-- description: |-
- Type of host.
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
- name: host.type
- type: keyword
-- description: If the host is a container.
- name: host.containerized
- type: boolean
-- description: OS build information.
- name: host.os.build
- type: keyword
-- description: OS codename, if any.
- name: host.os.codename
- type: keyword
diff --git a/packages/cloudflare/2.0.1/data_stream/audit/fields/base-fields.yml b/packages/cloudflare/2.0.1/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 41565c62c3..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cloudflare
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cloudflare.audit
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/cloudflare/2.0.1/data_stream/audit/fields/beats.yml b/packages/cloudflare/2.0.1/data_stream/audit/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/audit/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/cloudflare/2.0.1/data_stream/audit/fields/ecs.yml b/packages/cloudflare/2.0.1/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 6128c1d585..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,104 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/cloudflare/2.0.1/data_stream/audit/fields/fields.yml b/packages/cloudflare/2.0.1/data_stream/audit/fields/fields.yml deleted file mode 100755 index 5036e91dbb..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -- name: cloudflare.audit - type: group - description: > - Fields for Cloudflare Audit Logs - - fields: - - name: metadata - type: flattened - description: > - An object which can lend more context to the action being logged. This is a flexible value and varies between different actions. - - - name: actor.type - type: keyword - description: > - The type of actor, whether a User, Cloudflare Admin, or an Automated System. Valid values: user, admin, Cloudflare. - - - name: owner.id - type: keyword - description: > - User identifier tag - - - name: resource.id - type: keyword - description: > - An identifier for the resource that was affected by the action - - - name: resource.type - type: keyword - description: > - A short string that describes the resource that was affected by the action - - - name: new_value - type: flattened - description: > - The new value of the resource that was modified - - - name: old_value - type: flattened - description: >- - The value of the resource before it was modified diff --git a/packages/cloudflare/2.0.1/data_stream/audit/manifest.yml b/packages/cloudflare/2.0.1/data_stream/audit/manifest.yml deleted file mode 100755 index b7ba0a75c4..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -type: logs -title: Cloudflare Audit Logs -streams: - - input: httpjson - vars: - - name: auth_email - type: text - title: Auth Email - description: The Auth Email. Needs to be used with an Auth Key. - multi: false - required: true - show_user: true - - name: auth_key - type: password - title: Auth Key - description: The Auth Key. Needs to be used with an Auth Email. - multi: false - required: true - show_user: true - - name: account - type: text - title: Account ID - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - description: Interval at which the logs will be pulled. The value must be between 2m and 1h. - default: 1h - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: false - description: Initial interval at which the logs will be pulled. Defaults to 30 days (720 hours). Max is 12960 hours (18 months). - default: 720h - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - forwarded - - cloudflare-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" - template_path: httpjson.yml.hbs - title: Cloudflare Audit logs - description: Collect Cloudflare Audit logs via the API 
diff --git a/packages/cloudflare/2.0.1/data_stream/audit/sample_event.json b/packages/cloudflare/2.0.1/data_stream/audit/sample_event.json
deleted file mode 100755
index f3bfb9f88d..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "@timestamp": "2021-11-30T13:42:04.000Z",
- "agent": {
- "ephemeral_id": "be28c4d0-164a-4115-81b7-ace36fc400f4",
- "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "cloud": {
- "account": {
- "id": "aaabbbccc"
- },
- "provider": "cloudflare"
- },
- "cloudflare": {
- "audit": {
- "actor": {
- "type": "user"
- },
- "owner": {
- "id": "enl3j9du8rnx2swwd9l32qots7l54t9s"
- },
- "resource": {
- "id": "enl3j9du8rnx2swwd9l32qots7l54t9s",
- "type": "account"
- }
- }
- },
- "data_stream": {
- "dataset": "cloudflare.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "rotate_api_key",
- "agent_id_status": "verified",
- "category": [
- "iam"
- ],
- "created": "2021-12-30T04:58:37.412Z",
- "dataset": "cloudflare.audit",
- "id": "8d3396e8-c903-5a66-9421-00fc34570550",
- "ingested": "2021-12-30T04:58:38Z",
- "kind": "event",
- "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"52.91.36.10\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}",
- "outcome": "success",
- "type": [
- "change"
- ]
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "ip": [
- "52.91.36.10"
- ],
- "user": [
- "enl3j9du8rnx2swwd9l32qots7l54t9s"
- ]
- },
- "source": {
- "address": "52.91.36.10",
- "ip": "52.91.36.10"
- },
- "tags": [
- "forwarded",
- "cloudflare-audit",
- "preserve_original_event"
- ],
- "user": {
- "email": "user@example.com",
- "id": "enl3j9du8rnx2swwd9l32qots7l54t9s"
- }
-}
\ No newline at end of file
diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/agent/stream/httpjson.yml.hbs b/packages/cloudflare/2.0.1/data_stream/logpull/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 54eb358869..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/logpull/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,64 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" -request.url: {{api_url}}/client/v4/zones/{{zone_id}}/logs/received -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} - -request.transforms: -{{#if auth_token}} - - set: - target: header.Authorization - value: "Bearer {{auth_token}}" -{{else}} - - set: - target: header.X-Auth-Email - value: "{{auth_email}}" - - set: - target: header.X-Auth-Key - value: "{{auth_key}}" -{{/if}} - - set: - target: url.params.start - value: "[[.cursor.last_execution_datetime]]" - default: '[[formatDate (((now).Add (parseDuration "-1m")).Add (parseDuration "-{{interval}}"))]]' - - set: - target: url.params.end - value: '[[formatDate ((parseDate .cursor.last_execution_datetime).Add (parseDuration "{{interval}}"))]]' - default: '[[formatDate ((now).Add (parseDuration "-1m"))]]' - - set: - target: url.params.fields - value: 
CacheCacheStatus,CacheResponseBytes,CacheResponseStatus,CacheTieredFill,ClientASN,ClientCountry,ClientDeviceType,ClientIP,ClientIPClass,ClientRequestBytes,ClientRequestHost,ClientRequestMethod,ClientRequestPath,ClientRequestProtocol,ClientRequestReferer,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,ClientSSLProtocol,ClientSrcPort,ClientXRequestedWith,EdgeColoCode,EdgeColoID,EdgeEndTimestamp,EdgePathingOp,EdgePathingSrc,EdgePathingStatus,EdgeRateLimitAction,EdgeRateLimitID,EdgeRequestHost,EdgeResponseBytes,EdgeResponseCompressionRatio,EdgeResponseContentType,EdgeResponseStatus,EdgeServerIP,EdgeStartTimestamp,FirewallMatchesActions,FirewallMatchesRuleIDs,FirewallMatchesSources,OriginIP,OriginResponseBytes,OriginResponseHTTPExpires,OriginResponseHTTPLastModified,OriginResponseStatus,OriginResponseTime,OriginSSLProtocol,ParentRayID,RayID,SecurityLevel,WAFAction,WAFFlags,WAFMatchedVar,WAFProfile,WAFRuleID,WAFRuleMessage,WorkerCPUTime,WorkerStatus,WorkerSubrequest,WorkerSubrequestCount,ZoneID,Action - -response.decode_as: application/x-ndjson - -cursor: - last_execution_datetime: - value: '[[.last_response.url.params.Get "end"]]' - -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare/2.0.1/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 894c07fd87..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -description: Pipeline for parsing cloudflare logs -processors: -- set: - field: ecs.version - value: '8.2.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- set: - field: observer.vendor - value: cloudflare -- set: - field: observer.type - value: proxy -- fingerprint: - fields: - - event.original - target_field: "_id" - ignore_missing: true -- pipeline: - name: '{{ IngestPipeline "http" }}' - if: "ctx.json?.EdgeRequestHost != null" -- remove: - field: - - json - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml b/packages/cloudflare/2.0.1/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml deleted file mode 100755 index afa6a45a5d..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml +++ /dev/null 
@@ -1,475 +0,0 @@ ---- -description: Pipeline for parsing cloudflare http logs -processors: -# Event Time Fields -- convert: - field: json.EdgeStartTimestamp - type: string -- convert: - field: json.EdgeEndTimestamp - type: string -- gsub: - field: json.EdgeStartTimestamp - pattern: "\\d{6}$" - replacement: "" - if: "ctx?.json?.EdgeStartTimestamp != null && (ctx?.json?.EdgeStartTimestamp).length() > 18" -- gsub: - field: json.EdgeEndTimestamp - pattern: "\\d{6}$" - replacement: "" - if: "ctx?.json?.EdgeEndTimestamp != null && (ctx?.json?.EdgeEndTimestamp).length() > 18" -- date: - field: json.EdgeStartTimestamp - formats: - - ISO8601 - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: "@timestamp" -- date: - field: json.EdgeStartTimestamp - formats: - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: "event.start" -- date: - field: json.EdgeEndTimestamp - formats: - - uuuu-MM-dd'T'HH:mm:ssX - - uuuu-MM-dd'T'HH:mm:ss.SSSX - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - UNIX_MS - timezone: UTC - target_field: "event.end" -- script: - lang: painless - if: ctx?.event?.start != null && ctx?.event?.end != null - source: >- - ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); - ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); - ctx.event.duration = ChronoUnit.NANOS.between(start, end); -# TLS Fields -- rename: - field: json.ClientSSLProtocol - target_field: cloudflare.client.ssl.protocol - ignore_missing: true - if: ctx?.json?.ClientSSLProtocol.toLowerCase() != 'none' -- rename: - field: json.ClientSSLCipher - target_field: tls.cipher - ignore_missing: true - if: ctx?.json?.ClientSSLCipher.toLowerCase() != 'none' -- dissect: - field: cloudflare.client.ssl.protocol - pattern: "%{tls.version_protocol}v%{tls.version}" - 
ignore_failure: true - ignore_missing: true -- lowercase: - field: tls.version_protocol - ignore_missing: true -# URL Fields -- uri_parts: - field: json.ClientRequestURI - ignore_failure: true - if: ctx?.json?.ClientRequestURI != null -- set: - field: url.domain - copy_from: json.ClientRequestHost - ignore_empty_value: true - if: ctx?.url?.domain == null -- set: - field: url.path - copy_from: json.ClientRequestPath - ignore_empty_value: true - if: ctx?.url?.path == null -- set: - field: url.scheme - copy_from: json.ClientRequestScheme - ignore_empty_value: true - if: ctx?.url?.scheme == null -- set: - field: url.scheme - value: https - ignore_empty_value: true - if: ctx?.url?.scheme == null && ctx?.cloudflare?.client?.ssl?.protocol != null -- set: - field: url.scheme - value: http - ignore_empty_value: true - if: ctx?.url?.scheme == null -- script: - lang: painless - description: This script builds the `url.full` field out of the available `url.*` parts. - source: | - def full = ""; - if(ctx.url.scheme != null && ctx.url.scheme != "") { - full += ctx.url.scheme+"://"; - } - if(ctx.url.domain != null && ctx.url.domain != "") { - full += ctx.url.domain; - } - if(ctx.url.path != null && ctx.url.path != "") { - full += ctx.url.path; - } - if(ctx.url.query != null && ctx.url.query != "") { - full += "?"+ctx.url.query; - } - if(full != "") { - ctx.url.full = full - } -# User Agent Fields -- user_agent: - field: json.ClientRequestUserAgent - target_field: user_agent - ignore_missing: true -# Observer Fields -- rename: - field: json.EdgeServerIP - target_field: observer.ip - ignore_missing: true - if: ctx?.json?.EdgeServerIP != '' -- geoip: - field: observer.ip - target_field: observer.geo - ignore_missing: true -# Cloudflare Cache Fields -- rename: - field: json.CacheCacheStatus - target_field: cloudflare.cache.status - ignore_missing: true -- rename: - field: json.CacheTieredFill - target_field: cloudflare.cache.tiered_fill - ignore_missing: true -- convert: - field: 
json.CacheResponseBytes - target_field: cloudflare.cache.bytes - type: long - ignore_missing: true - if: ctx?.json?.CacheResponseBytes != 0 -- convert: - field: json.CacheResponseStatus - target_field: cloudflare.cache.status_code - type: long - ignore_missing: true - if: ctx?.json?.CacheResponseStatus != 0 -# Cloudflare Edge Fields -- rename: - field: json.EdgeColoCode - target_field: cloudflare.edge.colo.code - ignore_missing: true -- rename: - field: json.EdgeColoID - target_field: cloudflare.edge.colo.id - ignore_missing: true -- rename: - field: json.EdgePathingOp - target_field: cloudflare.edge.pathing.op - ignore_missing: true -- rename: - field: json.EdgePathingSrc - target_field: cloudflare.edge.pathing.src - ignore_missing: true -- rename: - field: json.EdgePathingStatus - target_field: cloudflare.edge.pathing.status - ignore_missing: true -- rename: - field: json.EdgeRateLimitAction - target_field: cloudflare.edge.rate_limit.action - ignore_missing: true -- rename: - field: json.EdgeRateLimitID - target_field: cloudflare.edge.rate_limit.id - ignore_missing: true -- rename: - field: json.EdgeRequestHost - target_field: cloudflare.edge.request.host - ignore_missing: true -- convert: - field: json.EdgeResponseBytes - target_field: cloudflare.edge.response.bytes - type: long - ignore_missing: true -- rename: - field: json.EdgeResponseStatus - target_field: cloudflare.edge.response.status_code - ignore_missing: true -- rename: - field: json.EdgeResponseCompressionRatio - target_field: cloudflare.edge.response.compression_ratio - ignore_missing: true -- rename: - field: json.EdgeResponseContentType - target_field: cloudflare.edge.response.content_type - ignore_missing: true -- convert: - field: json.EdgeResponseBodyBytes - target_field: cloudflare.edge.response.body.bytes - type: long - ignore_missing: true -# Cloudflare Firewall Fields -- rename: - field: json.FirewallMatchesActions - target_field: cloudflare.firewall.actions - ignore_missing: true -- rename: 
- field: json.FirewallMatchesSources - target_field: cloudflare.firewall.sources - ignore_missing: true -- rename: - field: json.FirewallMatchesRuleIDs - target_field: cloudflare.firewall.rule_ids - ignore_missing: true -# Cloudflare WAF Fields -- rename: - field: json.WAFAction - target_field: cloudflare.waf.action - ignore_missing: true -- rename: - field: json.WAFFlags - target_field: cloudflare.waf.flags - ignore_missing: true -- rename: - field: json.WAFMatchedVar - target_field: cloudflare.waf.matched_var - ignore_missing: true -- rename: - field: json.WAFProfile - target_field: cloudflare.waf.profile - ignore_missing: true -- rename: - field: json.WAFRuleID - target_field: cloudflare.waf.rule.id - ignore_missing: true -- rename: - field: json.WAFRuleMessage - target_field: cloudflare.waf.rule.message - ignore_missing: true -# CLoudflare Worker Fields -- convert: - field: json.WorkerCPUTime - target_field: cloudflare.worker.cpu_time - type: long - ignore_missing: true -- rename: - field: json.WorkerStatus - target_field: cloudflare.worker.status - ignore_missing: true -- rename: - field: json.WorkerSubrequest - target_field: cloudflare.worker.subrequest - ignore_missing: true -- convert: - field: json.WorkerSubrequestCount - target_field: cloudflare.worker.subrequest_count - type: long - ignore_missing: true -# Cloudflare Origin Fields -- rename: - field: json.OriginResponseBytes - target_field: cloudflare.origin.response.bytes - ignore_missing: true -- date: - field: json.OriginResponseHTTPExpires - formats: - - EEE, dd MMM yyyy HH:mm:ss z - timezone: UTC - target_field: cloudflare.origin.response.expires - if: ctx?.json?.OriginResponseHTTPExpires != null - ignore_failure: true -- date: - field: json.OriginResponseHTTPLastModified - formats: - - EEE, dd MMM yyyy HH:mm:ss z - timezone: UTC - target_field: cloudflare.origin.response.last_modified - if: ctx?.json?.OriginResponseHTTPLastModified != null - ignore_failure: true -- rename: - field: 
json.OriginResponseStatus - target_field: cloudflare.origin.response.status_code - ignore_missing: true -- convert: - field: json.OriginResponseTime - target_field: cloudflare.origin.response.time - type: long - ignore_missing: true -- rename: - field: json.OriginSSLProtocol - target_field: cloudflare.origin.ssl.protocol - ignore_missing: true -# Cloudflare RayID Fields -- rename: - field: json.ParentRayID - target_field: cloudflare.parent.ray_id - ignore_missing: true -- rename: - field: json.RayID - target_field: cloudflare.ray_id - ignore_missing: true -# Cloudflare Other Fields -- rename: - field: json.ZoneID - target_field: cloudflare.zone.id - ignore_missing: true -- rename: - field: json.ZoneName - target_field: cloudflare.zone.name - ignore_missing: true -- rename: - field: json.SecurityLevel - target_field: cloudflare.security_level - ignore_missing: true -- rename: - field: json.ClientDeviceType - target_field: cloudflare.device_type - ignore_missing: true -# HTTP Fields -- dissect: - field: json.ClientRequestProtocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true -- set: - field: http.response.bytes - copy_from: cloudflare.edge.response.bytes - ignore_empty_value: true -- set: - field: http.response.body.bytes - copy_from: cloudflare.edge.response.body.bytes - ignore_empty_value: true -- convert: - field: json.ClientRequestBytes - target_field: http.request.bytes - type: long - ignore_missing: true -- rename: - field: json.ClientRequestMethod - target_field: http.request.method - ignore_missing: true -- rename: - field: json.ClientRequestReferer - target_field: http.request.referrer - ignore_missing: true -- set: - field: http.response.status_code - copy_from: cloudflare.edge.response.status_code - ignore_empty_value: true -- set: - field: http.response.status_code - copy_from: cloudflare.origin.response.status_code - ignore_empty_value: true - if: ctx?.http?.response?.status_code == null && 
ctx?.cloudflare?.origin?.response?.status_code != 0 -# Source Fields -- rename: - field: json.ClientIP - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- rename: - field: json.ClientCountry - target_field: source.geo.country_iso_code - ignore_missing: true - if: ctx?.source?.geo?.country_iso_code == null -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: json.ClientASN - target_field: source.as.number - ignore_missing: true - if: ctx?.source?.as?.number == null -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: source.bytes - copy_from: http.request.bytes - ignore_empty_value: true -- convert: - field: json.ClientSrcPort - target_field: source.port - type: long - ignore_missing: true -# Client Fields -- set: - field: client - copy_from: source -- rename: - field: json.ClientIPClass - target_field: cloudflare.client.ip_class - ignore_missing: true -# Destination Fields -- rename: - field: json.OriginIP - target_field: destination.address - ignore_missing: true -- convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - ignore_failure: true -- set: - field: destination.bytes - copy_from: cloudflare.edge.response.bytes - ignore_empty_value: true -# Server Fields -- set: - field: server - copy_from: destination -- set: - field: event.category - value: network -- set: - field: event.kind - value: event -- append: - field: event.type - value: denied - allow_duplicates: false - if: ctx?.cloudflare?.firewall?.actions.contains('block') 
-# Network Fields
-- lowercase:
- field: network.protocol
- ignore_missing: true
-- set:
- field: network.transport
- value: tcp
- if: ctx?.network?.protocol != null && ctx?.network?.protocol == 'http'
-- script:
- lang: painless
- source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
- if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
- ignore_failure: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/fields/agent.yml b/packages/cloudflare/2.0.1/data_stream/logpull/fields/agent.yml
deleted file mode 100755
index 4d9a6f7b36..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/logpull/fields/agent.yml
+++ /dev/null
@@ -1,114 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/fields/base-fields.yml b/packages/cloudflare/2.0.1/data_stream/logpull/fields/base-fields.yml deleted file mode 100755 index 2905a4c5b4..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/logpull/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: cloudflare
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: cloudflare.logpull
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/fields/beats.yml b/packages/cloudflare/2.0.1/data_stream/logpull/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/logpull/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/fields/ecs.yml b/packages/cloudflare/2.0.1/data_stream/logpull/fields/ecs.yml
deleted file mode 100755
index 9653c5bc71..0000000000
--- a/packages/cloudflare/2.0.1/data_stream/logpull/fields/ecs.yml
+++ /dev/null
@@ -1,451 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: client.geo.location - type: geo_point -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. 
- name: destination.bytes - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: All of the IPs seen on your event. 
- name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. 
- name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User's full name, if available. 
- multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Username of the request. - name: url.username - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". 
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. 
For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: City name. - name: observer.geo.city_name - type: keyword -- description: Name of the continent. - name: observer.geo.continent_name - type: keyword -- description: Country ISO code. - name: observer.geo.country_iso_code - type: keyword -- description: Country name. - name: observer.geo.country_name - type: keyword -- description: Region ISO code. - name: observer.geo.region_iso_code - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: observer.geo.location - type: geo_point -- description: Region name. - name: observer.geo.region_name - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Bytes sent from the server to the client. 
- name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/fields/fields.yml b/packages/cloudflare/2.0.1/data_stream/logpull/fields/fields.yml deleted file mode 100755 index 0712d73ccb..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/logpull/fields/fields.yml +++ /dev/null 
@@ -1,319 +0,0 @@ -- name: cloudflare - type: group - release: beta - default_field: false - description: > - Fields for Cloudflare Logs - - fields: - - name: cache - type: group - description: > - Fields for Cloudflare Cache - - fields: - - name: status - type: keyword - description: > - Status of cache - - - name: tiered_fill - type: boolean - description: > - Tiered Cache was used to serve this request - - - name: bytes - type: long - description: > - Number of bytes returned by the cache - - - name: status_code - type: long - description: > - HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. - - - name: edge - type: group - description: > - Fields for Cloudflare Edge - - fields: - - name: colo - type: group - description: > - Fields for Cloudflare Edge Colo - - fields: - - name: code - type: keyword - description: > - IATA airport code of data center that received the request - - - name: id - type: long - description: > - Cloudflare edge colo id - - - name: pathing - type: group - description: > - Fields for Cloudflare Edge Pathing - - fields: - - name: op - type: keyword - description: > - Indicates what type of response was issued for this request (unknown = no specific action) - - - name: src - type: keyword - description: > - Details how the request was classified based on security checks (unknown = no specific classification) - - - name: status - type: keyword - description: > - Indicates what data was used to determine the handling of this request (unknown = no data) - - - name: rate_limit - type: group - description: > - Fields for Cloudflare Edge Pathing - - fields: - - name: action - type: keyword - description: > - The action taken by the blocking rule; empty if no action taken - - - name: id - type: long - description: > - The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. 0 if no action taken. 
- - - name: request - type: group - description: > - Fields for Cloudflare Edge Request - - fields: - - name: host - type: keyword - description: > - Host header on the request from the edge to the origin - - - name: response - type: group - description: > - Fields for Cloudflare Edge Response - - fields: - - name: compression_ratio - type: long - description: > - Edge response compression ratio - - - name: content_type - type: keyword - description: > - Edge response Content-Type header value - - - name: bytes - type: long - description: > - Number of bytes returned by the edge to the client - - - name: status_code - type: long - description: > - HTTP status code returned by Cloudflare to the client - - - name: firewall - type: group - description: > - Fields for Cloudflare Firewall - - fields: - - name: actions - type: array - description: > - Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. - - - name: sources - type: array - description: > - The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. - - - name: rule_ids - type: array - description: > - Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources. 
- - - name: waf - type: group - description: > - Fields for Cloudflare WAF - - fields: - - name: action - type: keyword - description: > - Action taken by the WAF, if triggered - - - name: flags - type: keyword - description: > - Additional configuration flags: simulate (0x1) | null - - - name: matched_var - type: keyword - description: > - The full name of the most-recently matched variable - - - name: profile - type: keyword - description: > - low | med | high - - - name: rule - type: group - description: > - Fields for Cloudflare WAF Rule - - fields: - - name: id - type: keyword - description: > - ID of the applied WAF rule - - - name: message - type: keyword - description: > - Rule message associated with the triggered rule - - - name: worker - type: group - description: > - Fields for Cloudflare Worker - - fields: - - name: cpu_time - type: long - description: > - Amount of time in microseconds spent executing a worker, if any - - - name: status - type: keyword - description: > - Status returned from worker daemon - - - name: subrequest - type: boolean - description: > - Whether or not this request was a worker subrequest - - - name: subrequest_count - type: long - description: > - Number of subrequests issued by a worker when handling this request - - - name: origin - type: group - description: > - Fields for Cloudflare Origin - - fields: - - name: ssl - type: group - description: > - Fields for Cloudflare Origin SSL - - fields: - - name: protocol - type: keyword - description: > - SSL (TLS) protocol used to connect to the origin - - - name: response - type: group - description: > - Fields for Cloudflare Origin Response - - fields: - - name: time - type: long - description: > - Number of nanoseconds it took the origin to return the response to edge - - - name: status_code - type: long - description: > - Status returned by the origin server - - - name: last_modified - type: date - description: > - Value of the origin 'last-modified' header - - - name: expires 
- type: date - description: > - Value of the origin 'expires' header - - - name: bytes - type: long - description: > - Number of bytes returned by the origin server - - - name: parent - type: group - description: > - Fields for Cloudflare Parent - - fields: - - name: ray_id - type: keyword - description: > - Ray ID of the parent request if this request was made using a Worker script - - - name: ray_id - type: keyword - description: > - Ray ID of the parent request if this request was made using a Worker script - - - name: security_level - type: keyword - description: > - The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. - - - name: device_type - type: keyword - description: > - Client device type - - - name: zone - type: group - description: > - Fields for Cloudflare Zone - - fields: - - name: id - type: long - description: > - Internal zone ID - - - name: name - type: keyword - description: > - The human-readable name of the zone (e.g. 'cloudflare.com'). - - - name: client.ip_class - type: keyword - description: > - Class of client, ex. badHost | searchEngine | allowlist | greylist.... - - - name: client.ssl.protocol - type: keyword - description: > - Client SSL (TLS) protocol - diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/manifest.yml b/packages/cloudflare/2.0.1/data_stream/logpull/manifest.yml deleted file mode 100755 index 1a3eccd77a..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/logpull/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -type: logs -title: Cloudflare Logpull -streams: - - input: httpjson - vars: - - name: auth_email - type: text - title: Auth Email - description: The Auth Email. Needs to be used with an Auth Key. Do not fill if you are using an Auth Token. - multi: false - required: false - show_user: true - - name: auth_key - type: password - title: Auth Key - description: The Auth Key. Needs to be used with an Auth Email. Do not fill if you are using an Auth Token. - multi: false - required: false - show_user: true - - name: auth_token - type: password - title: Auth token - description: The auth token. If set, Auth Email and Auth Key will be ignored. - required: false - multi: false - show_user: true - - name: zone_id - type: text - title: Zone ID - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - description: Interval at which the logs will be pulled. The value must be between 1s and 1h. - default: 5m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - forwarded - - cloudflare-logpull - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" - template_path: httpjson.yml.hbs - title: Cloudflare logs - description: Collect Cloudflare logs via the Logpull API 
diff --git a/packages/cloudflare/2.0.1/data_stream/logpull/sample_event.json b/packages/cloudflare/2.0.1/data_stream/logpull/sample_event.json deleted file mode 100755 index 798d1c9b58..0000000000 --- a/packages/cloudflare/2.0.1/data_stream/logpull/sample_event.json +++ /dev/null 
@@ -1,191 +0,0 @@ -{ - "@timestamp": "2019-08-02T15:29:08.000Z", - "agent": { - "ephemeral_id": "cc5a5e17-4689-49cd-a620-44997d7309a8", - "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "client": { - "address": "35.232.161.245", - "as": { - "number": 15169 - }, - "bytes": 2577, - "geo": { - "country_iso_code": "us" - }, - "ip": "35.232.161.245", - "port": 55028 - }, - "cloudflare": { - "cache": { - "status": "unknown", - "tiered_fill": false - }, - "client": { - "ip_class": "noRecord", - "ssl": { - "protocol": "TLSv1.2" - } - }, - "device_type": "desktop", - "edge": { - "colo": { - "id": 14 - }, - "pathing": { - "op": "chl", - "src": "filterBasedFirewall", - "status": "captchaNew" - }, - "rate_limit": { - "id": 0 - }, - "response": { - "bytes": 2848, - "compression_ratio": 2.64, - "content_type": "text/html", - "status_code": 403 - } - }, - "firewall": { - "actions": [ - "simulate", - "challenge" - ], - "rule_ids": [ - "094b71fea25d4860a61fa0c6fbbd8d8b", - "e454fd4a0ce546b3a9a462536613692c" - ], - "sources": [ - "firewallRules", - "firewallRules" - ] - }, - "origin": { - "response": { - "bytes": 0, - "status_code": 0, - "time": 0 - }, - "ssl": { - "protocol": "unknown" - } - }, - "parent": { - "ray_id": "00" - }, - "ray_id": "500115ec386354d8", - "security_level": "med", - "waf": { - "action": "unknown", - "flags": "0", - "profile": "unknown" - }, - "worker": { - "cpu_time": 0, - "status": "unknown", - "subrequest": false, - "subrequest_count": 0 - }, - "zone": { - "id": 155978002 - } - }, - "data_stream": { - "dataset": "cloudflare.logpull", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 2848 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": 
"2021-12-30T04:59:20.268Z", - "dataset": "cloudflare.logpull", - "duration": 0, - "end": "2019-08-02T15:29:08.000Z", - "ingested": "2021-12-30T04:59:21Z", - "kind": "event", - "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"35.232.161.245\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFla
gs\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}", - "start": "2019-08-02T15:29:08.000Z" - }, - "http": { - "request": { - "bytes": 2577, - "method": "POST", - "referrer": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000" - }, - "response": { - "bytes": 2848, - "status_code": 403 - }, - "version": "1.1" - }, - "input": { - "type": "httpjson" - }, - "network": { - "bytes": 5425, - "protocol": "http", - "transport": "tcp" - }, - "observer": { - "type": "proxy", - "vendor": "cloudflare" - }, - "server": { - "bytes": 2848 - }, - "source": { - "address": "35.232.161.245", - "as": { - "number": 15169 - }, - "bytes": 2577, - "geo": { - "country_iso_code": "us" - }, - "ip": "35.232.161.245", - "port": 55028 - }, - "tags": [ - "forwarded", - "cloudflare-logpull", - "preserve_original_event" - ], - "tls": { - "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256", - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "cf-analytics.com", - "extension": "php", - "full": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000", - "original": "/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000", - "path": "/wp-cron.php", - "query": "doing_wp_cron=1564759748.3962020874023437500000", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Spider" - }, - "name": "WordPress", - "original": "WordPress/5.2.2;https://cf-analytics.com", - "version": "5.2.2" - } -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/docs/README.md b/packages/cloudflare/2.0.1/docs/README.md deleted file mode 100755 index 1ef65f949f..0000000000 --- a/packages/cloudflare/2.0.1/docs/README.md +++ /dev/null 
@@ -1,628 +0,0 @@ -# Cloudflare Integration - -Cloudflare integration uses [Cloudflare's API](https://api.cloudflare.com/) to retrieve [audit logs](https://support.cloudflare.com/hc/en-us/articles/115002833612-Understanding-Cloudflare-Audit-Logs) and [traffic logs](https://developers.cloudflare.com/logs/logpull/understanding-the-basics/) from Cloudflare, for a particular zone, and ingest them into Elasticsearch. This allows you to search, observe and visualize the Cloudflare log events through Elasticsearch. - -Users of [Cloudflare](https://www.cloudflare.com/en-au/learning/what-is-cloudflare/) use Cloudflare services to increase the security and performance of their web sites and services. - -## Configuration - -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations** -2. In the "Search for integrations" search bar type **Cloudflare**. -3. Click on "Cloudflare" integration from the search results. -4. Click on **Add Cloudflare** button to add Cloudflare integration. - -### Configure Cloudflare audit logs data stream - -Enter values "Auth Email", "Auth Key" and "Account ID". - -1. **Auth Email** is the email address associated with your account. -2. [**Auth Key**](https://developers.cloudflare.com/api/keys/) is the API key generated on the "My Account" page. -3. **Account ID** can be found on the Cloudflare dashboard. Follow the navigation documentation from [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/). - -NOTE: See for `X-AUTH-EMAIL` and `X-AUTH-KEY` [here](https://api.cloudflare.com/#getting-started-requests) for more information on Auth Email and Auth Key. - -### Configure Cloudflare logs - -These logs contain data related to the connecting client, the request path through the Cloudflare network, and the response from the origin web server. For more information see [here](https://developers.cloudflare.com/logs/logpull/). 
- -The integration can retrieve Cloudflare logs using - - -1. Auth Email and Auth Key -2. API Token - -More information is available [here](https://developers.cloudflare.com/logs/logpull/requesting-logs/#required-authentication-headers) - -#### Configure using Auth Email and Auth Key - -Enter values "Auth Email", "Auth Key" and "Zone ID". - -1. **Auth Email** is the email address associated with your account. -2. [**Auth Key**](https://developers.cloudflare.com/api/keys/) is the API key generated on the "My Account" page. -3. **Zone ID** can be found [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/). - -> Note: See for `X-AUTH-EMAIL` and `X-AUTH-KEY` [here](https://api.cloudflare.com/#getting-started-requests) for more information on Auth Email and Auth Key. - -#### Configure using API Token - -Enter values "API Token" and "Zone ID". - -For the Cloudflare integration to be able to successfully get logs the following permissions must be granted to the API token - - -- Account.Access: Audit Logs: Read - -1. [**API Tokens**](https://developers.cloudflare.com/api/tokens/) allow for more granular permission settings. -2. **Zone ID** can be found [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/). - -## Logs - -### Audit - -Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account-level actions like login and logout, as well as setting changes to DNS, Crypto, Firewall, Speed, Caching, Page Rules, Network, and Traffic features, etc. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. | keyword | -| cloudflare.audit.actor.type | The type of actor, whether a User, Cloudflare Admin, or an Automated System. Valid values: user, admin, Cloudflare. | keyword | -| cloudflare.audit.metadata | An object which can lend more context to the action being logged. This is a flexible value and varies between different actions. | flattened | -| cloudflare.audit.new_value | The new value of the resource that was modified | flattened | -| cloudflare.audit.old_value | The value of the resource before it was modified | flattened | -| cloudflare.audit.owner.id | User identifier tag | keyword | -| cloudflare.audit.resource.id | An identifier for the resource that was affected by the action | keyword | -| cloudflare.audit.resource.type | A short string that describes the resource that was affected by the action | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. 
| keyword | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2021-11-30T13:42:04.000Z", - "agent": { - "ephemeral_id": "be28c4d0-164a-4115-81b7-ace36fc400f4", - "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "cloud": { - "account": { - "id": "aaabbbccc" - }, - "provider": "cloudflare" - }, - "cloudflare": { - "audit": { - "actor": { - "type": "user" - }, - "owner": { - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" - }, - "resource": { - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", - "type": "account" - } - } - }, - "data_stream": { - "dataset": "cloudflare.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "rotate_api_key", - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2021-12-30T04:58:37.412Z", - "dataset": "cloudflare.audit", - "id": "8d3396e8-c903-5a66-9421-00fc34570550", - "ingested": "2021-12-30T04:58:38Z", - "kind": "event", - "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"52.91.36.10\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}", - "outcome": "success", - "type": [ - "change" - ] - }, - "input": { - "type": "httpjson" - }, - "related": { - "ip": [ - "52.91.36.10" - ], - "user": [ - "enl3j9du8rnx2swwd9l32qots7l54t9s" - ] - }, - "source": { - "address": "52.91.36.10", - 
"ip": "52.91.36.10" - }, - "tags": [ - "forwarded", - "cloudflare-audit", - "preserve_original_event" - ], - "user": { - "email": "user@example.com", - "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" - } -} -``` - -### Logpull - -These logs contain data related to the connecting client, the request path through the Cloudflare network, and the response from the origin web server. For more information see [here](https://developers.cloudflare.com/logs/logpull/). - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). 
| ip | -| client.port | Port of the client. | long | -| cloudflare.cache.bytes | Number of bytes returned by the cache | long | -| cloudflare.cache.status | Status of cache | keyword | -| cloudflare.cache.status_code | HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. | long | -| cloudflare.cache.tiered_fill | Tiered Cache was used to serve this request | boolean | -| cloudflare.client.ip_class | Class of client, ex. badHost | searchEngine | allowlist | greylist.... | keyword | -| cloudflare.client.ssl.protocol | Client SSL (TLS) protocol | keyword | -| cloudflare.device_type | Client device type | keyword | -| cloudflare.edge.colo.code | IATA airport code of data center that received the request | keyword | -| cloudflare.edge.colo.id | Cloudflare edge colo id | long | -| cloudflare.edge.pathing.op | Indicates what type of response was issued for this request (unknown = no specific action) | keyword | -| cloudflare.edge.pathing.src | Details how the request was classified based on security checks (unknown = no specific classification) | keyword | -| cloudflare.edge.pathing.status | Indicates what data was used to determine the handling of this request (unknown = no data) | keyword | -| cloudflare.edge.rate_limit.action | The action taken by the blocking rule; empty if no action taken | keyword | -| cloudflare.edge.rate_limit.id | The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. 0 if no action taken. 
| long | -| cloudflare.edge.request.host | Host header on the request from the edge to the origin | keyword | -| cloudflare.edge.response.bytes | Number of bytes returned by the edge to the client | long | -| cloudflare.edge.response.compression_ratio | Edge response compression ratio | long | -| cloudflare.edge.response.content_type | Edge response Content-Type header value | keyword | -| cloudflare.edge.response.status_code | HTTP status code returned by Cloudflare to the client | long | -| cloudflare.firewall.actions | Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. | array | -| cloudflare.firewall.rule_ids | Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources. | array | -| cloudflare.firewall.sources | The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. 
| array | -| cloudflare.origin.response.bytes | Number of bytes returned by the origin server | long | -| cloudflare.origin.response.expires | Value of the origin 'expires' header | date | -| cloudflare.origin.response.last_modified | Value of the origin 'last-modified' header | date | -| cloudflare.origin.response.status_code | Status returned by the origin server | long | -| cloudflare.origin.response.time | Number of nanoseconds it took the origin to return the response to edge | long | -| cloudflare.origin.ssl.protocol | SSL (TLS) protocol used to connect to the origin | keyword | -| cloudflare.parent.ray_id | Ray ID of the parent request if this request was made using a Worker script | keyword | -| cloudflare.ray_id | Ray ID of the parent request if this request was made using a Worker script | keyword | -| cloudflare.security_level | The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. | keyword | -| cloudflare.waf.action | Action taken by the WAF, if triggered | keyword | -| cloudflare.waf.flags | Additional configuration flags: simulate (0x1) | null | keyword | -| cloudflare.waf.matched_var | The full name of the most-recently matched variable | keyword | -| cloudflare.waf.profile | low | med | high | keyword | -| cloudflare.waf.rule.id | ID of the applied WAF rule | keyword | -| cloudflare.waf.rule.message | Rule message associated with the triggered rule | keyword | -| cloudflare.worker.cpu_time | Amount of time in microseconds spent executing a worker, if any | long | -| cloudflare.worker.status | Status returned from worker daemon | keyword | -| cloudflare.worker.subrequest | Whether or not this request was a worker subrequest | boolean | -| cloudflare.worker.subrequest_count | Number of subrequests issued by a worker when handling this request | long | -| cloudflare.zone.id | Internal zone ID | long | -| cloudflare.zone.name | The human-readable name of the zone (e.g. 
'cloudflare.com'). | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.body.bytes | Size in bytes of the request body. | long |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.geo.city_name | City name. | keyword |
-| observer.geo.continent_name | Name of the continent. | keyword |
-| observer.geo.country_iso_code | Country ISO code. | keyword |
-| observer.geo.country_name | Country name. | keyword |
-| observer.geo.location | Longitude and latitude. | geo_point |
-| observer.geo.region_iso_code | Region ISO code. | keyword |
-| observer.geo.region_name | Region name. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| source.user.full_name | User's full name, if available. | keyword |
-| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
-| source.user.id | Unique identifier of the user. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.username | Username of the request. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `logpull` looks as following:
-
-```json
-{
- "@timestamp": "2019-08-02T15:29:08.000Z",
- "agent": {
- "ephemeral_id": "cc5a5e17-4689-49cd-a620-44997d7309a8",
- "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "client": {
- "address": "35.232.161.245",
- "as": {
- "number": 15169
- },
- "bytes": 2577,
- "geo": {
- "country_iso_code": "us"
- },
- "ip": "35.232.161.245",
- "port": 55028
- },
- "cloudflare": {
- "cache": {
- "status": "unknown",
- "tiered_fill": false
- },
- "client": {
- "ip_class": "noRecord",
- "ssl": {
- "protocol": "TLSv1.2"
- }
- },
- "device_type": "desktop",
- "edge": {
- "colo": {
- "id": 14
- },
- "pathing": {
- "op": "chl",
- "src": "filterBasedFirewall",
- "status": "captchaNew"
- },
- "rate_limit": {
- "id": 0
- },
- "response": {
- "bytes": 2848,
- "compression_ratio": 2.64,
- "content_type": "text/html",
- "status_code": 403
- }
- },
- "firewall": {
- "actions": [
- "simulate",
- "challenge"
- ],
- "rule_ids": [
- "094b71fea25d4860a61fa0c6fbbd8d8b",
- "e454fd4a0ce546b3a9a462536613692c"
- ],
- "sources": [
- "firewallRules",
- "firewallRules"
- ]
- },
- "origin": {
- "response": {
- "bytes": 0,
- "status_code": 0,
- "time": 0
- },
- "ssl": {
- "protocol": "unknown"
- }
- },
- "parent": {
- "ray_id": "00"
- },
- "ray_id": "500115ec386354d8",
- "security_level": "med",
- "waf": {
- "action": "unknown",
- "flags": "0",
- "profile": "unknown"
- },
- "worker": {
- "cpu_time": 0,
- "status": "unknown",
- "subrequest": false,
- "subrequest_count": 0
- },
- "zone": {
- "id": 155978002
- }
- },
- "data_stream": {
- "dataset": "cloudflare.logpull",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 2848
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2021-12-30T04:59:20.268Z",
- "dataset": "cloudflare.logpull",
- "duration": 0,
- "end": "2019-08-02T15:29:08.000Z",
- "ingested": "2021-12-30T04:59:21Z",
- "kind": "event",
- "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"35.232.161.245\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}",
- "start": "2019-08-02T15:29:08.000Z"
- },
- "http": {
- "request": {
- "bytes": 2577,
- "method": "POST",
- "referrer": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000"
- },
- "response": {
- "bytes": 2848,
- "status_code": 403
- },
- "version": "1.1"
- },
- "input": {
- "type": "httpjson"
- },
- "network": {
- "bytes": 5425,
- "protocol": "http",
- "transport": "tcp"
- },
- "observer": {
- "type": "proxy",
- "vendor": "cloudflare"
- },
- "server": {
- "bytes": 2848
- },
- "source": {
- "address": "35.232.161.245",
- "as": {
- "number": 15169
- },
- "bytes": 2577,
- "geo": {
- "country_iso_code": "us"
- },
- "ip": "35.232.161.245",
- "port": 55028
- },
- "tags": [
- "forwarded",
- "cloudflare-logpull",
- "preserve_original_event"
- ],
- "tls": {
- "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256",
- "version": "1.2",
- "version_protocol": "tls"
- },
- "url": {
- "domain": "cf-analytics.com",
- "extension": "php",
- "full": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000",
- "original": "/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000",
- "path": "/wp-cron.php",
- "query": "doing_wp_cron=1564759748.3962020874023437500000",
- "scheme": "https"
- },
- "user_agent": {
- "device": {
- "name": "Spider"
- },
- "name": "WordPress",
- "original": "WordPress/5.2.2;https://cf-analytics.com",
- "version": "5.2.2"
- }
-}
-```
diff --git a/packages/cloudflare/2.0.1/img/cf-logo-v.svg b/packages/cloudflare/2.0.1/img/cf-logo-v.svg
deleted file mode 100755
index 35c7495a8a..0000000000
--- a/packages/cloudflare/2.0.1/img/cf-logo-v.svg
+++ /dev/null
@@ -1,50 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/cloudflare/2.0.1/img/cloudflare-performance.png b/packages/cloudflare/2.0.1/img/cloudflare-performance.png deleted file mode 100755 index 6c703e688d..0000000000 Binary files a/packages/cloudflare/2.0.1/img/cloudflare-performance.png and /dev/null differ diff --git a/packages/cloudflare/2.0.1/img/cloudflare-performance2.png b/packages/cloudflare/2.0.1/img/cloudflare-performance2.png deleted file mode 100755 index e1b4509987..0000000000 Binary files a/packages/cloudflare/2.0.1/img/cloudflare-performance2.png and /dev/null differ diff --git a/packages/cloudflare/2.0.1/img/cloudflare-reliability.png b/packages/cloudflare/2.0.1/img/cloudflare-reliability.png deleted file mode 100755 index b0a4dd4b49..0000000000 Binary files a/packages/cloudflare/2.0.1/img/cloudflare-reliability.png and /dev/null differ diff --git a/packages/cloudflare/2.0.1/img/cloudflare-security-overview.png b/packages/cloudflare/2.0.1/img/cloudflare-security-overview.png deleted file mode 100755 index 819196d8c5..0000000000 Binary files a/packages/cloudflare/2.0.1/img/cloudflare-security-overview.png and /dev/null differ diff --git a/packages/cloudflare/2.0.1/img/cloudflare-snapshot.png b/packages/cloudflare/2.0.1/img/cloudflare-snapshot.png deleted file mode 100755 index 60772e5bc3..0000000000 Binary files a/packages/cloudflare/2.0.1/img/cloudflare-snapshot.png and /dev/null differ diff --git a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json deleted file mode 100755 index cb34d553d1..0000000000 --- a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "Get a quick overview of the most important metrics from your websites and applications on the Cloudflare network.\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"1\",\"w\":11,\"x\":1,\"y\":26},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":23,\"x\":1,\"y\":31},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"3\",\"w\":18,\"x\":29,\"y\":13},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"4\",\"w\":12,\"x\":12,\"y\":26},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"5\",\"w\":12,\"x\":35,\"y\":26},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"6\",\"w\":11,\"x\":24,\"y\":26},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":23,\"x\":24,\"y\":31},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,
\"i\":\"8\",\"w\":12,\"x\":1,\"y\":38},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9\",\"w\":16,\"x\":13,\"y\":38},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"10\",\"w\":18,\"x\":29,\"y\":38},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":10,\"x\":1,\"y\":9},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":13,\"x\":11,\"y\":9},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":11,\"x\":24,\"y\":9},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":12,\"x\":35,\"y\":9},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"16\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"17\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"18\",\"w\":46,\"x\":1,\"y\":22},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0
.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"19\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"84e94c8e-19d9-4dfe-8e37-c43c004c3f05\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"5f05840e-eb7e-45bd-9319-e6746cc4fa49\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Traffic Countries Map [Cloudflare]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"0f8532d1-8c6a-4c1d-900e-8d6eb49112df\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"lucene\\\",\\\"query\\\":\\\"*\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\
\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Traffic Countries Map [Cloudflare]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":9,\"i\":\"bdc0fa59-ea05-4976-983a-70567c1fd2d6\",\"w\":28,\"x\":1,\"y\":13},\"panelIndex\":\"bdc0fa59-ea05-4976-983a-70567c1fd2d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "Cloudflare - Snapshot", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-08c86890-2323-11e9-ba08-c19298cded24", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cloudflare-27809b60-2326-11e9-ba08-c19298cded24", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": 
"cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cloudflare-4d637090-2327-11e9-ba08-c19298cded24", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cloudflare-04dda790-2328-11e9-ba08-c19298cded24", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "bdc0fa59-ea05-4976-983a-70567c1fd2d6:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 36a8a139ec..0000000000 --- a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "Get insights on threats to your websites and applications, including number of threats stopped, threats over time, top threat countries, and more.\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"1\",\"w\":16,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"2\",\"w\":15,\"x\":17,\"y\":9},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"3\",\"w\":15,\"x\":32,\"y\":9},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":31,\"y\":14},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":17,\"x\":30,\"y\":32},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":29,\"x\":1,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"8\",\"w\":46,\"x\":1,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":11,\"x\":20,\"y\":14},\"pan
elIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":29,\"x\":1,\"y\":24},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":17,\"x\":30,\"y\":24},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"14\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"15\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"573a3d3e-987d-41b5-a714-2344535c0ca9\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"4d50c3a6-72f9-46f4-bb21-4d54fe1c9842\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Threat Countries Map 
[Cloudflare]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"25e907ec-31fb-40fe-9a10-49f002b31bf0\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\
\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"lucene\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[{\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"},\\\"meta\\\":{\\\"alias\\\":null,\\\"disabled\\\":false,\\\"key\\\":\\\"query\\\",\\\"negate\\\":false,\\\"type\\\":\\\"custom\\\",\\\"value\\\":\\\"{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\
\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"bic\\\\\\\"}}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"hot\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"hot\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ip\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudfl
are.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"captchaFail\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"jschlFail\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"zl\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":
1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"us\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"rateLimit\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"filterBasedFirewall\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"filterBasedFirewall\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\
\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ctry\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ip\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"terms\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":[\\\\\\\"ipr16\\\\\\\",\\\\\\\"ipr24\\\\\\\",\\\\\\\"ip6\\\\\\\",\\\\\\\"ip6r64\\\\\\\",\\\\\\\"ip6r48\\\\\\\",\\\\\\\"ip6r32\\\\\\\"]}}]}}]},\\\\\\\"_source\\\\\\\":{\\\\\\\"excludes\\\\\\\":[],\\\\\
\\"includes\\\\\\\":[\\\\\\\"source.geo.region_name\\\\\\\",\\\\\\\"cloudflare.client.ip_class\\\\\\\",\\\\\\\"url.path\\\\\\\",\\\\\\\"cloudflare.client.request.protocol\\\\\\\",\\\\\\\"http.request.referrer\\\\\\\",\\\\\\\"url.full\\\\\\\",\\\\\\\"user_agent.original\\\\\\\",\\\\\\\"cloudflare.client.ssl.cipher\\\\\\\",\\\\\\\"cloudflare.client.ssl.protocol\\\\\\\",\\\\\\\"cloudflare.edge.rate_limit.action\\\\\\\",\\\\\\\"cloudflare.edge.response.content_type\\\\\\\",\\\\\\\"cloudflare.origin.response.http.expires\\\\\\\",\\\\\\\"cloudflare.origin.response.http.last_modified\\\\\\\",\\\\\\\"cloudflare.origin.ssl.protocol\\\\\\\",\\\\\\\"user_agent.os.full\\\\\\\",\\\\\\\"user_agent.name\\\\\\\",\\\\\\\"cloudflare.waf.action\\\\\\\",\\\\\\\"cloudflare.waf.flags\\\\\\\",\\\\\\\"cloudflare.waf.matched_var\\\\\\\",\\\\\\\"cloudflare.waf.profile\\\\\\\",\\\\\\\"cloudflare.waf.rule.id\\\\\\\",\\\\\\\"cloudflare.waf.rule.message\\\\\\\",\\\\\\\"cloudflare.worker.status\\\\\\\",\\\\\\\"message\\\\\\\",\\\\\\\"tags\\\\\\\"]},\\\\\\\"docvalue_fields\\\\\\\":[{\\\\\\\"field\\\\\\\":\\\\\\\"@timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"@version\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.status\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.response.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.response.status\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.tiered.fill\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.as.number\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_iso_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_fi
eld_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.device_type\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.city_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.continent_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_code2\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_code3\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.dma_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"client.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.latitude\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.longitude\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.postal_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.region_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.timezone\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.request.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"url.domain\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.request.method\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"client.port\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapp
ing\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.colo.id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.end.timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.op\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.src\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.status\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.rate_limit.id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.request.host\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"destination.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.response.compression_ratio\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.response.status_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"observer.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"@timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"destination.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.response.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.origin.response.status_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.origin.response.time\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\
"cloudflare.parent.ray_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.ray_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.security_level\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.build\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.device\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.major\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.minor\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.os_major\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.os_minor\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.patch\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.cpu_time\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.subrequest\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.subrequest_count\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.zone_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"}],\\\\\\\"size\\\\\\\":50,\\\\\\\"sort\\\\\\\":[{\\\\\\\"_doc\\\\\\\":{\\\\\\\"order\\\\\\\":\\\\\\\"asc\\\\\\\"}}]}\\\",\\\"index\\\":\\\"logs-*\\\"},\\\"query\\\":{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool
\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"bic\\\"}}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"hot\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"hot\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ip\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"c
loudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"captchaFail\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"jschlFail\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"zl\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"us\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,
\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"rateLimit\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"filterBasedFirewall\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"filterBasedFirewall\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ctry\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\
\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ip\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"terms\\\":{\\\"boost\\\":1,\\\"cloudflare.edge.pathing.status\\\":[\\\"ipr16\\\",\\\"ipr24\\\",\\\"ip6\\\",\\\"ip6r64\\\",\\\"ip6r48\\\",\\\"ip6r32\\\"]}}]}}]},\\\"_source\\\":{\\\"excludes\\\":[],\\\"includes\\\":[\\\"source.geo.region_name\\\",\\\"cloudflare.client.ip_class\\\",\\\"url.path\\\",\\\"cloudflare.client.request.protocol\\\",\\\"http.request.referrer\\\",\\\"url.full\\\",\\\"user_agent.original\\\",\\\"cloudflare.client.ssl.cipher\\\",\\\"cloudflare.client.ssl.protocol\\\",\\\"cloudflare.edge.rate_limit.action\\\",\\\"cloudflare.edge.response.content_type\\\",\\\"cloudflare.origin.response.http.expires\\\",\\\"cloudflare.origin.response.http.last_modified\\\",\\\"cloudflare.origin.ssl.protocol\\\",\\\"user_agent.os.full\\\",\\\"user_agent.name\\\",\\\"cloudflare.waf.action\\\",\\\"cloudflare.waf.flags\\\",\\\"cloudflare.waf.matched_var\\\",\\\"cloudflare.waf.profile\\\",\\\"cloudflare.waf.rule.id\\\",\\\"cloudflare.waf.rule.message\\\",\\\"cloudflare.worker.status\\\",\\\"message\\\",\\\"tags\\\"]},\\\"docvalue_fields\\\":[{\\\"field\\\":\\\"@timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"@version\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.response.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.response.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.tiered.f
ill\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.as.number\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_iso_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.device_type\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.city_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.continent_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_code2\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_code3\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.dma_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"client.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.latitude\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.longitude\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.postal_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.region_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.timezone\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.request.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"url.domain\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.request.method\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"client.port\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.colo.id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.end.timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.op\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.src\\\",\\\"f
ormat\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.rate_limit.id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.request.host\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"destination.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.response.compression_ratio\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.response.status_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"observer.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"@timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"destination.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.response.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.origin.response.status_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.origin.response.time\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.parent.ray_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.ray_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.security_level\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.build\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.device\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.major\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.minor\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.os_major\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.os_minor\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.patch\\\
",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.cpu_time\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.subrequest\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.subrequest_count\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.zone_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"}],\\\"size\\\":50,\\\"sort\\\":[{\\\"_doc\\\":{\\\"order\\\":\\\"asc\\\"}}]}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Threat Countries Map [Cloudflare]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":10,\"i\":\"240814e0-fc79-4c27-af94-fa9df006d441\",\"w\":19,\"x\":1,\"y\":14},\"panelIndex\":\"240814e0-fc79-4c27-af94-fa9df006d441\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "Cloudflare - Security (Overview)", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30", - "migrationVersion": { - "dashboard": "8.0.0" - }, - 
"references": [ - { - "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "240814e0-fc79-4c27-af94-fa9df006d441:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 548a6b2545..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Get insights into your most popular hostnames, most requested content types, breakdown of request methods, and connection type.\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":21},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":46,\"x\":1,\"y\":33},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":44},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"6\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"8\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "Cloudflare - Performance (Hostname, Content Type, Request Methods, Connection Type)", - 
"version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index ad53a143a9..0000000000 --- a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "Identify and address performance issues and caching misconfigurations. Metrics include total vs. cached bandwidth, saved bandwidth, total requests, cache ratio, top uncached requests, and more.\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":10,\"x\":1,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"2\",\"w\":13,\"x\":11,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"3\",\"w\":13,\"x\":24,\"y\":12},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":14,\"x\":1,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":14,\"x\":15,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":18,\"x\":29,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"7\",\"w\":25,\"x\":1,\"y\":44},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h
\":6,\"i\":\"8\",\"w\":21,\"x\":26,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9\",\"w\":21,\"x\":26,\"y\":50},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":24,\"x\":1,\"y\":16},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":22,\"x\":25,\"y\":16},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":25,\"x\":1,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"15\",\"w\":21,\"x\":26,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"16\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"17\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"18\",\"w\":46,\"x\":1,\"y\":25},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"19\",\"w\":46,\"x\":1,\"y\":41},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version
\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"20\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "Cloudflare - Performance (Requests, Bandwidth, Cache)", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f", - "name": "13:panel_13", - "type": "visualization" - }, - 
{ - "id": "cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "name": "20:panel_20", - "type": "visualization" - }, - { - "id": "cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f", - "name": "21:panel_21", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 1799a88fd7..0000000000 --- a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "Get insights on the availability of your websites and applications. Metrics include origin response error ratio, origin response status over time, percentage of 3xx/4xx/5xx errors over time, and more.\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":34,\"x\":1,\"y\":18},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":34,\"x\":1,\"y\":26},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"3\",\"w\":15,\"x\":31,\"y\":9},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"4\",\"w\":17,\"x\":29,\"y\":37},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"6\",\"w\":28,\"x\":1,\"y\":37},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"7\",\"w\":28,\"x\":1,\"y\":46},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"8\",\"w\":17,\"x\":29,\"y\":46},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\"
:{\"h\":8,\"i\":\"9\",\"w\":11,\"x\":35,\"y\":26},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":11,\"x\":35,\"y\":18},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":30,\"x\":1,\"y\":9},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"12\",\"w\":45,\"x\":1,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":38,\"x\":8,\"y\":0},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"14\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"15\",\"w\":45,\"x\":1,\"y\":34},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "Cloudflare - Reliability", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f", - "name": "3:panel_3", - "type": "visualization" - }, - { 
- "id": "cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f", - "name": "15:panel_15", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index a9662ea58c..0000000000 --- a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Get insights into the performance of your static and dynamic content, including slowest URLs.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"2\",\"w\":46,\"x\":1,\"y\":19},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"4\",\"w\":46,\"x\":1,\"y\":42},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "Cloudflare - Performance (Static vs. 
Dynamic Content)", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 729b9536a3..0000000000 --- a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Get insights on rate limiting protection against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeted at your websites or applications.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"2\",\"w\":23,\"x\":1,\"y\":16},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":25},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"4\",\"w\":23,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "Cloudflare - Security (Rate Limiting)", - 
"version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-b221c710-2963-11e9-b959-4502c43b2e30", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cloudflare-fe404730-2962-11e9-b959-4502c43b2e30", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 2c678190bc..0000000000 --- a/packages/cloudflare/2.0.1/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Get insights on threat identification and mitigation by our Web Application Firewall, including events like SQL injections, XSS, and more. Use this data to fine tune the firewall to target obvious threats and prevent false positives.\n", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":29,\"x\":18,\"y\":23},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":17,\"x\":1,\"y\":23},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":18,\"x\":29,\"y\":9},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"5\",\"w\":11,\"x\":18,\"y\":9},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"6\",\"w\":8,\"x\":10,\"y\":9},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\
"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8\",\"w\":9,\"x\":1,\"y\":9},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"10\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"11\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "Cloudflare - Security (WAF)", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": 
"cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "name": "11:panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json b/packages/cloudflare/2.0.1/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json deleted file mode 100755 index 0e79f4e006..0000000000 --- a/packages/cloudflare/2.0.1/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"cloudflare.logpull\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.logpull\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Discover [Cloudflare]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json deleted file mode 100755 index 6deef7fada..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Traffic IPs [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-04dda790-2328-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 89833b34a5..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Countries - Reliability [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Countries - Reliability\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json deleted file mode 100755 index 51c24c2d0e..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Traffic Type [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.device_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Traffic Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-08c86890-2323-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json deleted file mode 100755 index 09f8427894..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_fi
eld_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_fie
ld_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\"
:{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"
}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"bo
ost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Threat Client IPs [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Client IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": 
"cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 0476c0cc63..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Total Requests vs. Origin Requests in rps last 24 hours [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total requests\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(253,161,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.origin.response.status_code:\\u003e0\"},\"formatter\":\"number\",\"id\":\"fca6dbb0-4991-11e9-b6ee-0784825b4ddc\",\"label\":\"origin requests\",\"line_width\":1,\"metrics\":[{\"id\":\"fca6dbb1-4991-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total Requests vs. 
Origin Requests in rps last 24 hours\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 8632157d21..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top WAF Rules Triggered [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.waf.rule.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.waf.rule.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top WAF Rules Triggered\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - 
"type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 320a2be360..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Cache Status Ratio [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.cache.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Cache Status Ratio\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index aa891dd0e0..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Client Requests by Hostname Over Time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Hostname Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 4c32681062..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Origin Requests By Hostname - Content Type - Request Methods - Connection Type - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Origin Requests By Hostname - Content Type - Request Methods - Connection Type**\",\"openLinksInNewTab\":false},\"title\":\"Origin Requests By Hostname - Content Type - Request Methods - Connection Type - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 80c716cb4f..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Hostnames - Reliability [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Hostnames - Reliability\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json deleted file mode 100755 index bb6bae84f4..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Referrer [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.request.referrer\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Referrer\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 89ecd8bd19..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "WAF Events Over Time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"WAF Events Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 4c8bfdee9d..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_fi
eld_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_fie
ld_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\"
:{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"
}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"bo
ost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Threats Over Time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seri
esParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Threats Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 88e454e5d7..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Slowest URIs by cumulative time to first byte for dynamic requests [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"average_response_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"wait_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[99,99.9]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\"
:\"Slowest URIs by cumulative time to first byte for dynamic requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json deleted file mode 100755 index 6c74a813b4..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "HTTP Protocols [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"HTTP Protocols\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-27809b60-2326-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 68286ce235..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "WAF Events triggered by the Web Application Firewall - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**WAF - Events triggered by the Web Application Firewall**\",\"openLinksInNewTab\":false},\"title\":\"WAF Events triggered by the Web Application Firewall - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json deleted file mode 100755 index 1b27233b9e..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top User Agents [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top User Agents\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json deleted file mode 100755 index 636f5f2e54..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\",\"revalidated\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored, revalidated\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"revalidated\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Cached Bandwidth [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Cached Bandwidth\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Cached Bandwidth\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 42cd820659..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Total number of requests vs cached vs uncached over time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total requests\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"lucene\",\"query\":\"metricset.name:cloudflare.cache.status\"},\"id\":\"e847cce0-4731-11e9-b6ee-0784825b4ddc\",\"label\":\"cached requests\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"cloudflare.cache.status\",\"terms_order_by\":\"_term\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.cache.status:(hit OR stale OR updating OR ignored)\"},\"formatter\":\"number\",\"id\":\"0d45cce0-498f-11e9-b6ee-0784825b4ddc\",\"label\":\"cached 
requests\",\"line_width\":1,\"metrics\":[{\"id\":\"0d45cce1-498f-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"#68BC00\",\"id\":\"14053f70-498f-11e9-b6ee-0784825b4ddc\"}],\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.cache.status:(-hit OR -stale OR -updating OR -ignored)\"},\"formatter\":\"number\",\"id\":\"3edf18b0-498f-11e9-b6ee-0784825b4ddc\",\"label\":\"uncached requests\",\"line_width\":1,\"metrics\":[{\"id\":\"3edf18b1-498f-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total number of requests vs cached vs uncached over time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index b7bd165e0f..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Bandwidth - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Bandwidth**\",\"openLinksInNewTab\":false},\"title\":\"Bandwidth - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 4b321c4b8f..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Web Traffic Overview - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Web Traffic Overview**\",\"openLinksInNewTab\":false},\"title\":\"Web Traffic Overview - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 019a1d489a..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Total Bandwidth vs Origin Bandwidth in Mbps last 24 hours - 7.x [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"c520c1a0-1c6e-11ea-9387-9362a5ae410a\"}],\"bar_color_rules\":[{\"id\":\"c6258770-1c6e-11ea-9387-9362a5ae410a\"}],\"drop_last_bucket\":1,\"gauge_color_rules\":[{\"id\":\"c7b83560-1c6e-11ea-9387-9362a5ae410a\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(253,161,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.origin.response.status_code:\\u003e0\"},\"formatter\":\"bytes\",\"id\":\"65f93df0-49a7-11e9-a870-03d340338f04\",\"label\":\"origin bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"65f93df1-49a7-11e9-a870-03d340338f04\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total Bandwidth vs Origin Bandwidth in Mbps last 24 hours - 
7.x\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 84c8378342..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":{\"query\":\"miss\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"miss\"},\"query\":{\"match\":{\"cloudflare.cache.status\":{\"query\":\"miss\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top URIs with Cache Status Miss [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top URIs with Cache Status Miss\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 8fa929434e..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Rate Limiting Get insights into rate limiting events and banned IPs and URIs - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Rate Limiting - Get insights into rate limiting events and banned IPs and URIs**\",\"openLinksInNewTab\":false},\"title\":\"Rate Limiting Get insights into rate limiting events and banned IPs and URIs - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json deleted file mode 100755 index c441021b2c..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":{\"query\":\"ban\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ban\"},\"query\":{\"match\":{\"cloudflare.edge.rate_limit.action\":{\"query\":\"ban\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Banned Client IPs [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Banned Client IPs\",\"type\":\"table\"}" - }, - 
"coreMigrationVersion": "8.0.0", - "id": "cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json deleted file mode 100755 index 12376966f2..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Total Number of Requests [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Number of Requests\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index c4c92004a3..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Cache - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Cache**\",\"openLinksInNewTab\":false},\"title\":\"Cache - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json deleted file mode 100755 index 0f0494d481..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Request Methods [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.request.method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Request Methods\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index b0d17a8289..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Web Traffic Types - Text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Web Traffic Types -\\nGet insight into the various types of traffic and content**\",\"openLinksInNewTab\":false},\"title\":\"Web Traffic Types - Text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 78b0147220..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "WAF: Top User Agents [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.waf.rule.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top User Agents\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, 
- { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json deleted file mode 100755 index 6bc87a03e7..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Traffic Type [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.client.ip_class\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic Type\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-4d637090-2327-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 11c85327a6..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Edge Response Status Over Time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title
\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Edge Response Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 8c0b7176a6..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Static vs Dynamic Content - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Static vs Dynamic Content**\",\"openLinksInNewTab\":false},\"title\":\"Static vs Dynamic Content - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index a09615ee11..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Client IPs and AS Number - Reliability [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.as.number\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Client IPs and AS Number - Reliability\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-623f3110-338b-11e9-ab62-2d2dc754fa8f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-623f3110-338b-11e9-ab62-2d2dc754fa8f.json deleted file mode 100755 index 63ad465553..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-623f3110-338b-11e9-ab62-2d2dc754fa8f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_fi
eld_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_fie
ld_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\"
:{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"
}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"bo
ost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Threat Countries Map [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps 
Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\\u0026my_app_name=kibana\\u0026my_app_version=6.5.4\\u0026license=4552d43c-e532-47b1-9552-27fed12f7d1a\"}}},\"title\":\"Top Threat Countries Map\",\"type\":\"tile_map\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "cloudflare-623f3110-338b-11e9-ab62-2d2dc754fa8f", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json deleted file mode 100755 index eab3fb830d..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "WAF: Top Hosts [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top Hosts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 402ce71cd6..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"http.version\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.os.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"f
ield\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"fi
eld\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_neg
ative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\"
:{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\
"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Threat Target URIs [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Target URIs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index f23dcd94eb..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Summary of Edge and Origin Response Status - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Summary of Edge and Origin Response Status**\\n\\nGet an overview of the edge and origin response status codes\",\"openLinksInNewTab\":false},\"title\":\"Summary of Edge and Origin Response Status - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 031607d1a9..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Origin Response Status Over Time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.origin.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"sty
le\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Origin Response Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 75d9c75ae0..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"challenge\",\"jsChallenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, challenge, jsChallenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Rate Limit Over Time [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-6M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2.5,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Rate Limit Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30", - 
"migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json deleted file mode 100755 index 60020f5987..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Total Bandwidth [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Bandwidth\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Bandwidth\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json deleted file mode 100755 index 1ff7620257..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_fi
eld_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_fie
ld_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\"
:{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"
}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"bo
ost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Threats Stopped [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Threats Stopped\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json deleted file mode 100755 index c196e260d5..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "WAF: Top Client IP [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top Client IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 6623eff5a1..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Origin time to first byte dynamic requests [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-60d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
cloudflare.origin.response.time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of OriginResponseTime\"},\"type\":\"value\"}]},\"title\":\"Origin time to first byte dynamic requests\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 44ea4ceac6..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Performance Overview - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Performance Overview**\",\"openLinksInNewTab\":false},\"title\":\"Performance Overview - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 9ce4f8c854..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Threats - Review threat activity - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Threats - Review threat activity**\",\"openLinksInNewTab\":false},\"title\":\"Threats - Review threat activity - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json deleted file mode 100755 index f45e0e3b4d..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Content Type [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.response.content_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Content Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 0f8ba8c4b6..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Cloudflare logo [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"![alt text](https://www.cloudflare.com/img/logo-cloudflare-dark.svg)\",\"openLinksInNewTab\":false},\"title\":\"Cloudflare logo\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 3482fa40cd..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"jsChallenge\",\"challenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, jsChallenge, challenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Rate Limit Actions [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Rate Limit Actions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 81eb744f48..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Origin Response Error Ratio [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.origin.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Origin Response Error Ratio\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 6b0d9664bf..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Client Requests by Content Type [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.response.content_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Content Type\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 09fb8f7e8b..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\",\"revalidated\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored, revalidated\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"revalidated\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Uncached Bandwidth [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Uncached Bandwidth\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 6270faa803..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_fi
eld_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_fie
ld_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\"
:{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"
}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"bo
ost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Threat Countries [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Countries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index dd54f85a2e..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Cached Requests [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Cached Requests\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 1ffedbbec6..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "WAF: Top Countries [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"WAF: Top Countries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index d5e3635479..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Client Requests Methods Over Time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.request.method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\"
:{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests Methods Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index bb76962042..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Errors Ratio (Edge) [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(0,104,55)\",\"50 - 75\":\"rgb(255,255,190)\",\"75 - 100\":\"rgb(165,0,38)\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"alignment\":\"horizontal\",\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"\",\"width\":0.9},\"type\":\"meter\"},\"isDisplayWarning\":false,\"type\":\"gauge\"},\"title\":\"Errors Ratio (Edge)\",\"type\":\"gauge\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index ad111537be..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Detailed View Breakdown of Origin Response Status Codes by Various Metrics - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":14,\"markdown\":\"Detailed View\\nBreakdown of Origin Response Status Codes by Various Metrics\",\"openLinksInNewTab\":false},\"title\":\"Detailed View Breakdown of Origin Response Status Codes by Various Metrics - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index be29b07593..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_fi
eld_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_fie
ld_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\"
:{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"
}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"bo
ost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Threat User Agents [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat User Agents\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index b4b6d0cd3c..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Requested URI - Reliability [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Requested URI - Reliability\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json deleted file mode 100755 index fa9b2d83bc..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Traffic Countries [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic Countries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-caf67100-23d7-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-caf67100-23d7-11e9-ba08-c19298cded24.json deleted file mode 100755 index fe30ad6d17..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-caf67100-23d7-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Traffic Countries Map [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\\u0026my_app_name=kibana\\u0026my_app_version=6.5.4\\u0026license=4552d43c-e532-47b1-9552-27fed12f7d1a\"}}},\"title\":\"Top Traffic Countries Map\",\"type\":\"tile_map\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "cloudflare-caf67100-23d7-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 178761e45b..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Requests - text [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Requests**\",\"openLinksInNewTab\":false},\"title\":\"Requests - text\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index f2f503bfed..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{}" - }, - "title": "Cached vs Uncached Bandwidth Over Time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.cache.status:(hit OR stale OR updating OR ignored OR revalidated)\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"saved bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.cache.status:(-hit OR -stale OR -updating OR -ignored OR -revalidated)\"},\"formatter\":\"bytes\",\"id\":\"73f43510-49a0-11e9-8499-d5aa4562b1c7\",\"label\":\"uncached bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"73f43511-49a0-11e9-8499-d5aa4562b1c7\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Cached vs Uncached Bandwidth Over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": 
[ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index a4b15ea573..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Edge Response Error Ratio [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Edge Response Error Ratio\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 81b9a6af94..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Origin time to first byte static requests [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-60d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
cloudflare.origin.response.time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":1.5,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of OriginResponseTime\"},\"type\":\"value\"}]},\"title\":\"Origin time to first byte static requests\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 9ddf576777..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_fi
eld_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_fie
ld_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\"
:{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"
}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"bo
ost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Threats Stopped [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threats Stopped\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json
deleted file mode 100755
index 6f9780ad23..0000000000
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json
+++ /dev/null
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Uncached Requests [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Uncached Requests\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json
deleted file mode 100755
index 3c3bda44c7..0000000000
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top User Agents - Reliability [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top User Agents - Reliability\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index ad0501c78f..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Client Requests by Connection Over Time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.client.ssl.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Connection Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index c68f5ba629..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,85 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"cloudflare.logpull\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.logpull\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "title": "Filters [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloudflare.device_type\",\"id\":\"1554899945457\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Device Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"source.geo.country_name\",\"id\":\"1554900041526\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"url.domain\",\"id\":\"1554900064098\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Hostname\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"client.ip\",\"id\":\"1554900102344\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user_agent.original\",\"id\":\"1554900136614\",\"indexPatternRefName\":\"control_4_index_pattern\",\"label\":\"User 
Agent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"url.full\",\"id\":\"1554900159944\",\"indexPatternRefName\":\"control_5_index_pattern\",\"label\":\"Request URI\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"http.response.status_code\",\"id\":\"1554900185676\",\"indexPatternRefName\":\"control_6_index_pattern\",\"label\":\"Edge Response Status\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.origin.response.status_code\",\"id\":\"1554900211881\",\"indexPatternRefName\":\"control_7_index_pattern\",\"label\":\"Origin Response Status\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"destination.ip\",\"id\":\"1556549231725\",\"indexPatternRefName\":\"control_8_index_pattern\",\"label\":\"Origin IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.ray_id\",\"id\":\"1554900244300\",\"indexPatternRefName\":\"control_9_index_pattern\",\"label\":\"RayID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.worker.subrequest\",\"id\":\"1554900268999\",\"indexPatternRefName\":\"control_10_index_pattern\",\"label\":\"Worker 
Subrequest\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"http.request.method\",\"id\":\"1554900324235\",\"indexPatternRefName\":\"control_11_index_pattern\",\"label\":\"Client Request Method\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":true,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"Filters\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_4_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_5_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_6_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_7_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_8_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_9_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_10_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_11_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} 
\ No newline at end of file
diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json
deleted file mode 100755
index 6d5358e3a1..0000000000
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Cache status over time [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.cache.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"val
ue\"}]},\"title\":\"Cache status over time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json deleted file mode 100755 index 38b0a34b1f..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Requested URI [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Requested URI\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 500e479c4b..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"unknown\",\"bypass\"],\"type\":\"phrases\",\"value\":\"unknown, bypass\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Slowest URIs by cumulative time to first byte for static requests [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"average_response_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"wait_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[99,99.9]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\
"Slowest URIs by cumulative time to first byte for static requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json deleted file mode 100755 index 69432d0f5d..0000000000 --- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "WAF Events Triggered [Cloudflare]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"WAF Events Triggered\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json deleted file mode 100755 index adeade4e0f..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json
+++ /dev/null
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"jsChallenge\",\"challenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, jsChallenge, challenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Rate Limit Countries [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Rate Limit Countries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-fe404730-2962-11e9-b959-4502c43b2e30", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json deleted file mode 100755 index 04e881cbe5..0000000000 
--- a/packages/cloudflare/2.0.1/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Pathing Statuses [Cloudflare]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.pathing.src\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.pathing.op\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"cloudflare.edge.pathing.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Pathing Statuses\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/cloudflare/2.0.1/manifest.yml b/packages/cloudflare/2.0.1/manifest.yml
deleted file mode 100755
index ddbc27b8a2..0000000000
--- a/packages/cloudflare/2.0.1/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@ -name: cloudflare -title: Cloudflare -version: 2.0.1 -release: ga -description: Collect and parse logs from Cloudflare API with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security, network, web, cloud] -conditions: - kibana.version: ^8.0.0 -icons: - - src: /img/cf-logo-v.svg - title: Cloudflare - size: 216x216 - type: image/svg+xml -screenshots: - - src: /img/cloudflare-snapshot.png - title: Cloudflare - Snapshot - size: 1847x950 - type: image/png - - src: /img/cloudflare-reliability.png - title: Cloudflare - Reliability - size: 1850x948 - type: image/png - - src: /img/cloudflare-security-overview.png - title: Cloudflare - Security - size: 1848x949 - type: image/png - - src: /img/cloudflare-performance.png - title: Cloudflare - Performance (Requests, Bandwidth, Cache) - size: 1847x949 - type: image/png - - src: /img/cloudflare-performance2.png - title: Cloudflare - Performance (Hostname, Content Type, Request Methods, Connection Type) - size: 1847x950 - type: image/png -policy_templates: - - name: cloudflare - title: Cloudflare logs - description: Collect logs from Cloudflare - inputs: - - type: httpjson - title: "Collect Cloudflare logs via API" - description: "Collecting logs from Cloudflare via API" - vars: - - name: api_url - type: text - title: API URL. - description: The API URL without the path. - multi: false - required: true - show_user: false - default: https://api.cloudflare.com - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: true - default: 60s -owner: - github: elastic/security-external-integrations 
diff --git a/packages/crowdstrike/1.3.4/changelog.yml b/packages/crowdstrike/1.3.4/changelog.yml
deleted file mode 100755
index 4dbec56bc2..0000000000
--- a/packages/crowdstrike/1.3.4/changelog.yml
+++ /dev/null
@@ -1,170 +0,0 @@ -# newer versions go on top -- version: "1.3.4" - changes: - - description: Prevent missing `@timestamp` field. - type: bugfix - link: https://github.com/elastic/integrations/pull/3484 -- version: "1.3.3" - changes: - - description: Optimize FDR pipeline script processor. - type: bugfix - link: https://github.com/elastic/integrations/pull/3302 -- version: "1.3.2" - changes: - - description: Format source.mac as per ECS. - type: bugfix - link: https://github.com/elastic/integrations/pull/3302 -- version: "1.3.1" - changes: - - description: Update readme file. Added link to CrowdStrike docs - type: enhancement - link: https://github.com/elastic/integrations/pull/3057 -- version: "1.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "1.2.7" - changes: - - description: Move invalid field value - type: enhancement - link: https://github.com/elastic/integrations/pull/3098 -- version: "1.2.6" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.2.5" - changes: - - description: Add date parsing for BiosReleaseDate field. - type: bugfix - link: https://github.com/elastic/integrations/pull/2867 -- version: "1.2.4" - changes: - - description: Add missing field mapping for several event and host fields. - type: bugfix - link: https://github.com/elastic/integrations/pull/2869 -- version: "1.2.3" - changes: - - description: Change type of 'fdr_parsing_script' variable to 'yaml' so that the multi-line string creates a valid YAML config document. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2701 -- version: "1.2.2" - changes: - - description: Add Ingest Pipeline script to map IANA Protocol Numbers - type: bugfix - link: https://github.com/elastic/integrations/pull/2470 -- version: "1.2.1" - changes: - - description: Fix issue with "Is FDR Queue" selector having no effect. - type: bugfix - link: https://github.com/elastic/integrations/pull/2653 -- version: "1.2.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2398 -- version: "1.1.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.1.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.1.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2229 -- version: "1.0.4" - changes: - - description: Add ability to read from both FDR provided and user owned SQS queues for FDR. - type: bugfix - link: https://github.com/elastic/integrations/pull/2198 - - description: Pipeline fixes for FDR - type: bugfix - link: https://github.com/elastic/integrations/pull/2198 -- version: "1.0.3" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2022 -- version: "1.0.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1961 -- version: "1.0.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1812 -- version: '1.0.0' - changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1630 -- version: "0.9.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1655 -- version: "0.8.1" - changes: - - description: Add proxy config - type: enhancement - link: https://github.com/elastic/integrations/pull/1648 -- version: "0.8.0" - changes: - - description: Add FDR data stream. - type: enhancement - link: https://github.com/elastic/integrations/pull/1522 - - description: Change Falcon ECS fields definition to use references - type: enhancement - link: https://github.com/elastic/integrations/pull/1522 - - description: Add cleanup processor to Falcon - type: enhancement - link: https://github.com/elastic/integrations/pull/1522 -- version: '0.7.1' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1378 -- version: "0.7.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.6.0" - changes: - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1258 -- version: "0.5.0" - changes: - - description: update to ECS 1.10.0 and add event.original options - type: enhancement - link: https://github.com/elastic/integrations/pull/1036 -- version: "0.4.1" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/841 -- version: "0.4.0" - changes: - - description: Moves edge processing to ingest pipeline - type: enhancement - 
link: https://github.com/elastic/integrations/pull/774 -- version: "0.3.1" - changes: - - description: Change kibana.version constraint to be more conservative. - type: bugfix - link: https://github.com/elastic/integrations/pull/749 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/182 diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/agent/stream/log.yml.hbs b/packages/crowdstrike/1.3.4/data_stream/falcon/agent/stream/log.yml.hbs deleted file mode 100755 index 79e1726037..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/agent/stream/log.yml.hbs +++ /dev/null @@ -1,25 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -# Crowdstrike Falcon SIEM connector logs are multiline JSON by default -multiline.pattern: '^{' -multiline.negate: true -multiline.match: after -multiline.max_lines: 5000 -multiline.timeout: 10 -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml deleted file mode 100755 index 1469046543..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [authentication] - - append: - field: event.type - value: [change] - - convert: - field: crowdstrike.event.ServiceName - type: string - target_field: message - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.UserIp - target_field: source.ip - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" - - script: - lang: painless - source: | - def regex = /([a-z0-9])([A-Z])/; - def replacement = "$1_$2"; - def action = ctx?.crowdstrike?.event?.OperationName; - if (action == null || action == "") return; - ctx["event.action"] = regex.matcher(action).replaceAll(replacement).toLowerCase(); diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2a94af718b..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,423 +0,0 @@ ---- -description: Ingest pipeline for normalizing CrowdStrike Falcon logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: crowdstrike - - remove: - field: - - host.name - ignore_missing: true - - remove: - field: crowdstrike.event.ProcessStartTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.ProcessStartTime == 0 - - date: - field: crowdstrike.event.ProcessStartTime - target_field: crowdstrike.event.ProcessStartTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessStartTime != null && - !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) >= 12 - - remove: - field: crowdstrike.event.ProcessEndTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.ProcessEndTime == 0 - - date: - field: crowdstrike.event.ProcessEndTime - target_field: crowdstrike.event.ProcessEndTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessEndTime != null && - !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) >= 12 - - remove: - field: crowdstrike.event.IncidentStartTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.IncidentStartTime == 0 - - date: - field: crowdstrike.event.IncidentStartTime - target_field: crowdstrike.event.IncidentStartTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentStartTime != null && - !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) >= 12 - - remove: - field: crowdstrike.event.IncidentEndTime - ignore_missing: true - if: ctx?.crowdstrike?.event?.IncidentEndTime == 0 - - date: - field: 
crowdstrike.event.IncidentEndTime - target_field: crowdstrike.event.IncidentEndTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentEndTime != null && - !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) >= 12 - - remove: - field: crowdstrike.event.StartTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.StartTimestamp == 0 - - date: - field: crowdstrike.event.StartTimestamp - target_field: crowdstrike.event.StartTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.StartTimestamp != null && - !(ctx.crowdstrike.event.StartTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.event.EndTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.EndTimestamp == 0 - - date: - field: crowdstrike.event.EndTimestamp - target_field: crowdstrike.event.EndTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.EndTimestamp != null && - !(ctx.crowdstrike.event.EndTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.event.UTCTimestamp - ignore_missing: true - if: ctx?.crowdstrike?.event?.UTCTimestamp == 0 - - date: - field: crowdstrike.event.UTCTimestamp - target_field: crowdstrike.event.UTCTimestamp - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.UTCTimestamp != null && - !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) >= 12 - - remove: - field: crowdstrike.metadata.eventCreationTime - ignore_missing: true - if: ctx?.crowdstrike?.metadata?.eventCreationTime == 0 - - date: - field: crowdstrike.metadata.eventCreationTime - target_field: 
crowdstrike.metadata.eventCreationTime - timezone: UTC - formats: - - UNIX_MS - ignore_failure: true - if: | - ctx?.crowdstrike?.metadata?.eventCreationTime != null && - !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) >= 12 - - date: - field: crowdstrike.event.ProcessStartTime - target_field: crowdstrike.event.ProcessStartTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessStartTime != null && - !(ctx.crowdstrike.event.ProcessStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessStartTime) + 1) < 12 - - date: - field: crowdstrike.event.ProcessEndTime - target_field: crowdstrike.event.ProcessEndTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.ProcessEndTime != null && - !(ctx.crowdstrike.event.ProcessEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.ProcessEndTime) + 1) < 12 - - date: - field: crowdstrike.event.IncidentStartTime - target_field: crowdstrike.event.IncidentStartTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentStartTime != null && - !(ctx.crowdstrike.event.IncidentStartTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentStartTime) + 1) < 12 - - date: - field: crowdstrike.event.IncidentEndTime - target_field: crowdstrike.event.IncidentEndTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.IncidentEndTime != null && - !(ctx.crowdstrike.event.IncidentEndTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.IncidentEndTime) + 1) < 12 - - date: - field: crowdstrike.event.StartTimestamp - target_field: crowdstrike.event.StartTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.StartTimestamp != null && - 
!(ctx.crowdstrike.event.StartTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.StartTimestamp) + 1) < 12 - - date: - field: crowdstrike.event.EndTimestamp - target_field: crowdstrike.event.EndTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.EndTimestamp != null && - !(ctx.crowdstrike.event.EndTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.EndTimestamp) + 1) < 12 - - date: - field: crowdstrike.event.UTCTimestamp - target_field: crowdstrike.event.UTCTimestamp - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.event?.UTCTimestamp != null && - !(ctx.crowdstrike.event.UTCTimestamp instanceof String) && - (int)(Math.log10(ctx.crowdstrike.event.UTCTimestamp) + 1) < 12 - - date: - field: crowdstrike.metadata.eventCreationTime - target_field: crowdstrike.metadata.eventCreationTime - timezone: UTC - formats: - - UNIX - ignore_failure: true - if: | - ctx?.crowdstrike?.metadata?.eventCreationTime != null && - !(ctx.crowdstrike.metadata.eventCreationTime instanceof String) && - (int)(Math.log10(ctx.crowdstrike.metadata.eventCreationTime) + 1) < 12 - - set: - field: event.outcome - value: success - if: ctx?.crowdstrike?.event?.Success == true - - set: - field: event.outcome - value: failure - if: ctx?.crowdstrike?.event?.Success == false - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - - convert: - field: crowdstrike.metadata.eventCreationTime - target_field: "@timestamp" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.LateralMovement - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.LocalPort - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.MatchCount - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: 
crowdstrike.event.MatchCountSinceLastReport - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.PID - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.RemotePort - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: source.port - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: destination.port - type: long - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.UserName - target_field: user.name - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.UserId - target_field: user.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.user?.name == null || ctx?.user?.name == "" - - set: - field: user.email - value: "{{user.name}}" - ignore_empty_value: true - ignore_failure: true - if: ctx?.user?.name != null && /@/.split(ctx.user.name).length == 2 - - script: - lang: painless - source: | - def commandLine = ctx?.crowdstrike?.event?.CommandLine; - if (commandLine != null) { - - commandLine = commandLine.trim(); - - if (commandLine != "") { - def args = Arrays.asList(/ /.split(commandLine)); - args.removeIf(arg -> arg == ""); - - ctx["process.command_line"] = commandLine; - ctx["process.args"] = args; - ctx["process.executable"] = args.get(0); - } - } - - pipeline: - name: '{{ IngestPipeline "detection_summary" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "DetectionSummaryEvent" - - pipeline: - name: '{{ IngestPipeline "incident_summary" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "IncidentSummaryEvent" - - pipeline: - name: '{{ IngestPipeline "user_activity_audit" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "UserActivityAuditEvent" - - pipeline: - name: '{{ IngestPipeline "auth_activity_audit" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "AuthActivityAuditEvent" - - pipeline: - name: '{{ 
IngestPipeline "firewall_match" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "FirewallMatchEvent" - - pipeline: - name: '{{ IngestPipeline "remote_response_session_start" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionStartEvent" - - pipeline: - name: '{{ IngestPipeline "remote_response_session_end" }}' - if: ctx?.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" - - script: - lang: painless - if: ctx?.crowdstrike?.event != null - params: - values: - - null - - '' - - '-' - - 'N/A' - - 'NA' - - 0 - source: | - ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - - script: - lang: painless - if: ctx?.crowdstrike?.metadata != null - params: - values: - - null - - '' - - '-' - - 'N/A' - - 'NA' - source: | - ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - - append: - field: related.user - value: "{{user.name}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.user?.name != null && ctx?.user?.name != "" - - append: - field: related.ip - value: "{{source.ip}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - append: - field: related.hosts - value: "{{host.name}}" - ignore_failure: true - allow_duplicates: false - if: ctx?.host?.name != null && ctx?.host?.name != "" - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml deleted file mode 100755 index 22bebe784e..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml +++ /dev/null 
@@ -1,161 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: alert - - append: - field: event.category - value: [malware] - - append: - field: event.type - value: [info] - - set: - field: agent.type - value: falcon - - convert: - field: crowdstrike.event.LocalIP - target_field: source.ip - type: string - ignore_failure: true - ignore_missing: true - if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" - - convert: - field: crowdstrike.event.ProcessId - target_field: process.pid - ignore_failure: true - type: long - ignore_missing: true - - convert: - field: crowdstrike.event.ParentImageFileName - target_field: process.parent.executable - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.ParentCommandLine - target_field: process.parent.command_line - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.PatternDispositionDescription - target_field: event.action - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.FalconHostLink - target_field: event.url - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.Severity - target_field: event.severity - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.DetectDescription - target_field: message - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.FileName - target_field: process.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.UserName - target_field: user.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.MachineDomain - target_field: user.domain - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.SensorId - target_field: agent.id - type: 
string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.ComputerName - target_field: host.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.SHA256String - target_field: file.hash.sha256 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.sha256}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.sha256 != null && ctx?.file?.hash?.sha256 != "" && !(/^0+$/.matcher(ctx.file.hash.sha256).matches()) - - convert: - field: crowdstrike.event.MD5String - target_field: file.hash.md5 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.md5}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.md5 != null && ctx?.file?.hash?.md5 != "" && !(/^0+$/.matcher(ctx.file.hash.md5).matches()) - - convert: - field: crowdstrike.event.SHA1String - target_field: file.hash.sha1 - type: string - ignore_failure: true - ignore_missing: true - - append: - field: related.hash - value: "{{file.hash.sha1}}" - allow_duplicates: false - ignore_failure: true - if: ctx?.file?.hash?.sha1 != null && ctx?.file?.hash?.sha1 != "" && !(/^0+$/.matcher(ctx.file.hash.sha1).matches()) - - convert: - field: crowdstrike.event.DetectName - target_field: rule.name - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.DetectDescription - target_field: rule.description - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.Technique - target_field: threat.technique.name - type: string - ignore_failure: true - ignore_missing: true - - lowercase: - field: threat.technique.name - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.event.Tactic - target_field: threat.tactic.name - type: string - ignore_failure: true - ignore_missing: true - - 
lowercase: - field: threat.tactic.name - ignore_missing: true - ignore_failure: true diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml deleted file mode 100755 index 28dac8ccd0..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml +++ /dev/null 
@@ -1,135 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [network] - - append: - field: event.action - value: [firewall_match_event] - - append: - field: event.type - value: [start, connection] - - set: - field: message - value: "Firewall Rule '{{crowdstrike.event.RuleName}}' triggered" - if: ctx?.crowdstrike?.event?.RuleName != null - ignore_failure: true - - convert: - field: "crowdstrike.event.Ipv" - target_field: "network.type" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.PID" - target_field: "process.pid" - ignore_failure: true - ignore_missing: true - type: "long" - - convert: - field: "crowdstrike.event.RuleId" - target_field: "rule.id" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleName" - target_field: "rule.name" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleGroupName" - target_field: "rule.ruleset" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleDescription" - target_field: "rule.description" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.RuleFamilyID" - target_field: "rule.category" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.HostName" - target_field: "host.name" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.Ipv" - target_field: "network.type" - type: string - ignore_missing: true - ignore_failure: true - - convert: - field: "crowdstrike.event.EventType" - target_field: "event.code" - type: string - ignore_missing: true - ignore_failure: true - - set: - field: network.direction - value: ingress - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: source.ip - value: 
"{{crowdstrike.event.RemoteAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - convert: - field: crowdstrike.event.RemotePort - target_field: source.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: destination.ip - value: "{{crowdstrike.event.LocalAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - convert: - field: crowdstrike.event.LocalPort - target_field: destination.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection == "1" - - set: - field: network.direction - value: ingress - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - set: - field: destination.ip - value: "{{crowdstrike.event.RemoteAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - convert: - field: crowdstrike.event.RemotePort - target_field: destination.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - set: - field: source.ip - value: "{{crowdstrike.event.LocalAddress}}" - ignore_empty_value: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" - - convert: - field: crowdstrike.event.LocalPort - target_field: source.port - type: long - ignore_missing: true - ignore_failure: true - if: ctx?.crowdstrike?.event?.ConnectionDirection != "1" diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml deleted file mode 100755 index 667222dc79..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: alert - - append: - field: event.category - value: [malware] - - append: - field: event.type - value: [info] - - set: - field: event.action - value: incident - - set: - field: agent.type - value: falcon - - convert: - field: crowdstrike.event.FalconHostLink - target_field: event.url - type: string - ignore_failure: true - ignore_missing: true - - set: - field: message - value: "Incident score {{crowdstrike.event.FineScore}}" - if: ctx?.crowdstrike?.event?.FineScore != null diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml deleted file mode 100755 index 7415f62e1d..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [network, session] - - append: - field: event.action - value: [remote_response_session_end_event] - - append: - field: event.type - value: [end] - - set: - field: message - value: Remote response session ended. - - convert: - field: crowdstrike.event.HostnameField - target_field: host.name - type: string - ignore_failure: true - ignore_missing: true diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml deleted file mode 100755 index d965bd8ac7..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [network, session] - - append: - field: event.action - value: [remote_response_session_start_event] - - append: - field: event.type - value: [start] - - set: - field: message - value: Remote response session started. - - convert: - field: crowdstrike.event.HostnameField - target_field: host.name - type: string - ignore_failure: true - ignore_missing: true diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml deleted file mode 100755 index 7d03e0115b..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -processors: - - set: - field: event.kind - value: event - - append: - field: event.category - value: [iam] - - append: - field: event.type - value: [change] - - set: - field: event.action - value: user_activity_audit_event - - convert: - field: crowdstrike.event.OperationName - target_field: message - type: string - ignore_failure: true - ignore_missing: true - - convert: - field: crowdstrike.event.UserIp - target_field: source.ip - type: string - ignore_failure: true - ignore_missing: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/agent.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/fields/agent.yml deleted file mode 100755 index 5c9e2055ad..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/agent.yml +++ /dev/null 
@@ -1,190 +0,0 @@ -- description: Fields related to the cloud or infrastructure the events are coming from. - fields: - - description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - example: 666777888999 - ignore_above: 1024 - level: extended - name: account.id - type: keyword - - description: Availability zone in which this host is running. - example: us-east-1c - ignore_above: 1024 - level: extended - name: availability_zone - type: keyword - - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - ignore_above: 1024 - level: extended - name: instance.id - type: keyword - - description: Instance name of the host machine. - ignore_above: 1024 - level: extended - name: instance.name - type: keyword - - description: Machine type of the host machine. - example: t2.medium - ignore_above: 1024 - level: extended - name: machine.type - type: keyword - - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - ignore_above: 1024 - level: extended - name: provider - type: keyword - - description: Region in which this host is running. - example: us-east-1 - ignore_above: 1024 - level: extended - name: region - type: keyword - - description: Name of the project in Google Cloud. - name: project.id - type: keyword - - description: Image ID for the cloud instance. - name: image.id - type: keyword - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' 
- group: 2 - name: cloud - title: Cloud - type: group -- description: |- - Container fields are used for meta information about the specific container that is the source of information. - These fields help correlate data based containers from any runtime. - fields: - - description: Unique container id. - name: id - type: keyword - - description: Name of the image the container was built on. - ignore_above: 1024 - level: extended - name: image.name - type: keyword - - description: Image labels. - level: extended - name: labels - object_type: keyword - type: object - - description: Container name. - ignore_above: 1024 - level: extended - name: name - type: keyword - group: 2 - name: container - title: Container - type: group -- description: |- - A host is defined as a general computing instance. - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. - fields: - - description: Operating system architecture. - example: x86_64 - ignore_above: 1024 - level: core - name: architecture - type: keyword - - default_field: false - description: |- - Name of the domain of which the host is a member. - For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - example: CONTOSO - ignore_above: 1024 - level: extended - name: domain - type: keyword - - description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - ignore_above: 1024 - level: core - name: hostname - type: keyword - - description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - ignore_above: 1024 - level: core - name: id - type: keyword - - description: Host ip addresses. 
- level: core - name: ip - type: ip - - description: Host mac addresses. - ignore_above: 1024 - level: core - name: mac - type: keyword - - description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: name - type: keyword - - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - ignore_above: 1024 - level: extended - name: os.family - type: keyword - - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - ignore_above: 1024 - level: extended - name: os.kernel - type: keyword - - description: Operating system name, without the version. - example: Mac OS X - ignore_above: 1024 - level: extended - multi_fields: - - default_field: false - name: text - norms: false - type: text - name: os.name - type: keyword - - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - ignore_above: 1024 - level: extended - name: os.platform - type: keyword - - description: Operating system version as a raw string. - example: 10.14.1 - ignore_above: 1024 - level: extended - name: os.version - type: keyword - - description: |- - Type of host. - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - ignore_above: 1024 - level: core - name: type - type: keyword - - description: | - If the host is a container. - name: containerized - type: boolean - - description: | - OS build information. - example: 18D109 - name: os.build - type: keyword - - description: | - OS codename, if any. - example: stretch - name: os.codename - type: keyword - group: 2 - name: host - title: Host - type: group 
diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/base-fields.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/fields/base-fields.yml deleted file mode 100755 index 8248c071b3..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: crowdstrike -- name: event.dataset - type: constant_keyword - description: Event dataset - value: crowdstrike.falcon -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/beats.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/fields/beats.yml deleted file mode 100755 index 986a819b29..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/beats.yml +++ /dev/null @@ -1,14 +0,0 @@ -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/ecs.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/fields/ecs.yml deleted file mode 100755 index 5a7c547c56..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/ecs.yml +++ /dev/null 
@@ -1,229 +0,0 @@ -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. 
- Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Custom name of the agent. - This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. - If no name is given, the name is often left empty. - name: agent.name - type: keyword -- description: |- - Unique identifier of this agent (if one exists). - Example: For Beats this would be beat.id. - name: agent.id - type: keyword -- description: |- - Type of the agent. - The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - name: agent.type - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: Error message. 
- name: error.message - type: match_only_text -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/fields.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/fields/fields.yml deleted file mode 100755 index f8b93a2aaf..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/falcon/fields/fields.yml +++ /dev/null 
@@ -1,399 +0,0 @@
-- name: crowdstrike.metadata
- title: Metadata fields
- type: group
- fields:
- - name: eventType
- type: keyword
- description: |
- DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent
- - name: eventCreationTime
- type: date
- description: |
- The time this event occurred on the endpoint in UTC UNIX_MS format.
- - name: offset
- type: integer
- description: |
- Offset number that tracks the location of the event in stream. This is used to identify unique detection events.
- - name: customerIDString
- type: keyword
- description: |
- Customer identifier
- - name: version
- type: keyword
- description: |
- Schema version
-- name: crowdstrike.event
- title: Event fields
- type: group
- fields:
- - name: ProcessStartTime
- type: date
- description: |
- The process start time in UTC UNIX_MS format.
- - name: ProcessEndTime
- type: date
- description: |
- The process termination time in UTC UNIX_MS format.
- - name: ProcessId
- type: integer
- description: |
- Process ID related to the detection.
- - name: ParentProcessId
- type: integer
- description: |
- Parent process ID related to the detection.
- - name: ComputerName
- type: keyword
- description: |
- Name of the computer where the detection occurred.
- - name: UserName
- type: keyword
- description: |
- User name associated with the detection.
- - name: DetectName
- type: keyword
- description: |
- Name of the detection.
- - name: DetectDescription
- type: keyword
- description: |
- Description of the detection.
- - name: Severity
- type: integer
- description: |
- Severity score of the detection.
- - name: SeverityName
- type: keyword
- description: |
- Severity score text.
- - name: FileName
- type: keyword
- description: |
- File name of the associated process for the detection.
- - name: FilePath
- type: keyword
- description: |
- Path of the executable associated with the detection.
- - name: CommandLine
- type: keyword
- description: |
- Executable path with command line arguments.
- - name: SHA1String
- type: keyword
- description: |
- SHA1 sum of the executable associated with the detection.
- - name: SHA256String
- type: keyword
- description: |
- SHA256 sum of the executable associated with the detection.
- - name: MD5String
- type: keyword
- description: |
- MD5 sum of the executable associated with the detection.
- - name: MachineDomain
- type: keyword
- description: |
- Domain for the machine associated with the detection.
- - name: FalconHostLink
- type: keyword
- description: |
- URL to view the detection in Falcon.
- - name: SensorId
- type: keyword
- description: |
- Unique ID associated with the Falcon sensor.
- - name: DetectId
- type: keyword
- description: |
- Unique ID associated with the detection.
- - name: LocalIP
- type: keyword
- description: |
- IP address of the host associated with the detection.
- - name: MACAddress
- type: keyword
- description: |
- MAC address of the host associated with the detection.
- - name: Tactic
- type: keyword
- description: |
- MITRE tactic category of the detection.
- - name: Technique
- type: keyword
- description: |
- MITRE technique category of the detection.
- - name: Objective
- type: keyword
- description: |
- Method of detection.
- - name: PatternDispositionDescription
- type: keyword
- description: |
- Action taken by Falcon.
- - name: PatternDispositionValue
- type: integer
- description: |
- Unique ID associated with action taken.
- - name: PatternDispositionFlags
- type: group
- description: |
- Flags indicating actions taken.
- fields:
- - name: Detect
- type: boolean
- - name: InddetMask
- type: boolean
- - name: Indicator
- type: boolean
- - name: KillParent
- type: boolean
- - name: KillProcess
- type: boolean
- - name: KillSubProcess
- type: boolean
- - name: OperationBlocked
- type: boolean
- - name: PolicyDisabled
- type: boolean
- - name: ProcessBlocked
- type: boolean
- - name: QuarantineFile
- type: boolean
- - name: QuarantineMachine
- type: boolean
- - name: Rooting
- type: boolean
- - name: SensorOnly
- type: boolean
- - name: BootupSafeguardEnabled
- type: boolean
- - name: CriticalProcessDisabled
- type: boolean
- - name: FsOperationBlocked
- type: boolean
- - name: RegistryOperationBlocked
- type: boolean
- - name: State
- type: keyword
- description: |
- Whether the incident summary is open and ongoing or closed.
- - name: IncidentStartTime
- type: date
- description: |
- Start time for the incident in UTC UNIX format.
- - name: IncidentEndTime
- type: date
- description: |
- End time for the incident in UTC UNIX format.
- - name: FineScore
- type: float
- description: |
- Score for incident.
- - name: UserId
- type: keyword
- description: |
- Email address or user ID associated with the event.
- - name: UserIp
- type: keyword
- description: |
- IP address associated with the user.
- - name: OperationName
- type: keyword
- description: |
- Event subtype.
- - name: ServiceName
- type: keyword
- description: |
- Service associated with this event.
- - name: Success
- type: boolean
- description: |
- Indicator of whether or not this event was successful.
- - name: UTCTimestamp
- type: date
- description: |
- Timestamp associated with this event in UTC UNIX format.
- - name: AuditKeyValues
- type: nested
- description: |
- Fields that were changed in this event.
- - name: ExecutablesWritten
- type: nested
- description: |
- Detected executables written to disk by a process.
- - name: SessionId
- type: keyword
- description: |
- Session ID of the remote response session.
- - name: HostnameField
- type: keyword
- description: |
- Host name of the machine for the remote session.
- - name: StartTimestamp
- type: date
- description: |
- Start time for the remote session in UTC UNIX format.
- - name: EndTimestamp
- type: date
- description: |
- End time for the remote session in UTC UNIX format.
- - name: LateralMovement
- type: long
- description: |
- Lateral movement field for incident.
- - name: ParentImageFileName
- type: keyword
- description: |
- Path to the parent process.
- - name: ParentCommandLine
- type: keyword
- description: |
- Parent process command line arguments.
- - name: GrandparentImageFileName
- type: keyword
- description: |
- Path to the grandparent process.
- - name: GrandparentCommandLine
- type: keyword
- description: |
- Grandparent process command line arguments.
- - name: IOCType
- type: keyword
- description: |
- CrowdStrike type for indicator of compromise.
- - name: IOCValue
- type: keyword
- description: |
- CrowdStrike value for indicator of compromise.
- - name: CustomerId
- type: keyword
- description: |
- Customer identifier.
- - name: DeviceId
- type: keyword
- description: |
- Device on which the event occurred.
- - name: Ipv
- type: keyword
- description: |
- Protocol for network request.
- - name: ConnectionDirection
- type: keyword
- description: |
- Direction for network connection.
- - name: EventType
- type: keyword
- description: |
- CrowdStrike provided event type.
- - name: HostName
- type: keyword
- description: |
- Host name of the local machine.
- - name: ICMPCode
- type: keyword
- description: |
- RFC2780 ICMP Code field.
- - name: ICMPType
- type: keyword
- description: |
- RFC2780 ICMP Type field.
- - name: ImageFileName
- type: keyword
- description: |
- File name of the associated process for the detection.
- - name: PID
- type: long
- description: |
- Associated process id for the detection.
- - name: LocalAddress
- type: ip
- description: |
- IP address of local machine.
- - name: LocalPort
- type: long
- description: |
- Port of local machine.
- - name: RemoteAddress
- type: ip
- description: |
- IP address of remote machine.
- - name: RemotePort
- type: long
- description: |
- Port of remote machine.
- - name: RuleAction
- type: keyword
- description: |
- Firewall rule action.
- - name: RuleDescription
- type: keyword
- description: |
- Firewall rule description.
- - name: RuleFamilyID
- type: keyword
- description: |
- Firewall rule family id.
- - name: RuleGroupName
- type: keyword
- description: |
- Firewall rule group name.
- - name: RuleName
- type: keyword
- description: |
- Firewall rule name.
- - name: RuleId
- type: keyword
- description: |
- Firewall rule id.
- - name: MatchCount
- type: long
- description: |
- Number of firewall rule matches.
- - name: MatchCountSinceLastReport
- type: long
- description: |
- Number of firewall rule matches since the last report.
- - name: Timestamp
- type: date
- description: |
- Firewall rule triggered timestamp.
- - name: Flags.Audit
- type: boolean
- description: |
- CrowdStrike audit flag.
- - name: Flags.Log
- type: boolean
- description: |
- CrowdStrike log flag.
- - name: Flags.Monitor
- type: boolean
- description: |
- CrowdStrike monitor flag.
- - name: Protocol
- type: keyword
- description: |
- CrowdStrike provided protocol.
- - name: NetworkProfile
- type: keyword
- description: |
- CrowdStrike network profile.
- - name: PolicyName
- type: keyword
- description: |
- CrowdStrike policy name.
- - name: PolicyID
- type: keyword
- description: |
- CrowdStrike policy id.
- - name: Status
- type: keyword
- description: |
- CrowdStrike status.
- - name: TreeID
- type: keyword
- description: |
- CrowdStrike tree id.
- - name: Commands
- type: keyword
- description: |
- Commands run in a remote session.
diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/manifest.yml b/packages/crowdstrike/1.3.4/data_stream/falcon/manifest.yml
deleted file mode 100755
index 29fc804f02..0000000000
--- a/packages/crowdstrike/1.3.4/data_stream/falcon/manifest.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-type: logs
-title: Crowdstrike falcon logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/crowdstrike/falconhoseclient/output
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - crowdstrike-falcon
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Crowdstrike falcon logs (log)
- description: Collect Crowdstrike falcon logs using log input
diff --git a/packages/crowdstrike/1.3.4/data_stream/falcon/sample_event.json b/packages/crowdstrike/1.3.4/data_stream/falcon/sample_event.json
deleted file mode 100755
index b2a82f11fc..0000000000
--- a/packages/crowdstrike/1.3.4/data_stream/falcon/sample_event.json
+++ /dev/null
@@ -1,109 +0,0 @@
-{
- "@timestamp": "2020-02-12T21:29:10.710Z",
- "agent": {
- "ephemeral_id": "cc9fb403-5b26-4fe7-aefc-41666b9f4575",
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "crowdstrike": {
- "event": {
- "AuditKeyValues": [
- {
- "Key": "APIClientID",
- "ValueString": "1234567890abcdefghijklmnopqr"
- },
- {
- "Key": "partition",
- "ValueString": "0"
- },
- {
- "Key": "offset",
- "ValueString": "-1"
- },
- {
- "Key": "appId",
- "ValueString": "siem-connector-v2.0.0"
- },
- {
- "Key": "eventType",
- "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
- }
- ],
- "OperationName": "streamStarted",
- "ServiceName": "Crowdstrike Streaming API",
- "Success": true,
- "UTCTimestamp": "2020-02-12T21:29:10.000Z",
- "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz",
- "UserIp": "10.10.0.8"
- },
- "metadata": {
- "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "eventCreationTime": "2020-02-12T21:29:10.710Z",
- "eventType": "AuthActivityAuditEvent",
- "offset": 0,
- "version": "1.0"
- }
- },
- "data_stream": {
- "dataset": "crowdstrike.falcon",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "authentication"
- ],
- "dataset": "crowdstrike.falcon",
- "ingested": "2022-05-09T16:35:19Z",
- "kind": "event",
- "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": 
\"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}",
- "outcome": "success",
- "type": [
- "change"
- ]
- },
- "event.action": "stream_started",
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/falcon-audit-events.log"
- },
- "flags": [
- "multiline"
- ],
- "offset": 910
- },
- "message": "Crowdstrike Streaming API",
- "related": {
- "ip": [
- "10.10.0.8"
- ],
- "user": [
- "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
- ]
- },
- "source": {
- "ip": "10.10.0.8"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "crowdstrike-falcon"
- ],
- "user": {
- "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
- }
-}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.4/data_stream/fdr/agent/stream/aws-s3.yml.hbs b/packages/crowdstrike/1.3.4/data_stream/fdr/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index bd89d34816..0000000000
--- a/packages/crowdstrike/1.3.4/data_stream/fdr/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,57 +0,0 @@
-queue_url: {{queue_url}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-{{#if proxy_url }}
-proxy_url: {{proxy_url}}
-{{/if}}
-{{#if is_fdr_queue}}
-sqs.notification_parsing_script.source: {{fdr_parsing_script}}
-{{/if}}
-{{#if tags.length}}
-tags:
-{{else}}
-{{#if preserve_original_event}}
-tags:
-{{/if}}
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.4/data_stream/fdr/agent/stream/stream.yml.hbs b/packages/crowdstrike/1.3.4/data_stream/fdr/agent/stream/stream.yml.hbs
deleted file mode 100755
index 51174aef53..0000000000
--- a/packages/crowdstrike/1.3.4/data_stream/fdr/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-{{#if tags.length}}
-tags:
-{{else}}
-{{#if preserve_original_event}}
-tags:
-{{/if}}
-{{/if}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
- - add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.4/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/1.3.4/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8f90f5732c..0000000000
--- a/packages/crowdstrike/1.3.4/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,2287 +0,0 @@ ---- -description: Pipeline for processing sample logs -processors: - ## Message decoding. - - rename: - tag: message-to-original - field: message - target_field: event.original - - json: - tag: json-decoding - description: Decodes original JSON into `crowdstrike` field. - field: event.original - target_field: crowdstrike - - date: - tag: date-timestamp-utc - description: Parse timestamp from event. - field: crowdstrike.UTCTimestamp - target_field: event.created - formats: - - UNIX_MS - - ISO8601 - ignore_failure: true - if: ctx.event?.created == null - - date: - tag: date-timestamp - description: Parse timestamp from event. - field: crowdstrike.timestamp - target_field: event.created - formats: - - UNIX_MS - - ISO8601 - ignore_failure: true - if: ctx.event?.created == null - - date: - tag: date-event-created - description: Parse timestamp from event. - field: crowdstrike.CreationTimeStamp - target_field: event.created - formats: - - UNIX - - ISO8601 - ignore_failure: true - if: ctx.event?.created == null - - date: - tag: date-agent-local-time - description: Parse timestamp from event. - field: crowdstrike.AgentLocalTime - target_field: event.created - formats: - - ISO8601 - - UNIX - ignore_failure: true - if: ctx.event?.created == null - - set: - tag: set-timestamp - field: "@timestamp" - copy_from: event.created - if: ctx.event?.created != null && (ctx.crowdstrike?.ContextTimeStamp == null || ctx.crowdstrike?.ContextTimeStamp == "") - - set: - tag: set-timestamp-ingest - field: "@timestamp" - copy_from: _ingest.timestamp - if: ctx["@timestamp"] == null - - date: - tag: date-context-timestamp - if: ctx.crowdstrike?.ContextTimeStamp != null - field: crowdstrike.ContextTimeStamp - formats: - - UNIX - ignore_failure: true - - rename: - tag: rename-message - field: crowdstrike.message - target_field: message - ignore_missing: true - - ## ECS fields. - - set: - field: ecs.version - value: "8.2.0" - - ## Categorization. 
- - script: - tag: script-categorize-events - description: Categorize events. - lang: painless - params: - AcUninstallConfirmation: - category: [ package ] - type: [ deletion ] - kind: state - outcome: success - AcUnloadConfirmation: - category: [ package ] - type: [ deletion ] - kind: state - outcome: success - AgentConnect: - category: [ network, session ] - type: [ connection, info ] - kind: event - outcome: success - AgentOnline: - category: [ configuration, package, host ] - type: [ change, installation, start ] - kind: state - outcome: success - AmsiRegistrationStatus: - category: [ host ] - type: [ info ] - kind: state - outcome: success - AsepFileChange: - category: [ file ] - type: [ creation, change ] - kind: event - outcome: success - AsepKeyUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - AsepValueUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - AssociateIndicator: - category: [ malware ] - type: [ info ] - kind: alert - outcome: unknown - AssociateTreeIdWithRoot: - category: [ malware ] - type: [ info ] - kind: alert - outcome: success - BITSJobCreated: - category: [ network, file ] - type: [ connection, creation ] - kind: event - outcome: success - BZip2FileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - BehaviorWhitelisted: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - BrowserInjectedThread: - category: [ process ] - type: [ access, change ] - kind: event - outcome: success - CloudAssociateTreeIdWithRoot: - category: [ malware ] - type: [ deletion ] - kind: alert - outcome: success - CommandHistory: - category: [ process ] - type: [ end, info ] - kind: event - outcome: success - ConfigStateUpdate: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - CrashNotification: - category: [ host ] - type: [ info ] - kind: event - outcome: failure - CreateProcessArgs: - category: 
[ process ] - type: [ start ] - kind: state - outcome: success - CreateService: - category: [ host ] - type: [ change ] - kind: event - outcome: success - CreateThreadNoStartImage: - category: [ process ] - type: [ start ] - kind: event - outcome: success - CreateThreadReflectiveDll: - category: [ process ] - type: [ change ] - kind: event - outcome: success - CriticalEnvironmentVariableChanged: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - CriticalFileAccessed: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - CriticalFileModified: - category: [ file ] - type: [ change ] - kind: alert - outcome: success - CurrentSystemTags: - category: [ host ] - type: [ info ] - kind: state - outcome: success - CustomIOABasicProcessDetectionInfoEvent: - category: [ malware ] - type: [ info ] - kind: alert - outcome: unknown - DCSyncAttempted: - category: [ configuration, iam ] - type: [ access ] - kind: event - outcome: unknown - DcOffline: - category: [ iam ] - type: [ info ] - kind: event - outcome: success - DcOnline: - category: [ iam ] - type: [ info ] - kind: event - outcome: success - DcStatus: - category: [ iam ] - type: [ info ] - kind: state - outcome: success - DetectAnalysis: - category: [ malware ] - type: [ info ] - kind: alert - outcome: success - DetectionExcluded: - category: [ configuration, malware ] - type: [ change, info ] - kind: alert - outcome: success - DirectoryCreate: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - DllInjection: - category: [ process ] - type: [ change ] - kind: event - outcome: success - DmpFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - DnsRequest: - category: [ network ] - type: [ protocol ] - kind: event - outcome: success - DocumentProgramInjectedThread: - category: [ process ] - type: [ access, change ] - kind: event - outcome: success - DriverLoad: - category: [ driver ] - type: [ start ] - 
kind: event - outcome: success - DwgFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - EarlyExploitPivotDetect: - category: [ malware ] - type: [ info ] - kind: event - outcome: unknown - EndOfProcess: - category: [ process ] - type: [ end ] - kind: event - outcome: success - ErrorEvent: - category: [ package ] - type: [ info ] - kind: alert - outcome: failure - EtwErrorEvent: - category: [ package, host ] - type: [ info ] - kind: event - outcome: failure - ExecutableDeleted: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - FalconHostRegTamperingInfo: - category: [ registry ] - type: [ change ] - kind: alert - outcome: unknown - FalconServiceStatus: - category: [ package ] - type: [ info ] - kind: state - outcome: unknown - FileCreateInfo: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - FileDeleteInfo: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - FileDetectInfo: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - FileInfo: - category: [ file ] - type: [ info ] - kind: event - outcome: unknown - FileOpenInfo: - category: [ file ] - type: [ access ] - kind: event - outcome: success - FileRenameInfo: - category: [ file ] - type: [ change ] - kind: event - outcome: success - FileSystemOperationBlocked: - category: [ file ] - type: [ change, deletion ] - kind: event - outcome: failure - FileSystemOperationDetectInfo: - category: [ file ] - type: [ change, deletion ] - kind: alert - outcome: unknown - FileTimestampsModified: - category: [ file ] - type: [ change ] - kind: event - outcome: success - FirewallChangeOption: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallDeleteRule: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallDeleteRuleIP4: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - 
FirewallDeleteRuleIP6: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallDisabled: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallEnabled: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - FirewallSetRule: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallSetRuleIP4: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirewallSetRuleIP6: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - FirmwareAnalysisErrorEvent: - category: [ host ] - type: [ info ] - kind: state - outcome: failure - FirmwareAnalysisHardwareData: - category: [ host ] - type: [ info ] - kind: state - outcome: success - FirmwareAnalysisStatus: - category: [ host ] - type: [ info ] - kind: state - outcome: success - FlashThreadCreateProcess: - category: [ process ] - type: [ start ] - kind: event - outcome: success - FsPostOpenSnapshotFile: - category: [ file ] - type: [ access ] - kind: event - outcome: success - FsVolumeMounted: - category: [ host ] - type: [ change ] - kind: event - outcome: success - FsVolumeUnmounted: - category: [ host ] - type: [ change ] - kind: event - outcome: success - HostInfo: - category: [ host ] - type: [ info ] - kind: event - outcome: success - HostedServiceStarted: - category: [ package ] - type: [ start ] - kind: event - outcome: success - HostedServiceStopped: - category: [ package ] - type: [ end ] - kind: event - outcome: success - HostnameChanged: - category: [ host ] - type: [ change ] - kind: event - outcome: success - HttpRequestDetect: - category: [ network, session ] - type: [ connection, start ] - kind: event - outcome: success - HttpVisibilityStatus: - category: [ session ] - type: [ info ] - kind: state - outcome: unknown - IOServiceRegister: - category: [ package ] - type: [ change ] - kind: event - outcome: 
success - ImageHash: - category: [ process ] - type: [ change ] - kind: event - outcome: success - InjectedThread: - category: [ process ] - type: [ change ] - kind: event - outcome: success - InjectedThreadFromUnsignedModule: - category: [ process ] - type: [ change ] - kind: alert - outcome: success - InstallBundleDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - InstallServiceDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - InstalledApplication: - category: [ package ] - type: [ installation ] - kind: event - outcome: success - InstalledUpdates: - category: [ host, package ] - type: [ change, installation ] - kind: event - outcome: success - InstanceMetadata: - category: [ host ] - type: [ info ] - kind: state - outcome: unknown - IoSessionConnected: - category: [ session ] - type: [ start ] - kind: event - outcome: success - IoSessionLoggedOn: - category: [ session ] - type: [ end ] - kind: event - outcome: success - JarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - JavaClassFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - JavaInjectedThread: - category: [ process ] - type: [ change ] - kind: event - outcome: success - KernelModeLoadImage: - category: [ driver ] - type: [ start ] - kind: event - outcome: success - KextLoad: - category: [ driver ] - type: [ start ] - kind: event - outcome: success - KextUnload: - category: [ driver ] - type: [ end ] - kind: event - outcome: success - LFODownloadConfirmation: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - LfoUploadDataComplete: - category: [ file ] - type: [ change ] - kind: event - outcome: success - LfoUploadDataFailed: - category: [ file ] - type: [ change ] - kind: event - outcome: failure - LfoUploadDataUnneeded: - category: [ file ] - type: [ change ] - kind: event - outcome: failure - LocalIpAddressIP4: - 
category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LocalIpAddressIP6: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LocalIpAddressRemovedIP4: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LocalIpAddressRemovedIP6: - category: [ configuration, host ] - type: [ change ] - kind: state - outcome: success - LsassHandleFromUnsignedModule: - category: [ process ] - type: [ change ] - kind: alert - outcome: unknown - MachOFileWritten: - category: [ file ] - type: [ change ] - kind: event - outcome: success - ManifestDownloadComplete: - category: [ configuration, file ] - type: [ change, creation ] - kind: event - outcome: success - ModifyServiceBinary: - category: [ file ] - type: [ change ] - kind: alert - outcome: unknown - ModuleBlockedEvent: - category: [ process, malware ] - type: [ info, denied ] - kind: alert - outcome: success - ModuleBlockedEventWithPatternId: - category: [ process, malware ] - type: [ info ] - kind: event - outcome: unknown - ModuleDetectInfo: - category: [ process, malware ] - type: [ info ] - kind: event - outcome: unknown - NeighborListIP4: - category: [ host, network ] - type: [ info ] - kind: state - outcome: unknown - NeighborListIP6: - category: [ host, network ] - type: [ info ] - kind: state - outcome: unknown - NetShareAdd: - category: [ host ] - type: [ change ] - kind: event - outcome: success - NetShareDelete: - category: [ host ] - type: [ change ] - kind: event - outcome: success - NetShareSecurityModify: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - NetworkCloseIP4: - category: [ network ] - type: [ end, connection ] - kind: event - outcome: unknown - NetworkCloseIP6: - category: [ network ] - type: [ end, connection ] - kind: event - outcome: unknown - NetworkConnectIP4: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: unknown - 
NetworkConnectIP6: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: unknown - NetworkListenIP4: - category: [ network ] - type: [ start ] - kind: event - outcome: success - NetworkListenIP6: - category: [ network ] - type: [ start ] - kind: event - outcome: success - NetworkReceiveAcceptIP4: - category: [ network ] - type: [ allowed, access, connection ] - kind: event - outcome: unknown - NetworkReceiveAcceptIP6: - category: [ network ] - type: [ allowed, access, connection ] - kind: event - outcome: unknown - NewExecutableRenamed: - category: [ file ] - type: [ change ] - kind: event - outcome: success - NewExecutableWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - NewScriptWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OciContainerTelemetry: - category: [ host ] - type: [ info ] - kind: state - outcome: unknown - OleFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OoxmlFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - OsVersionInfo: - category: [ host ] - type: [ info ] - kind: event - outcome: success - PackedExecutableWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PdfFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PeFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - PeVersionInfo: - category: [ file ] - type: [ info ] - kind: event - outcome: success - PrivilegedProcessHandleFromUnsignedModule: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - ProcessBlocked: - category: [ process ] - type: [ access ] - kind: alert - outcome: failure - ProcessExecOnPackedExecutable: - category: [ process, file ] - type: [ access ] - kind: alert - outcome: success - ProcessExecOnSMBFile: - category: [ process, file, network ] - type: [ access ] - 
kind: alert - outcome: success - ProcessHandleOpDetectInfo: - category: [ process, malware ] - type: [ info ] - kind: alert - outcome: success - ProcessInjection: - category: [ process ] - type: [ change ] - kind: event - outcome: success - ProcessRollup2: - category: [ process ] - type: [ start ] - kind: event - outcome: success - ProcessRollup2Stats: - category: [ process ] - type: [ info ] - kind: state - outcome: unknown - ProcessSelfDeleted: - category: [ process ] - type: [ end ] - kind: event - outcome: success - PromiscuousBindIP4: - category: [ host ] - type: [ change ] - kind: state - outcome: success - PtyCreated: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - QuarantineActionResult: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - QuarantinedFile: - category: [ file ] - type: [ change ] - kind: alert - outcome: unknown - QuarantinedFileState: - category: [ file ] - type: [ info ] - kind: alert - outcome: unknown - QueueApcEtw: - category: [ file ] - type: [ creation ] - kind: alert - outcome: success - RansomwareCreateFile: - category: [ file ] - type: [ creation ] - kind: alert - outcome: success - RansomwareFileAccessPattern: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - RansomwareOpenFile: - category: [ file ] - type: [ access ] - kind: alert - outcome: success - RarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - RawBindIP4: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: success - RawBindIP6: - category: [ network ] - type: [ start, connection ] - kind: event - outcome: success - ReflectiveDllOpenProcess: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - RegGenericValueUpdate: - category: [ registry ] - type: [ change ] - kind: event - outcome: success - RegSystemConfigValueUpdate: - category: [ registry, host, configuration ] - type: [ change ] - kind: event - 
outcome: success - RegisterRawInputDevicesEtw: - category: [ host, configuration ] - type: [ change ] - kind: event - outcome: success - RegistryOperationDetectInfo: - category: [ malware, registry ] - type: [ info ] - kind: alert - outcome: success - RemoteBruteForceDetectInfo: - category: [ malware, authentication ] - type: [ info ] - kind: alert - outcome: success - RemovableDiskModuleLoadAttempt: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - RemovableMediaVolumeMounted: - category: [ configuration, host ] - type: [ change ] - kind: event - outcome: success - RtfFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - SAMHashDumpFromUnsignedModule: - category: [ registry, file ] - type: [ access, creation ] - kind: alert - outcome: success - ScheduledTaskDeleted: - category: [ configuration ] - type: [ deletion ] - kind: event - outcome: success - ScheduledTaskModified: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - ScheduledTaskRegistered: - category: [ configuration ] - type: [ creation ] - kind: event - outcome: success - ScreenshotTakenEtw: - category: [ process ] - type: [ access ] - kind: event - outcome: success - ScriptControlBlocked: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: success - ScriptControlDetectInfo: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: success - ScriptControlErrorEvent: - category: [ malware, file ] - type: [ info ] - kind: alert - outcome: failure - ScriptControlScanInfo: - category: [ malware, file ] - type: [ info ] - kind: state - outcome: success - ScriptControlScanTelemetry: - category: [ malware, file ] - type: [ info ] - kind: state - outcome: success - SensitiveWmiQuery: - category: [ malware, process ] - type: [ info ] - kind: alert - outcome: success - SensorHeartbeat: - category: [ package ] - type: [ info ] - kind: event - outcome: success - 
ServiceStarted: - category: [ process ] - type: [ start ] - kind: event - outcome: success - SetWinEventHookEtw: - category: [ host, configuration ] - type: [ change ] - kind: event - outcome: success - SevenZipFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - SignInfoError: - category: [ file ] - type: [ info ] - kind: state - outcome: failure - SignInfoWithCertAndContext: - category: [ file ] - type: [ info ] - kind: state - outcome: unknown - SignInfoWithContext: - category: [ file ] - type: [ info ] - kind: state - outcome: unknown - SmbClientNamedPipeConnectEtw: - category: [ network ] - type: [ connection ] - kind: event - outcome: success - SmbClientShareClosedEtw: - category: [ network ] - type: [ connection, end ] - kind: event - outcome: success - SmbClientShareOpenedEtw: - category: [ network ] - type: [ connection, start ] - kind: event - outcome: success - SmbServerShareOpenedEtw: - category: [ network ] - type: [ connection, start ] - kind: event - outcome: success - SmbServerV1AuditEtw: - category: [ network ] - type: [ connection ] - kind: state - outcome: unknown - SnapshotVolumeMounted: - category: [ host, configuration ] - type: [ change ] - kind: event - outcome: success - SuspiciousCreateSymbolicLink: - category: [ malware, file ] - type: [ creation, info ] - kind: alert - outcome: success - SuspiciousDnsRequest: - category: [ network ] - type: [ start, protocol ] - kind: alert - outcome: success - SuspiciousEseFileWritten: - category: [ malware, file ] - type: [ creation, info ] - kind: alert - outcome: success - SuspiciousRegAsepUpdate: - category: [ malware, registry, configuration ] - type: [ change, info ] - kind: alert - outcome: success - SuspiciousUserRemoteAPCAttempt: - category: [ malware, process ] - type: [ info ] - kind: alert - outcome: success - SyntheticProcessRollup2: - category: [ process ] - type: [ start ] - kind: event - outcome: success - SystemCapacity: - category: [ host ] - type: 
[ info ] - kind: state - outcome: success - TarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - TelemetryCounters2: - category: [ host ] - type: [ info ] - kind: state - outcome: success - TelemetryNetworkConnections: - category: [ network ] - type: [ connection ] - kind: state - outcome: success - TelemetryStats: - category: [ host ] - type: [ info ] - kind: state - outcome: success - TerminateProcess: - category: [ process ] - type: [ end ] - kind: event - outcome: success - TokenImpersonated: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACCOMElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACExeElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UACMSIElevation: - category: [ process, authentication ] - type: [ info, change ] - kind: event - outcome: success - UmppaErrorEvent: - category: [ package ] - type: [ info ] - kind: event - outcome: failure - UnsignedModuleLoad: - category: [ process ] - type: [ change ] - kind: alert - outcome: success - UpdateManifestDownloadComplete: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - UserAccountAddedToGroup: - category: [ configuration, iam ] - type: [ change, group ] - kind: event - outcome: success - UserAccountCreated: - category: [ configuration, iam ] - type: [ creation ] - kind: event - outcome: success - UserAccountDeleted: - category: [ configuration, iam ] - type: [ deletion ] - kind: event - outcome: success - UserExceptionDEP: - category: [ process, malware ] - type: [ info ] - kind: alert - outcome: success - UserFontLoad: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - UserIdentity: - category: [ authentication, iam ] - type: [ info, user ] - kind: event - outcome: success - UserLogoff: - category: [ authentication ] - type: [ 
end ] - kind: event - outcome: success - UserLogon: - category: [ authentication ] - type: [ start ] - kind: event - outcome: success - UserLogonFailed: - category: [ authentication ] - type: [ start ] - kind: event - outcome: failure - UserLogonFailed2: - category: [ authentication ] - type: [ start ] - kind: event - outcome: failure - VolumeSnapshotCreated: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - VolumeSnapshotDeleted: - category: [ file ] - type: [ deletion ] - kind: event - outcome: success - WfpFilterTamperingFilterAdded: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WfpFilterTamperingFilterDeleted: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WmiCreateProcess: - category: [ process ] - type: [ start ] - kind: event - outcome: success - WmiFilterConsumerBindingEtw: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WmiProviderRegistrationEtw: - category: [ configuration ] - type: [ change ] - kind: event - outcome: success - WroteExeAndGeneratedServiceEvent: - category: [ process ] - type: [ access ] - kind: alert - outcome: success - XarFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - ZipFileWritten: - category: [ file ] - type: [ creation ] - kind: event - outcome: success - source: |- - def m = params.get(ctx.crowdstrike?.event_simpleName); - if (m != null) { - m.forEach((k, v) -> { - if (v instanceof List) { - ctx.event[k] = new ArrayList(v); - } else { - ctx.event[k] = v; - } - }); - } - - ## Event fields. - - rename: - field: crowdstrike.id - target_field: event.id - ignore_missing: true - - rename: - field: crowdstrike.event_simpleName - target_field: event.action - ignore_missing: true - -## Prepare data. - - script: - tag: convert-count-fields-to-long - description: Convert all count fields to number. 
- lang: painless - source: |- - for (entry in ctx.crowdstrike.entrySet()) { - def key = entry.getKey().toString(); - if (key.contains("Count") || key.contains("Port")) { - try { - ctx.crowdstrike[key] = Long.parseLong(entry.getValue().toString()); - } catch (Exception e) { - } - } - } - - script: - tag: remove-empty-hashes - description: Remove all 0's hashes. - lang: painless - params: - MD5HashData: md5 - SHA1HashData: sha1 - SHA256HashData: sha256 - source: |- - def hashIsEmpty(String hash) { - if (hash == null || hash == "") { - return true; - } - - Pattern emptyHashRegex = /^0*$/; - def matcher = emptyHashRegex.matcher(hash); - - return matcher.matches(); - } - - def hashes = new HashMap(); - def related = [ - "hash": new ArrayList() - ]; - for (entry in params.entrySet()) { - def key = entry.getKey().toString(); - def value = ctx.crowdstrike[key]; - ctx.crowdstrike.remove(key); - if (hashIsEmpty(value)) { - continue; - } - - hashes[entry.getValue().toString()] = value; - related.hash.add(value); - } - - ctx._temp = new HashMap(); - ctx._temp.hashes = hashes; - if (related.hash.length > 0) { - ctx.related = related; - } - - ## Observer fields. 
- - rename: - field: crowdstrike.aid - target_field: observer.serial_number - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.aip - type: ip - ignore_missing: true - - rename: - field: crowdstrike.aip - target_field: observer.ip - ignore_missing: true - ignore_failure: true - - set: - field: observer.address - copy_from: observer.ip - ignore_empty_value: true - - rename: - field: crowdstrike.AgentVersion - target_field: observer.version - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.ConfigBuild - target_field: observer.version - ignore_missing: true - ignore_failure: true - - set: - field: observer.vendor - value: crowdstrike - - set: - field: observer.type - value: agent - - append: - field: related.ip - value: "{{{observer.ip}}}" - allow_duplicates: false - if: ctx.observer?.ip != null && ctx.observer.ip != "" - - append: - field: related.hosts - value: "{{{observer.ip}}}" - allow_duplicates: false - if: ctx.observer?.ip != null && ctx.observer.ip != "" - - ## Host fields. 
- - rename: - field: crowdstrike.ComputerName - target_field: host.hostname - ignore_missing: true - ignore_failure: true - - set: - field: host.name - copy_from: host.hostname - ignore_empty_value: true - ignore_failure: true - - append: - field: related.hosts - value: "{{{host.name}}}" - allow_duplicates: false - if: ctx.host?.name != null - - rename: - field: crowdstrike.City - target_field: host.geo.city_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Continent - target_field: host.geo.continent_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Country - target_field: host.geo.country_name - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Timezone - target_field: host.geo.timezone - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.MachineDomain - target_field: host.domain - ignore_missing: true - ignore_failure: true - - ## IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - ## IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - ## OS fields. 
- - set: - field: os.type - value: linux - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Lin" - - set: - field: os.type - value: macos - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Mac" - - set: - field: os.type - value: windows - if: ctx.crowdstrike?.event_platform != null && ctx.crowdstrike?.event_platform == "Win" - - rename: - field: crowdstrike.OSVersionString - target_field: os.version - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Version - target_field: os.version - ignore_missing: true - ignore_failure: true - - ## Process fields. - - rename: - field: crowdstrike.CommandLine - target_field: process.command_line - ignore_missing: true - - script: - tag: split-command-line - description: Implements Windows-like SplitCommandLine - lang: painless - if: ctx.process?.command_line != null && ctx.process.command_line != "" && ctx.os?.type != null - source: |- - // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. - def appendBSBytes(StringBuilder b, int n) { - for (; n > 0; n--) { - b.append('\\'); - } - return b; - } - - // readNextArg splits command line string cmd into next - // argument and command line remainder. 
- def readNextArg(String cmd) { - def b = new StringBuilder(); - boolean inquote; - int nslash; - for (; cmd.length() > 0; cmd = cmd.substring(1)) { - def c = cmd.charAt(0); - if (c == (char)' ' || c == (char)0x09) { - if (!inquote) { - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": cmd.substring(1) - ]; - } - } else if (c == (char)'"') { - b = appendBSBytes(b, nslash/2); - if (nslash%2 == 0) { - // use "Prior to 2008" rule from - // http://daviddeley.com/autohotkey/parameters/parameters.htm - // section 5.2 to deal with double double quotes - if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { - b.append(c); - cmd = cmd.substring(1); - } - inquote = !inquote; - } else { - b.append(c); - } - nslash = 0; - continue; - } else if (c == (char)'\\') { - nslash++; - continue; - } - b = appendBSBytes(b, nslash); - nslash = 0; - b.append(c); - } - return [ - "arg": appendBSBytes(b, nslash).toString(), - "rest": '' - ]; - } - - // commandLineToArgv splits a command line into individual argument - // strings, following the Windows conventions documented - // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV - // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 - def commandLineToArgv(String cmd) { - def args = new ArrayList(); - while (cmd.length() > 0) { - if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { - cmd = cmd.substring(1); - continue; - } - def next = readNextArg(cmd); - cmd = next.rest; - args.add(next.arg); - } - return args; - } - - ctx.process.args = commandLineToArgv(ctx.process.command_line); - ctx.process.args_count = ctx.process.args.length; - - - rename: - field: crowdstrike.ImageFileName - target_field: process.executable - ignore_missing: true - - convert: - field: crowdstrike.ExitCode - type: long - ignore_missing: true - - rename: - field: crowdstrike.ExitCode - target_field: process.exit_code - ignore_missing: true - - script: 
- tag: process-uptime - lang: painless - description: Calculate process.uptime - source: |- - def d1 = Float.parseFloat(ctx.crowdstrike?.ProcessStartTime); - def d2 = Float.parseFloat(ctx.crowdstrike?.ProcessEndTime); - if (ctx.process == null) { - ctx.process = []; - } - ctx.process.uptime = (long) ((d2-d1)/1000); - if: ctx.crowdstrike?.ProcessStartTime != null && ctx.crowdstrike?.ProcessStartTime != "" && ctx.crowdstrike?.ProcessEndTime != null && ctx.crowdstrike?.ProcessEndTime != "" - - date: - field: crowdstrike.ProcessStartTime - target_field: crowdstrike.ProcessStartTime - formats: - - UNIX - if: ctx.crowdstrike?.ProcessStartTime != null && ctx.crowdstrike?.ProcessStartTime != "" - - rename: - field: crowdstrike.ProcessStartTime - target_field: process.start - ignore_missing: true - if: ctx.crowdstrike?.ProcessStartTime != "" - - date: - field: crowdstrike.ProcessEndTime - target_field: crowdstrike.ProcessEndTime - formats: - - UNIX - if: ctx.crowdstrike?.ProcessEndTime != null && ctx.crowdstrike?.ProcessEndTime != "" - - rename: - field: crowdstrike.ProcessEndTime - target_field: process.end - ignore_missing: true - if: ctx.crowdstrike?.ProcessEndTime != "" - - convert: - field: crowdstrike.RawProcessId - type: long - ignore_missing: true - - rename: - field: crowdstrike.RawProcessId - target_field: process.pid - ignore_missing: true - - rename: - field: crowdstrike.TargetProcessId - target_field: process.entity_id - ignore_missing: true - - rename: - field: crowdstrike.ParentProcessId - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: crowdstrike.ParentBaseFileName - target_field: process.parent.name - ignore_missing: true - - convert: - field: crowdstrike.ProcessGroupId - type: long - ignore_missing: true - - rename: - field: crowdstrike.ProcessGroupId - target_field: process.pgid - ignore_missing: true - - rename: - field: crowdstrike.ContextProcessId - target_field: process.entity_id - ignore_missing: true - 
ignore_failure: true - if: ctx.process?.entity_id == null - - convert: - field: crowdstrike.ContextThreadId - type: long - ignore_missing: true - if: ctx.process?.thread?.id == null - - rename: - field: crowdstrike.ContextThreadId - target_field: process.thread.id - ignore_missing: true - ignore_failure: true - if: ctx.process?.thread?.id == null - - convert: - field: crowdstrike.EtwRawProcessId - type: long - ignore_missing: true - - rename: - field: crowdstrike.EtwRawProcessId - target_field: process.pid - ignore_missing: true - if: ctx.process?.pid == null - - convert: - field: crowdstrike.EtwRawThreadId - type: long - ignore_missing: true - - rename: - field: crowdstrike.EtwRawThreadId - target_field: process.thread.id - ignore_missing: true - if: ctx.process?.thread?.id == null - - rename: - field: crowdstrike.ServiceDisplayName - target_field: process.title - ignore_missing: true - - rename: - field: _temp.hashes - target_field: process.hash - if: ctx.event?.action != null && (ctx.event.action.contains("Process") || ctx.event.action.contains("Service")) && ctx._temp?.hashes != null && ctx._temp?.hashes.size() > 0 - - ## User fields. 
- - rename: - field: crowdstrike.UID - target_field: user.id - ignore_missing: true - - rename: - field: crowdstrike.GID - target_field: user.group.id - ignore_missing: true - - rename: - field: crowdstrike.UserSid - target_field: user.id - ignore_missing: true - if: ctx.user?.id == null || ctx.user.id == "" - - append: - field: user.roles - value: admin - if: ctx.crowdstrike?.UserIsAdmin == "1" - - rename: - field: crowdstrike.UserName - target_field: user.name - ignore_missing: true - - split: - field: crowdstrike.UserPrincipal - target_field: "_temp.user_parts" - separator: '@' - if: ctx.crowdstrike?.UserPrincipal != null - - rename: - field: crowdstrike.UserPrincipal - target_field: user.email - ignore_missing: true - - set: - field: user.domain - value: "{{{_temp.user_parts.1}}}" - ignore_failure: true - ignore_empty_value: true - if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - set: - field: user.full_name - value: "{{{_temp.user_parts.0}}}" - ignore_failure: true - ignore_empty_value: true - if: ctx._temp?.user_parts != null && ctx._temp.user_parts.size() == 2 - - append: - field: related.user - value: "{{{user.name}}}" - ignore_failure: true - allow_duplicates: false - if: ctx.user?.name != null - - append: - field: related.user - value: "{{{user.full_name}}}" - ignore_failure: true - allow_duplicates: false - if: ctx.user?.full_name != null - - ## Networking fields. 
- - convert: - field: crowdstrike.LocalAddressIP4 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.LocalAddressIP4 - target_field: source.ip - ignore_missing: true - - set: - field: source.address - copy_from: source.ip - ignore_empty_value: true - - convert: - field: crowdstrike.LocalAddressIP6 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.LocalAddressIP6 - target_field: source.ip - ignore_missing: true - - set: - field: source.address - copy_from: source.ip - ignore_empty_value: true - - rename: - field: crowdstrike.LocalPort - target_field: source.port - ignore_missing: true - - convert: - field: crowdstrike.RemoteAddressIP4 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.RemoteAddressIP4 - target_field: destination.ip - ignore_missing: true - - set: - field: destination.address - copy_from: destination.ip - ignore_empty_value: true - - convert: - field: crowdstrike.RemoteAddressIP6 - type: ip - ignore_missing: true - - rename: - field: crowdstrike.RemoteAddressIP6 - target_field: destination.ip - ignore_missing: true - - set: - field: destination.address - copy_from: destination.ip - ignore_empty_value: true - - rename: - field: crowdstrike.RemotePort - target_field: destination.port - ignore_missing: true - - rename: - field: crowdstrike.Protocol - target_field: network.iana_number - ignore_missing: true - - script: - tag: network-transport-lookup - lang: painless - ignore_failure: true - if: ctx.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if 
(iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - set: - field: network.direction - value: outbound - if: ctx.crowdstrike?.ConnectionDirection == "0" - - set: - field: network.direction - value: inbound - if: ctx.crowdstrike?.ConnectionDirection == "1" - - set: - field: network.direction - value: unknown - if: ctx.network?.direction == null && ctx.crowdstrike?.ConnectionDirection != null && ctx.crowdstrike.ConnectionDirection != "" - - community_id: - ignore_missing: true - ignore_failure: true - - append: - field: related.ip - value: "{{{source.ip}}}" - allow_duplicates: false - if: ctx.source?.ip != null && ctx.source.ip != "" - - append: - field: related.ip - value: "{{{destination.ip}}}" - allow_duplicates: false - if: ctx.destination?.ip != null && ctx.destination.ip != "" - - append: - field: related.hosts - value: "{{{source.ip}}}" - allow_duplicates: false - if: ctx.source?.ip != null && ctx.source.ip != "" - - append: - field: related.hosts - value: "{{{destination.ip}}}" - allow_duplicates: false - if: ctx.destination?.ip != null && ctx.destination.ip != "" - - rename: - field: crowdstrike.PhysicalAddress - target_field: source.mac - ignore_missing: true - - uppercase: - field: source.mac - ignore_missing: true - - rename: - field: crowdstrike.DownloadServer - target_field: server.address - ignore_missing: true - - rename: - field: crowdstrike.DownloadPath - target_field: url.path - ignore_missing: true - - ## URL fields. 
- - set: - field: url.path - value: "/{{url.path}}" - if: ctx.url?.path != null && !ctx.url.path.startsWith("/") - - registered_domain: - field: server.address - target_field: server - ignore_missing: true - - set: - field: url.scheme - value: https - if: ctx.crowdstrike?.DownloadPort == 443 - - set: - field: url.scheme - value: http - if: ctx.crowdstrike?.DownloadPort != 443 - - set: - field: url.full - value: "{{{url.scheme}}}://{{{server.address}}}{{{url.path}}}" - if: ctx.url?.scheme != null && ctx.server?.address != null && ctx.url?.path != null - - uri_parts: - field: url.full - ignore_failure: true - if: ctx.url?.full != null - - registered_domain: - field: url.domain - target_field: url - ignore_missing: true - ignore_failure: true - - ## IP Geolocation Lookup - - geoip: - field: observer.ip - target_field: observer.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - ## IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - ## DNS fields. 
- - set: - field: dns.type - value: query - if: ctx.event?.action == "DnsRequest" - - registered_domain: - field: crowdstrike.DomainName - target_field: dns.question - ignore_missing: true - if: ctx.event?.action == "DnsRequest" - - rename: - field: dns.question.domain - target_field: dns.question.name - ignore_missing: true - if: ctx.event?.action == "DnsRequest" - - script: - tag: dns-request-type-to-name - description: Map decimal DNS request type to its name. - lang: painless - params: - "1": A - "2": NS - "5": CNAME - "6": SOA - "12": PTR - "13": HINFO - "15": MX - "16": TXT - "17": RP - "18": AFSDB - "24": SIG - "25": KEY - "28": AAAA - "29": LOC - "33": SRV - "35": NAPTR - "36": KX - "37": CERT - "39": DNAME - "42": APL - "43": DS - "44": SSHFP - "45": IPSECKEY - "46": RRSIG - "47": NSEC - "48": DNSKEY - "49": DHCID - "50": NSEC3 - "51": NSEC3PARAM - "52": TLSA - "53": SMIMEA - "55": HIP - "59": CDS - "60": CDNSKEY - "61": OPENPGPKEY - "62": CSYNC - "63": ZONEMD - "64": SVCB - "65": HTTPS - "108": EUI48 - "109": EUI64 - "249": TKEY - "250": TSIG - "256": URI - "257": CAA - "32768": TA - "32769": DLV - if: ctx.event?.action == "DnsRequest" && ctx.crowdstrike?.RequestType != null && !ctx.crowdstrike.RequestType.isEmpty() - source: |- - def t = params[ctx.crowdstrike.RequestType]; - if (t != null) { - if (ctx.dns?.question == null) { - ctx.dns.question = new HashMap(); - } - ctx.dns.question.type = t; - ctx.crowdstrike.remove("RequestType"); - } - - ## File fields. 
- - convert: - field: crowdstrike.Size - type: long - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.Size - target_field: file.size - ignore_missing: true - - rename: - field: crowdstrike.FileIdentifier - target_field: file.inode - ignore_missing: true - - rename: - field: crowdstrike.SourceFileName - target_field: file.path - ignore_missing: true - - rename: - field: crowdstrike.TargetFileName - target_field: file.path - ignore_missing: true - ignore_failure: true - - rename: - field: crowdstrike.DiskParentDeviceInstanceId - target_field: file.device - ignore_missing: true - - set: - field: file.type - value: file - if: ctx.file?.path != null && !ctx.event.action.contains("Directory") - - set: - field: file.type - value: dir - if: ctx.file?.path != null && (ctx.event.action.contains("Directory") || ctx.file.path.endsWith("\\") || ctx.file.path.endsWith("/")) - - script: - tag: parse-file-path - description: Adds file information. - lang: painless - if: ctx.file?.path != null && ctx.file.path.length() > 1 - source: |- - def removeSuffix(String s, String suffix) { - if (s != null && suffix != null && s.endsWith(suffix)) { - return s.substring(0, s.length() - suffix.length()); - } - return s; - } - - def path = removeSuffix(ctx.file.path, "/"); - path = removeSuffix(path, "\\"); - def idx = path.lastIndexOf("\\"); - if (idx == -1) { - idx = path.lastIndexOf("/"); - } - if (idx > -1) { - if (ctx.file == null) { - ctx.file = new HashMap(); - } - ctx.file.name = path.substring(idx+1); - ctx.file.directory = path.substring(0, idx); - - def extIdx = ctx.file.name.lastIndexOf("."); - if (extIdx > -1 && ctx.file.type == "file") { - ctx.file.extension = ctx.file.name.substring(extIdx+1); - } - } - if (path.charAt(1) == ":") { - ctx.file.drive_letter = path.charAt(0).toUpperCase(); - } - - rename: - field: _temp.hashes - target_field: file.hash - if: ctx.event?.action != null && (ctx.event.action.contains("File") || 
ctx.event.action.contains("Directory") || ctx.event.action.contains("Executable")) && ctx._temp?.hashes != null && ctx._temp?.hashes.size() > 0 - - ## Crowdstrike fields. - - split: - field: crowdstrike.FalconGroupingTags - separator: ",\\s?" - ignore_missing: true - ignore_failure: true - - split: - field: crowdstrike.SensorGroupingTags - separator: ",\\s?" - ignore_missing: true - ignore_failure: true - - split: - field: crowdstrike.Tags - separator: ",\\s?" - ignore_missing: true - ignore_failure: true - - split: - field: crowdstrike.CallStackModuleNames - separator: "\\|" - ignore_missing: true - ignore_failure: true - - convert: - field: crowdstrike.UserTime - type: long - ignore_missing: true - - convert: - field: crowdstrike.KernelTime - type: long - ignore_missing: true - - convert: - field: crowdstrike.CycleTime - type: long - ignore_missing: true - - append: - field: related.hash - value: "{{{crowdstrike.ConfigStateHash}}}" - ignore_failure: true - allow_duplicates: false - if: ctx.crowdstrike?.ConfigStateHash != null && ctx.crowdstrike.ConfigStateHash != "" - - trim: - field: crowdstrike.BootArgs - ignore_missing: true - - split: - field: crowdstrike.BootArgs - separator: '\s+' - ignore_missing: true - - date: - field: crowdstrike.LogonTime - target_field: crowdstrike.LogonTime - formats: - - UNIX - if: ctx.crowdstrike?.LogonTime != null && ctx.crowdstrike?.LogonTime != "" - - date: - field: crowdstrike.LogoffTime - target_field: crowdstrike.LogoffTime - formats: - - UNIX - if: ctx.crowdstrike?.LogoffTime != null && ctx.crowdstrike?.LogoffTime != "" - - date: - field: crowdstrike.ConnectTime - target_field: crowdstrike.ConnectTime - formats: - - UNIX - if: ctx.crowdstrike?.ConnectTime != null && ctx.crowdstrike?.ConnectTime != "" - - date: - field: crowdstrike.PreviousConnectTime - target_field: crowdstrike.PreviousConnectTime - formats: - - UNIX - if: ctx.crowdstrike?.PreviousConnectTime != null && ctx.crowdstrike?.PreviousConnectTime != "" - - date: - 
field: crowdstrike.AgentLocalTime - target_field: crowdstrike.AgentLocalTime - formats: - - UNIX - if: ctx.crowdstrike?.AgentLocalTime != null && ctx.crowdstrike?.AgentLocalTime != "" - - date: - field: crowdstrike.FirstSeen - target_field: crowdstrike.FirstSeen - formats: - - UNIX - if: ctx.crowdstrike?.FirstSeen != null && ctx.crowdstrike?.FirstSeen != "" - - date: - field: crowdstrike.Time - target_field: crowdstrike.Time - formats: - - UNIX - if: ctx.crowdstrike?.Time != null && ctx.crowdstrike?.Time != "" - - date: - field: crowdstrike.BiosReleaseDate - target_field: crowdstrike.BiosReleaseDate - formats: - - MM/dd/yyyy - - strict_date_optional_time - if: ctx.crowdstrike?.BiosReleaseDate != null && ctx.crowdstrike?.BiosReleaseDate != "" - - convert: - field: crowdstrike.AgentTimeOffset - target_field: crowdstrike.AgentTimeOffset - type: float - ignore_missing: true - - convert: - field: crowdstrike.Timeout - type: long - ignore_missing: true - - convert: - field: crowdstrike.PhysicalAddressLength - type: long - ignore_missing: true - - convert: - field: crowdstrike.InterfaceIndex - type: long - ignore_missing: true - - convert: - field: crowdstrike.NetLuidIndex - type: long - ignore_missing: true - - convert: - field: crowdstrike.AttemptNumber - type: long - ignore_missing: true - - convert: - field: crowdstrike.SystemTableIndex - type: long - ignore_missing: true - - split: - field: crowdstrike.NeighborList - separator: '\|' - ignore_missing: true - - split: - field: crowdstrike.ConfigStateData - separator: '\|' - ignore_missing: true - - append: - field: related.hosts - value: "{{{crowdstrike.LogonServer}}}" - allow_duplicates: false - if: ctx.crowdstrike?.LogonServer != null - - append: - field: related.hosts - value: "{{{crowdstrike.ClientComputerName}}}" - allow_duplicates: false - if: ctx.crowdstrike?.ClientComputerName != null - - ## Cleanup. 
- - remove: - field: crowdstrike.event_platform - ignore_missing: true - ignore_failure: true - if: ctx.os?.type != null - - remove: - field: - - _temp - - crowdstrike.timestamp - - crowdstrike._time - - crowdstrike.ContextTimeStamp - - crowdstrike.CreationTimeStamp - - crowdstrike.DomainName - - crowdstrike.ConnectionDirection - - crowdstrike.UserIsAdmin - - crowdstrike.UTCTimestamp - - crowdstrike.TargetDirectoryName - ignore_missing: true - ignore_failure: true - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - tag: remove-nulls - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: - - set: - field: error.message - value: "Processor '{{ _ingest.on_failure_processor_type }}' with tag '{{ _ingest.on_failure_processor_tag }}' failed with message {{ _ingest.on_failure_message }}" diff --git a/packages/crowdstrike/1.3.4/data_stream/fdr/fields/base-fields.yml b/packages/crowdstrike/1.3.4/data_stream/fdr/fields/base-fields.yml deleted file mode 100755 index b701d8325a..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/fdr/fields/base-fields.yml +++ /dev/null 
@@ -1,24 +0,0 @@
-- name: input.type
- type: keyword
-- name: log.offset
- type: long
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: crowdstrike
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: crowdstrike.fdr
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/crowdstrike/1.3.4/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/1.3.4/data_stream/fdr/fields/ecs.yml
deleted file mode 100755
index 09e7f347a7..0000000000
--- a/packages/crowdstrike/1.3.4/data_stream/fdr/fields/ecs.yml
+++ /dev/null
@@ -1,509 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. 
- For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
- name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. 
"Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Device that is the source of the file. - name: file.device - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Inode representing the file in the filesystem. - name: file.inode - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country name. 
- name: host.geo.country_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: host.geo.timezone - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
- name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: City name. - name: observer.geo.city_name - type: keyword -- description: Name of the continent. - name: observer.geo.continent_name - type: keyword -- description: Country ISO code. - name: observer.geo.country_iso_code - type: keyword -- description: Country name. - name: observer.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: observer.geo.location - type: geo_point -- description: Region ISO code. - name: observer.geo.region_iso_code - type: keyword -- description: Region name. - name: observer.geo.region_name - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. 
- If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: os.type - type: keyword -- description: Operating system version as a raw string. - name: os.version - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: The time the process ended. - name: process.end - type: date -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - The exit code of the process, if this is a termination event. - The field should be absent if there is no exit code for the event (e.g. process start). 
- name: process.exit_code - type: long -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - Identifier of the group of processes the process belongs to. - name: process.pgid - type: long -- description: Process id. - name: process.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Thread ID. - name: process.thread.id - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Seconds the process has been up. - name: process.uptime - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
- name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id - type: keyword -- description: Unique identifier of the user. 
- name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/crowdstrike/1.3.4/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/1.3.4/data_stream/fdr/fields/fields.yml deleted file mode 100755 index 430dfe74b2..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/fdr/fields/fields.yml +++ /dev/null 
@@ -1,595 +0,0 @@ -- name: observer.address - type: keyword -- name: crowdstrike - type: group - fields: - - name: AgentTimeOffset - type: float - - name: AllocateVirtualMemoryCount - type: long - - name: ApiReturnValue - type: keyword - - name: ArchiveFileWrittenCount - type: long - - name: AsepWrittenCount - type: long - - name: AuthenticationId - type: keyword - - name: AuthenticationPackage - type: keyword - - name: BinaryExecutableWrittenCount - type: long - - name: BootArgs - type: keyword - - name: BundleID - type: keyword - - name: CLICreationCount - type: long - - name: CallStackModuleNames - type: keyword - - name: CallStackModuleNamesVersion - type: version - - name: ClientComputerName - type: keyword - - name: CompletionEventId - type: keyword - - name: ConfigBuild - type: keyword - - name: ConHostId - type: keyword - - name: ConHostProcessId - type: keyword - - name: ConfigStateHash - type: keyword - - name: ConnectionFlags - type: keyword - - name: ContextProcessId - type: keyword - - name: CreateProcessCount - type: long - - name: CreateProcessType - type: keyword - - name: CycleTime - type: long - - name: DesiredAccess - type: keyword - - name: DirectoryCreatedCount - type: long - - name: DirectoryEnumeratedCount - type: long - - name: DnsRequestCount - type: long - - name: DocumentFileWrittenCount - type: long - - name: DownloadPath - type: keyword - - name: DownloadPort - type: long - - name: DownloadServer - type: keyword - - name: DualRequest - type: keyword - - name: EffectiveTransmissionClass - type: keyword - - name: EnabledPrivilegesBitmask - type: keyword - - name: Entitlements - type: keyword - - name: ExeAndServiceCount - type: long - - name: ExecutableDeletedCount - type: long - - name: FalconGroupingTags - type: keyword - - name: FileAttributes - type: keyword - - name: FileDeletedCount - type: long - - name: FileEcpBitmask - type: keyword - - name: FileObject - type: keyword - - name: FirstSeen - type: date - - name: Flags - type: 
keyword - - name: GenericFileWrittenCount - type: long - - name: GrandParentBaseFileName - type: keyword - - name: HostHiddenStatus - type: keyword - - name: ImageSubsystem - type: keyword - - name: InContext - type: keyword - - name: Information - type: keyword - - name: InjectedDllCount - type: long - - name: InjectedThreadCount - type: long - - name: IntegrityLevel - type: keyword - - name: InterfaceGuid - type: keyword - - name: InterfaceIndex - type: long - - name: InterfaceVersion - type: keyword - - name: IrpFlags - type: keyword - - name: IsOnNetwork - type: keyword - - name: IsOnRemovableDisk - type: keyword - - name: IsTransactedFile - type: keyword - - name: KernelTime - type: long - - name: LogoffTime - type: date - - name: LogonDomain - type: keyword - - name: LogonId - type: keyword - - name: LogonServer - type: keyword - - name: LogonTime - type: date - - name: LogonType - type: keyword - - name: MachOSubType - type: keyword - - name: MajorFunction - type: keyword - - name: MaxThreadCount - type: long - - name: MinorFunction - type: keyword - - name: ModuleLoadCount - type: long - - name: NDRoot - type: keyword - - name: NetworkBindCount - type: long - - name: NetworkCapableAsepWriteCount - type: long - - name: NetworkCloseCount - type: long - - name: NetworkConnectCount - type: long - - name: NetworkConnectCountUdp - type: long - - name: NetworkListenCount - type: long - - name: NetworkModuleLoadCount - type: long - - name: NetworkRecvAcceptCount - type: long - - name: NewExecutableWrittenCount - type: long - - name: NewFileIdentifier - type: keyword - - name: OperationFlags - type: keyword - - name: Options - type: keyword - - name: OU - type: keyword - - name: ParentAuthenticationId - type: keyword - - name: PasswordLastSet - type: keyword - - name: PhysicalAddressLength - type: long - - name: PointerSize - type: keyword - - name: PrivilegedProcessHandleCount - type: long - - name: PrivilegesBitmask - type: keyword - - name: ProcessCreateFlags - 
type: keyword - - name: ProcessParameterFlags - type: keyword - - name: ProcessSxsFlags - type: keyword - - name: ProductType - type: keyword - - name: ProtectVirtualMemoryCount - type: long - - name: QueueApcCount - type: long - - name: RGID - type: keyword - - name: RUID - type: keyword - - name: RegKeySecurityDecreasedCount - type: long - - name: RemoteAccount - type: keyword - - name: RemovableDiskFileWrittenCount - type: long - - name: RequestType - type: keyword - - name: RpcClientProcessId - type: keyword - - name: RpcClientThreadId - type: keyword - - name: RpcNestingLevel - type: keyword - - name: RpcOpNum - type: keyword - - name: RunDllInvocationCount - type: long - - name: SVGID - type: keyword - - name: SVUID - type: keyword - - name: ScreenshotsTakenCount - type: long - - name: ScriptEngineInvocationCount - type: long - - name: SensorGroupingTags - type: keyword - - name: ServiceDisplayName - type: keyword - - name: ServiceEventCount - type: long - - name: ServicePackMajor - type: keyword - - name: SessionId - type: keyword - - name: SessionProcessId - type: keyword - - name: SetThreadContextCount - type: long - - name: ShareAccess - type: keyword - - name: Size - type: long - - name: SiteName - type: keyword - - name: SnapshotFileOpenCount - type: long - - name: SourceFileName - type: keyword - - name: SourceProcessId - type: keyword - - name: SourceThreadId - type: keyword - - name: Status - type: keyword - - name: SubStatus - type: keyword - - name: SuspectStackCount - type: long - - name: SuspiciousCredentialModuleLoadCount - type: long - - name: SuspiciousDnsRequestCount - type: long - - name: SuspiciousFontLoadCount - type: long - - name: SuspiciousRawDiskReadCount - type: long - - name: Tags - type: keyword - - name: TargetThreadId - type: keyword - - name: Time - type: date - - name: Timeout - type: long - - name: TokenType - type: keyword - - name: UnixMode - type: keyword - - name: UnsignedModuleLoadCount - type: long - - name: UserFlags - 
type: keyword - - name: UserGroupsBitmask - type: keyword - - name: UserLogoffType - type: keyword - - name: UserLogonFlags - type: keyword - - name: UserMemoryAllocateExecutableCount - type: long - - name: UserMemoryAllocateExecutableRemoteCount - type: long - - name: UserMemoryProtectExecutableCount - type: long - - name: UserMemoryProtectExecutableRemoteCount - type: long - - name: UserTime - type: long - - name: VnodeModificationType - type: keyword - - name: VnodeType - type: keyword - - name: VolumeDeviceCharacteristics - type: keyword - - name: VolumeDeviceObjectFlags - type: keyword - - name: VolumeDeviceType - type: keyword - - name: VolumeDriveLetter - type: keyword - - name: VolumeFileSystemDevice - type: keyword - - name: VolumeFileSystemDriver - type: keyword - - name: VolumeFileSystemType - type: keyword - - name: VolumeIsEncrypted - type: keyword - - name: VolumeIsNetwork - type: keyword - - name: VolumeMountPoint - type: keyword - - name: VolumeName - type: keyword - - name: VolumeRealDeviceName - type: keyword - - name: VolumeSectorSize - type: keyword - - name: cid - type: keyword - - name: name - type: keyword - - name: AgentLoadFlags - type: keyword - - name: AgentLocalTime - type: date - - name: AgentVersion - type: keyword - - name: AttemptNumber - type: long - - name: AuthenticationUuid - type: keyword - - name: AuthenticationUuidAsString - type: keyword - - name: BiosManufacturer - type: keyword - - name: BiosReleaseDate - type: date - - name: BiosVersion - type: keyword - - name: BootTimeFunctionalityLevel - type: keyword - - name: BoundedCount - type: long - - name: ChannelDiffStatus - type: keyword - - name: ChannelId - type: keyword - - name: ChannelVersion - type: keyword - - name: ChannelVersionRequired - type: keyword - - name: ChasisManufacturer - type: keyword - - name: ChassisType - type: keyword - - name: ConfigIDBase - type: keyword - - name: ConfigIDBuild - type: keyword - - name: ConfigIDPlatform - type: keyword - - name: 
ConfigStateData - type: keyword - - name: ConfigurationVersion - type: keyword - - name: ConnectTime - type: date - - name: ConnectType - type: keyword - - name: CpuClockSpeed - type: keyword - - name: CpuFeaturesMask - type: keyword - - name: CpuProcessorName - type: keyword - - name: CpuSignature - type: keyword - - name: CpuVendor - type: keyword - - name: CurrentFunctionalityLevel - type: keyword - - name: DeviceId - type: keyword - - name: ELFSubType - type: keyword - - name: ErrorCode - type: keyword - - name: ErrorStatus - type: keyword - - name: EtwRawThreadId - type: long - - name: FXFileSize - type: keyword - - name: Facility - type: keyword - - name: FailedConnectCount - type: long - - name: FeatureExtractionVersion - type: keyword - - name: FeatureVector - type: keyword - - name: File - type: keyword - - name: FirmwareAnalysisEclConsumerInterfaceVersion - type: keyword - - name: FirmwareAnalysisEclControlInterfaceVersion - type: keyword - - name: IOServiceClass - type: keyword - - name: IOServiceName - type: keyword - - name: IOServicePath - type: keyword - - name: InDiscards - type: keyword - - name: InErrors - type: keyword - - name: InMulticastPkts - type: keyword - - name: InOctets - type: keyword - - name: InUcastPkts - type: keyword - - name: InUnknownProtos - type: keyword - - name: InterfaceAlias - type: keyword - - name: InterfaceType - type: keyword - - name: LfoUploadFlags - type: keyword - - name: LightningLatencyState - type: keyword - - name: Line - type: keyword - - name: LogicalCoreCount - type: long - - name: LoginSessionId - type: keyword - - name: MLModelVersion - type: keyword - - name: MajorVersion - type: keyword - - name: Malicious - type: keyword - - name: MemoryTotal - type: keyword - - name: MicrocodeSignature - type: keyword - - name: MinorVersion - type: keyword - - name: MoboManufacturer - type: keyword - - name: MoboProductName - type: keyword - - name: ModelPrediction - type: keyword - - name: NeighborList - type: keyword 
- - name: NetLuidIndex - type: long - - name: NetworkContainmentState - type: keyword - - name: OSVersionFileData - type: keyword - - name: OSVersionFileName - type: keyword - - name: OutErrors - type: keyword - - name: OutMulticastPkts - type: keyword - - name: OutOctets - type: keyword - - name: OutUcastPkts - type: keyword - - name: Parameter1 - type: keyword - - name: Parameter2 - type: keyword - - name: Parameter3 - type: keyword - - name: PciAttachmentState - type: keyword - - name: PhysicalCoreCount - type: long - - name: PreviousConnectTime - type: date - - name: ProcessCount - type: long - - name: ProcessorPackageCount - type: long - - name: ProvisionState - type: keyword - - name: PupAdwareConfidence - type: keyword - - name: PupAdwareDecisionValue - type: keyword - - name: RFMState - type: keyword - - name: ReasonOfFunctionalityLevel - type: keyword - - name: SensorStateBitMap - type: keyword - - name: SuppressType - type: keyword - - name: SyntheticPR2Flags - type: keyword - - name: SystemManufacturer - type: keyword - - name: SystemProductName - type: keyword - - name: SystemSerialNumber - type: keyword - - name: SystemSku - type: keyword - - name: SystemTableIndex - type: long - - name: TargetFileName - type: keyword - - name: USN - type: keyword - - name: UploadId - type: keyword - - name: UserSid - type: keyword - - name: VerifiedCertificate - type: keyword - - name: VolumeAppearanceTime - type: keyword - - name: VolumeBusName - type: keyword - - name: VolumeBusPath - type: keyword - - name: VolumeDeviceInternal - type: keyword - - name: VolumeDeviceModel - type: keyword - - name: VolumeDevicePath - type: keyword - - name: VolumeDeviceProtocol - type: keyword - - name: VolumeDeviceRevision - type: keyword - - name: VolumeMediaBSDMajor - type: keyword - - name: VolumeMediaBSDMinor - type: keyword - - name: VolumeMediaBSDName - type: keyword - - name: VolumeMediaBSDUnit - type: keyword - - name: VolumeMediaContent - type: keyword - - name: 
VolumeMediaEjectable - type: keyword - - name: VolumeMediaName - type: keyword - - name: VolumeMediaPath - type: keyword - - name: VolumeMediaRemovable - type: keyword - - name: VolumeMediaSize - type: keyword - - name: VolumeMediaUUID - type: keyword - - name: VolumeMediaWhole - type: keyword - - name: VolumeMediaWritable - type: keyword - - name: VolumeType - type: keyword - - name: VolumeUUID - type: keyword - - name: WindowFlags - type: keyword diff --git a/packages/crowdstrike/1.3.4/data_stream/fdr/manifest.yml b/packages/crowdstrike/1.3.4/data_stream/fdr/manifest.yml deleted file mode 100755 index 755618e931..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/fdr/manifest.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -title: "Falcon Data Replicator" -type: logs -streams: - - input: aws-s3 - template_path: aws-s3.yml.hbs - title: Falcon Data Replicator logs - description: Collect Falcon Data Replicator logs using s3 input - vars: - - name: access_key_id - type: text - title: Access Key ID - multi: false - required: false - show_user: true - - name: secret_access_key - type: text - title: Secret Access Key - multi: false - required: false - show_user: true - - name: session_token - type: text - title: Session Token - multi: false - required: false - show_user: true - - name: queue_url - type: text - title: Queue URL - multi: false - required: true - show_user: true - description: URL of the AWS SQS queue that messages will be received from. - - name: is_fdr_queue - type: bool - title: Is FDR queue - multi: false - required: true - show_user: true - description: | - By default the FDR queue is expected. This option must be set to `false` if you are using your own queue. - default: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: shared_credential_file - type: text - title: Shared Credential File - multi: false - required: false - show_user: false - description: Directory of the shared credentials file - - name: credential_profile_name - type: text - title: Credential Profile Name - multi: false - required: false - show_user: false - - name: role_arn - type: text - title: Role ARN - multi: false - required: false - show_user: false - - name: endpoint - type: text - title: Endpoint - multi: false - required: false - show_user: false - default: "amazonaws.com" - description: URL of the entry point for an AWS web service - - name: visibility_timeout - type: text - title: Visibility Timeout - multi: false - required: false - show_user: false - description: The 
duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: API Timeout - multi: false - required: false - show_user: false - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: fdr_parsing_script - type: yaml - title: FDR Notification Parsing Script - multi: false - required: true - show_user: false - description: The JS script used to parse the custom format of SQS FDR notifications. - default: | - function parse(n) { - var m = JSON.parse(n); - var evts = []; - var files = m.files; - var bucket = m.bucket; - if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { - return evts; - } - files.forEach(function(f){ - var evt = new S3EventV2(); - evt.SetS3BucketName(bucket); - evt.SetS3ObjectKey(f.path); - evts.push(evt); - }); - return evts; - } - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - crowdstrike-fdr - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - title: Falcon Data Replicator logs - description: Collect Falcon Data Replicator logs using a log file - vars: - - name: paths - type: text - title: Paths - multi: true - default: - - /var/log/falcon_data_replicator.log - show_user: true - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - crowdstrike-fdr - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/crowdstrike/1.3.4/data_stream/fdr/sample_event.json b/packages/crowdstrike/1.3.4/data_stream/fdr/sample_event.json deleted file mode 100755 index 07551bd55b..0000000000 --- a/packages/crowdstrike/1.3.4/data_stream/fdr/sample_event.json +++ /dev/null 
@@ -1,121 +0,0 @@
-{
- "@timestamp": "2020-11-08T09:58:32.519Z",
- "agent": {
- "ephemeral_id": "8cb3a21e-5542-440a-a909-8a2f161001ba",
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "crowdstrike": {
- "ConfigStateHash": "1763245019",
- "DesiredAccess": "1179785",
- "EffectiveTransmissionClass": "3",
- "Entitlements": "15",
- "FileAttributes": "0",
- "FileObject": "18446670458156489088",
- "Information": "1",
- "IrpFlags": "2180",
- "MajorFunction": "0",
- "MinorFunction": "0",
- "OperationFlags": "0",
- "Options": "16777312",
- "ShareAccess": "5",
- "Status": "0",
- "cid": "ffffffff30a3407dae27d0503611022d",
- "name": "RansomwareOpenFileV4"
- },
- "data_stream": {
- "dataset": "crowdstrike.fdr",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "RansomwareOpenFile",
- "agent_id_status": "verified",
- "category": [
- "file"
- ],
- "created": "2020-11-08T17:07:22.091Z",
- "dataset": "crowdstrike.fdr",
- "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
- "ingested": "2022-05-09T16:39:37Z",
- "kind": "alert",
- "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}",
- "outcome": "success",
- "timezone": "+00:00",
- "type": [
- "access"
- ]
- },
- "file": {
- "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads",
- "extension": "pptx",
- "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00",
- "name": "file.pptx",
- "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx",
- "type": "file"
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/fdr-sample.log"
- },
- "offset": 95203
- },
- "observer": {
- "address": "67.43.156.14",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.14",
- "serial_number": "ffffffffac4148947ed68497e89f3308",
- "type": "agent",
- "vendor": "crowdstrike",
- "version": "1007.3.0011603.1"
- },
- "os": {
- "type": "windows"
- },
- "process": {
- "entity_id": "1016182570608",
- "thread": {
- "id": 37343520154472
- }
- },
- "related": {
- "hash": [
- "1763245019"
- ],
- "hosts": [
- "67.43.156.14"
- ],
- "ip": [
- "67.43.156.14"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "crowdstrike-fdr"
- ],
- "url": {
- "scheme": "http"
- }
-}
\ No newline at end of file
diff --git a/packages/crowdstrike/1.3.4/docs/README.md
deleted file mode 100755
index 77ec53e0b5..0000000000
--- a/packages/crowdstrike/1.3.4/docs/README.md
+++ /dev/null
@@ -1,1024 +0,0 @@
-# CrowdStrike Integration
-
-This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the
-following datasets for receiving logs:
-
-- `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/).
-- `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR).
-
-## Compatibility
-
-This integration supports CrowdStrike Falcon SIEM-Connector-v2.0.
-
-## Logs
-
-### Falcon
-
-Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
-| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword |
-| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| crowdstrike.event.AuditKeyValues | Fields that were changed in this event. | nested |
-| crowdstrike.event.CommandLine | Executable path with command line arguments. | keyword |
-| crowdstrike.event.Commands | Commands run in a remote session. | keyword |
-| crowdstrike.event.ComputerName | Name of the computer where the detection occurred. | keyword |
-| crowdstrike.event.ConnectionDirection | Direction for network connection. | keyword |
-| crowdstrike.event.CustomerId | Customer identifier. | keyword |
-| crowdstrike.event.DetectDescription | Description of the detection. | keyword |
-| crowdstrike.event.DetectId | Unique ID associated with the detection. | keyword |
-| crowdstrike.event.DetectName | Name of the detection. | keyword |
-| crowdstrike.event.DeviceId | Device on which the event occurred. | keyword |
-| crowdstrike.event.EndTimestamp | End time for the remote session in UTC UNIX format. | date |
-| crowdstrike.event.EventType | CrowdStrike provided event type. | keyword |
-| crowdstrike.event.ExecutablesWritten | Detected executables written to disk by a process. | nested |
-| crowdstrike.event.FalconHostLink | URL to view the detection in Falcon. | keyword |
-| crowdstrike.event.FileName | File name of the associated process for the detection. | keyword |
-| crowdstrike.event.FilePath | Path of the executable associated with the detection. | keyword |
-| crowdstrike.event.FineScore | Score for incident. | float |
-| crowdstrike.event.Flags.Audit | CrowdStrike audit flag. | boolean |
-| crowdstrike.event.Flags.Log | CrowdStrike log flag. | boolean |
-| crowdstrike.event.Flags.Monitor | CrowdStrike monitor flag. | boolean |
-| crowdstrike.event.GrandparentCommandLine | Grandparent process command line arguments. | keyword |
-| crowdstrike.event.GrandparentImageFileName | Path to the grandparent process. | keyword |
-| crowdstrike.event.HostName | Host name of the local machine. | keyword |
-| crowdstrike.event.HostnameField | Host name of the machine for the remote session. | keyword |
-| crowdstrike.event.ICMPCode | RFC2780 ICMP Code field. | keyword |
-| crowdstrike.event.ICMPType | RFC2780 ICMP Type field. | keyword |
-| crowdstrike.event.IOCType | CrowdStrike type for indicator of compromise. | keyword |
-| crowdstrike.event.IOCValue | CrowdStrike value for indicator of compromise. | keyword |
-| crowdstrike.event.ImageFileName | File name of the associated process for the detection. | keyword |
-| crowdstrike.event.IncidentEndTime | End time for the incident in UTC UNIX format. | date |
-| crowdstrike.event.IncidentStartTime | Start time for the incident in UTC UNIX format. | date |
-| crowdstrike.event.Ipv | Protocol for network request. | keyword |
-| crowdstrike.event.LateralMovement | Lateral movement field for incident. | long |
-| crowdstrike.event.LocalAddress | IP address of local machine. | ip |
-| crowdstrike.event.LocalIP | IP address of the host associated with the detection. | keyword |
-| crowdstrike.event.LocalPort | Port of local machine. | long |
-| crowdstrike.event.MACAddress | MAC address of the host associated with the detection. | keyword |
-| crowdstrike.event.MD5String | MD5 sum of the executable associated with the detection. | keyword |
-| crowdstrike.event.MachineDomain | Domain for the machine associated with the detection. | keyword |
-| crowdstrike.event.MatchCount | Number of firewall rule matches. | long |
-| crowdstrike.event.MatchCountSinceLastReport | Number of firewall rule matches since the last report. | long |
-| crowdstrike.event.NetworkProfile | CrowdStrike network profile. | keyword |
-| crowdstrike.event.Objective | Method of detection. | keyword |
-| crowdstrike.event.OperationName | Event subtype. | keyword |
-| crowdstrike.event.PID | Associated process id for the detection. | long |
-| crowdstrike.event.ParentCommandLine | Parent process command line arguments. | keyword |
-| crowdstrike.event.ParentImageFileName | Path to the parent process. | keyword |
-| crowdstrike.event.ParentProcessId | Parent process ID related to the detection. | integer |
-| crowdstrike.event.PatternDispositionDescription | Action taken by Falcon. | keyword |
-| crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled | | boolean |
-| crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled | | boolean |
-| crowdstrike.event.PatternDispositionFlags.Detect | | boolean |
-| crowdstrike.event.PatternDispositionFlags.FsOperationBlocked | | boolean |
-| crowdstrike.event.PatternDispositionFlags.InddetMask | | boolean |
-| crowdstrike.event.PatternDispositionFlags.Indicator | | boolean |
-| crowdstrike.event.PatternDispositionFlags.KillParent | | boolean |
-| crowdstrike.event.PatternDispositionFlags.KillProcess | | boolean |
-| crowdstrike.event.PatternDispositionFlags.KillSubProcess | | boolean |
-| crowdstrike.event.PatternDispositionFlags.OperationBlocked | | boolean |
-| crowdstrike.event.PatternDispositionFlags.PolicyDisabled | | boolean |
-| crowdstrike.event.PatternDispositionFlags.ProcessBlocked | | boolean |
-| crowdstrike.event.PatternDispositionFlags.QuarantineFile | | boolean |
-| crowdstrike.event.PatternDispositionFlags.QuarantineMachine | | boolean |
-| crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked | | boolean |
-| crowdstrike.event.PatternDispositionFlags.Rooting | | boolean |
-| crowdstrike.event.PatternDispositionFlags.SensorOnly | | boolean |
-| crowdstrike.event.PatternDispositionValue | Unique ID associated with action taken. | integer |
-| crowdstrike.event.PolicyID | CrowdStrike policy id. | keyword |
-| crowdstrike.event.PolicyName | CrowdStrike policy name. | keyword |
-| crowdstrike.event.ProcessEndTime | The process termination time in UTC UNIX_MS format. | date |
-| crowdstrike.event.ProcessId | Process ID related to the detection. | integer |
-| crowdstrike.event.ProcessStartTime | The process start time in UTC UNIX_MS format. | date |
-| crowdstrike.event.Protocol | CrowdStrike provided protocol. | keyword |
-| crowdstrike.event.RemoteAddress | IP address of remote machine. | ip |
-| crowdstrike.event.RemotePort | Port of remote machine. | long |
-| crowdstrike.event.RuleAction | Firewall rule action. | keyword |
-| crowdstrike.event.RuleDescription | Firewall rule description. | keyword |
-| crowdstrike.event.RuleFamilyID | Firewall rule family id. | keyword |
-| crowdstrike.event.RuleGroupName | Firewall rule group name. | keyword |
-| crowdstrike.event.RuleId | Firewall rule id. | keyword |
-| crowdstrike.event.RuleName | Firewall rule name. | keyword |
-| crowdstrike.event.SHA1String | SHA1 sum of the executable associated with the detection. | keyword |
-| crowdstrike.event.SHA256String | SHA256 sum of the executable associated with the detection. | keyword |
-| crowdstrike.event.SensorId | Unique ID associated with the Falcon sensor. | keyword |
-| crowdstrike.event.ServiceName | Service associated with this event. | keyword |
-| crowdstrike.event.SessionId | Session ID of the remote response session. | keyword |
-| crowdstrike.event.Severity | Severity score of the detection. | integer |
-| crowdstrike.event.SeverityName | Severity score text. | keyword |
-| crowdstrike.event.StartTimestamp | Start time for the remote session in UTC UNIX format. | date |
-| crowdstrike.event.State | Whether the incident summary is open and ongoing or closed. | keyword |
-| crowdstrike.event.Status | CrowdStrike status. | keyword |
-| crowdstrike.event.Success | Indicator of whether or not this event was successful. | boolean |
-| crowdstrike.event.Tactic | MITRE tactic category of the detection. | keyword |
-| crowdstrike.event.Technique | MITRE technique category of the detection. | keyword |
-| crowdstrike.event.Timestamp | Firewall rule triggered timestamp. | date |
-| crowdstrike.event.TreeID | CrowdStrike tree id. | keyword |
-| crowdstrike.event.UTCTimestamp | Timestamp associated with this event in UTC UNIX format. | date |
-| crowdstrike.event.UserId | Email address or user ID associated with the event. | keyword |
-| crowdstrike.event.UserIp | IP address associated with the user. | keyword |
-| crowdstrike.event.UserName | User name associated with the detection. | keyword |
-| crowdstrike.metadata.customerIDString | Customer identifier | keyword |
-| crowdstrike.metadata.eventCreationTime | The time this event occurred on the endpoint in UTC UNIX_MS format. | date |
-| crowdstrike.metadata.eventType | DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent | keyword |
-| crowdstrike.metadata.offset | Offset number that tracks the location of the event in stream. This is used to identify unique detection events. | integer |
-| crowdstrike.metadata.version | Schema version | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`.
| date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome.
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.hash.sha1 | SHA1 hash. | keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer.
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar.
| keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.pid | Process id. | long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event.
| keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-An example event for `falcon` looks as following:
-
-```json
-{
- "@timestamp": "2020-02-12T21:29:10.710Z",
- "agent": {
- "ephemeral_id": "cc9fb403-5b26-4fe7-aefc-41666b9f4575",
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "crowdstrike": {
- "event": {
- "AuditKeyValues": [
- {
- "Key": "APIClientID",
- "ValueString": "1234567890abcdefghijklmnopqr"
- },
- {
- "Key": "partition",
- "ValueString": "0"
- },
- {
- "Key": "offset",
- "ValueString": "-1"
- },
- {
- "Key": "appId",
- "ValueString": "siem-connector-v2.0.0"
- },
- {
- "Key": "eventType",
- "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]"
- }
- ],
- "OperationName": "streamStarted",
- "ServiceName": "Crowdstrike Streaming API",
- "Success": true,
- "UTCTimestamp": "2020-02-12T21:29:10.000Z",
- "UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz",
- "UserIp": "10.10.0.8"
- },
- "metadata": {
- "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
- "eventCreationTime": "2020-02-12T21:29:10.710Z",
- "eventType":
"AuthActivityAuditEvent",
- "offset": 0,
- "version": "1.0"
- }
- },
- "data_stream": {
- "dataset": "crowdstrike.falcon",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "authentication"
- ],
- "dataset": "crowdstrike.falcon",
- "ingested": "2022-05-09T16:35:19Z",
- "kind": "event",
- "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}",
- "outcome": "success",
- "type": [
- "change"
- ]
- },
- "event.action": "stream_started",
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/falcon-audit-events.log"
- },
- "flags": [
- "multiline"
- ],
- "offset": 910
- },
- "message": "Crowdstrike Streaming API",
- "related": {
- "ip": [
- "10.10.0.8"
- ],
- "user": [
- "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz"
- ]
- },
- "source": {
- "ip": "10.10.0.8"
- },
- "tags": [
-
"preserve_original_event", - "forwarded", - "crowdstrike-falcon" - ], - "user": { - "name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - } -} -``` - -### FDR - -The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike -managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is -available in S3. - -This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed -SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket -and the integration can read from there. - -In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic -Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time. - -#### Use with CrowdStrike managed S3/SQS - -This is the simplest way to setup the integration, and also the default. - -You need to set the integration up with the SQS queue URL provided by Crowdstrike FDR. -Ensure the `Is FDR queue` option is enabled. - -#### Use with FDR tool and data replicated to a self-managed S3 bucket - -This option can be used if you want to archive the raw CrowdStrike data. - -You need to follow the steps below: - -- Create a S3 bucket to receive the logs. -- Create a SQS queue. -- Configure your S3 bucket to send object created notifications to your SQS queue. -- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket. -- Configure the integration to read from your self-managed SQS topic. -- Disable the `Is FDR queue` option in the integration. - -> NOTE: While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files. 
- -#### Configuration for the S3 input - -AWS credentials are required for running this integration if you want to use the S3 input. - -##### Configuration parameters -* `access_key_id`: first part of access key. -* `secret_access_key`: second part of access key. -* `session_token`: required when using temporary security credentials. -* `credential_profile_name`: profile name in shared credentials file. -* `shared_credential_file`: directory of the shared credentials file. -* `endpoint`: URL of the entry point for an AWS web service. -* `role_arn`: AWS IAM Role to assume. - -##### Credential Types -There are three types of AWS credentials can be used: - -- access keys, -- temporary security credentials, and -- IAM role ARN. - -##### Access keys - -`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. -They are long-term credentials for an IAM user, or the AWS account root user. -Please see [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) -for more details. - -##### Temporary security credentials - -Temporary security credentials has a limited lifetime and consists of an -access key ID, a secret access key, and a security token which typically returned -from `GetSessionToken`. - -MFA-enabled IAM users would need to submit an MFA code -while calling `GetSessionToken`. `default_region` identifies the AWS Region -whose servers you want to send your first API request to by default. - -This is typically the Region closest to you, but it can be any Region. Please see -[Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) -for more details. - -`sts get-session-token` AWS CLI can be used to generate temporary credentials. -For example. 
with MFA-enabled: -```js -aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456 -``` - -Because temporary security credentials are short term, after they expire, the -user needs to generate new ones and manually update the package configuration in -order to continue collecting `aws` metrics. - -This will cause data loss if the configuration is not updated with new credentials before the old ones expire. - -##### IAM role ARN - -An IAM role is an IAM identity that you can create in your account that has -specific permissions that determine what the identity can and cannot do in AWS. - -A role does not have standard long-term credentials such as a password or access -keys associated with it. Instead, when you assume a role, it provides you with -temporary security credentials for your role session. -IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate -temporary credentials. - -Please see [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details. - -##### Supported Formats -1. Use access keys: Access keys include `access_key_id`, `secret_access_key` -and/or `session_token`. -2. Use `role_arn`: `role_arn` is used to specify which AWS IAM role to assume - for generating temporary credentials. - If `role_arn` is given, the package will check if access keys are given. - If not, the package will check for credential profile name. - If neither is given, default credential profile will be used. - - Please make sure credentials are given under either a credential profile or - access keys. -3. Use `credential_profile_name` and/or `shared_credential_file`: - If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then - the package will check for `credential_profile_name`. 
- If you use different credentials for different tools or applications, you can use profiles to - configure multiple access keys in the same configuration file. - If there is no `credential_profile_name` given, the default profile will be used. - `shared_credential_file` is optional to specify the directory of your shared - credentials file. - If it's empty, the default directory will be used. - In Windows, shared credentials file is at `C:\Users\\.aws\credentials`. - For Linux, macOS or Unix, the file locates at `~/.aws/credentials`. - Please see[Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html) - for more details. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| crowdstrike.AgentLoadFlags | | keyword | -| crowdstrike.AgentLocalTime | | date | -| crowdstrike.AgentTimeOffset | | float | -| crowdstrike.AgentVersion | | keyword | -| crowdstrike.AllocateVirtualMemoryCount | | long | -| crowdstrike.ApiReturnValue | | keyword | -| crowdstrike.ArchiveFileWrittenCount | | long | -| crowdstrike.AsepWrittenCount | | long | -| crowdstrike.AttemptNumber | | long | -| crowdstrike.AuthenticationId | | keyword | -| crowdstrike.AuthenticationPackage | | keyword | -| crowdstrike.AuthenticationUuid | | keyword | -| crowdstrike.AuthenticationUuidAsString | | keyword | -| crowdstrike.BinaryExecutableWrittenCount | | long | -| crowdstrike.BiosManufacturer | | keyword | -| crowdstrike.BiosReleaseDate | | date | -| crowdstrike.BiosVersion | | keyword | -| crowdstrike.BootArgs | | keyword | -| crowdstrike.BootTimeFunctionalityLevel | | keyword | -| crowdstrike.BoundedCount | | long | -| crowdstrike.BundleID | | keyword | -| crowdstrike.CLICreationCount | | long | -| crowdstrike.CallStackModuleNames | | keyword | -| crowdstrike.CallStackModuleNamesVersion | | version | -| crowdstrike.ChannelDiffStatus | | keyword | -| crowdstrike.ChannelId | | 
keyword |
-| crowdstrike.ChannelVersion | | keyword |
-| crowdstrike.ChannelVersionRequired | | keyword |
-| crowdstrike.ChasisManufacturer | | keyword |
-| crowdstrike.ChassisType | | keyword |
-| crowdstrike.ClientComputerName | | keyword |
-| crowdstrike.CompletionEventId | | keyword |
-| crowdstrike.ConHostId | | keyword |
-| crowdstrike.ConHostProcessId | | keyword |
-| crowdstrike.ConfigBuild | | keyword |
-| crowdstrike.ConfigIDBase | | keyword |
-| crowdstrike.ConfigIDBuild | | keyword |
-| crowdstrike.ConfigIDPlatform | | keyword |
-| crowdstrike.ConfigStateData | | keyword |
-| crowdstrike.ConfigStateHash | | keyword |
-| crowdstrike.ConfigurationVersion | | keyword |
-| crowdstrike.ConnectTime | | date |
-| crowdstrike.ConnectType | | keyword |
-| crowdstrike.ConnectionFlags | | keyword |
-| crowdstrike.ContextProcessId | | keyword |
-| crowdstrike.CpuClockSpeed | | keyword |
-| crowdstrike.CpuFeaturesMask | | keyword |
-| crowdstrike.CpuProcessorName | | keyword |
-| crowdstrike.CpuSignature | | keyword |
-| crowdstrike.CpuVendor | | keyword |
-| crowdstrike.CreateProcessCount | | long |
-| crowdstrike.CreateProcessType | | keyword |
-| crowdstrike.CurrentFunctionalityLevel | | keyword |
-| crowdstrike.CycleTime | | long |
-| crowdstrike.DesiredAccess | | keyword |
-| crowdstrike.DeviceId | | keyword |
-| crowdstrike.DirectoryCreatedCount | | long |
-| crowdstrike.DirectoryEnumeratedCount | | long |
-| crowdstrike.DnsRequestCount | | long |
-| crowdstrike.DocumentFileWrittenCount | | long |
-| crowdstrike.DownloadPath | | keyword |
-| crowdstrike.DownloadPort | | long |
-| crowdstrike.DownloadServer | | keyword |
-| crowdstrike.DualRequest | | keyword |
-| crowdstrike.ELFSubType | | keyword |
-| crowdstrike.EffectiveTransmissionClass | | keyword |
-| crowdstrike.EnabledPrivilegesBitmask | | keyword |
-| crowdstrike.Entitlements | | keyword |
-| crowdstrike.ErrorCode | | keyword |
-| crowdstrike.ErrorStatus | | keyword |
-| crowdstrike.EtwRawThreadId | |
long |
-| crowdstrike.ExeAndServiceCount | | long |
-| crowdstrike.ExecutableDeletedCount | | long |
-| crowdstrike.FXFileSize | | keyword |
-| crowdstrike.Facility | | keyword |
-| crowdstrike.FailedConnectCount | | long |
-| crowdstrike.FalconGroupingTags | | keyword |
-| crowdstrike.FeatureExtractionVersion | | keyword |
-| crowdstrike.FeatureVector | | keyword |
-| crowdstrike.File | | keyword |
-| crowdstrike.FileAttributes | | keyword |
-| crowdstrike.FileDeletedCount | | long |
-| crowdstrike.FileEcpBitmask | | keyword |
-| crowdstrike.FileObject | | keyword |
-| crowdstrike.FirmwareAnalysisEclConsumerInterfaceVersion | | keyword |
-| crowdstrike.FirmwareAnalysisEclControlInterfaceVersion | | keyword |
-| crowdstrike.FirstSeen | | date |
-| crowdstrike.Flags | | keyword |
-| crowdstrike.GenericFileWrittenCount | | long |
-| crowdstrike.GrandParentBaseFileName | | keyword |
-| crowdstrike.HostHiddenStatus | | keyword |
-| crowdstrike.IOServiceClass | | keyword |
-| crowdstrike.IOServiceName | | keyword |
-| crowdstrike.IOServicePath | | keyword |
-| crowdstrike.ImageSubsystem | | keyword |
-| crowdstrike.InContext | | keyword |
-| crowdstrike.InDiscards | | keyword |
-| crowdstrike.InErrors | | keyword |
-| crowdstrike.InMulticastPkts | | keyword |
-| crowdstrike.InOctets | | keyword |
-| crowdstrike.InUcastPkts | | keyword |
-| crowdstrike.InUnknownProtos | | keyword |
-| crowdstrike.Information | | keyword |
-| crowdstrike.InjectedDllCount | | long |
-| crowdstrike.InjectedThreadCount | | long |
-| crowdstrike.IntegrityLevel | | keyword |
-| crowdstrike.InterfaceAlias | | keyword |
-| crowdstrike.InterfaceGuid | | keyword |
-| crowdstrike.InterfaceIndex | | long |
-| crowdstrike.InterfaceType | | keyword |
-| crowdstrike.InterfaceVersion | | keyword |
-| crowdstrike.IrpFlags | | keyword |
-| crowdstrike.IsOnNetwork | | keyword |
-| crowdstrike.IsOnRemovableDisk | | keyword |
-| crowdstrike.IsTransactedFile | | keyword |
-| crowdstrike.KernelTime | | long |
-| crowdstrike.LfoUploadFlags | | keyword |
-| crowdstrike.LightningLatencyState | | keyword |
-| crowdstrike.Line | | keyword |
-| crowdstrike.LogicalCoreCount | | long |
-| crowdstrike.LoginSessionId | | keyword |
-| crowdstrike.LogoffTime | | date |
-| crowdstrike.LogonDomain | | keyword |
-| crowdstrike.LogonId | | keyword |
-| crowdstrike.LogonServer | | keyword |
-| crowdstrike.LogonTime | | date |
-| crowdstrike.LogonType | | keyword |
-| crowdstrike.MLModelVersion | | keyword |
-| crowdstrike.MachOSubType | | keyword |
-| crowdstrike.MajorFunction | | keyword |
-| crowdstrike.MajorVersion | | keyword |
-| crowdstrike.Malicious | | keyword |
-| crowdstrike.MaxThreadCount | | long |
-| crowdstrike.MemoryTotal | | keyword |
-| crowdstrike.MicrocodeSignature | | keyword |
-| crowdstrike.MinorFunction | | keyword |
-| crowdstrike.MinorVersion | | keyword |
-| crowdstrike.MoboManufacturer | | keyword |
-| crowdstrike.MoboProductName | | keyword |
-| crowdstrike.ModelPrediction | | keyword |
-| crowdstrike.ModuleLoadCount | | long |
-| crowdstrike.NDRoot | | keyword |
-| crowdstrike.NeighborList | | keyword |
-| crowdstrike.NetLuidIndex | | long |
-| crowdstrike.NetworkBindCount | | long |
-| crowdstrike.NetworkCapableAsepWriteCount | | long |
-| crowdstrike.NetworkCloseCount | | long |
-| crowdstrike.NetworkConnectCount | | long |
-| crowdstrike.NetworkConnectCountUdp | | long |
-| crowdstrike.NetworkContainmentState | | keyword |
-| crowdstrike.NetworkListenCount | | long |
-| crowdstrike.NetworkModuleLoadCount | | long |
-| crowdstrike.NetworkRecvAcceptCount | | long |
-| crowdstrike.NewExecutableWrittenCount | | long |
-| crowdstrike.NewFileIdentifier | | keyword |
-| crowdstrike.OSVersionFileData | | keyword |
-| crowdstrike.OSVersionFileName | | keyword |
-| crowdstrike.OU | | keyword |
-| crowdstrike.OperationFlags | | keyword |
-| crowdstrike.Options | | keyword |
-| crowdstrike.OutErrors | | keyword |
-| crowdstrike.OutMulticastPkts | | keyword |
-|
crowdstrike.OutOctets | | keyword |
-| crowdstrike.OutUcastPkts | | keyword |
-| crowdstrike.Parameter1 | | keyword |
-| crowdstrike.Parameter2 | | keyword |
-| crowdstrike.Parameter3 | | keyword |
-| crowdstrike.ParentAuthenticationId | | keyword |
-| crowdstrike.PasswordLastSet | | keyword |
-| crowdstrike.PciAttachmentState | | keyword |
-| crowdstrike.PhysicalAddressLength | | long |
-| crowdstrike.PhysicalCoreCount | | long |
-| crowdstrike.PointerSize | | keyword |
-| crowdstrike.PreviousConnectTime | | date |
-| crowdstrike.PrivilegedProcessHandleCount | | long |
-| crowdstrike.PrivilegesBitmask | | keyword |
-| crowdstrike.ProcessCount | | long |
-| crowdstrike.ProcessCreateFlags | | keyword |
-| crowdstrike.ProcessParameterFlags | | keyword |
-| crowdstrike.ProcessSxsFlags | | keyword |
-| crowdstrike.ProcessorPackageCount | | long |
-| crowdstrike.ProductType | | keyword |
-| crowdstrike.ProtectVirtualMemoryCount | | long |
-| crowdstrike.ProvisionState | | keyword |
-| crowdstrike.PupAdwareConfidence | | keyword |
-| crowdstrike.PupAdwareDecisionValue | | keyword |
-| crowdstrike.QueueApcCount | | long |
-| crowdstrike.RFMState | | keyword |
-| crowdstrike.RGID | | keyword |
-| crowdstrike.RUID | | keyword |
-| crowdstrike.ReasonOfFunctionalityLevel | | keyword |
-| crowdstrike.RegKeySecurityDecreasedCount | | long |
-| crowdstrike.RemoteAccount | | keyword |
-| crowdstrike.RemovableDiskFileWrittenCount | | long |
-| crowdstrike.RequestType | | keyword |
-| crowdstrike.RpcClientProcessId | | keyword |
-| crowdstrike.RpcClientThreadId | | keyword |
-| crowdstrike.RpcNestingLevel | | keyword |
-| crowdstrike.RpcOpNum | | keyword |
-| crowdstrike.RunDllInvocationCount | | long |
-| crowdstrike.SVGID | | keyword |
-| crowdstrike.SVUID | | keyword |
-| crowdstrike.ScreenshotsTakenCount | | long |
-| crowdstrike.ScriptEngineInvocationCount | | long |
-| crowdstrike.SensorGroupingTags | | keyword |
-| crowdstrike.SensorStateBitMap | | keyword |
-|
crowdstrike.ServiceDisplayName | | keyword |
-| crowdstrike.ServiceEventCount | | long |
-| crowdstrike.ServicePackMajor | | keyword |
-| crowdstrike.SessionId | | keyword |
-| crowdstrike.SessionProcessId | | keyword |
-| crowdstrike.SetThreadContextCount | | long |
-| crowdstrike.ShareAccess | | keyword |
-| crowdstrike.SiteName | | keyword |
-| crowdstrike.Size | | long |
-| crowdstrike.SnapshotFileOpenCount | | long |
-| crowdstrike.SourceFileName | | keyword |
-| crowdstrike.SourceProcessId | | keyword |
-| crowdstrike.SourceThreadId | | keyword |
-| crowdstrike.Status | | keyword |
-| crowdstrike.SubStatus | | keyword |
-| crowdstrike.SuppressType | | keyword |
-| crowdstrike.SuspectStackCount | | long |
-| crowdstrike.SuspiciousCredentialModuleLoadCount | | long |
-| crowdstrike.SuspiciousDnsRequestCount | | long |
-| crowdstrike.SuspiciousFontLoadCount | | long |
-| crowdstrike.SuspiciousRawDiskReadCount | | long |
-| crowdstrike.SyntheticPR2Flags | | keyword |
-| crowdstrike.SystemManufacturer | | keyword |
-| crowdstrike.SystemProductName | | keyword |
-| crowdstrike.SystemSerialNumber | | keyword |
-| crowdstrike.SystemSku | | keyword |
-| crowdstrike.SystemTableIndex | | long |
-| crowdstrike.Tags | | keyword |
-| crowdstrike.TargetFileName | | keyword |
-| crowdstrike.TargetThreadId | | keyword |
-| crowdstrike.Time | | date |
-| crowdstrike.Timeout | | long |
-| crowdstrike.TokenType | | keyword |
-| crowdstrike.USN | | keyword |
-| crowdstrike.UnixMode | | keyword |
-| crowdstrike.UnsignedModuleLoadCount | | long |
-| crowdstrike.UploadId | | keyword |
-| crowdstrike.UserFlags | | keyword |
-| crowdstrike.UserGroupsBitmask | | keyword |
-| crowdstrike.UserLogoffType | | keyword |
-| crowdstrike.UserLogonFlags | | keyword |
-| crowdstrike.UserMemoryAllocateExecutableCount | | long |
-| crowdstrike.UserMemoryAllocateExecutableRemoteCount | | long |
-| crowdstrike.UserMemoryProtectExecutableCount | | long |
-|
crowdstrike.UserMemoryProtectExecutableRemoteCount | | long | -| crowdstrike.UserSid | | keyword | -| crowdstrike.UserTime | | long | -| crowdstrike.VerifiedCertificate | | keyword | -| crowdstrike.VnodeModificationType | | keyword | -| crowdstrike.VnodeType | | keyword | -| crowdstrike.VolumeAppearanceTime | | keyword | -| crowdstrike.VolumeBusName | | keyword | -| crowdstrike.VolumeBusPath | | keyword | -| crowdstrike.VolumeDeviceCharacteristics | | keyword | -| crowdstrike.VolumeDeviceInternal | | keyword | -| crowdstrike.VolumeDeviceModel | | keyword | -| crowdstrike.VolumeDeviceObjectFlags | | keyword | -| crowdstrike.VolumeDevicePath | | keyword | -| crowdstrike.VolumeDeviceProtocol | | keyword | -| crowdstrike.VolumeDeviceRevision | | keyword | -| crowdstrike.VolumeDeviceType | | keyword | -| crowdstrike.VolumeDriveLetter | | keyword | -| crowdstrike.VolumeFileSystemDevice | | keyword | -| crowdstrike.VolumeFileSystemDriver | | keyword | -| crowdstrike.VolumeFileSystemType | | keyword | -| crowdstrike.VolumeIsEncrypted | | keyword | -| crowdstrike.VolumeIsNetwork | | keyword | -| crowdstrike.VolumeMediaBSDMajor | | keyword | -| crowdstrike.VolumeMediaBSDMinor | | keyword | -| crowdstrike.VolumeMediaBSDName | | keyword | -| crowdstrike.VolumeMediaBSDUnit | | keyword | -| crowdstrike.VolumeMediaContent | | keyword | -| crowdstrike.VolumeMediaEjectable | | keyword | -| crowdstrike.VolumeMediaName | | keyword | -| crowdstrike.VolumeMediaPath | | keyword | -| crowdstrike.VolumeMediaRemovable | | keyword | -| crowdstrike.VolumeMediaSize | | keyword | -| crowdstrike.VolumeMediaUUID | | keyword | -| crowdstrike.VolumeMediaWhole | | keyword | -| crowdstrike.VolumeMediaWritable | | keyword | -| crowdstrike.VolumeMountPoint | | keyword | -| crowdstrike.VolumeName | | keyword | -| crowdstrike.VolumeRealDeviceName | | keyword | -| crowdstrike.VolumeSectorSize | | keyword | -| crowdstrike.VolumeType | | keyword | -| crowdstrike.VolumeUUID | | keyword | -| 
crowdstrike.WindowFlags | | keyword | -| crowdstrike.cid | | keyword | -| crowdstrike.name | | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. 
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.device | Device that is the source of the file. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| input.type | | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. 
It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.address | | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.continent_name | Name of the continent. | keyword | -| observer.geo.country_iso_code | Country ISO code. | keyword | -| observer.geo.country_name | Country name. 
| keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| observer.geo.region_iso_code | Region ISO code. | keyword | -| observer.geo.region_name | Region name. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| os.version | Operating system version as a raw string. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.end | The time the process ended. | date | -| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| process.thread.id | Thread ID. | long | -| process.title | Process title. The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| process.uptime | Seconds the process has been up. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | - - -An example event for `fdr` looks as following: - -```json -{ - "@timestamp": "2020-11-08T09:58:32.519Z", - "agent": { - "ephemeral_id": "8cb3a21e-5542-440a-a909-8a2f161001ba", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "crowdstrike": { - "ConfigStateHash": "1763245019", - "DesiredAccess": "1179785", - "EffectiveTransmissionClass": "3", - "Entitlements": "15", - "FileAttributes": "0", - "FileObject": "18446670458156489088", - "Information": "1", - "IrpFlags": "2180", - "MajorFunction": "0", - "MinorFunction": "0", - "OperationFlags": "0", - "Options": "16777312", - "ShareAccess": "5", - "Status": "0", - "cid": "ffffffff30a3407dae27d0503611022d", - "name": "RansomwareOpenFileV4" - }, - "data_stream": { - "dataset": "crowdstrike.fdr", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "RansomwareOpenFile", - "agent_id_status": "verified", - "category": [ - "file" - ], - "created": "2020-11-08T17:07:22.091Z", - "dataset": "crowdstrike.fdr", - "id": "ffffffff-1111-11eb-9756-06fe7f8f682f", - "ingested": "2022-05-09T16:39:37Z", - "kind": "alert", - "original": 
"{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", - "outcome": "success", - "timezone": "+00:00", - "type": [ - "access" - ] - }, - "file": { - "directory": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads", - "extension": "pptx", - "inode": "7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00", - "name": "file.pptx", - "path": "\\Device\\HarddiskVolume3\\Users\\user11\\Downloads\\file.pptx", - "type": "file" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/fdr-sample.log" - }, - "offset": 95203 - }, - "observer": { - "address": "67.43.156.14", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.14", - "serial_number": "ffffffffac4148947ed68497e89f3308", - "type": "agent", - "vendor": "crowdstrike", - "version": "1007.3.0011603.1" - }, - "os": { - "type": "windows" - }, - "process": { - "entity_id": "1016182570608", - "thread": { - "id": 37343520154472 - } - }, - "related": { 
- "hash": [ - "1763245019" - ], - "hosts": [ - "67.43.156.14" - ], - "ip": [ - "67.43.156.14" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "crowdstrike-fdr" - ], - "url": { - "scheme": "http" - } -} -``` diff --git a/packages/crowdstrike/1.3.4/img/fdr-overview.png b/packages/crowdstrike/1.3.4/img/fdr-overview.png deleted file mode 100755 index a960bc3781..0000000000 Binary files a/packages/crowdstrike/1.3.4/img/fdr-overview.png and /dev/null differ diff --git a/packages/crowdstrike/1.3.4/img/logo-integrations-crowdstrike.svg b/packages/crowdstrike/1.3.4/img/logo-integrations-crowdstrike.svg deleted file mode 100755 index 1b2195a224..0000000000 --- a/packages/crowdstrike/1.3.4/img/logo-integrations-crowdstrike.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/crowdstrike/1.3.4/img/siem-alerts-cs.jpg b/packages/crowdstrike/1.3.4/img/siem-alerts-cs.jpg deleted file mode 100755 index b74edfe229..0000000000 Binary files a/packages/crowdstrike/1.3.4/img/siem-alerts-cs.jpg and /dev/null differ diff --git a/packages/crowdstrike/1.3.4/img/siem-events-cs.jpg b/packages/crowdstrike/1.3.4/img/siem-events-cs.jpg deleted file mode 100755 index 9839f73821..0000000000 Binary files a/packages/crowdstrike/1.3.4/img/siem-events-cs.jpg and /dev/null differ diff --git a/packages/crowdstrike/1.3.4/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json b/packages/crowdstrike/1.3.4/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json deleted file mode 100755 index a8960ff152..0000000000 --- a/packages/crowdstrike/1.3.4/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "Summarised overview for Crowdstrike FDR events.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"0307e118-9fac-4923-ad6e-b588a8bd939f\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"observer.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"4c8af7e5-4ec6-43de-84ea-8df092cea5f8\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"6b7c69d1-9248-4af3-b437-0abcef344b67\\\",\\\"label\\\":\\\"Agent 
locations\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"0314931e-5e8d-4609-be8a-b478a6afed11\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"c
olor\\\":\\\"#494193\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"1b3c966b-6756-41dc-8875-a936e36dd0c2\\\",\\\"label\\\":\\\"Connections\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15M\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\
\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":25.7461,\"lon\":0,\"zoom\":0.73},\"openTOCDetails\":[]},\"gridData\":{\"h\":17,\"i\":\"26961648-cc31-4ed6-a378-698523307b21\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"26961648-cc31-4ed6-a378-698523307b21\",\"title\":\"Agents and connections\",\"type\":\"map\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1928976e-020d-48bd-9887-d9fd1925f69e\":{\"columnOrder\":[\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"5ec733a8-d11d-472d-9328-3c48b41a17ac\"],\"columns\":{\"5ec733a8-d11d-472d-9328-3c48b41a17ac\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7aaadac8-55b7-4979-9bf1-b02a9673b502\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
events\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":true,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7aaadac8-55b7-4979-9bf1-b02a9673b502\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"5ec733a8-d11d-472d-9328-3c48b41a17ac\",\"isTransposed\":false,\"summaryRow\":\"none\"}],\"layerId\":\"1928976e-020d-48bd-9887-d9fd1925f69e\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"w\":10,\"x\":16,\"y\":0},\"panelIndex\":\"7564f2a4-7167-4d71-8ce2-ece32f217487\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"085f4952-432b-4bd3-9740-e99f42a7877b\":{\"columnOrder\":[\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"0a3ada5d-923b-461b-8885-e7fdcd948034\"],\"columns\":{\"0a3ada5d-923b-461b-8885-e7fdcd948034\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"DnsRequest\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"DnsRequest\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"20a2e92b-1ebe-4ed0-b3ab-b446bd60edfd\",\"isTransposed\":false},{\"alignment\":\"center\",\"columnId\":\"0a3ada5d-923b-461b-8885-e7fdcd948034\",\"isTransposed\":false}],\"layerId\":\"085f4952-432b-4bd3-9740-e99f42a7877b\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"w\":9,\"x\":26,\"y\":9},\"panelIndex\":\"396c3ab7-572c-41dc-af21-e8d3d6ad3fe0\",\"title\":\"Top DNS 
queries\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"880420b9-97fb-4f5a-8dd2-36f95cb02182\":{\"columnOrder\":[\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"c90d7c88-034f-42f4-94d2-605ae294940e\"],\"columns\":{\"45f3413c-e658-43ec-bf3a-ad25977fb32c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"c90d7c88-034f-42f4-94d2-605ae294940e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"45f3413c-e658-43ec-bf3a-ad25977fb32c\",\"isTransposed\":false},{\"columnId\":\"c90d7c88-034f-42f4-94d2-605ae294940e\",\"hidden\":false,\"isTransposed\":false}],\"layerId\":\"880420b9-97fb-4f5a-8dd2-36f95cb02182\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e48dfc31-ef5f-4696-904c-c5320e8dcac9\",\"title\":\"Top 
users\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\":{\"columnOrder\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\",\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\"],\"columns\":{\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of dns.question.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"dns.question.type\"},\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3f895fa6-e7e2-4ad8-83bc-e476954007b0\"],\"layerId\":\"a3aa7199-d806-4c69-afd1-ae1cbfa7865e\",\"legendDisplay\":\"default\",\"metric\":\"ce4ef8ef-9113-46dc-9026-40fe66f609aa\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"757dd906-982e-437f-aac0-b090310b9288\",\"w\":9,\"x\":26,\"y\":20},\"panelIndex\":\"757dd906-982e-437f-aac0-b090310b9288\",\"title\":\"DNS query 
types\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8088761-74a6-433a-a405-f26c709cebe3\":{\"columnOrder\":[\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\"],\"columns\":{\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"file.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"file.name\"},\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"97e2d50d-d871-4922-b0f8-2d50b2ace84a\",\"isTransposed\":false},{\"columnId\":\"bbbbf917-0caa-41ee-89dc-18ea0f8bcfe3\",\"isTransposed\":false}],\"layerId\":\"c8088761-74a6-433a-a405-f26c709cebe3\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"w\":13,\"x\":35,\"y\":12},\"panelIndex\":\"355965cd-eb00-4357-bdd8-1640627d1191\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"911bafb0-aeb7-4830-8a40-6166c96fb123\":{\"columnOrder\":[\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\",\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"columns\":{\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2c75b3a9-1b14-42d5-a8d0-44e461d4afab\"],\"layerId\":\"911bafb0-aeb7-4830-8a40-6166c96fb123\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"3c0eeb61-8b82-44b3-aba7-66c5b08fe8a9\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"w\":26,\"x\":0,\"y\":17},\"panelIndex\":\"0325f703-a3cc-4a43-b621-974baae08c00\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\":{\"columnOrder\":[\"b00df131-3742-4fa3-8645-032847f0266b\",\"b89debc2-4203-43c7-ba15-6612030f67bd\"],\"columns\":{\"b00df131-3742-4fa3-8645-032847f0266b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
alerts\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"b89debc2-4203-43c7-ba15-6612030f67bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"crowdstrike.fdr\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b00df131-3742-4fa3-8645-032847f0266b\",\"isTransposed\":false},{\"columnId\":\"b89debc2-4203-43c7-ba15-6612030f67bd\",\"isTransposed\":false}],\"layerId\":\"35e353f8-fd89-43a0-ad8c-c5d202f098d2\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"w\":9,\"x\":26,\"y\":0},\"panelIndex\":\"32c13eb0-f12d-44d8-8ec4-ea778840fabf\",\"type\":\"lens\",\"version\":\"7.15.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Crowdstrike] FDR Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "26961648-cc31-4ed6-a378-698523307b21:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "26961648-cc31-4ed6-a378-698523307b21:layer_2_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:indexpattern-datasource-layer-1928976e-020d-48bd-9887-d9fd1925f69e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7564f2a4-7167-4d71-8ce2-ece32f217487:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:indexpattern-datasource-layer-085f4952-432b-4bd3-9740-e99f42a7877b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "396c3ab7-572c-41dc-af21-e8d3d6ad3fe0:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e48dfc31-ef5f-4696-904c-c5320e8dcac9:indexpattern-datasource-layer-880420b9-97fb-4f5a-8dd2-36f95cb02182", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "757dd906-982e-437f-aac0-b090310b9288:indexpattern-datasource-layer-a3aa7199-d806-4c69-afd1-ae1cbfa7865e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "355965cd-eb00-4357-bdd8-1640627d1191:indexpattern-datasource-layer-c8088761-74a6-433a-a405-f26c709cebe3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"0325f703-a3cc-4a43-b621-974baae08c00:indexpattern-datasource-layer-911bafb0-aeb7-4830-8a40-6166c96fb123", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:indexpattern-datasource-layer-35e353f8-fd89-43a0-ad8c-c5d202f098d2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32c13eb0-f12d-44d8-8ec4-ea778840fabf:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/crowdstrike/1.3.4/manifest.yml b/packages/crowdstrike/1.3.4/manifest.yml deleted file mode 100755 index d188e5438b..0000000000 --- a/packages/crowdstrike/1.3.4/manifest.yml +++ /dev/null 
@@ -1,42 +0,0 @@
-name: crowdstrike
-title: CrowdStrike Logs
-version: "1.3.4"
-description: Collect and parse falcon logs from Crowdstrike products with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-release: ga
-conditions:
- kibana.version: "^7.17.0 || ^8.0.0"
-icons:
- - src: /img/logo-integrations-crowdstrike.svg
- title: CrowdStrike
- size: 216x216
- type: image/svg+xml
-screenshots:
- - src: /img/siem-alerts-cs.jpg
- title: CrowdStrike SIEM Alerts
- size: 3360x1776
- type: image/jpg
- - src: /img/siem-events-cs.jpg
- title: CrowdStrike SIEM Events
- size: 3360x1776
- type: image/jpg
- - src: /img/fdr-overview.png
- title: CrowdStrike FDR Overview
- size: 1535x626
- type: image/png
-policy_templates:
- - name: crowdstrike
- title: CrowdStrike
- description: Collect logs from CrowdStrike Falcon and FDR
- inputs:
- - type: logfile
- title: "Collect CrowdStrike Falcon and FDR logs (input: logfile)"
- description: "Collecting logs from CrowdStrike Falcon and FDR (input: logfile)"
- - type: aws-s3
- title: "Collect CrowdStrike Falcon Data Replicator logs (input: aws-s3)"
- description: "Collecting logs from CrowdStrike Falcon Data Replicator (input: aws-s3)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/fireeye/1.4.0/changelog.yml b/packages/fireeye/1.4.0/changelog.yml
deleted file mode 100755
index 7acd6dcf3c..0000000000
--- a/packages/fireeye/1.4.0/changelog.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-- version: "1.4.0"
- changes:
- - description: Add JA3/JA3S to `related.hash`
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3440
-- version: "1.3.1"
- changes:
- - description: Move invalid field value in sample event file
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3331
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.2.4"
- changes:
- - description: Move invalid field values
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3099
-- version: "1.2.3"
- changes:
- - description: Fix typo in config template for ignoring host enrichment
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3092
-- version: "1.2.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.1"
- changes:
- - description: Fix field mappings for `dns.id` and `network.iana_number`
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2892
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2404
-- version: "1.1.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.1.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.1.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2225
-- version: "1.0.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1887
diff --git a/packages/fireeye/1.4.0/data_stream/nx/agent/stream/stream.yml.hbs b/packages/fireeye/1.4.0/data_stream/nx/agent/stream/stream.yml.hbs
deleted file mode 100755
index 2926520e1b..0000000000
--- a/packages/fireeye/1.4.0/data_stream/nx/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,17 +0,0 @@
-paths:
-{{#each paths as |path i|}}
-- {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
-- preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.4.0/data_stream/nx/agent/stream/tcp.yml.hbs b/packages/fireeye/1.4.0/data_stream/nx/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 4cd8124d92..0000000000
--- a/packages/fireeye/1.4.0/data_stream/nx/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,19 +0,0 @@
-tcp:
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
-- preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-fields_under_root: true
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.4.0/data_stream/nx/agent/stream/udp.yml.hbs b/packages/fireeye/1.4.0/data_stream/nx/agent/stream/udp.yml.hbs
deleted file mode 100755
index 405544b01a..0000000000
--- a/packages/fireeye/1.4.0/data_stream/nx/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,19 +0,0 @@
-udp:
-host: "{{udp_host}}:{{udp_port}}"
-tags:
-{{#if preserve_original_event}}
-- preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-fields_under_root: true
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/fireeye/1.4.0/data_stream/nx/elasticsearch/ingest_pipeline/default.yml b/packages/fireeye/1.4.0/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4e8f31ac8e..0000000000
--- a/packages/fireeye/1.4.0/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,185 +0,0 @@
----
-description: Pipeline for processing FireEye NX logs
-processors:
- - set:
- field: ecs.version
- value: "8.2.0"
- - set:
- field: observer.vendor
- value: "Fireeye"
- - set:
- field: observer.product
- value: "NX"
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - json:
- field: json.rawmsg
- target_field: rawmsg
- ignore_failure: true
- # rename raw fields
- - pipeline:
- name: '{{ IngestPipeline "renaming-raws" }}'
- - date:
- field: temp_ts
- formats:
- - strict_date_optional_time_nanos
- - remove:
- field: temp_ts
- - geoip:
- field: destination.address
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.address
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.address
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.address
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - user_agent:
- field: user_agent.original
- ignore_missing: true
-
- - append:
- field: event.category
- value: network
- if: "['dns', 'flow', 'tls'].contains(ctx?.event?.type)"
- - append:
- field: event.category
- value: [web, network]
- if: ctx?.event?.type == 'http'
- - append:
- field: event.category
- value: [file, network]
- if: ctx?.event?.type == 'fileinfo'
- - set:
-
field: event.type
- value: [info]
-
- #
- # Normalize protocol names
- #
- - lowercase:
- field: "network.transport"
- ignore_missing: true
- - lowercase:
- field: "network.protocol"
- ignore_missing: true
- - lowercase:
- field: "network.direction"
- ignore_missing: true
- - lowercase:
- field: "network.type"
- ignore_missing: true
- #
- # Populate network.iana_number from network.transport. Also does reverse
- # mapping in case network.transport contains the iana_number.
- #
- - script:
- if: "ctx?.network?.transport != null"
- lang: painless
- params:
- icmp: '1'
- igmp: '2'
- ipv4: '4'
- tcp: '6'
- egp: '8'
- igp: '9'
- pup: '12'
- udp: '17'
- rdp: '27'
- irtp: '28'
- dccp: '33'
- idpr: '35'
- ipv6: '41'
- ipv6-route: '43'
- ipv6-frag: '44'
- rsvp: '46'
- gre: '47'
- esp: '50'
- ipv6-icmp: '58'
- ipv6-nonxt: '59'
- ipv6-opts: '60'
- source: >
- def net = ctx.network;
- def iana = params[net.transport];
- if (iana != null) {
- net['iana_number'] = iana;
- return;
- }
- def reverse = new HashMap();
- def[] arr = new def[] { null };
- for (entry in params.entrySet()) {
- arr[0] = entry.getValue();
- reverse.put(String.format("%d", arr), entry.getKey());
- }
- def trans = reverse[net.transport];
- if (trans != null) {
- net['iana_number'] = net.transport;
- net['transport'] = trans;
- }
- - community_id:
- target_field: network.community_id
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx.source?.ip != null
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx.destination?.ip != null
- - append:
- field: related.hash
- value: "{{tls.server.ja3s}}"
- if: "ctx?.tls?.server?.ja3s != null"
- - append:
- field: related.hash
- value: "{{tls.client.ja3}}"
- if: "ctx?.tls?.client?.ja3 != null"
- allow_duplicates: false
- - remove:
- field:
- - rawmsg
- - json
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fireeye/1.4.0/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml b/packages/fireeye/1.4.0/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml
deleted file mode 100755
index 6009b81d76..0000000000
--- a/packages/fireeye/1.4.0/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml
+++ /dev/null
@@ -1,464 +0,0 @@
----
-description: Pipeline for renaming raw fields from incoming event original.
-processors:
- - rename:
- field: rawmsg.timestamp
- target_field: temp_ts
- ignore_missing: true
- - rename:
- field: rawmsg.proto
- target_field: network.transport
- ignore_missing: true
- - rename:
- field: rawmsg.app_proto
- target_field: network.protocol
- ignore_missing: true
- - rename:
- field: rawmsg.flow_id
- target_field: fireeye.nx.flow_id
- ignore_missing: true
- - rename:
- field: rawmsg.event_type
- target_field: event.type
- ignore_missing: true
- - rename:
- field: rawmsg.src_ip
- target_field: source.address
- ignore_missing: true
- - set:
- field: source.ip
- copy_from: source.address
- ignore_empty_value: true
- - rename:
- field: rawmsg.src_port
- target_field: source.port
- ignore_missing: true
- - rename:
- field: rawmsg.dest_ip
- target_field: destination.address
- ignore_missing: true
- - set:
- field: destination.ip
- copy_from: destination.address
- ignore_empty_value: true
- - rename:
- field: rawmsg.dest_port
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: meta_sip4
- target_field: fireeye.nx.device_ip
- ignore_missing: true
- - rename:
- field: meta_oml
- target_field: fireeye.nx.device_oml
- ignore_missing: true
- - rename:
- field: deviceid
- target_field: fireeye.nx.deviceid
- ignore_missing: true
- - rename:
- field: meta_cbname
- target_field: fireeye.nx.hostname
- ignore_missing: true
- # flow event type fields
- - rename:
- field: rawmsg.proto_number
- target_field: network.iana_number
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.pkts_toserver
- target_field: source.packets
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.pkts_toclient
- target_field: destination.packets
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.bytes_toserver
- target_field: source.bytes
- if:
ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.bytes_toclient
- target_field: destination.bytes
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.start
- target_field: fireeye.nx.flow.starttime
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.end
- target_field: fireeye.nx.flow.endtime
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.age
- target_field: fireeye.nx.flow.age
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.state
- target_field: fireeye.nx.flow.state
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.reason
- target_field: fireeye.nx.flow.reason
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.flow.alerted
- target_field: fireeye.nx.flow.alerted
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.tcp
- target_field: fireeye.nx.tcp
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.icmp_code
- target_field: fireeye.nx.flow.icmp_code
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.icmp_type
- target_field: fireeye.nx.flow.icmp_type
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.response_icmp_code
- target_field: fireeye.nx.flow.response_icmp_code
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- - rename:
- field: rawmsg.response_icmp_type
- target_field: fireeye.nx.flow.response_icmp_type
- if: ctx?.event?.type == 'flow'
- ignore_missing: true
- # fileinfo event type fields
- - rename:
- field: rawmsg.fileinfo.filename
- target_field: fireeye.nx.fileinfo.filename
- if: ctx?.event?.type == 'fileinfo'
- ignore_missing: true
- - rename:
- field: rawmsg.fileinfo.magic
- target_field: fireeye.nx.fileinfo.magic
- if: ctx?.event?.type == 'fileinfo'
-
ignore_missing: true - - rename: - field: rawmsg.fileinfo.md5 - target_field: fireeye.nx.fileinfo.md5 - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.fileinfo.size - target_field: fireeye.nx.fileinfo.size - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.fileinfo.state - target_field: fireeye.nx.fileinfo.state - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.fileinfo.stored - target_field: fireeye.nx.fileinfo.stored - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.hostname - target_field: url.domain - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.http_content_type - target_field: http.request.mime_type - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.http_method - target_field: http.request.method - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.http_refer - target_field: http.request.referrer - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.http_user_agent - target_field: user_agent.original - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.length - target_field: http.response.bytes - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.protocol - target_field: http.version - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.status - target_field: http.response.status_code - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.http.url - target_field: url.path - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - - rename: - field: rawmsg.iface - target_field: interface.name - if: ctx?.event?.type == 'fileinfo' - ignore_missing: true - # http event type fields - - rename: 
- field: rawmsg.http.hostname - target_field: url.domain - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.http_content_type - target_field: http.request.mime_type - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.http_method - target_field: http.request.method - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.http_refer - target_field: http.request.referrer - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.http_user_agent - target_field: user_agent.original - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.length - target_field: http.response.bytes - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.protocol - target_field: http.version - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.status - target_field: http.response.status_code - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.url - target_field: url.path - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.iface - target_field: interface.name - if: ctx?.event?.type == 'http' - ignore_missing: true - # http event type fields - - rename: - field: rawmsg.http.hostname - target_field: url.domain - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.http_content_type - target_field: http.request.mime_type - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.http_method - target_field: http.request.method - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.http_refer - target_field: http.request.referrer - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.http_user_agent - target_field: user_agent.original - if: ctx?.event?.type == 
'http' - ignore_missing: true - - rename: - field: rawmsg.http.length - target_field: http.response.bytes - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.protocol - target_field: http.version - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.status - target_field: http.response.status_code - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.http.url - target_field: url.path - if: ctx?.event?.type == 'http' - ignore_missing: true - - rename: - field: rawmsg.iface - target_field: interface.name - if: ctx?.event?.type == 'http' - ignore_missing: true - # dns event type fields - - convert: - field: rawmsg.dns.id - target_field: dns.id - type: string - if: ctx?.event?.type == 'dns' - ignore_missing: true - - rename: - field: rawmsg.dns.rcode - target_field: dns.response_code - if: ctx?.event?.type == 'dns' - ignore_missing: true - - rename: - field: rawmsg.dns.rdata - target_field: dns.resolved_data - if: ctx?.event?.type == 'dns' - ignore_missing: true - - rename: - field: rawmsg.dns.rrname - target_field: dns.question.name - if: ctx?.event?.type == 'dns' - ignore_missing: true - - rename: - field: rawmsg.dns.rrtype - target_field: dns.question.type - if: ctx?.event?.type == 'dns' - ignore_missing: true - - rename: - field: rawmsg.dns.ttl - target_field: dns.answers.ttl - if: ctx?.event?.type == 'dns' - ignore_missing: true - - rename: - field: rawmsg.dns.type - target_field: dns.type - if: ctx?.event?.type == 'dns' - ignore_missing: true - - rename: - field: rawmsg.iface - target_field: interface.name - if: ctx?.event?.type == 'dns' - ignore_missing: true - # tls event type fields - - rename: - field: rawmsg.tls.client_ciphersuites - target_field: tls.client.ciphersuites - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.client_tls_exts - target_field: tls.client.tls_exts - if: ctx?.event?.type == 'tls' - ignore_missing: 
true - - rename: - field: rawmsg.tls.fingerprint - target_field: tls.client.fingerprint - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.issuerdn - target_field: tls.client.issuer - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.ja3.hash - target_field: tls.client.ja3 - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.ja3.string - target_field: tls.client.ja3_string - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.ja3s.hash - target_field: tls.server.ja3s - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.ja3s.string - target_field: tls.server.ja3s_string - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.notbefore - target_field: tls.client.not_before - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.notafter - target_field: tls.client.not_after - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.pubkeylength - target_field: tls.public_keylength - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.server_ciphersuite - target_field: tls.server.ciphersuite - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.server_tls_exts - target_field: tls.server.tls_exts - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.sni - target_field: tls.client.server_name - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.subject - target_field: tls.client.subject - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.version - target_field: tls.version - if: ctx?.event?.type == 'tls' - ignore_missing: true - - rename: - field: rawmsg.tls.fatal_alert - target_field: fireeye.nx.tls.fetal_alert - if: ctx?.event?.type == 'tls' - 
ignore_missing: true - - rename: - field: rawmsg.iface - target_field: interface.name - if: ctx?.event?.type == 'tls' - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fireeye/1.4.0/data_stream/nx/fields/agent.yml b/packages/fireeye/1.4.0/data_stream/nx/fields/agent.yml deleted file mode 100755 index a371c03d96..0000000000 --- a/packages/fireeye/1.4.0/data_stream/nx/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/fireeye/1.4.0/data_stream/nx/fields/base-fields.yml b/packages/fireeye/1.4.0/data_stream/nx/fields/base-fields.yml deleted file mode 100755 index cdff14cc88..0000000000 --- a/packages/fireeye/1.4.0/data_stream/nx/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: fireeye -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fireeye.nx diff --git a/packages/fireeye/1.4.0/data_stream/nx/fields/ecs.yml b/packages/fireeye/1.4.0/data_stream/nx/fields/ecs.yml deleted file mode 100755 index 7e31cb79ea..0000000000 --- a/packages/fireeye/1.4.0/data_stream/nx/fields/ecs.yml +++ /dev/null 
@@ -1,302 +0,0 @@ -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Mime type of the body of the request. - This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. 
- name: http.request.mime_type - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. 
- name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Port of the destination. - name: destination.port - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. 
- multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Interface name as reported by the system. - name: interface.name - type: keyword -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is first considered valid. 
- name: tls.client.not_before - type: date -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword diff --git a/packages/fireeye/1.4.0/data_stream/nx/fields/fields.yml b/packages/fireeye/1.4.0/data_stream/nx/fields/fields.yml deleted file mode 100755 index 8a25bb461f..0000000000 --- a/packages/fireeye/1.4.0/data_stream/nx/fields/fields.yml +++ /dev/null 
@@ -1,108 +0,0 @@
-- name: fireeye.nx
- type: group
- fields:
- - name: flow_id
- type: long
- description: Flow ID of the event.
- - name: flow
- type: group
- fields:
- - name: age
- type: long
- description: Flow age.
- - name: alerted
- type: boolean
- description: Flow alerted or not.
- - name: endtime
- type: date
- description: Flow endtime.
- - name: reason
- type: keyword
- description: Flow reason.
- - name: starttime
- type: date
- description: Flow start time.
- - name: state
- type: keyword
- description: Flow state.
- - name: tcp
- type: group
- fields:
- - name: ack
- type: boolean
- description: TCP acknowledgement.
- - name: psh
- type: boolean
- description: TCP PSH.
- - name: state
- type: keyword
- description: TCP connectin state.
- - name: syn
- type: boolean
- description: TCP SYN.
- - name: tcp_flags
- type: keyword
- description: TCP flags.
- - name: tcp_flags_tc
- type: keyword
- description: TCP flags.
- - name: tcp_flags_ts
- type: keyword
- description: TCP flags.
- - name: fileinfo
- type: group
- fields:
- - name: filename
- type: keyword
- description: File name.
- - name: magic
- type: keyword
- description: Fileinfo magic.
- - name: md5
- type: keyword
- description: File hash.
- - name: size
- type: long
- description: File size.
- - name: state
- type: keyword
- description: File state.
- - name: stored
- type: boolean
- description: File stored or not.
-- name: tls
- type: group
- fields:
- - name: client
- type: group
- fields:
- - name: ciphersuites
- type: array
- description: TLS cipher suites by client.
- - name: fingerprint
- type: keyword
- description: TLS fingerprint.
- - name: ja3_string
- type: keyword
- description: A hash that identifies clients based on how they perform an SSL/TLS handshake.
- - name: tls_exts
- type: array
- description: TLS extensions set by client.
- - name: server
- type: group
- fields:
- - name: ciphersuite
- type: array
- description: TLS cipher suites by server.
- - name: ja3s_string
- type: keyword
- description: A hash that identifies servers based on how they perform an SSL/TLS handshake.
- - name: tls_exts
- type: array
- description: TLS extensions set by server.
- - name: public_keylength
- type: long
- description: TLS public key length.
-- name: log.source.address
- type: keyword
- description: Logs Source Raw address.
diff --git a/packages/fireeye/1.4.0/data_stream/nx/manifest.yml b/packages/fireeye/1.4.0/data_stream/nx/manifest.yml
deleted file mode 100755
index c52d2799be..0000000000
--- a/packages/fireeye/1.4.0/data_stream/nx/manifest.yml
+++ /dev/null
@@ -1,149 +0,0 @@
-title: Fireeye NX
-type: logs
-streams:
- - input: logfile
- template_path: stream.yml.hbs
- title: Fireeye NX logs
- description: Collect fireye nx logs
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/fireeye-nx*
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fireeye-nx
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- multi: false
- required: false
- show_user: true
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: udp
- title: Fireeye NX logs
- description: Collect Fireeye NX logs using udp input
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fireeye-nx
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9523
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- multi: false
- required: false
- show_user: true
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Fireeye NX logs
- description: Collect Fireeye NX logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fireeye-nx
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9523
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- multi: false
- required: false
- show_user: true
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/fireeye/1.4.0/data_stream/nx/sample_event.json b/packages/fireeye/1.4.0/data_stream/nx/sample_event.json
deleted file mode 100755
index 272ffcf621..0000000000
--- a/packages/fireeye/1.4.0/data_stream/nx/sample_event.json
+++ /dev/null
@@ -1,112 +0,0 @@
-{
- "@timestamp": "2020-09-22T08:34:44.991Z",
- "agent": {
- "ephemeral_id": "9c10aabf-b5f2-46d4-af8d-eccd5dfe3597",
- "id": "2411eb51-1c57-41d1-962f-cd06ac57198b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "data_stream": {
- "dataset": "fireeye.nx",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "ff02:0000:0000:0000:0000:0000:0000:0001",
- "bytes": 0,
- "ip": "ff02:0000:0000:0000:0000:0000:0000:0001",
- "packets": 0,
- "port": 10001
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "2411eb51-1c57-41d1-962f-cd06ac57198b",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "fireeye.nx",
- "ingested": "2022-05-12T06:20:01Z",
- "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}",
- "timezone": "+00:00",
- "type": [
- "info"
- ]
- },
- "fireeye": {
- "nx": {
- "flow": {
- "age": 0,
- "alerted": false,
- "endtime": "2020-09-22T08:34:12.761348+0000",
- "reason": "timeout",
- "starttime": "2020-09-22T08:34:12.761326+0000",
- "state": "new"
- },
- "flow_id": 721570461162990
- }
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.16.7"
- ],
- "mac": [
- "02:42:c0:a8:10:07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/fireeye-nx.log"
- },
- "offset": 0
- },
- "network": {
- "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=",
- "iana_number": "17",
- "protocol": "failed",
- "transport": "udp"
- },
- "observer": {
- "product": "NX",
- "vendor": "Fireeye"
- },
- "related": {
- "ip": [
- "fe80:0000:0000:0000:feec:daff:fe31:b706",
- "ff02:0000:0000:0000:0000:0000:0000:0001"
- ]
- },
- "source": {
- "address": "fe80:0000:0000:0000:feec:daff:fe31:b706",
- "bytes": 1680,
- "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706",
- "packets": 8,
- "port": 45944
- },
- "tags": [
- "fireeye-nx"
- ]
-}
\ No newline at end of file
diff --git a/packages/fireeye/1.4.0/docs/README.md b/packages/fireeye/1.4.0/docs/README.md
deleted file mode 100755
index 81b7470f20..0000000000
--- a/packages/fireeye/1.4.0/docs/README.md
+++ /dev/null
@@ -1,287 +0,0 @@
-# FireEye Integration
-
-This integration periodically fetches logs from [FireEye Network Security](https://www.fireeye.com/products/network-security.html) devices.
-
-## Compatibility
-
-The FireEye `nx` integration has been developed against FireEye Network Security 9.0.0.916432 but is expected to work with other versions.
-
-## Logs
-
-### NX
-
-The `nx` integration ingests network security logs from FireEye NX through TCP/UDP and file.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.packets | Packets sent from the destination to the source. | long |
-| destination.port | Port of the destination. | long |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
-| dns.question.name | The name being queried.
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.response_code | The DNS response code. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| fireeye.nx.fileinfo.filename | File name. | keyword |
-| fireeye.nx.fileinfo.magic | Fileinfo magic. | keyword |
-| fireeye.nx.fileinfo.md5 | File hash. | keyword |
-| fireeye.nx.fileinfo.size | File size. | long |
-| fireeye.nx.fileinfo.state | File state.
| keyword |
-| fireeye.nx.fileinfo.stored | File stored or not. | boolean |
-| fireeye.nx.flow.age | Flow age. | long |
-| fireeye.nx.flow.alerted | Flow alerted or not. | boolean |
-| fireeye.nx.flow.endtime | Flow endtime. | date |
-| fireeye.nx.flow.reason | Flow reason. | keyword |
-| fireeye.nx.flow.starttime | Flow start time. | date |
-| fireeye.nx.flow.state | Flow state. | keyword |
-| fireeye.nx.flow_id | Flow ID of the event. | long |
-| fireeye.nx.tcp.ack | TCP acknowledgement. | boolean |
-| fireeye.nx.tcp.psh | TCP PSH. | boolean |
-| fireeye.nx.tcp.state | TCP connectin state. | keyword |
-| fireeye.nx.tcp.syn | TCP SYN. | boolean |
-| fireeye.nx.tcp.tcp_flags | TCP flags. | keyword |
-| fireeye.nx.tcp.tcp_flags_tc | TCP flags. | keyword |
-| fireeye.nx.tcp.tcp_flags_ts | TCP flags. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows).
| keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| interface.name | Interface name as reported by the system. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Logs Source Raw address.
| keyword |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`.
| match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.client.ciphersuites | TLS cipher suites by client. | array |
-| tls.client.fingerprint | TLS fingerprint. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.ja3_string | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date |
-| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
-| tls.client.tls_exts | TLS extensions set by client. | array |
-| tls.public_keylength | TLS public key length. | long |
-| tls.server.ciphersuite | TLS cipher suites by server.
| array |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.ja3s_string | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.tls_exts | TLS extensions set by server. | array |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`.
| match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `nx` looks as following:
-
-```json
-{
- "@timestamp": "2020-09-22T08:34:44.991Z",
- "agent": {
- "ephemeral_id": "9c10aabf-b5f2-46d4-af8d-eccd5dfe3597",
- "id": "2411eb51-1c57-41d1-962f-cd06ac57198b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.2.0"
- },
- "data_stream": {
- "dataset": "fireeye.nx",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "ff02:0000:0000:0000:0000:0000:0000:0001",
- "bytes": 0,
- "ip": "ff02:0000:0000:0000:0000:0000:0000:0001",
- "packets": 0,
- "port": 10001
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "2411eb51-1c57-41d1-962f-cd06ac57198b",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "fireeye.nx",
- "ingested": "2022-05-12T06:20:01Z",
- "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}",
- "timezone": "+00:00",
- "type": [
- "info"
- ]
- },
- "fireeye": {
- "nx": {
- "flow": {
- "age": 0,
- "alerted": false,
- "endtime": "2020-09-22T08:34:12.761348+0000",
- "reason": "timeout",
- "starttime": "2020-09-22T08:34:12.761326+0000",
- "state": "new"
- },
- "flow_id": 721570461162990
- }
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.16.7"
- ],
- "mac": [
- "02:42:c0:a8:10:07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/fireeye-nx.log"
- },
- "offset": 0
- },
- "network": {
- "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=",
- "iana_number": "17",
- "protocol": "failed",
- "transport": "udp"
- },
- "observer": {
- "product": "NX",
- "vendor": "Fireeye"
- },
- "related": {
- "ip": [
- "fe80:0000:0000:0000:feec:daff:fe31:b706",
- "ff02:0000:0000:0000:0000:0000:0000:0001"
- ]
- },
- "source": {
- "address": "fe80:0000:0000:0000:feec:daff:fe31:b706",
- "bytes": 1680,
- "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706",
- "packets": 8,
- "port": 45944
- },
- "tags": [
- "fireeye-nx"
- ]
-}
-```
\ No newline at end of file
diff --git a/packages/fireeye/1.4.0/img/FireEye-logo.svg b/packages/fireeye/1.4.0/img/FireEye-logo.svg
deleted file mode 100755
index 50906981f0..0000000000
--- a/packages/fireeye/1.4.0/img/FireEye-logo.svg
+++ /dev/null
@@ -1,21 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/packages/fireeye/1.4.0/manifest.yml b/packages/fireeye/1.4.0/manifest.yml
deleted file mode 100755
index ff214315ad..0000000000
--- a/packages/fireeye/1.4.0/manifest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-format_version: 1.0.0
-name: fireeye
-title: "Fireeye"
-version: 1.4.0
-license: basic
-description: "This Elastic integration collects Fireeye NX logs."
-type: integration
-categories:
- - monitoring
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/FireEye-logo.svg
- title: Fireeye logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: fireeye
- title: Fireeye NX logs
- description: Collect Fireeye NX logs
- inputs:
- - type: logfile
- title: Collect Fireeye NX logs from instances
- description: Collecting Fireeye NX logs
- - type: udp
- title: Collect logs from Fireeye NXtwork Security via UDP
- description: Collecting Fireeye NX logs via UDP
- - type: tcp
- title: Collect logs from Fireeye NXtwork Security via TCP
- description: Collecting Fireeye NX logs via TCP
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/fortinet/1.6.2/changelog.yml b/packages/fortinet/1.6.2/changelog.yml
deleted file mode 100755
index fb461917b2..0000000000
--- a/packages/fortinet/1.6.2/changelog.yml
+++ /dev/null
@@ -1,144 +0,0 @@
-# newer versions go on top
-- version: "1.6.2"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3090
-- version: "1.6.1"
- changes:
- - description: Format source.mac and destination.mac as per ECS for the Fortimanager data stream.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3401
-- version: "1.6.0"
- changes:
- - description: Add TLS and custom options to TCP input.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3319
-- version: "1.5.0"
- changes:
- - description: Update to ECS 8.2.0 to use new email field set.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2800
-- version: "1.4.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.4.2"
- changes:
- - description: Clarify description for listen address and port.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2685
-- version: "1.4.1"
- changes:
- - description: Add Ingest Pipeline script to map IANA Protocol Numbers
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2470
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.0.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2585
-- version: "1.3.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.3.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2277
-- version: "1.2.4"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2107
-- version: "1.2.3"
- changes:
- - description: Update title and description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1997
-- version: "1.2.2"
- changes:
- - description: Fixed a bug that prevents the package from working in 7.16.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1882
-- version: "1.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1817
-- version: "1.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1660
-- version: "1.1.5"
- changes:
- - description: Requires version 7.14.1 of the stack
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1541
-- version: "1.1.4"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1477
-- version: '1.1.3'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1384
-- version: "1.1.2"
- changes:
- - description: Remove `experimental` label from manifest
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1433
-- version: "1.1.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "1.1.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1223
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1223
-- version: "0.9.1"
- changes:
- - description: use `wildcard` field type for the relevant ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1183
-- version: "0.9.0"
- changes:
- - description: update to ECS 1.10.0 and add event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1092
-- version: "0.8.2"
- changes:
- - description: make event.original optional
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1075
-- version: "0.8.1"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/845
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/228
diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/log.yml.hbs b/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/log.yml.hbs
deleted file mode 100755
index 4e1e97257d..0000000000
--- a/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,2774 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiClient" - type: "Anti-Virus" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid":
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime":
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
-
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number":
{to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert:
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time":
{to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk":
{to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field:
"rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter:
fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field:
"rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field:
"rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host":
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value;
- }
-
- function fld_set(dst, value) {
- dst[this.field] = { v: value };
- }
-
- function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
- }
-
- function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
- }
-
- var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
- };
-
- function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
- }
-
- function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
- }
-
- function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
- }
-
- var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
- ];
-
- function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
-
tzOffset = evt.Get("event.timezone");
- }
- var container = new DateContainer(tzOffset);
- for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([
- dup3,
- dup4,
- dup5,
- dup6,
- dup7,
- dup2,
- dup8,
- ]));
-
- var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([
- setc("header_id","0001"),
- call({
- dest: "nwparser.payload",
- fn: STRCAT,
- args: [
- field("hmonth"),
- constant(" "),
- field("hday"),
- constant(" "),
- field("htime"),
- constant(" "),
- field("hhostname"),
- constant(" proto="),
- field("hprotocol"),
- constant(" service="),
- field("messageid"),
- constant(" status="),
- field("haction"),
- constant(" src="),
- field("hsaddr"),
- constant(" dst="),
- field("hdaddr"),
- constant(" src_port="),
- field("hsport"),
- constant(" dst_port="),
- field("hdport"),
- constant(" "),
- field("p0"),
- ],
- }),
- ]));
-
- var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([
- setc("header_id","0003"),
- call({
- dest: "nwparser.payload",
- fn: STRCAT,
- args: [
- field("hmonth"),
- constant(" "),
- field("hday"),
- constant(" "),
- field("htime"),
- constant(" "),
- field("hhostname"),
- constant(" ("),
- field("messageid"),
- constant(" "),
- field("hfld5"),
- constant(" times in last "),
- field("hfld6"),
- constant(") "),
- field("hfld7"),
- constant(" "),
- field("hfld8"),
- constant("::"),
-
field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(" "), - field("hfld5"), - constant("::"), - field("p0"), - ], - }), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - ]); - - var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg1 = msg("enter", part1); - - var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg2 = msg("repeated", part2); - - var msg3 = msg("ms-wbt-server", dup9); - - var msg4 = msg("http", dup9); - - var msg5 = msg("https", dup9); - - var msg6 = msg("smtp", dup9); - - var msg7 = msg("pop3", dup9); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "enter": msg1, - "http": msg4, - "https": msg5, - "ms-wbt-server": msg3, - "pop3": msg7, - "repeated": msg2, - "smtp": msg6, - }), - ]); - - var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: 
true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/tcp.yml.hbs b/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/tcp.yml.hbs
deleted file mode 100755
index cca5a4017d..0000000000
--- a/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,2771 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiClient" - type: "Anti-Virus" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
- "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
- "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
- "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
- "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
- "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
- "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
- "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
- "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
- };
-
- function to_date(value) {
- switch (typeof (value)) {
- case "object":
- // This is a Date. But as it was obtained from evt.Get(), the VM
- // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
- // Have to trust that any object here is a valid Date for Go.
- return value;
- case "string":
- var asDate = new Date(value);
- if (!isNaN(asDate)) return asDate;
- }
- }
-
- // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
- var maxSafeInt = Math.pow(2, 53) - 1;
- var minSafeInt = -maxSafeInt;
-
- function to_long(value) {
- var num = parseInt(value);
- // Better not to index a number if it's not safe (above 53 bits).
- return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
- }
-
- function to_ip(value) {
- if (value.indexOf(":") === -1)
- return to_ipv4(value);
- return to_ipv6(value);
- }
-
- var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
- var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
-
- function to_ipv4(value) {
- var result = ipv4_regex.exec(value);
- if (result == null || result.length !== 5) return;
- for (var i = 1; i < 5; i++) {
- var num = strictToInt(result[i]);
- if (isNaN(num) || num < 0 || num > 255) return;
- }
- return value;
- }
-
- function to_ipv6(value) {
- var sqEnd = value.indexOf("]");
- if (sqEnd > -1) {
- if (value.charAt(0) !== "[") return;
- value = value.substr(1, sqEnd - 1);
- }
- var zoneOffset = value.indexOf("%");
- if (zoneOffset > -1) {
- value = value.substr(0, zoneOffset);
- }
- var parts = value.split(":");
- if (parts == null || parts.length < 3 || parts.length > 8) return;
- var numEmpty = 0;
- var innerEmpty = 0;
- for (var i = 0; i < parts.length; i++) {
- if (parts[i].length === 0) {
- numEmpty++;
- if (i > 0 && i + 1 < parts.length) innerEmpty++;
- } else if (!parts[i].match(ipv6_hex_regex) &&
- // Accept an IPv6 with a valid IPv4 at the end.
- ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
- return;
- }
- }
- return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
- }
-
- function to_double(value) {
- return parseFloat(value);
- }
-
- function to_mac(value) {
- // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
- return value;
- }
-
- function to_lowercase(value) {
- // to_lowercase is used against keyword fields, which can accept
- // any other type (numbers, dates).
- return typeof(value) === "string"?
value.toLowerCase() : value;
- }
-
- function fld_set(dst, value) {
- dst[this.field] = { v: value };
- }
-
- function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
- }
-
- function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
- }
-
- var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
- };
-
- function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
- }
-
- function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
- }
-
- function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
- }
-
- var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
- ];
-
- function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
-
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" proto="), - field("hprotocol"), - constant(" service="), - field("messageid"), - constant(" status="), - field("haction"), - constant(" src="), - field("hsaddr"), - constant(" dst="), - field("hdaddr"), - constant(" src_port="), - field("hsport"), - constant(" dst_port="), - field("hdport"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" ("), - field("messageid"), - constant(" "), - field("hfld5"), - constant(" times in last "), - field("hfld6"), - constant(") "), - field("hfld7"), - constant(" "), - field("hfld8"), - constant("::"), - 
field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(" "), - field("hfld5"), - constant("::"), - field("p0"), - ], - }), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - ]); - - var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg1 = msg("enter", part1); - - var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg2 = msg("repeated", part2); - - var msg3 = msg("ms-wbt-server", dup9); - - var msg4 = msg("http", dup9); - - var msg5 = msg("https", dup9); - - var msg6 = msg("smtp", dup9); - - var msg7 = msg("pop3", dup9); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "enter": msg1, - "http": msg4, - "https": msg5, - "ms-wbt-server": msg3, - "pop3": msg7, - "repeated": msg2, - "smtp": msg6, - }), - ]); - - var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: 
true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/udp.yml.hbs b/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/udp.yml.hbs deleted file mode 100755 index 59e1db4ecd..0000000000 --- a/packages/fortinet/1.6.2/data_stream/clientendpoint/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,2771 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiClient" - type: "Anti-Virus" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" proto="), - field("hprotocol"), - constant(" service="), - field("messageid"), - constant(" status="), - field("haction"), - constant(" src="), - field("hsaddr"), - constant(" dst="), - field("hdaddr"), - constant(" src_port="), - field("hsport"), - constant(" dst_port="), - field("hdport"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" ("), - field("messageid"), - constant(" "), - field("hfld5"), - constant(" times in last "), - field("hfld6"), - constant(") "), - field("hfld7"), - constant(" "), - field("hfld8"), - constant("::"), - 
field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hmonth"), - constant(" "), - field("hday"), - constant(" "), - field("htime"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(" "), - field("hfld5"), - constant("::"), - field("p0"), - ], - }), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - ]); - - var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg1 = msg("enter", part1); - - var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ - dup1, - dup2, - ])); - - var msg2 = msg("repeated", part2); - - var msg3 = msg("ms-wbt-server", dup9); - - var msg4 = msg("http", dup9); - - var msg5 = msg("https", dup9); - - var msg6 = msg("smtp", dup9); - - var msg7 = msg("pop3", dup9); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "enter": msg1, - "http": msg4, - "https": msg5, - "ms-wbt-server": msg3, - "pop3": msg7, - "repeated": msg2, - "smtp": msg6, - }), - ]); - - var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup2, - dup8, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: 
true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/1.6.2/data_stream/clientendpoint/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cf996f9818..0000000000 --- a/packages/fortinet/1.6.2/data_stream/clientendpoint/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -description: Pipeline for Fortinet FortiClient Endpoint Security - -processors: - - set: - field: ecs.version - value: '8.2.0' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/agent.yml b/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/base-fields.yml b/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/base-fields.yml deleted file mode 100755 index 82f0133692..0000000000 --- a/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/base-fields.yml +++ /dev/null @@ -1,46 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: fortinet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fortinet.clientendpoint -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/ecs.yml b/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/ecs.yml deleted file mode 100755 index 78ddffacce..0000000000 --- a/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/ecs.yml +++ /dev/null 
@@ -1,541 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. 
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. 
- name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
- multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. 
- name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: |-
- The highest registered server domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: server.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: server.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: server.top_level_domain
- type: keyword
-- description: |-
- Name of the service data is collected from.
- The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
- In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
- name: service.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- type: keyword
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- The highest registered source domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: source.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: source.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: source.top_level_domain
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/fields.yml b/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/fields.yml
deleted file mode 100755
index ea69cd79e3..0000000000
--- a/packages/fortinet/1.6.2/data_stream/clientendpoint/fields/fields.yml
+++ /dev/null
@@ -1,1754 +0,0 @@
-- name: rsa
- type: group
- fields:
- - name: internal
- type: group
- fields:
- - name: msg
- type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
- - name: messageid
- type: keyword
- - name: event_desc
- type: keyword
- - name: message
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- - name: level
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: msg_vid
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: data
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry
- type: keyword
- description: Deprecated key defined only in table map.
- - name: hcode
- type: keyword
- description: Deprecated key defined only in table map.
- - name: inode
- type: long
- description: Deprecated key defined only in table map.
- - name: resource_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: dead
- type: long
- description: Deprecated key defined only in table map.
- - name: feed_desc
- type: keyword
- description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: feed_name
- type: keyword
- description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: cid
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_class
- type: keyword
- description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_group
- type: keyword
- description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_host
- type: keyword
- description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ip
- type: ip
- description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ipv6
- type: ip
- description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_type
- type: keyword
- description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_type_id
- type: long
- description: Deprecated key defined only in table map.
- - name: did
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: entropy_req
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
- - name: entropy_res
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
- - name: event_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: feed_category
- type: keyword
- description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: forward_ip
- type: ip
- description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
- - name: forward_ipv6
- type: ip
- description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: header_id
- type: keyword
- description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: lc_cid
- type: keyword
- description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: lc_ctime
- type: date
- description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: mcb_req
- type: long
- description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
- - name: mcb_res
- type: long
- description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
- - name: mcbc_req
- type: long
- description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
- - name: mcbc_res
- type: long
- description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
- - name: medium
- type: long
- description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
- - name: node_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: nwe_callback_id
- type: keyword
- description: This key denotes that event is endpoint related
- - name: parse_error
- type: keyword
- description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: payload_req
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
- - name: payload_res
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
- - name: process_vid_dst
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
- - name: process_vid_src
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
- - name: rid
- type: long
- description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: session_split
- type: keyword
- description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: site
- type: keyword
- description: Deprecated key defined only in table map.
- - name: size
- type: long
- description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: sourcefile
- type: keyword
- description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: ubc_req
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
- - name: ubc_res
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
- - name: word
- type: keyword
- description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
- - name: time
- type: group
- fields:
- - name: event_time
- type: date
- description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
- - name: duration_time
- type: double
- description: This key is used to capture the normalized duration/lifetime in seconds.
- - name: event_time_str
- type: keyword
- description: This key is used to capture the incomplete time mentioned in a session as a string
- - name: starttime
- type: date
- description: This key is used to capture the Start time mentioned in a session in a standard form
- - name: month
- type: keyword
- - name: day
- type: keyword
- - name: endtime
- type: date
- description: This key is used to capture the End time mentioned in a session in a standard form
- - name: timezone
- type: keyword
- description: This key is used to capture the timezone of the Event Time
- - name: duration_str
- type: keyword
- description: A text string version of the duration
- - name: date
- type: keyword
- - name: year
- type: keyword
- - name: recorded_time
- type: date
- description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
- - name: datetime
- type: keyword
- - name: effective_time
- type: date
- description: This key is the effective time referenced by an individual event in a Standard Timestamp format
- - name: expire_time
- type: date
- description: This key is the timestamp that explicitly refers to an expiration.
- - name: process_time
- type: keyword
- description: Deprecated, use duration.time
- - name: hour
- type: keyword
- - name: min
- type: keyword
- - name: timestamp
- type: keyword
- - name: event_queue_time
- type: date
- description: This key is the Time that the event was queued.
- - name: p_time1
- type: keyword
- - name: tzone
- type: keyword
- - name: eventtime
- type: keyword
- - name: gmtdate
- type: keyword
- - name: gmttime
- type: keyword
- - name: p_date
- type: keyword
- - name: p_month
- type: keyword
- - name: p_time
- type: keyword
- - name: p_time2
- type: keyword
- - name: p_year
- type: keyword
- - name: expire_time_str
- type: keyword
- description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
- - name: stamp
- type: date
- description: Deprecated key defined only in table map.
- - name: misc
- type: group
- fields:
- - name: action
- type: keyword
- - name: result
- type: keyword
- description: This key is used to capture the outcome/result string value of an action in a session.
- - name: severity
- type: keyword
- description: This key is used to capture the severity given the session
- - name: event_type
- type: keyword
- description: This key captures the event category type as specified by the event source.
- - name: reference_id
- type: keyword
- description: This key is used to capture an event id from the session directly
- - name: version
- type: keyword
- description: This key captures Version of the application or OS which is generating the event.
- - name: disposition
- type: keyword
- description: This key captures the The end state of an action.
- - name: result_code
- type: keyword
- description: This key is used to capture the outcome/result numeric value of an action in a session
- - name: category
- type: keyword
- description: This key is used to capture the category of an event given by the vendor in the session
- - name: obj_name
- type: keyword
- description: This is used to capture name of object
- - name: obj_type
- type: keyword
- description: This is used to capture type of object
- - name: event_source
- type: keyword
- description: "This key captures Source of the event that’s not a hostname"
- - name: log_session_id
- type: keyword
- description: This key is used to capture a sessionid from the session directly
- - name: group
- type: keyword
- description: This key captures the Group Name value
- - name: policy_name
- type: keyword
- description: This key is used to capture the Policy Name only.
- - name: rule_name
- type: keyword
- description: This key captures the Rule Name
- - name: context
- type: keyword
- description: This key captures Information which adds additional context to the event.
- - name: change_new
- type: keyword
- description: "This key is used to capture the new values of the attribute that’s changing in a session"
- - name: space
- type: keyword
- - name: client
- type: keyword
- description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
- - name: msgIdPart1
- type: keyword
- - name: msgIdPart2
- type: keyword
- - name: change_old
- type: keyword
- description: "This key is used to capture the old value of the attribute that’s changing in a session"
- - name: operation_id
- type: keyword
- description: An alert number or operation number. The values should be unique and non-repeating.
- - name: event_state
- type: keyword
- description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
- - name: group_object
- type: keyword
- description: This key captures a collection/grouping of entities. Specific usage
- - name: node
- type: keyword
- description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
- - name: rule
- type: keyword
- description: This key captures the Rule number
- - name: device_name
- type: keyword
- description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
- - name: param
- type: keyword
- description: This key is the parameters passed as part of a command or application, etc.
- - name: change_attrib
- type: keyword
- description: "This key is used to capture the name of the attribute that’s changing in a session"
- - name: event_computer
- type: keyword
- description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
- - name: reference_id1
- type: keyword
- description: This key is for Linked ID to be used as an addition to "reference.id"
- - name: event_log
- type: keyword
- description: This key captures the Name of the event log
- - name: OS
- type: keyword
- description: This key captures the Name of the Operating System
- - name: terminal
- type: keyword
- description: This key captures the Terminal Names only
- - name: msgIdPart3
- type: keyword
- - name: filter
- type: keyword
- description: This key captures Filter used to reduce result set
- - name: serial_number
- type: keyword
- description: This key is the Serial number associated with a physical asset.
- - name: checksum
- type: keyword
- description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
- - name: event_user
- type: keyword
- description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
- - name: virusname
- type: keyword
- description: This key captures the name of the virus
- - name: content_type
- type: keyword
- description: This key is used to capture Content Type only.
- - name: group_id
- type: keyword
- description: This key captures Group ID Number (related to the group name)
- - name: policy_id
- type: keyword
- description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
- - name: vsys
- type: keyword
- description: This key captures Virtual System Name
- - name: connection_id
- type: keyword
- description: This key captures the Connection ID
- - name: reference_id2
- type: keyword
- description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
- - name: sensor
- type: keyword
- description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
- - name: sig_id
- type: long
- description: This key captures IDS/IPS Int Signature ID
- - name: port_name
- type: keyword
- description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
- - name: rule_group
- type: keyword
- description: This key captures the Rule group name
- - name: risk_num
- type: double
- description: This key captures a Numeric Risk value
- - name: trigger_val
- type: keyword
- description: This key captures the Value of the trigger or threshold condition.
- - name: log_session_id1
- type: keyword
- description: This key is used to capture a Linked (Related) Session ID from the session directly
- - name: comp_version
- type: keyword
- description: This key captures the Version level of a sub-component of a product.
- - name: content_version
- type: keyword
- description: This key captures Version level of a signature or database content.
- - name: hardware_id
- type: keyword
- description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
- - name: risk
- type: keyword
- description: This key captures the non-numeric risk value
- - name: event_id
- type: keyword
- - name: reason
- type: keyword
- - name: status
- type: keyword
- - name: mail_id
- type: keyword
- description: This key is used to capture the mailbox id/name
- - name: rule_uid
- type: keyword
- description: This key is the Unique Identifier for a rule.
- - name: trigger_desc
- type: keyword
- description: This key captures the Description of the trigger or threshold condition.
- - name: inout
- type: keyword
- - name: p_msgid
- type: keyword
- - name: data_type
- type: keyword
- - name: msgIdPart4
- type: keyword
- - name: error
- type: keyword
- description: This key captures All non successful Error codes or responses
- - name: index
- type: keyword
- - name: listnum
- type: keyword
- description: This key is used to capture listname or listnumber, primarily for collecting access-list
- - name: ntype
- type: keyword
- - name: observed_val
- type: keyword
- description: This key captures the Value observed (from the perspective of the device generating the log).
- - name: policy_value
- type: keyword
- description: This key captures the contents of the policy. This contains details about the policy
- - name: pool_name
- type: keyword
- description: This key captures the name of a resource pool
- - name: rule_template
- type: keyword
- description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
- - name: count
- type: keyword
- - name: number
- type: keyword
- - name: sigcat
- type: keyword
- - name: type
- type: keyword
- - name: comments
- type: keyword
- description: Comment information provided in the log message
- - name: doc_number
- type: long
- description: This key captures File Identification number
- - name: expected_val
- type: keyword
- description: This key captures the Value expected (from the perspective of the device generating the log).
- - name: job_num
- type: keyword
- description: This key captures the Job Number
- - name: spi_dst
- type: keyword
- description: Destination SPI Index
- - name: spi_src
- type: keyword
- description: Source SPI Index
- - name: code
- type: keyword
- - name: agent_id
- type: keyword
- description: This key is used to capture agent id
- - name: message_body
- type: keyword
- description: This key captures the The contents of the message body.
- - name: phone
- type: keyword
- - name: sig_id_str
- type: keyword
- description: This key captures a string object of the sigid variable.
- - name: cmd
- type: keyword
- - name: misc
- type: keyword
- - name: name
- type: keyword
- - name: cpu
- type: long
- description: This key is the CPU time used in the execution of the event being recorded.
- - name: event_desc
- type: keyword
- description: This key is used to capture a description of an event available directly or inferred
- - name: sig_id1
- type: long
- description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
- - name: im_buddyid
- type: keyword
- - name: im_client
- type: keyword
- - name: im_userid
- type: keyword
- - name: pid
- type: keyword
- - name: priority
- type: keyword
- - name: context_subject
- type: keyword
- description: This key is to be used in an audit context where the subject is the object being identified
- - name: context_target
- type: keyword
- - name: cve
- type: keyword
- description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
- - name: fcatnum
- type: keyword
- description: This key captures Filter Category Number. Legacy Usage
- - name: library
- type: keyword
- description: This key is used to capture library information in mainframe devices
- - name: parent_node
- type: keyword
- description: This key captures the Parent Node Name. Must be related to node variable.
- - name: risk_info
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: tcp_flags
- type: long
- description: This key is captures the TCP flags set in any packet of session
- - name: tos
- type: long
- description: This key describes the type of service
- - name: vm_target
- type: keyword
- description: VMWare Target **VMWARE** only varaible.
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/manifest.yml b/packages/fortinet/1.6.2/data_stream/clientendpoint/manifest.yml deleted file mode 100755 index ab7a3686d6..0000000000 --- a/packages/fortinet/1.6.2/data_stream/clientendpoint/manifest.yml +++ /dev/null 
@@ -1,212 +0,0 @@ -title: Fortinet FortiClient Endpoint Security logs -release: experimental -type: logs -streams: - - input: udp - enabled: true - title: Fortinet FortiClient Endpoint Security logs - description: Collect Fortinet FortiClient Endpoint Security logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-clientendpoint - - forwarded - - name: udp_host - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9509 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: tcp - enabled: false - title: Fortinet FortiClient Endpoint Security logs - description: Collect Fortinet FortiClient Endpoint Security logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-clientendpoint - - forwarded - - name: tcp_host - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9509 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - enabled: false - title: Fortinet FortiClient Endpoint Security logs - template_path: log.yml.hbs - description: Collect Fortinet FortiClient Endpoint Security logs from file - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: false - default: - - /var/log/fortinet-clientendpoint.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-clientendpoint - - forwarded - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/fortinet/1.6.2/data_stream/clientendpoint/sample_event.json b/packages/fortinet/1.6.2/data_stream/clientendpoint/sample_event.json deleted file mode 100755 index f10a0048c6..0000000000 --- a/packages/fortinet/1.6.2/data_stream/clientendpoint/sample_event.json +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "@timestamp": "2021-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "e212d683-d4b4-42ac-ba98-c8414ff62188", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "fortinet.clientendpoint", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": [ - "10.102.123.34" - ], - "port": 3994 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "deny", - "agent_id_status": "verified", - "code": "http", - "dataset": "fortinet.clientendpoint", - "ingested": "2022-01-25T12:25:45Z", - "original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n", - "outcome": "failure", - "timezone": "+00:00" - }, - "host": { - "name": "boNemoe4402.www.invalid" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.30.0.4:54478" - } - }, - "network": { - "direction": "external", - "protocol": "udp" - }, - "observer": { - "product": "FortiClient", - "type": "Anti-Virus", - "vendor": "Fortinet" - }, - "process": { - "pid": 7880 - }, - "related": { - "hosts": [ - "litesse6379.api.domain", - "boNemoe4402.www.invalid" - ], - "ip": [ - "10.150.92.220", - "10.102.123.34" - ], - "user": [ - "sumdo" - ] - }, - "rsa": { - "counters": { - "dclass_c1": 5286, - "dclass_c1_str": "block_count" - }, - "internal": { - "messageid": "http" - }, - "investigations": { - "ec_outcome": "Failure", - "ec_subject": "NetworkComm", - "ec_theme": "ALM" - }, - "misc": { - "action": [ - "deny" - ], - "result": "failure\n" - }, - "network": { - "alias_host": [ - "boNemoe4402.www.invalid" - ], - 
"domain": "litesse6379.api.domain", - "network_service": "http" - }, - "time": { - "event_time": "2021-01-29T06:09:59.000Z" - } - }, - "server": { - "domain": "litesse6379.api.domain", - "registered_domain": "api.domain", - "subdomain": "litesse6379", - "top_level_domain": "domain" - }, - "source": { - "ip": [ - "10.150.92.220" - ], - "port": 7178 - }, - "tags": [ - "preserve_original_event", - "fortinet-clientendpoint", - "forwarded" - ], - "user": { - "name": "sumdo" - } -} \ No newline at end of file diff --git a/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/log.yml.hbs b/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/log.yml.hbs deleted file mode 100755 index 225500de9f..0000000000 --- a/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/log.yml.hbs +++ /dev/null @@ -1,47 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if internal_interfaces.length}} -processors: -{{else}} -{{#if external_interfaces.length}} -processors: -{{else}} -{{#if processors}} -processors: -{{/if}} -{{/if}} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_interfaces.length}} - - add_fields: - target: _temp - fields: - internal_interfaces: - {{#each internal_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} -{{#if external_interfaces.length}} - - add_fields: - target: _temp - fields: - external_interfaces: - {{#each external_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} diff --git a/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/tcp.yml.hbs deleted file mode 100755 index 6ca58d4fa8..0000000000 
--- a/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,49 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if internal_interfaces.length}} -processors: -{{else}} -{{#if external_interfaces.length}} -processors: -{{else}} -{{#if processors}} -processors: -{{/if}} -{{/if}} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_interfaces.length}} - - add_fields: - target: _temp - fields: - internal_interfaces: - {{#each internal_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} -{{#if external_interfaces.length}} - - add_fields: - target: _temp - fields: - external_interfaces: - {{#each external_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} -{{#if tcp_options}} -{{tcp_options}} -{{/if}} diff --git a/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/udp.yml.hbs deleted file mode 100755 index 852d6d18f0..0000000000 --- a/packages/fortinet/1.6.2/data_stream/firewall/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,43 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if internal_interfaces.length}} -processors: -{{else}} -{{#if external_interfaces.length}} -processors: -{{else}} -{{#if processors}} -processors: -{{/if}} -{{/if}} -{{/if}} -{{#if processors}} -{{processors}} -{{/if}} -{{#if internal_interfaces.length}} - - add_fields: - target: _temp - fields: - internal_interfaces: - {{#each internal_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} -{{#if external_interfaces.length}} - - add_fields: - target: _temp - fields: - external_interfaces: - {{#each external_interfaces as |interface i|}} - - {{interface}} - {{/each}} -{{/if}} diff --git a/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 30892ee32f..0000000000 --- a/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,431 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - - grok: - field: event.original - patterns: - - "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$" - - kv: - field: syslog5424_sd - field_split: " (?=[a-z\\_\\-]+=)" - value_split: "=" - prefix: "fortinet.firewall." - ignore_missing: true - ignore_failure: false - trim_value: '"' - - script: - lang: painless - source: | - def fw = ctx?.fortinet?.firewall; - if (fw != null) { - fw.entrySet().removeIf(entry -> entry.getValue() == "N/A"); - } - - set: - field: observer.vendor - value: Fortinet - - set: - field: observer.product - value: Fortigate - - set: - field: observer.type - value: firewall - - set: - field: event.timezone - value: "{{fortinet.firewall.tz}}" - ignore_empty_value: true - - set: - field: _temp.time - value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}} {{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null" - - set: - field: _temp.time - value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}}" - if: "ctx.fortinet?.firewall?.tz == null" - - date: - field: _temp.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - timezone: "{{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null" - - date: - field: _temp.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - if: "ctx.fortinet?.firewall?.tz == null" - - gsub: - field: fortinet.firewall.eventtime - pattern: "\\d{6}$" - replacement: "" - if: "ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 18" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX_MS - timezone: "{{fortinet.firewall.tz}}" - if: 
"ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX - timezone: "{{fortinet.firewall.tz}}" - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX_MS - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" - - date: - field: fortinet.firewall.eventtime - target_field: event.start - formats: - - UNIX - if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - - rename: - field: fortinet.firewall.devname - target_field: observer.name - ignore_missing: true - - script: - lang: painless - source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000" - if: "ctx.fortinet?.firewall?.duration != null" - - rename: - field: fortinet.firewall.devid - target_field: observer.serial_number - ignore_missing: true - - rename: - field: fortinet.firewall.dstintf - target_field: observer.egress.interface.name - ignore_missing: true - if: "ctx.observer?.egress?.interface?.name == null" - - rename: - field: fortinet.firewall.srcintf - target_field: observer.ingress.interface.name - ignore_missing: true - if: "ctx.observer?.ingress?.interface?.name == null" - - rename: - field: fortinet.firewall.dst_int - target_field: observer.egress.interface.name - ignore_missing: true - - rename: - field: fortinet.firewall.src_int - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: fortinet.firewall.level - target_field: log.level - ignore_missing: true - - append: - field: email.cc.address - value: 
"{{{fortinet.firewall.cc}}}" - if: "ctx?.fortinet?.cc?.address != null" - - set: - field: email.subject - copy_from: fortinet.firewall.subject - if: "ctx?.fortinet?.firewall?.subject != null" - - # Handle interface-based network directionality - - set: - field: network.direction - value: inbound - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) - - set: - field: network.direction - value: outbound - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: internal - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: external - if: > - ctx?._temp?.external_interfaces != null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.ingress?.interface?.name != null && - ctx?.observer?.egress?.interface?.name != null && - ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) - - set: - field: network.direction - value: unknown - if: > - ctx?._temp?.external_interfaces 
!= null && - ctx?._temp?.internal_interfaces != null && - ctx?.observer?.egress?.interface?.name != null && - ctx?.observer?.ingress?.interface?.name != null && - ( - ( - !ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && - !ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) - ) || - ( - !ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && - !ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) - ) - ) - - remove: - field: - - _temp.time - - _temp - - syslog5424_sd - - syslog5424_pri - - fortinet.firewall.tz - - fortinet.firewall.date - - fortinet.firewall.devid - - fortinet.firewall.eventtime - - fortinet.firewall.time - - fortinet.firewall.duration - - host - ignore_missing: true - - pipeline: - name: '{{ IngestPipeline "event" }}' - if: "ctx.fortinet?.firewall?.type == 'event'" - - pipeline: - name: '{{ IngestPipeline "traffic" }}' - if: "ctx.fortinet?.firewall?.type == 'traffic'" - - pipeline: - name: '{{ IngestPipeline "utm" }}' - if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'" - - convert: - field: fortinet.firewall.quotamax - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.quotaused - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.size - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.disklograte - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.fazlograte - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.lanin - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.lanout - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.setuprate - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.wanin - type: long - ignore_missing: true - - convert: - field: fortinet.firewall.wanout - type: long - ignore_missing: true - - geoip: - field: 
source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" - - geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true - - script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx?.source?.packets != null && ctx?.destination?.packets != 
null" - ignore_failure: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" - allow_duplicates: false - - append: - field: related.user - value: "{{destination.user.name}}" - if: "ctx.destination?.user?.name != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{destination.address}}" - if: "ctx.destination?.address != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{source.address}}" - if: "ctx.source?.address != null" - allow_duplicates: false - - append: - field: related.hosts - value: "{{dns.question.name}}" - if: "ctx.dns?.question?.name != null" - allow_duplicates: false - - script: - lang: painless - source: | - def dnsIPs = ctx?.dns?.resolved_ip; - if (dnsIPs != null && dnsIPs instanceof List) { - if 
(ctx?.related?.ip == null) { - ctx.related.ip = []; - } - for (ip in dnsIPs) { - if (!ctx.related.ip.contains(ip)) { - ctx.related.ip.add(ip); - } - } - } - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml b/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml deleted file mode 100755 index 19f29c3b99..0000000000 --- a/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/event.yml +++ /dev/null 
@@ -1,267 +0,0 @@ ---- -description: Pipeline for parsing fortinet firewall logs (event pipeline) -processors: - - set: - field: event.kind - value: event - - set: - field: event.outcome - value: failure - if: "ctx.fortinet?.firewall?.result == 'ERROR' || ctx.fortinet?.firewall?.status == 'negotiate_error'" - - set: - field: event.outcome - value: success - if: "ctx.fortinet?.firewall?.result == 'OK' || ['FSSO-logon', 'auth-logon', 'FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: - - user - - start - if: "['FSSO-logon', 'auth-logon'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: - - user - - end - if: "['FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" - - append: - field: event.type - value: connection - if: "ctx.fortinet?.firewall?.subtype == 'vpn'" - - append: - field: event.category - value: network - if: "ctx.fortinet?.firewall?.subtype == 'vpn'" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.action == 'perf-stats'" - - append: - field: event.category - value: host - if: "ctx.fortinet?.firewall?.action == 'perf-stats'" - - append: - field: event.type - value: info - if: "ctx.fortinet?.firewall?.subtype == 'update'" - - append: - field: event.category - value: - - host - - malware - if: "ctx.fortinet?.firewall?.subtype == 'update'" - - append: - field: event.category - value: authentication - if: "ctx.fortinet?.firewall?.subtype == 'user'" - - rename: - field: fortinet.firewall.dstip - target_field: destination.ip - ignore_missing: true - - rename: - field: fortinet.firewall.remip - target_field: destination.ip - ignore_missing: true - if: "ctx.destination?.ip == null" - - convert: - field: fortinet.firewall.dstport - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.remport - target_field: destination.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.destination?.port == null" - - convert: - field: fortinet.firewall.rcvdbyte - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.daddr - target_field: destination.address - ignore_missing: true - - rename: - field: fortinet.firewall.dst_host - target_field: destination.address - ignore_missing: true - if: "ctx.destination?.address == null" - - rename: - field: fortinet.firewall.dst_host - target_field: destination.domain - ignore_missing: true - if: "ctx.destination?.address == null" - - rename: - field: fortinet.firewall.group - target_field: source.user.group.name - ignore_missing: true - - convert: - field: fortinet.firewall.sentbyte - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - - rename: - field: fortinet.firewall.srcip - target_field: source.ip - ignore_missing: true - - rename: - field: fortinet.firewall.locip - target_field: source.ip - ignore_missing: true - if: "ctx.source?.ip == null" - - rename: - field: fortinet.firewall.srcmac - target_field: source.mac - ignore_missing: true - - rename: - field: fortinet.firewall.source_mac - target_field: source.mac - ignore_missing: true - if: "ctx.source?.mac == null" - - convert: - field: fortinet.firewall.srcport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - - convert: - field: fortinet.firewall.locport - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.source?.port == null" - - rename: - field: fortinet.firewall.user - target_field: source.user.name - ignore_missing: true - - rename: - field: fortinet.firewall.saddr - target_field: source.address - ignore_missing: true - - rename: - field: fortinet.firewall.agent - target_field: user_agent.original - ignore_missing: true - - rename: - field: fortinet.firewall.file - target_field: file.name - 
ignore_missing: true
- - convert:
- field: fortinet.firewall.filesize
- target_field: file.size
- type: long
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: fortinet.firewall.level
- target_field: log.level
- ignore_missing: true
- - rename:
- field: fortinet.firewall.logid
- target_field: event.code
- ignore_missing: true
- if: "ctx.event?.code == null"
- - rename:
- field: fortinet.firewall.msg
- target_field: message
- ignore_missing: true
- - rename:
- field: fortinet.firewall.policyid
- target_field: rule.id
- ignore_missing: true
- - rename:
- field: fortinet.firewall.proto
- target_field: network.iana_number
- ignore_missing: true
- - rename:
- field: fortinet.firewall.dir
- target_field: network.direction
- ignore_missing: true
- if: "ctx.network?.direction == null"
- - rename:
- field: fortinet.firewall.direction
- target_field: network.direction
- ignore_missing: true
- if: "ctx.network?.direction == null"
- # Normalize the network direction
- - script:
- lang: painless
- ignore_failure: true
- params:
- outgoing: outbound
- incoming: inbound
- source: >-
- if (ctx.network?.direction == null) {
- return;
- }
- def k = ctx.network?.direction.toLowerCase();
- def normalized = params.get(k);
- if (normalized != null) {
- ctx.network.direction = normalized;
- return
- }
- ctx.network.direction = k;
- - rename:
- field: fortinet.firewall.service
- target_field: network.protocol
- ignore_missing: true
- - lowercase:
- field: network.protocol
- ignore_missing: true
- - rename:
- field: fortinet.firewall.error_num
- target_field: error.code
- ignore_missing: true
- - rename:
- field: fortinet.firewall.hostname
- target_field: url.domain
- ignore_missing: true
- - rename:
- field: fortinet.firewall.logdesc
- target_field: rule.description
- ignore_missing: true
- - rename:
- field: fortinet.firewall.addr
- target_field: fortinet.firewall.addrgrp
- if: ctx.rule?.description == 'Dynamic address updated'
- ignore_missing: true
- - rename:
- field: fortinet.firewall.url
- target_field: url.path
- ignore_missing: true
- - convert:
- field: fortinet.firewall.sess_duration
- type: long
- target_field: event.duration
- ignore_failure: true
- ignore_missing: true
- if: "ctx.event?.duration == null"
- - convert:
- field: fortinet.firewall.mem
- type: integer
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - fortinet.firewall.dstport
- - fortinet.firewall.remport
- - fortinet.firewall.rcvdbyte
- - fortinet.firewall.sentbyte
- - fortinet.firewall.srcport
- - fortinet.firewall.locport
- - fortinet.firewall.filesize
- - fortinet.firewall.sess_duration
- - fortinet.firewall.dir
- - fortinet.firewall.direction
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml b/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml
deleted file mode 100755
index 90f65f53a0..0000000000
--- a/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/traffic.yml
+++ /dev/null
@@ -1,218 +0,0 @@
----
-description: Pipeline for parsing fortinet firewall logs (traffic pipeline)
-processors:
-- set:
- field: event.kind
- value: event
-- set:
- field: event.action
- value: "{{fortinet.firewall.action}}"
- ignore_empty_value: true
-- set:
- field: event.outcome
- value: success
- if: "ctx.fortinet?.firewall?.action != null"
-- append:
- field: event.category
- value: network
-- append:
- field: event.type
- value: connection
-- append:
- field: event.type
- value: start
- if: "ctx.fortinet?.firewall?.action == 'start'"
-- append:
- field: event.type
- value: end
- if: "ctx.fortinet?.firewall?.action != null && ctx.fortinet?.firewall?.action !='start'"
-- append:
- field: event.type
- value: protocol
- if: "ctx.fortinet?.firewall?.app != null && ctx.fortinet?.firewall?.action != 'deny'"
-- append:
- field: event.type
- value: allowed
- if: "ctx.fortinet?.firewall?.utmaction == null && ctx.fortinet?.firewall?.action != 'deny'"
-- append:
- field: event.type
- value: denied
- if: "ctx.fortinet?.firewall?.utmaction == 'block'"
-- rename:
- field: fortinet.firewall.dstip
- target_field: destination.ip
- ignore_missing: true
-- rename:
- field: fortinet.firewall.tranip
- target_field: destination.nat.ip
- ignore_missing: true
-- convert:
- field: fortinet.firewall.dstport
- target_field: destination.port
- type: long
- ignore_failure: true
- ignore_missing: true
-- convert:
- field: fortinet.firewall.tranport
- target_field: destination.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
-- convert:
- field: fortinet.firewall.rcvdbyte
- target_field: destination.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
-- convert:
- field: fortinet.firewall.rcvdpkt
- target_field: destination.packets
- type: long
- ignore_failure: true
- ignore_missing: true
-- append:
- field: email.to.address
- value: "{{fortinet.firewall.dstcollectedemail}}"
- if: "ctx?.fortinet?.firewall?.dstcollectedemail != null"
-- rename:
- field: fortinet.firewall.dstname
- target_field: destination.address
- ignore_missing: true
-- rename:
- field: fortinet.firewall.dstunauthuser
- target_field: destination.user.name
- ignore_missing: true
-- rename:
- field: fortinet.firewall.group
- target_field: source.user.group.name
- ignore_missing: true
-- convert:
- field: fortinet.firewall.sentbyte
- target_field: source.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
-- rename:
- field: fortinet.firewall.srcdomain
- target_field: source.domain
- ignore_missing: true
-- rename:
- field: fortinet.firewall.srcip
- target_field: source.ip
- ignore_missing: true
-- rename:
- field: fortinet.firewall.srcmac
- target_field: source.mac
- ignore_missing: true
-- convert:
- field: fortinet.firewall.srcport
- target_field: source.port
- type: long
- ignore_failure: true
- ignore_missing: true
-- rename:
- field: fortinet.firewall.unauthuser
- target_field: source.user.name
- ignore_missing: true
-- rename:
- field: fortinet.firewall.user
- target_field: source.user.name
- ignore_missing: true
- if: "ctx.source?.user?.name == null"
-- append:
- field: email.from.address
- value: "{{fortinet.firewall.collectedemail}}"
- if: "ctx?.fortinet?.firewall?.collectedemail != null"
-- convert:
- field: fortinet.firewall.sentpkt
- target_field: source.packets
- type: long
- ignore_failure: true
- ignore_missing: true
-- rename:
- field: fortinet.firewall.transip
- target_field: source.nat.ip
- ignore_missing: true
-- convert:
- field: fortinet.firewall.transport
- target_field: source.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
-- rename:
- field: fortinet.firewall.app
- target_field: network.application
- ignore_missing: true
-- rename:
- field: fortinet.firewall.filename
- target_field: file.name
- ignore_missing: true
-- rename:
- field: fortinet.firewall.logid
- target_field: event.code
- ignore_missing: true
- if: "ctx.event?.code == null"
-- rename:
- field: fortinet.firewall.msg
- target_field: message
- ignore_missing: true
-- rename:
- field: fortinet.firewall.comment
- target_field: rule.description
- ignore_missing: true
-- rename:
- field: fortinet.firewall.policyid
- target_field: rule.id
- ignore_missing: true
- if: "ctx.rule?.id == null"
-- rename:
- field: fortinet.firewall.poluuid
- target_field: rule.uuid
- ignore_missing: true
-- rename:
- field: fortinet.firewall.policytype
- target_field: rule.ruleset
- ignore_missing: true
-- rename:
- field: fortinet.firewall.policyname
- target_field: rule.name
- ignore_missing: true
-- rename:
- field: fortinet.firewall.appcat
- target_field: rule.category
- ignore_missing: true
-- gsub:
- field: rule.category
- pattern: "\\."
- replacement: "-"
- ignore_missing: true
-- rename:
- field: fortinet.firewall.proto
- target_field: network.iana_number
- ignore_missing: true
-- rename:
- field: fortinet.firewall.service
- target_field: network.protocol
- ignore_missing: true
-- lowercase:
- field: network.protocol
- ignore_missing: true
-- rename:
- field: fortinet.firewall.url
- target_field: url.path
- ignore_missing: true
-- remove:
- field:
- - fortinet.firewall.dstport
- - fortinet.firewall.tranport
- - fortinet.firewall.rcvdbyte
- - fortinet.firewall.rcvdpkt
- - fortinet.firewall.sentbyte
- - fortinet.firewall.srcport
- - fortinet.firewall.sentpkt
- - fortinet.firewall.transport
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/utm.yml b/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/utm.yml
deleted file mode 100755
index 02e7f1fa83..0000000000
--- a/packages/fortinet/1.6.2/data_stream/firewall/elasticsearch/ingest_pipeline/utm.yml
+++ /dev/null
@@ -1,380 +0,0 @@
----
-description: Pipeline for parsing fortinet firewall logs (utm pipeline)
-processors:
- - set:
- field: event.kind
- value: event
- - append:
- field: event.type
- value: denied
- if: "['block', 'blocked'].contains(ctx.fortinet?.firewall?.action)"
- - append:
- field: event.type
- value: info
- if: "ctx.fortinet?.firewall?.subtype == 'dns'"
- - append:
- field: event.type
- value: allowed
- if: "['pass', 'passthrough'].contains(ctx.fortinet?.firewall?.action)"
- - set:
- field: event.outcome
- value: success
- if: "ctx.fortinet?.firewall?.action != null"
- - append:
- field: event.category
- value: network
- - rename:
- field: fortinet.firewall.dstip
- target_field: destination.ip
- ignore_missing: true
- - rename:
- field: fortinet.firewall.remip
- target_field: destination.ip
- ignore_missing: true
- if: "ctx.destination?.ip == null"
- - convert:
- field: fortinet.firewall.dst_port
- target_field: destination.port
- type: long
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: fortinet.firewall.remport
- target_field: destination.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.destination?.port == null"
- - convert:
- field: fortinet.firewall.dstport
- target_field: destination.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.destination?.port == null"
- - convert:
- field: fortinet.firewall.rcvdbyte
- target_field: destination.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: fortinet.firewall.recipient
- target_field: email.to.address
- ignore_missing: true
- - append:
- field: email.to.address
- value: "{{fortinet.firewall.recipient}}"
- if: "ctx?.fortinet?.firewall?.recipient != null"
- - rename:
- field: fortinet.firewall.group
- target_field: source.user.group.name
- ignore_missing: true
- - rename:
- field: fortinet.firewall.locip
- target_field: source.ip
- ignore_missing: true
- - convert:
- field: fortinet.firewall.locport
- target_field: source.port
- type: long
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: fortinet.firewall.src_port
- target_field: source.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.source?.port == null"
- - convert:
- field: fortinet.firewall.srcport
- target_field: source.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.source?.port == null"
- - convert:
- field: fortinet.firewall.sentbyte
- target_field: source.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: fortinet.firewall.srcdomain
- target_field: source.domain
- ignore_missing: true
- - rename:
- field: fortinet.firewall.srcip
- target_field: source.ip
- ignore_missing: true
- if: "ctx.source?.ip == null"
- - rename:
- field: fortinet.firewall.srcmac
- target_field: source.mac
- ignore_missing: true
- - rename:
- field: fortinet.firewall.unauthuser
- target_field: source.user.name
- ignore_missing: true
- - rename:
- field: fortinet.firewall.user
- target_field: source.user.name
- ignore_missing: true
- if: "ctx.source?.user?.name == null"
- - append:
- field: email.sender.address
- value: "{{fortinet.firewall.sender}}"
- if: "ctx?.fortinet?.firewall?.sender != null"
- - append:
- field: email.from.address
- value: "{{fortinet.firewall.from}}"
- if: "ctx?.fortinet?.firewall?.from != null"
- - rename:
- field: fortinet.firewall.from
- target_field: email.from.address
- ignore_missing: true
- - rename:
- field: fortinet.firewall.agent
- target_field: user_agent.original
- ignore_missing: true
- - rename:
- field: fortinet.firewall.app
- target_field: network.application
- ignore_missing: true
- - rename:
- field: fortinet.firewall.appcat
- target_field: rule.category
- ignore_missing: true
- - rename:
- field: fortinet.firewall.applist
- target_field: rule.ruleset
- ignore_missing: true
- - rename:
- field: fortinet.firewall.catdesc
- target_field: rule.category
- ignore_missing: true
- if: "ctx.rule?.category == null"
- - gsub:
- field: rule.category
- pattern: "\\."
- replacement: "-"
- ignore_missing: true
- if: "ctx.rule?.category != null"
- - rename:
- field: fortinet.firewall.dir
- target_field: network.direction
- ignore_missing: true
- if: "ctx.network?.direction == null"
- - rename:
- field: fortinet.firewall.direction
- target_field: network.direction
- ignore_missing: true
- if: "ctx.network?.direction == null"
- # Normalize the network direction
- - script:
- lang: painless
- ignore_failure: true
- params:
- outgoing: outbound
- incoming: inbound
- source: >-
- if (ctx.network?.direction == null) {
- return;
- }
- def k = ctx.network?.direction.toLowerCase();
- def normalized = params.get(k);
- if (normalized != null) {
- ctx.network.direction = normalized;
- return
- }
- ctx.network.direction = k;
- - rename:
- field: fortinet.firewall.error
- target_field: event.message
- ignore_missing: true
- - rename:
- field: fortinet.firewall.errorcode
- target_field: event.code
- ignore_missing: true
- - rename:
- field: fortinet.firewall.event_id
- target_field: event.id
- ignore_missing: true
- - rename:
- field: fortinet.firewall.eventid
- target_field: event.id
- ignore_missing: true
- if: "ctx.event?.id == null"
- - rename:
- field: fortinet.firewall.eventtype
- target_field: event.action
- ignore_missing: true
- - rename:
- field: fortinet.firewall.filename
- target_field: file.name
- ignore_missing: true
- - convert:
- field: fortinet.firewall.filesize
- target_field: file.size
- type: long
- ignore_failure: true
- ignore_missing: true
- - rename:
- field: fortinet.firewall.filetype
- target_field: file.extension
- ignore_missing: true
- - rename:
- field: fortinet.firewall.infectedfilename
- target_field: file.name
- ignore_missing: true
- if: "ctx.file?.name == null"
- - rename:
- field: fortinet.firewall.infectedfilesize
- target_field: file.size
- ignore_missing: true
- if: "ctx.file?.size == null"
- - rename:
- field: fortinet.firewall.infectedfiletype
- target_field: file.extension
- ignore_missing: true
- if: "ctx.file?.extension == null"
- - rename:
- field: fortinet.firewall.matchedfilename
- target_field: file.name
- ignore_missing: true
- if: "ctx.file?.name == null"
- - rename:
- field: fortinet.firewall.matchedfiletype
- target_field: file.extension
- ignore_missing: true
- if: "ctx.file?.extension == null"
- - rename:
- field: fortinet.firewall.hostname
- target_field: url.domain
- ignore_missing: true
- - rename:
- field: fortinet.firewall.ipaddr
- target_field: dns.resolved_ip
- ignore_missing: true
- - split:
- field: dns.resolved_ip
- separator: ", "
- ignore_missing: true
- - rename:
- field: fortinet.firewall.level
- target_field: log.level
- ignore_missing: true
- - rename:
- field: fortinet.firewall.logid
- target_field: event.code
- ignore_missing: true
- if: "ctx.event?.code == null"
- - rename:
- field: fortinet.firewall.msg
- target_field: message
- ignore_missing: true
- - rename:
- field: fortinet.firewall.policy_id
- target_field: rule.id
- ignore_missing: true
- if: "ctx.rule?.id == null"
- - rename:
- field: fortinet.firewall.policyid
- target_field: rule.id
- ignore_missing: true
- if: "ctx.rule?.id == null"
- - rename:
- field: fortinet.firewall.profile
- target_field: rule.ruleset
- ignore_missing: true
- if: "ctx.rule?.ruleset == null"
- - rename:
- field: fortinet.firewall.proto
- target_field: network.iana_number
- ignore_missing: true
- - rename:
- field: fortinet.firewall.qclass
- target_field: dns.question.class
- ignore_missing: true
- - rename:
- field: fortinet.firewall.qname
- target_field: dns.question.name
- ignore_missing: true
- - rename:
- field: fortinet.firewall.qtype
- target_field: dns.question.type
- ignore_missing: true
- - rename:
- field: fortinet.firewall.service
- target_field: network.protocol
- ignore_missing: true
- - lowercase:
- field: network.protocol
- ignore_missing: true
- - rename:
- field: fortinet.firewall.url
- target_field: url.path
- ignore_missing: true
- - rename:
- field: fortinet.firewall.xid
- target_field: dns.id
- ignore_missing: true
- - rename:
- field: fortinet.firewall.scertcname
- target_field: tls.server.x509.subject.common_name
- ignore_missing: true
- - rename:
- field: fortinet.firewall.scertissuer
- target_field: tls.server.issuer
- ignore_missing: true
- - set:
- field: tls.server.x509.issuer.common_name
- value: "{{tls.server.issuer}}"
- ignore_empty_value: true
- - rename:
- field: fortinet.firewall.ccertissuer
- target_field: tls.client.issuer
- ignore_missing: true
- - set:
- field: tls.client.x509.issuer.common_name
- value: "{{tls.client.issuer}}"
- ignore_empty_value: true
- - rename:
- field: fortinet.firewall.sender
- target_field: tls.server.issuer
- ignore_missing: true
- - rename:
- field: fortinet.firewall.dtype
- target_field: vulnerability.category
- ignore_missing: true
- - rename:
- field: fortinet.firewall.ref
- target_field: event.reference
- ignore_missing: true
- - rename:
- field: fortinet.firewall.filehash
- target_field: fortinet.file.hash.crc32
- ignore_missing: true
- - append:
- field: related.hash
- value: "{{fortinet.file.hash.crc32}}"
- if: "ctx.fortinet?.file?.hash?.crc32 != null"
- - remove:
- field:
- - fortinet.firewall.dst_port
- - fortinet.firewall.remport
- - fortinet.firewall.dstport
- - fortinet.firewall.rcvdbyte
- - fortinet.firewall.locport
- - fortinet.firewall.src_port
- - fortinet.firewall.srcport
- - fortinet.firewall.sentbyte
- - fortinet.firewall.filesize
- - fortinet.firewall.dir
- - fortinet.firewall.direction
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet/1.6.2/data_stream/firewall/fields/agent.yml b/packages/fortinet/1.6.2/data_stream/firewall/fields/agent.yml
deleted file mode 100755
index f6127c3e22..0000000000
--- a/packages/fortinet/1.6.2/data_stream/firewall/fields/agent.yml
+++ /dev/null
@@ -1,183 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. 
diff --git a/packages/fortinet/1.6.2/data_stream/firewall/fields/base-fields.yml b/packages/fortinet/1.6.2/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 40a2535111..0000000000
--- a/packages/fortinet/1.6.2/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: fortinet
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: fortinet.firewall
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/fortinet/1.6.2/data_stream/firewall/fields/beats.yml b/packages/fortinet/1.6.2/data_stream/firewall/fields/beats.yml
deleted file mode 100755
index 05a6db4740..0000000000
--- a/packages/fortinet/1.6.2/data_stream/firewall/fields/beats.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: Path to the log file.
- name: log.file.path
- type: keyword
-- description: Log message optimized for viewing in a log viewer.
- name: event.message
- type: text
diff --git a/packages/fortinet/1.6.2/data_stream/firewall/fields/ecs.yml b/packages/fortinet/1.6.2/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 125795c4d6..0000000000
--- a/packages/fortinet/1.6.2/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,443 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: User email address. - name: destination.user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. 
Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of CC recipient - name: email.cc.address - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - type: keyword -- description: Per RFC 5322, specifies the address responsible for the actual transmission of the message. - name: email.sender.address - type: keyword -- description: The email address of recipient - name: email.to.address - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. 
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Name of the module this data is coming from. 
- If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - name: event.module - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reference URL linking to additional information about this event. - This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.reference - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
- name: event.timezone
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Total packets transferred in both directions. 
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.egress.interface.name
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.ingress.interface.name
- type: keyword
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: Observer serial number.
- name: observer.serial_number
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: A categorization value keyword used by the entity using the rule for detection of this event.
- name: rule.category
- type: keyword
-- description: The description of the rule generating the event.
- name: rule.description
- type: keyword
-- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
- name: rule.id
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
- name: rule.ruleset
- type: keyword
-- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
- name: rule.uuid
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- type: keyword
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Packets sent from the source to the destination.
- name: source.packets
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: User email address.
- name: source.user.email
- type: keyword
-- description: Name of the group.
- name: source.user.group.name
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
- name: tls.client.issuer
- type: keyword
-- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
- name: tls.client.server_name
- type: keyword
-- description: List of common name (CN) of issuing certificate authority.
- name: tls.client.x509.issuer.common_name
- type: keyword
-- description: Subject of the issuer of the x.509 certificate presented by the server.
- name: tls.server.issuer
- type: keyword
-- description: List of common name (CN) of issuing certificate authority.
- name: tls.server.x509.issuer.common_name
- type: keyword
-- description: List of common names (CN) of subject.
- name: tls.server.x509.subject.common_name
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: |-
- The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall).
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) - This field must be an array. - name: vulnerability.category - type: keyword diff --git a/packages/fortinet/1.6.2/data_stream/firewall/fields/fields.yml b/packages/fortinet/1.6.2/data_stream/firewall/fields/fields.yml deleted file mode 100755 index d7fa9c281c..0000000000 --- a/packages/fortinet/1.6.2/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,1727 +0,0 @@ -- name: fortinet - type: group - fields: - - name: file.hash.crc32 - type: keyword - description: | - CRC32 Hash of file - - name: firewall - type: group - release: beta - fields: - - name: acct_stat - type: keyword - description: | - Accounting state (RADIUS) - - name: acktime - type: keyword - description: | - Alarm Acknowledge Time - - name: act - type: keyword - description: | - Action - - name: action - type: keyword - description: | - Status of the session - - name: activity - type: keyword - description: | - HA activity message - - name: addr - type: ip - description: | - IP Address - - name: addr_type - type: keyword - description: | - Address Type - - name: addrgrp - type: keyword - description: | - Address Group - - name: adgroup - type: keyword - description: | - AD Group Name - - name: admin - type: keyword - description: | - Admin User - - name: age - type: integer - description: | - Time in seconds - time passed since last seen - - name: agent - type: keyword - description: | - User agent - eg. 
agent="Mozilla/5.0"
- - name: alarmid
- type: integer
- description: |
- Alarm ID
- - name: alert
- type: keyword
- description: |
- Alert
- - name: analyticscksum
- type: keyword
- description: |
- The checksum of the file submitted for analytics
- - name: analyticssubmit
- type: keyword
- description: |
- The flag for analytics submission
- - name: ap
- type: keyword
- description: |
- Access Point
- - name: app-type
- type: keyword
- description: |
- Address Type
- - name: appact
- type: keyword
- description: |
- The security action from app control
- - name: appid
- type: integer
- description: |
- Application ID
- - name: applist
- type: keyword
- description: |
- Application Control profile
- - name: apprisk
- type: keyword
- description: |
- Application Risk Level
- - name: apscan
- type: keyword
- description: |
- The name of the AP, which scanned and detected the rogue AP
- - name: apsn
- type: keyword
- description: |
- Access Point
- - name: apstatus
- type: keyword
- description: |
- Access Point status
- - name: aptype
- type: keyword
- description: |
- Access Point type
- - name: assigned
- type: ip
- description: |
- Assigned IP Address
- - name: assignip
- type: ip
- description: |
- Assigned IP Address
- - name: attachment
- type: keyword
- description: |
- The flag for email attachement
- - name: attack
- type: keyword
- description: |
- Attack Name
- - name: attackcontext
- type: keyword
- description: |
- The trigger patterns and the packetdata with base64 encoding
- - name: attackcontextid
- type: keyword
- description: |
- Attack context id / total
- - name: attackid
- type: integer
- description: |
- Attack ID
- - name: auditid
- type: long
- description: |
- Audit ID
- - name: auditscore
- type: keyword
- description: |
- The Audit Score
- - name: audittime
- type: long
- description: |
- The time of the audit
- - name: authgrp
- type: keyword
- description: |
- Authorization Group
- - name: authid
- type: keyword
- description: |
- 
Authentication ID
- - name: authproto
- type: keyword
- description: |
- The protocol that initiated the authentication
- - name: authserver
- type: keyword
- description: |
- Authentication server
- - name: bandwidth
- type: keyword
- description: |
- Bandwidth
- - name: banned_rule
- type: keyword
- description: |
- NAC quarantine Banned Rule Name
- - name: banned_src
- type: keyword
- description: |
- NAC quarantine Banned Source IP
- - name: banword
- type: keyword
- description: |
- Banned word
- - name: botnetdomain
- type: keyword
- description: |
- Botnet Domain Name
- - name: botnetip
- type: ip
- description: |
- Botnet IP Address
- - name: bssid
- type: keyword
- description: |
- Service Set ID
- - name: call_id
- type: keyword
- description: |
- Caller ID
- - name: carrier_ep
- type: keyword
- description: |
- The FortiOS Carrier end-point identification
- - name: cat
- type: integer
- description: |
- DNS category ID
- - name: category
- type: keyword
- description: |
- Authentication category
- - name: cc
- type: keyword
- description: |
- CC Email Address
- - name: cdrcontent
- type: keyword
- description: |
- Cdrcontent
- - name: centralnatid
- type: integer
- description: |
- Central NAT ID
- - name: cert
- type: keyword
- description: |
- Certificate
- - name: cert-type
- type: keyword
- description: |
- Certificate type
- - name: certhash
- type: keyword
- description: |
- Certificate hash
- - name: cfgattr
- type: keyword
- description: |
- Configuration attribute
- - name: cfgobj
- type: keyword
- description: |
- Configuration object
- - name: cfgpath
- type: keyword
- description: |
- Configuration path
- - name: cfgtid
- type: keyword
- description: |
- Configuration transaction ID
- - name: cfgtxpower
- type: integer
- description: |
- Configuration TX power
- - name: channel
- type: integer
- description: |
- Wireless Channel
- - name: channeltype
- type: keyword
- description: |
- SSH channel type
- - name: chassisid
- type: integer
- 
description: |
- Chassis ID
- - name: checksum
- type: keyword
- description: |
- The checksum of the scanned file
- - name: chgheaders
- type: keyword
- description: |
- HTTP Headers
- - name: cldobjid
- type: keyword
- description: |
- Connector object ID
- - name: client_addr
- type: keyword
- description: |
- Wifi client address
- - name: cloudaction
- type: keyword
- description: |
- Cloud Action
- - name: clouduser
- type: keyword
- description: |
- Cloud User
- - name: column
- type: integer
- description: |
- VOIP Column
- - name: command
- type: keyword
- description: |
- CLI Command
- - name: community
- type: keyword
- description: |
- SNMP Community
- - name: configcountry
- type: keyword
- description: |
- Configuration country
- - name: connection_type
- type: keyword
- description: |
- FortiClient Connection Type
- - name: conserve
- type: keyword
- description: |
- Flag for conserve mode
- - name: constraint
- type: keyword
- description: |
- WAF http protocol restrictions
- - name: contentdisarmed
- type: keyword
- description: |
- Email scanned content
- - name: contenttype
- type: keyword
- description: |
- Content Type from HTTP header
- - name: cookies
- type: keyword
- description: |
- VPN Cookie
- - name: count
- type: integer
- description: |
- Counts of action type
- - name: countapp
- type: integer
- description: |
- Number of App Ctrl logs associated with the session
- - name: countav
- type: integer
- description: |
- Number of AV logs associated with the session
- - name: countcifs
- type: integer
- description: |
- Number of CIFS logs associated with the session
- - name: countdlp
- type: integer
- description: |
- Number of DLP logs associated with the session
- - name: countdns
- type: integer
- description: |
- Number of DNS logs associated with the session
- - name: countemail
- type: integer
- description: |
- Number of email logs associated with the session
- - name: countff
- type: integer
- description: |
- Number of ff logs
associated with the session - - name: countips - type: integer - description: | - Number of IPS logs associated with the session - - name: countssh - type: integer - description: | - Number of SSH logs associated with the session - - name: countssl - type: integer - description: | - Number of SSL logs associated with the session - - name: countwaf - type: integer - description: | - Number of WAF logs associated with the session - - name: countweb - type: integer - description: | - Number of Web filter logs associated with the session - - name: cpu - type: integer - description: | - CPU Usage - - name: craction - type: integer - description: | - Client Reputation Action - - name: criticalcount - type: integer - description: | - Number of critical ratings - - name: crl - type: keyword - description: | - Client Reputation Level - - name: crlevel - type: keyword - description: | - Client Reputation Level - - name: crscore - type: integer - description: | - Some description - - name: cveid - type: keyword - description: | - CVE ID - - name: daemon - type: keyword - description: | - Daemon name - - name: datarange - type: keyword - description: | - Data range for reports - - name: date - type: keyword - description: | - Date - - name: ddnsserver - type: ip - description: | - DDNS server - - name: desc - type: keyword - description: | - Description - - name: detectionmethod - type: keyword - description: | - Detection method - - name: devcategory - type: keyword - description: | - Device category - - name: devintfname - type: keyword - description: | - HA device Interface Name - - name: devtype - type: keyword - description: | - Device type - - name: dhcp_msg - type: keyword - description: | - DHCP Message - - name: dintf - type: keyword - description: | - Destination interface - - name: disk - type: keyword - description: | - Assosciated disk - - name: disklograte - type: long - description: | - Disk logging rate - - name: dlpextra - type: keyword - description: | - DLP 
extra information - - name: docsource - type: keyword - description: | - DLP fingerprint document source - - name: domainctrlauthstate - type: integer - description: | - CIFS domain auth state - - name: domainctrlauthtype - type: integer - description: | - CIFS domain auth type - - name: domainctrldomain - type: keyword - description: | - CIFS domain auth domain - - name: domainctrlip - type: ip - description: | - CIFS Domain IP - - name: domainctrlname - type: keyword - description: | - CIFS Domain name - - name: domainctrlprotocoltype - type: integer - description: | - CIFS Domain connection protocol - - name: domainctrlusername - type: keyword - description: | - CIFS Domain username - - name: domainfilteridx - type: integer - description: | - Domain filter ID - - name: domainfilterlist - type: keyword - description: | - Domain filter name - - name: ds - type: keyword - description: | - Direction with distribution system - - name: dst_int - type: keyword - description: | - Destination interface - - name: dstintfrole - type: keyword - description: | - Destination interface role - - name: dstcountry - type: keyword - description: | - Destination country - - name: dstdevcategory - type: keyword - description: | - Destination device category - - name: dstdevtype - type: keyword - description: | - Destination device type - - name: dstfamily - type: keyword - description: | - Destination OS family - - name: dsthwvendor - type: keyword - description: | - Destination HW vendor - - name: dsthwversion - type: keyword - description: | - Destination HW version - - name: dstinetsvc - type: keyword - description: | - Destination interface service - - name: dstosname - type: keyword - description: | - Destination OS name - - name: dstosversion - type: keyword - description: | - Destination OS version - - name: dstserver - type: integer - description: | - Destination server - - name: dstssid - type: keyword - description: | - Destination SSID - - name: dstswversion - type: 
keyword - description: | - Destination software version - - name: dstunauthusersource - type: keyword - description: | - Destination unauthenticated source - - name: dstuuid - type: keyword - description: | - UUID of the Destination IP address - - name: duid - type: keyword - description: | - DHCP UID - - name: eapolcnt - type: integer - description: | - EAPOL packet count - - name: eapoltype - type: keyword - description: | - EAPOL packet type - - name: encrypt - type: integer - description: | - Whether the packet is encrypted or not - - name: encryption - type: keyword - description: | - Encryption method - - name: epoch - type: integer - description: | - Epoch used for locating file - - name: espauth - type: keyword - description: | - ESP Authentication - - name: esptransform - type: keyword - description: | - ESP Transform - - name: exch - type: keyword - description: | - Mail Exchanges from DNS response answer section - - name: exchange - type: keyword - description: | - Mail Exchanges from DNS response answer section - - name: expectedsignature - type: keyword - description: | - Expected SSL signature - - name: expiry - type: keyword - description: | - FortiGuard override expiry timestamp - - name: fams_pause - type: integer - description: | - Fortinet Analysis and Management Service Pause - - name: fazlograte - type: long - description: | - FortiAnalyzer Logging Rate - - name: fctemssn - type: keyword - description: | - FortiClient Endpoint SSN - - name: fctuid - type: keyword - description: | - FortiClient UID - - name: field - type: keyword - description: | - NTP status field - - name: filefilter - type: keyword - description: | - The filter used to identify the affected file - - name: filehashsrc - type: keyword - description: | - Filehash source - - name: filtercat - type: keyword - description: | - DLP filter category - - name: filteridx - type: integer - description: | - DLP filter ID - - name: filtername - type: keyword - description: | - DLP rule 
name - - name: filtertype - type: keyword - description: | - DLP filter type - - name: fortiguardresp - type: keyword - description: | - Antispam ESP value - - name: forwardedfor - type: keyword - description: | - Email address forwarded - - name: fqdn - type: keyword - description: | - FQDN - - name: frametype - type: keyword - description: | - Wireless frametype - - name: freediskstorage - type: integer - description: | - Free disk integer - - name: from - type: keyword - description: | - From email address - - name: from_vcluster - type: integer - description: | - Source virtual cluster number - - name: fsaverdict - type: keyword - description: | - FSA verdict - - name: fwserver_name - type: keyword - description: | - Web proxy server name - - name: gateway - type: ip - description: | - Gateway ip address for PPPoE status report - - name: green - type: keyword - description: | - Memory status - - name: groupid - type: integer - description: | - User Group ID - - name: ha-prio - type: integer - description: | - HA Priority - - name: ha_group - type: keyword - description: | - HA Group - - name: ha_role - type: keyword - description: | - HA Role - - name: handshake - type: keyword - description: | - SSL Handshake - - name: hash - type: keyword - description: | - Hash value of downloaded file - - name: hbdn_reason - type: keyword - description: | - Heartbeat down reason - - name: highcount - type: integer - description: | - Highcount fabric summary - - name: host - type: keyword - description: | - Hostname - - name: iaid - type: keyword - description: | - DHCPv6 id - - name: icmpcode - type: keyword - description: | - Destination Port of the ICMP message - - name: icmpid - type: keyword - description: | - Source port of the ICMP message - - name: icmptype - type: keyword - description: | - The type of ICMP message - - name: identifier - type: integer - description: | - Network traffic identifier - - name: in_spi - type: keyword - description: | - IPSEC inbound SPI 
- - name: incidentserialno - type: integer - description: | - Incident serial number - - name: infected - type: integer - description: | - Infected MMS - - name: infectedfilelevel - type: integer - description: | - DLP infected file level - - name: informationsource - type: keyword - description: | - Information source - - name: init - type: keyword - description: | - IPSEC init stage - - name: initiator - type: keyword - description: | - Original login user name for Fortiguard override - - name: interface - type: keyword - description: | - Related interface - - name: intf - type: keyword - description: | - Related interface - - name: invalidmac - type: keyword - description: | - The MAC address with invalid OUI - - name: ip - type: ip - description: | - Related IP - - name: iptype - type: keyword - description: | - Related IP type - - name: keyword - type: keyword - description: | - Keyword used for search - - name: kind - type: keyword - description: | - VOIP kind - - name: lanin - type: long - description: | - LAN incoming traffic in bytes - - name: lanout - type: long - description: | - LAN outbound traffic in bytes - - name: lease - type: integer - description: | - DHCP lease - - name: license_limit - type: keyword - description: | - Maximum Number of FortiClients for the License - - name: limit - type: integer - description: | - Virtual Domain Resource Limit - - name: line - type: keyword - description: | - VOIP line - - name: live - type: integer - description: | - Time in seconds - - name: local - type: ip - description: | - Local IP for a PPPD Connection - - name: log - type: keyword - description: | - Log message - - name: login - type: keyword - description: | - SSH login - - name: lowcount - type: integer - description: | - Fabric lowcount - - name: mac - type: keyword - description: | - DHCP mac address - - name: malform_data - type: integer - description: | - VOIP malformed data - - name: malform_desc - type: keyword - description: | - VOIP malformed 
data description - - name: manuf - type: keyword - description: | - Manufacturer name - - name: masterdstmac - type: keyword - description: | - Master mac address for a host with multiple network interfaces - - name: mastersrcmac - type: keyword - description: | - The master MAC address for a host that has multiple network interfaces - - name: mediumcount - type: integer - description: | - Fabric medium count - - name: mem - type: integer - description: | - Memory usage system statistics - - name: meshmode - type: keyword - description: | - Wireless mesh mode - - name: message_type - type: keyword - description: | - VOIP message type - - name: method - type: keyword - description: | - HTTP method - - name: mgmtcnt - type: integer - description: | - The number of unauthorized client flooding managemet frames - - name: mode - type: keyword - description: | - IPSEC mode - - name: module - type: keyword - description: | - PCI-DSS module - - name: monitor-name - type: keyword - description: | - Health Monitor Name - - name: monitor-type - type: keyword - description: | - Health Monitor Type - - name: mpsk - type: keyword - description: | - Wireless MPSK - - name: msgproto - type: keyword - description: | - Message Protocol Number - - name: mtu - type: integer - description: | - Max Transmission Unit Value - - name: name - type: keyword - description: | - Name - - name: nat - type: keyword - description: | - NAT IP Address - - name: netid - type: keyword - description: | - Connector NetID - - name: new_status - type: keyword - description: | - New status on user change - - name: new_value - type: keyword - description: | - New Virtual Domain Name - - name: newchannel - type: integer - description: | - New Channel Number - - name: newchassisid - type: integer - description: | - New Chassis ID - - name: newslot - type: integer - description: | - New Slot Number - - name: nextstat - type: integer - description: | - Time interval in seconds for the next statistics. 
- - name: nf_type - type: keyword - description: | - Notification Type - - name: noise - type: integer - description: | - Wifi Noise - - name: old_status - type: keyword - description: | - Original Status - - name: old_value - type: keyword - description: | - Original Virtual Domain name - - name: oldchannel - type: integer - description: | - Original channel - - name: oldchassisid - type: integer - description: | - Original Chassis Number - - name: oldslot - type: integer - description: | - Original Slot Number - - name: oldsn - type: keyword - description: | - Old Serial number - - name: oldwprof - type: keyword - description: | - Old Web Filter Profile - - name: onwire - type: keyword - description: | - A flag to indicate if the AP is onwire or not - - name: opercountry - type: keyword - description: | - Operating Country - - name: opertxpower - type: integer - description: | - Operating TX power - - name: osname - type: keyword - description: | - Operating System name - - name: osversion - type: keyword - description: | - Operating System version - - name: out_spi - type: keyword - description: | - Out SPI - - name: outintf - type: keyword - description: | - Out interface - - name: passedcount - type: integer - description: | - Fabric passed count - - name: passwd - type: keyword - description: | - Changed user password information - - name: path - type: keyword - description: | - Path of looped configuration for security fabric - - name: peer - type: keyword - description: | - WAN optimization peer - - name: peer_notif - type: keyword - description: | - VPN peer notification - - name: phase2_name - type: keyword - description: | - VPN phase2 name - - name: phone - type: keyword - description: | - VOIP Phone - - name: pid - type: integer - description: | - Process ID - - name: policytype - type: keyword - description: | - Policy Type - - name: poolname - type: keyword - description: | - IP Pool name - - name: port - type: integer - description: | - Log upload 
error port - - name: portbegin - type: integer - description: | - IP Pool port number to begin - - name: portend - type: integer - description: | - IP Pool port number to end - - name: probeproto - type: keyword - description: | - Link Monitor Probe Protocol - - name: process - type: keyword - description: | - URL Filter process - - name: processtime - type: integer - description: | - Process time for reports - - name: profile - type: keyword - description: | - Profile Name - - name: profile_vd - type: keyword - description: | - Virtual Domain Name - - name: profilegroup - type: keyword - description: | - Profile Group Name - - name: profiletype - type: keyword - description: | - Profile Type - - name: qtypeval - type: integer - description: | - DNS question type value - - name: quarskip - type: keyword - description: | - Quarantine skip explanation - - name: quotaexceeded - type: keyword - description: | - If quota has been exceeded - - name: quotamax - type: long - description: | - Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - - name: quotatype - type: keyword - description: | - Quota type - - name: quotaused - type: long - description: | - Quota used - in seconds if time-based - in bytes if trafficbased) - - name: radioband - type: keyword - description: | - Radio band - - name: radioid - type: integer - description: | - Radio ID - - name: radioidclosest - type: integer - description: | - Radio ID on the AP closest the rogue AP - - name: radioiddetected - type: integer - description: | - Radio ID on the AP which detected the rogue AP - - name: rate - type: keyword - description: | - Wireless rogue rate value - - name: rawdata - type: keyword - description: | - Raw data value - - name: rawdataid - type: keyword - description: | - Raw data ID - - name: rcvddelta - type: keyword - description: | - Received bytes delta - - name: reason - type: keyword - description: | - Alert reason - - name: received - type: integer - description: | 
- Server key exchange received - - name: receivedsignature - type: keyword - description: | - Server key exchange received signature - - name: red - type: keyword - description: | - Memory information in red - - name: referralurl - type: keyword - description: | - Web filter referralurl - - name: remote - type: ip - description: | - Remote PPP IP address - - name: remotewtptime - type: keyword - description: | - Remote Wifi Radius authentication time - - name: reporttype - type: keyword - description: | - Report type - - name: reqtype - type: keyword - description: | - Request type - - name: request_name - type: keyword - description: | - VOIP request name - - name: result - type: keyword - description: | - VPN phase result - - name: role - type: keyword - description: | - VPN Phase 2 role - - name: rssi - type: integer - description: | - Received signal strength indicator - - name: rsso_key - type: keyword - description: | - RADIUS SSO attribute value - - name: ruledata - type: keyword - description: | - Rule data - - name: ruletype - type: keyword - description: | - Rule type - - name: scanned - type: integer - description: | - Number of Scanned MMSs - - name: scantime - type: long - description: | - Scanned time - - name: scope - type: keyword - description: | - FortiGuard Override Scope - - name: security - type: keyword - description: | - Wireless rogue security - - name: sensitivity - type: keyword - description: | - Sensitivity for document fingerprint - - name: sensor - type: keyword - description: | - NAC Sensor Name - - name: sentdelta - type: keyword - description: | - Sent bytes delta - - name: seq - type: keyword - description: | - Sequence number - - name: serial - type: keyword - description: | - WAN optimisation serial - - name: serialno - type: keyword - description: | - Serial number - - name: server - type: keyword - description: | - AD server FQDN or IP - - name: session_id - type: keyword - description: | - Session ID - - name: sessionid - 
type: integer - description: | - WAD Session ID - - name: setuprate - type: long - description: | - Session Setup Rate - - name: severity - type: keyword - description: | - Severity - - name: shaperdroprcvdbyte - type: integer - description: | - Received bytes dropped by shaper - - name: shaperdropsentbyte - type: integer - description: | - Sent bytes dropped by shaper - - name: shaperperipdropbyte - type: integer - description: | - Dropped bytes per IP by shaper - - name: shaperperipname - type: keyword - description: | - Traffic shaper name (per IP) - - name: shaperrcvdname - type: keyword - description: | - Traffic shaper name for received traffic - - name: shapersentname - type: keyword - description: | - Traffic shaper name for sent traffic - - name: shapingpolicyid - type: integer - description: | - Traffic shaper policy ID - - name: signal - type: integer - description: | - Wireless rogue API signal - - name: size - type: long - description: | - Email size in bytes - - name: slot - type: integer - description: | - Slot number - - name: sn - type: keyword - description: | - Security fabric serial number - - name: snclosest - type: keyword - description: | - SN of the AP closest to the rogue AP - - name: sndetected - type: keyword - description: | - SN of the AP which detected the rogue AP - - name: snmeshparent - type: keyword - description: | - SN of the mesh parent - - name: spi - type: keyword - description: | - IPSEC SPI - - name: src_int - type: keyword - description: | - Source interface - - name: srcintfrole - type: keyword - description: | - Source interface role - - name: srccountry - type: keyword - description: | - Source country - - name: srcfamily - type: keyword - description: | - Source family - - name: srchwvendor - type: keyword - description: | - Source hardware vendor - - name: srchwversion - type: keyword - description: | - Source hardware version - - name: srcinetsvc - type: keyword - description: | - Source interface service - - name: 
srcname - type: keyword - description: | - Source name - - name: srcserver - type: integer - description: | - Source server - - name: srcssid - type: keyword - description: | - Source SSID - - name: srcswversion - type: keyword - description: | - Source software version - - name: srcuuid - type: keyword - description: | - Source UUID - - name: sscname - type: keyword - description: | - SSC name - - name: ssid - type: keyword - description: | - Base Service Set ID - - name: sslaction - type: keyword - description: | - SSL Action - - name: ssllocal - type: keyword - description: | - WAD SSL local - - name: sslremote - type: keyword - description: | - WAD SSL remote - - name: stacount - type: integer - description: | - Number of stations/clients - - name: stage - type: keyword - description: | - IPSEC stage - - name: stamac - type: keyword - description: | - 802.1x station mac - - name: state - type: keyword - description: | - Admin login state - - name: status - type: keyword - description: | - Status - - name: stitch - type: keyword - description: | - Automation stitch triggered - - name: subject - type: keyword - description: | - Email subject - - name: submodule - type: keyword - description: | - Configuration Sub-Module Name - - name: subservice - type: keyword - description: | - AV subservice - - name: subtype - type: keyword - description: | - Log subtype - - name: suspicious - type: integer - description: | - Number of Suspicious MMSs - - name: switchproto - type: keyword - description: | - Protocol change information - - name: sync_status - type: keyword - description: | - The sync status with the master - - name: sync_type - type: keyword - description: | - The sync type with the master - - name: sysuptime - type: keyword - description: | - System uptime - - name: tamac - type: keyword - description: | - the MAC address of Transmitter, if none, then Receiver - - name: threattype - type: keyword - description: | - WIDS threat type - - name: time - type: 
keyword - description: | - Time of the event - - name: to - type: keyword - description: | - Email to field - - name: to_vcluster - type: integer - description: | - destination virtual cluster number - - name: total - type: integer - description: | - Total memory - - name: totalsession - type: integer - description: | - Total Number of Sessions - - name: trace_id - type: keyword - description: | - Session clash trace ID - - name: trandisp - type: keyword - description: | - NAT translation type - - name: transid - type: integer - description: | - HTTP transaction ID - - name: translationid - type: keyword - description: | - DNS filter transaltion ID - - name: trigger - type: keyword - description: | - Automation stitch trigger - - name: trueclntip - type: ip - description: | - File filter true client IP - - name: tunnelid - type: integer - description: | - IPSEC tunnel ID - - name: tunnelip - type: ip - description: | - IPSEC tunnel IP - - name: tunneltype - type: keyword - description: | - IPSEC tunnel type - - name: type - type: keyword - description: | - Module type - - name: ui - type: keyword - description: | - Admin authentication UI type - - name: unauthusersource - type: keyword - description: | - Unauthenticated user source - - name: unit - type: integer - description: | - Power supply unit - - name: urlfilteridx - type: integer - description: | - URL filter ID - - name: urlfilterlist - type: keyword - description: | - URL filter list - - name: urlsource - type: keyword - description: | - URL filter source - - name: urltype - type: keyword - description: | - URL filter type - - name: used - type: integer - description: | - Number of Used IPs - - name: used_for_type - type: integer - description: | - Connection for the type - - name: utmaction - type: keyword - description: | - Security action performed by UTM - - name: vap - type: keyword - description: | - Virtual AP - - name: vapmode - type: keyword - description: | - Virtual AP mode - - name: vcluster - 
type: integer - description: | - virtual cluster id - - name: vcluster_member - type: integer - description: | - Virtual cluster member - - name: vcluster_state - type: keyword - description: | - Virtual cluster state - - name: vd - type: keyword - description: | - Virtual Domain Name - - name: vdname - type: keyword - description: | - Virtual Domain Name - - name: vendorurl - type: keyword - description: | - Vulnerability scan vendor name - - name: version - type: keyword - description: | - Version - - name: vip - type: keyword - description: | - Virtual IP - - name: virus - type: keyword - description: | - Virus name - - name: virusid - type: integer - description: | - Virus ID (unique virus identifier) - - name: voip_proto - type: keyword - description: | - VOIP protocol - - name: vpn - type: keyword - description: | - VPN description - - name: vpntunnel - type: keyword - description: | - IPsec Vpn Tunnel Name - - name: vpntype - type: keyword - description: | - The type of the VPN tunnel - - name: vrf - type: integer - description: | - VRF number - - name: vulncat - type: keyword - description: | - Vulnerability Category - - name: vulnid - type: integer - description: | - Vulnerability ID - - name: vulnname - type: keyword - description: | - Vulnerability name - - name: vwlid - type: integer - description: | - VWL ID - - name: vwlquality - type: keyword - description: | - VWL quality - - name: vwlservice - type: keyword - description: | - VWL service - - name: vwpvlanid - type: integer - description: | - VWP VLAN ID - - name: wanin - type: long - description: | - WAN incoming traffic in bytes - - name: wanoptapptype - type: keyword - description: | - WAN Optimization Application type - - name: wanout - type: long - description: | - WAN outgoing traffic in bytes - - name: weakwepiv - type: keyword - description: | - Weak Wep Initiation Vector - - name: xauthgroup - type: keyword - description: | - XAuth Group Name - - name: xauthuser - type: keyword - 
description: |
- XAuth User Name
- - name: xid
- type: integer
- description: |
- Wireless X ID
diff --git a/packages/fortinet/1.6.2/data_stream/firewall/manifest.yml b/packages/fortinet/1.6.2/data_stream/firewall/manifest.yml
deleted file mode 100755
index e7b1e8797e..0000000000
--- a/packages/fortinet/1.6.2/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,189 +0,0 @@
-type: logs
-title: Fortinet firewall logs
-streams:
- - input: tcp
- vars:
- - name: syslog_host
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9004
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-firewall
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
- - name: tcp_options
- type: yaml
- title: Custom TCP Options
- multi: false
- required: false
- show_user: false
- default: |
- #max_connections: 1
- #framing: delimitier
- #line_delimiter: "\n"
- description: Specify custom configuration options for the TCP input.
- template_path: tcp.yml.hbs
- title: Fortinet firewall logs (tcp)
- description: Collect Fortinet firewall logs using tcp input
- - input: udp
- vars:
- - name: syslog_host
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9004
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-firewall
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: udp.yml.hbs
- title: Fortinet firewall logs (udp)
- description: Collect Fortinet firewall logs using udp input
- - input: logfile
- enabled: false
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: false
- show_user: true
- default:
- - /var/log/fortinet-firewall.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-firewall
- - forwarded
- - name: internal_interfaces
- type: text
- title: Internal Interfaces
- multi: true
- required: false
- show_user: false
- - name: external_interfaces
- type: text
- title: External Interfaces
- multi: true
- required: false
- show_user: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: log.yml.hbs
- title: Fortinet firewall logs (log)
- description: Collect Fortinet firewall logs using log input
diff --git a/packages/fortinet/1.6.2/data_stream/firewall/sample_event.json b/packages/fortinet/1.6.2/data_stream/firewall/sample_event.json
deleted file mode 100755
index c783c2938f..0000000000
--- a/packages/fortinet/1.6.2/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,143 +0,0 @@
-{
- "@timestamp": "2019-05-15T18:03:36.000Z",
- "agent": {
- "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea",
- "hostname": "docker-fleet-agent",
- "id": "2164018d-05cd-45b4-979d-4032bdd775f6",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.14.0"
- },
- "data_stream": {
- "dataset": "fortinet.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 41690,
- "organization": {
- "name": "Dailymotion S.A."
- }
- },
- "geo": {
- "continent_name": "Europe",
- "country_iso_code": "FR",
- "country_name": "France",
- "location": {
- "lat": 48.8582,
- "lon": 2.3387
- }
- },
- "ip": "195.8.215.136",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4",
- "snapshot": true,
- "version": "7.14.0"
- },
- "event": {
- "action": "app-ctrl-all",
- "category": [
- "network"
- ],
- "code": "1059028704",
- "dataset": "fortinet.firewall",
- "ingested": "2021-06-03T12:38:44.458586716Z",
- "kind": "event",
- "module": "fortinet",
- "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n",
- "outcome": "success",
- "start": "2019-05-16T01:03:35.000Z",
- "type": [
- "allowed"
- ]
- },
- "fortinet": {
- "firewall": {
- "action": "pass",
- "appid": "40568",
- "apprisk":
"medium",
- "dstintfrole": "wan",
- "incidentserialno": "1962906680",
- "sessionid": "4414",
- "srcintfrole": "lan",
- "subtype": "app-ctrl",
- "type": "utm",
- "vd": "root"
- }
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "information",
- "source": {
- "address": "192.168.240.4:54617"
- }
- },
- "message": "Web.Client: HTTPS.BROWSER,",
- "network": {
- "application": "HTTPS.BROWSER",
- "direction": "outbound",
- "iana_number": "6",
- "transport": "tcp",
- "protocol": "https"
- },
- "observer": {
- "egress": {
- "interface": {
- "name": "port9"
- }
- },
- "ingress": {
- "interface": {
- "name": "port10"
- }
- },
- "product": "Fortigate",
- "type": "firewall",
- "vendor": "Fortinet"
- },
- "related": {
- "ip": [
- "10.1.100.22",
- "195.8.215.136"
- ]
- },
- "rule": {
- "category": "Web-Client",
- "id": "1",
- "ruleset": "block-social.media"
- },
- "source": {
- "ip": "10.1.100.22",
- "port": 50798
- },
- "tags": [
- "fortinet-firewall",
- "forwarded",
- "preserve_original_event"
- ],
- "tls": {
- "server": {
- "issuer": "DigiCert SHA2 High Assurance Server CA",
- "x509": {
- "issuer": {
- "common_name": "DigiCert SHA2 High Assurance Server CA"
- },
- "subject": {
- "common_name": "*.dailymotion.com"
- }
- }
- }
- },
- "url": {
- "domain": "www.dailymotion.com",
- "path": "/"
- }
-}
\ No newline at end of file
diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/log.yml.hbs b/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/log.yml.hbs
deleted file mode 100755
index ebfe27d7c1..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,4300 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiMail" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value);
- };
- }
-
- function set_field(opts) {
- return function (evt) {
- var val = opts.value(evt);
- if (val != null) evt.Put(opts.dest, val);
- };
- }
-
- function dump(label) {
- return function (evt) {
- console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
- };
- }
-
- function date_time_join_args(evt, arglist) {
- var str = "";
- for (var i = 0; i < arglist.length; i++) {
- var fname = FIELDS_PREFIX + arglist[i];
- var val = evt.Get(fname);
- if (val != null) {
- if (str !== "") str += " ";
- str += val;
- } else {
- if (debug) console.warn("in date_time: input arg " + fname + " is not set");
- }
- }
- return str;
- }
-
- function to2Digit(num) {
- return num? (num < 10? "0" + num : num) : "00";
- }
-
- // Make two-digit dates 00-69 interpreted as 2000-2069
- // and dates 70-99 translated to 1970-1999.
- var twoDigitYearEpoch = 70;
- var twoDigitYearCentury = 2000;
-
- // This is to accept dates up to 2 days in the future, only used when
- // no year is specified in a date. 2 days should be enough to account for
- // time differences between systems and different tz offsets.
- var maxFutureDelta = 2*24*60*60*1000;
-
- // DateContainer stores date fields and then converts those fields into
- // a Date. Necessary because building a Date using its set() methods gives
- // different results depending on the order of components.
- function DateContainer(tzOffset) {
- this.offset = tzOffset === undefined? "Z" : tzOffset;
- }
-
- DateContainer.prototype = {
- setYear: function(v) {this.year = v;},
- setMonth: function(v) {this.month = v;},
- setDay: function(v) {this.day = v;},
- setHours: function(v) {this.hours = v;},
- setMinutes: function(v) {this.minutes = v;},
- setSeconds: function(v) {this.seconds = v;},
-
- setUNIX: function(v) {this.unix = v;},
-
- set2DigitYear: function(v) {
- this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
- },
-
- toDate: function() {
- if (this.unix !== undefined) {
- return new Date(this.unix * 1000);
- }
- if (this.day === undefined || this.month === undefined) {
- // Can't make a date from this.
- return undefined;
- }
- if (this.year === undefined) {
- // A date without a year. Set current year, or previous year
- // if date would be in the future.
- var now = new Date();
- this.year = now.getFullYear();
- var date = this.toDate();
- if (date.getTime() - now.getTime() > maxFutureDelta) {
- date.setFullYear(now.getFullYear() - 1);
- }
- return date;
- }
- var MM = to2Digit(this.month);
- var DD = to2Digit(this.day);
- var hh = to2Digit(this.hours);
- var mm = to2Digit(this.minutes);
- var ss = to2Digit(this.seconds);
- return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
- }
- }
-
- function date_time_try_pattern(fmt, str, tzOffset) {
- var date = new DateContainer(tzOffset);
- var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
- return pos !== undefined?
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5],
- "dec": [11, 4],
- };
-
- // var dC = undefined;
- var dR = dateMonthName(true);
- var dB = dateMonthName(false);
- var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
- var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
- var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
- var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
- var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
- var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
- var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
- var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
- var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
- var dP = parseAMPM; // AM|PM
- var dQ = parseAMPM; // A.M.|P.M
- var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
- var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
- var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
- var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
- var dZ = parseHMS;
- var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
-
- // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
- // Only works if this modifier appears after the hour has been read from logs
- // which is always the case in the 300 devices.
- function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
- }
-
- function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
- }
-
- function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
- }
-
- function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
- }
-
- function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length?
pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ?
idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27, - dup28, - ]); - - var select50 = linear_select([ - dup29, - dup30, - ]); - - var select51 = linear_select([ - dup36, - dup37, - ]); - - var select52 = linear_select([ - dup38, - dup39, - ]); - - var select53 = linear_select([ - dup40, - dup41, - ]); - - var select54 = linear_select([ - dup42, - dup43, - dup44, - ]); - - var select55 = linear_select([ - dup45, - dup46, - ]); - - var select56 = linear_select([ - dup47, - dup48, - ]); - - var select57 = linear_select([ - dup49, - dup50, - ]); - - var select58 = linear_select([ - dup52, - dup53, - ]); - - var select59 = linear_select([ - dup54, - dup55, - ]); - - var select60 = linear_select([ - dup56, - dup57, - ]); - - var select61 = linear_select([ - dup58, - dup59, - ]); - - var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/tcp.yml.hbs b/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/tcp.yml.hbs deleted file mode 100755 index e7783c73ac..0000000000 --- a/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,4297 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiMail" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27, - dup28, - ]); - - var select50 = linear_select([ - dup29, - dup30, - ]); - - var select51 = linear_select([ - dup36, - dup37, - ]); - - var select52 = linear_select([ - dup38, - dup39, - ]); - - var select53 = linear_select([ - dup40, - dup41, - ]); - - var select54 = linear_select([ - dup42, - dup43, - dup44, - ]); - - var select55 = linear_select([ - dup45, - dup46, - ]); - - var select56 = linear_select([ - dup47, - dup48, - ]); - - var select57 = linear_select([ - dup49, - dup50, - ]); - - var select58 = linear_select([ - dup52, - dup53, - ]); - - var select59 = linear_select([ - dup54, - dup55, - ]); - - var select60 = linear_select([ - dup56, - dup57, - ]); - - var select61 = linear_select([ - dup58, - dup59, - ]); - - var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/udp.yml.hbs b/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/udp.yml.hbs deleted file mode 100755 index 2cd8466da0..0000000000 --- a/packages/fortinet/1.6.2/data_stream/fortimail/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,4297 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiMail" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) {
- if (debug) console.warn("all_match failure at " + i);
- if (opts.on_failure != null) opts.on_failure(evt);
- return;
- }
- if (debug) console.warn("all_match success at " + i);
- }
- if (opts.on_success != null) opts.on_success(evt);
- };
- }
-
- function msgid_select(mapping) {
- return function (evt) {
- var msgid = evt.Get(FIELDS_PREFIX + "messageid");
- if (msgid == null) {
- if (debug) console.warn("msgid_select: no messageid captured!");
- return;
- }
- var next = mapping[msgid];
- if (next === undefined) {
- if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
- return;
- }
- if (debug) console.info("msgid_select: matched key=" + msgid);
- return next(evt);
- };
- }
-
- function msg(msg_id, match) {
- return function (evt) {
- match(evt);
- if (evt.Get(FLAG_FIELD) == null) {
- evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
- }
- };
- }
-
- var start;
-
- function save_flags(evt) {
- saved_flags = evt.Get(FLAG_FIELD);
- evt.Put("event.original", evt.Get("message"));
- }
-
- function restore_flags(evt) {
- if (saved_flags !== null) {
- evt.Put(FLAG_FIELD, saved_flags);
- }
- evt.Delete("message");
- }
-
- function constant(value) {
- return function (evt) {
- return value;
- };
- }
-
- function field(name) {
- var fullname = FIELDS_PREFIX + name;
- return function (evt) {
- return evt.Get(fullname);
- };
- }
-
- function STRCAT(args) {
- var s = "";
- var i;
- for (i = 0; i < args.length; i++) {
- s += args[i];
- }
- return s;
- }
-
- // TODO: Implement
- function DIRCHK(args) {
- unimplemented("DIRCHK");
- }
-
- function strictToInt(str) {
- return str * 1;
- }
-
- function CALC(args) {
- if (args.length !== 3) {
- console.warn("skipped call to CALC with " + args.length + " arguments.");
- return;
- }
- var a = strictToInt(args[0]);
- var b = strictToInt(args[2]);
- if (isNaN(a) || isNaN(b)) {
- console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
- return;
- }
- var result;
- switch (args[1]) {
- case "+":
- result = a + b;
- break;
- case "-":
- result = a - b;
- break;
- case "*":
- result = a * b;
- break;
- default:
- // Only * and + seen in the parsers.
- console.warn("unknown CALC operation '" + args[1] + "'.");
- return;
- }
- // Always return a string
- return result !== undefined ? "" + result : result;
- }
-
- var quoteChars = "\"'`";
- function RMQ(args) {
- if(args.length !== 1) {
- console.warn("RMQ: only one argument expected");
- return;
- }
- var value = args[0].trim();
- var n = value.length;
- var char;
- return n > 1
- && (char=value.charAt(0)) === value.charAt(n-1)
- && quoteChars.indexOf(char) !== -1?
- value.substr(1, n-2)
- : value;
- }
-
- function call(opts) {
- var args = new Array(opts.args.length);
- return function (evt) {
- for (var i = 0; i < opts.args.length; i++)
- if ((args[i] = opts.args[i](evt)) == null) return;
- var result = opts.fn(args);
- if (result != null) {
- evt.Put(opts.dest, result);
- }
- };
- }
-
- function nop(evt) {
- }
-
- function appendErrorMsg(evt, msg) {
- var value = evt.Get("error.message");
- if (value == null) {
- value = [msg];
- } else if (msg instanceof Array) {
- value.push(msg);
- } else {
- value = [value, msg];
- }
- evt.Put("error.message", value);
- }
-
- function unimplemented(name) {
- appendErrorMsg("unimplemented feature: " + name);
- }
-
- function lookup(opts) {
- return function (evt) {
- var key = opts.key(evt);
- if (key == null) return;
- var value = opts.map.keyvaluepairs[key];
- if (value === undefined) {
- value = opts.map.default;
- }
- if (value !== undefined) {
- evt.Put(opts.dest, value(evt));
- }
- };
- }
-
- function set(fields) {
- return new processor.AddFields({
- target: FIELDS_OBJECT,
- fields: fields,
- });
- }
-
- function setf(dst, src) {
- return function (evt) {
- var val = evt.Get(FIELDS_PREFIX + src);
- if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
- };
- }
-
- function setc(dst, value) {
- return function (evt) {
- evt.Put(FIELDS_PREFIX + dst, value);
- };
- }
-
- function set_field(opts) {
- return function (evt) {
- var val = opts.value(evt);
- if (val != null) evt.Put(opts.dest, val);
- };
- }
-
- function dump(label) {
- return function (evt) {
- console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
- };
- }
-
- function date_time_join_args(evt, arglist) {
- var str = "";
- for (var i = 0; i < arglist.length; i++) {
- var fname = FIELDS_PREFIX + arglist[i];
- var val = evt.Get(fname);
- if (val != null) {
- if (str !== "") str += " ";
- str += val;
- } else {
- if (debug) console.warn("in date_time: input arg " + fname + " is not set");
- }
- }
- return str;
- }
-
- function to2Digit(num) {
- return num? (num < 10? "0" + num : num) : "00";
- }
-
- // Make two-digit dates 00-69 interpreted as 2000-2069
- // and dates 70-99 translated to 1970-1999.
- var twoDigitYearEpoch = 70;
- var twoDigitYearCentury = 2000;
-
- // This is to accept dates up to 2 days in the future, only used when
- // no year is specified in a date. 2 days should be enough to account for
- // time differences between systems and different tz offsets.
- var maxFutureDelta = 2*24*60*60*1000;
-
- // DateContainer stores date fields and then converts those fields into
- // a Date. Necessary because building a Date using its set() methods gives
- // different results depending on the order of components.
- function DateContainer(tzOffset) {
- this.offset = tzOffset === undefined? "Z" : tzOffset;
- }
-
- DateContainer.prototype = {
- setYear: function(v) {this.year = v;},
- setMonth: function(v) {this.month = v;},
- setDay: function(v) {this.day = v;},
- setHours: function(v) {this.hours = v;},
- setMinutes: function(v) {this.minutes = v;},
- setSeconds: function(v) {this.seconds = v;},
-
- setUNIX: function(v) {this.unix = v;},
-
- set2DigitYear: function(v) {
- this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
- },
-
- toDate: function() {
- if (this.unix !== undefined) {
- return new Date(this.unix * 1000);
- }
- if (this.day === undefined || this.month === undefined) {
- // Can't make a date from this.
- return undefined;
- }
- if (this.year === undefined) {
- // A date without a year. Set current year, or previous year
- // if date would be in the future.
- var now = new Date();
- this.year = now.getFullYear();
- var date = this.toDate();
- if (date.getTime() - now.getTime() > maxFutureDelta) {
- date.setFullYear(now.getFullYear() - 1);
- }
- return date;
- }
- var MM = to2Digit(this.month);
- var DD = to2Digit(this.day);
- var hh = to2Digit(this.hours);
- var mm = to2Digit(this.minutes);
- var ss = to2Digit(this.seconds);
- return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
- }
- }
-
- function date_time_try_pattern(fmt, str, tzOffset) {
- var date = new DateContainer(tzOffset);
- var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
- return pos !== undefined? date.toDate() : undefined;
- }
-
- function date_time_try_pattern_at_pos(fmt, str, pos, date) {
- var len = str.length;
- for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
- pos = fmt[proc](str, pos, date);
- }
- return pos;
- }
-
- function date_time(opts) {
- return function (evt) {
- var tzOffset = opts.tz || tz_offset;
- if (tzOffset === "event") {
- tzOffset = evt.Get("event.timezone");
- }
- var str = date_time_join_args(evt, opts.args);
- for (var i = 0; i < opts.fmts.length; i++) {
- var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
- if (date !== undefined) {
- evt.Put(FIELDS_PREFIX + opts.dest, date);
- return;
- }
- }
- if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
- };
- }
-
- var uA = 60 * 60 * 24;
- var uD = 60 * 60 * 24;
- var uF = 60 * 60;
- var uG = 60 * 60 * 24 * 30;
- var uH = 60 * 60;
- var uI = 60 * 60;
- var uJ = 60 * 60 * 24;
- var uM = 60 * 60 * 24 * 30;
- var uN = 60 * 60;
- var uO = 1;
- var uS = 1;
- var uT = 60;
- var uU = 60;
- var uc = dc;
-
- function duration(opts) {
- return function(evt) {
- var str = date_time_join_args(evt, opts.args);
- for (var i = 0; i < opts.fmts.length; i++) {
- var seconds = duration_try_pattern(opts.fmts[i], str);
- if (seconds !== undefined) {
- evt.Put(FIELDS_PREFIX + opts.dest, seconds);
- return;
- }
- }
- if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
- };
- }
-
- function duration_try_pattern(fmt, str) {
- var secs = 0;
- var pos = 0;
- for (var i=0; i [ month_id , how many chars to skip if month in long form ]
- "Jan": [0, 4],
- "Feb": [1, 5],
- "Mar": [2, 2],
- "Apr": [3, 2],
- "May": [4, 0],
- "Jun": [5, 1],
- "Jul": [6, 1],
- "Aug": [7, 3],
- "Sep": [8, 6],
- "Oct": [9, 4],
- "Nov": [10, 5],
- "Dec": [11, 4],
- "jan": [0, 4],
- "feb": [1, 5],
- "mar": [2, 2],
- "apr": [3, 2],
- "may": [4, 0],
- "jun": [5, 1],
- "jul": [6, 1],
- "aug": [7, 3],
- "sep": [8, 6],
- "oct": [9, 4],
- "nov": [10, 5],
- "dec": [11, 4],
- };
-
- // var dC = undefined;
- var dR = dateMonthName(true);
- var dB = dateMonthName(false);
- var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
- var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
- var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
- var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
- var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
- var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
- var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
- var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
- var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
- var dP = parseAMPM; // AM|PM
- var dQ = parseAMPM; // A.M.|P.M
- var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
- var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
- var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
- var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
- var dZ = parseHMS;
- var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
-
- // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
- // Only works if this modifier appears after the hour has been read from logs
- // which is always the case in the 300 devices.
- function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
- }
-
- function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
- }
-
- function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
- }
-
- function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
- }
-
- function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length? pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ? idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0;
- var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
- return function(evt) {
- var msg = evt.Get(src);
- if (msg === undefined) {
- console.warn("tagval: input field is missing");
- return fail(evt);
- }
- var pairs = msg.split(cfg.pair_separator);
- var i;
- var success = false;
- var prev = "";
- for (i=0; i 0 &&
- value.length >= cfg.open_quote.length + cfg.close_quote.length &&
- value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
- value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
- value = value.substr(cfg.open_quote.length, value.length - quotes_len);
- }
- evt.Put(FIELDS_PREFIX + field, value);
- success = true;
- }
- if (!success) {
- return fail(evt);
- }
- if (on_success != null) {
- on_success(evt);
- }
- }
- }
-
- var ecs_mappings = {
- "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
- "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
- "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
- "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
- "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
- "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
- "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
- "application": {to:[{field: "network.application", setter: fld_set}]},
- "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
- "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
- "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} ui=%{p0}"); - - var dup3 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var dup4 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var dup5 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var dup6 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var dup7 = setc("eventcategory","1401000000"); - - var dup8 = setf("msg","$MSG"); - - var dup9 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup10 = setf("hardware_id","hfld1"); - - var dup11 = setf("id","hfld2"); - - var dup12 = setf("id1","hfld3"); - - var dup13 = setf("event_type","msgIdPart1"); - - var dup14 = setf("category","msgIdPart2"); - - var dup15 = setf("severity","hseverity"); - - var dup16 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var dup17 = setc("eventcategory","1602000000"); - - var dup18 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var dup19 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var dup20 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var dup21 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var dup22 = match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var dup23 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var dup24 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var dup25 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", 
"%{sessionid->} msg=%{p0}"); - - var dup26 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var dup27 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var dup28 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var dup29 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var dup30 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var dup31 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var dup32 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var dup33 = setc("eventcategory","1003010000"); - - var dup34 = setf("event_type","messageid"); - - var dup35 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var dup36 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var dup37 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var dup38 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var dup39 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var dup40 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var dup41 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var dup42 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var dup43 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var dup44 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); - - var dup45 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var dup46 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var dup47 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var dup48 = 
match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var dup49 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var dup50 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var dup51 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var dup52 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var dup53 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var dup54 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var dup55 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var dup56 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var dup57 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var dup58 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var dup59 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var dup60 = setc("eventcategory","1207000000"); - - var dup61 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var dup62 = setc("eventcategory","1207040000"); - - var dup63 = linear_select([ - dup3, - dup4, - ]); - - var dup64 = linear_select([ - dup5, - dup6, - ]); - - var dup65 = linear_select([ - dup19, - dup20, - ]); - - var dup66 = linear_select([ - dup22, - dup23, - ]); - - var dup67 = linear_select([ - dup3, - dup20, - ]); - - var dup68 = linear_select([ - dup24, - dup25, - ]); - - var dup69 = linear_select([ - dup27, - dup28, - ]); - - var dup70 = linear_select([ - dup29, - dup30, - ]); - - var dup71 = linear_select([ - dup36, - dup37, - ]); - - var dup72 = linear_select([ - dup38, - dup39, - ]); - - var dup73 = linear_select([ - dup40, - dup41, - ]); - - var dup74 = 
linear_select([ - dup42, - dup43, - dup44, - ]); - - var dup75 = linear_select([ - dup45, - dup46, - ]); - - var dup76 = linear_select([ - dup47, - dup48, - ]); - - var dup77 = linear_select([ - dup49, - dup50, - ]); - - var dup78 = linear_select([ - dup52, - dup53, - ]); - - var dup79 = linear_select([ - dup54, - dup55, - ]); - - var dup80 = linear_select([ - dup56, - dup57, - ]); - - var dup81 = linear_select([ - dup58, - dup59, - ]); - - var dup82 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - dup1, - ])); - - var hdr2 = match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); - - var all1 = all_match({ - processors: [ - dup2, - dup63, - part1, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - 
dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg1 = msg("event_admin", all1); - - var msg2 = msg("event_pop3", dup82); - - var all2 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup7, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg3 = msg("event_webmail", all2); - - var msg4 = msg("event_system", dup82); - - var msg5 = msg("event_imap", dup82); - - var part2 = match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); - - var part3 = match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); - - var part4 = match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); - - var select2 = linear_select([ - part3, - part4, - ]); - - var part5 = match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); - - var all3 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part2, - select2, - part5, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg6 = msg("event_smtp:01", all3); - - var part6 = match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); - - var all4 = all_match({ - processors: [ - dup18, - dup65, - dup21, - dup66, - part6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg7 = msg("event_smtp:02", all4); - - var part7 = match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); - - var all5 = all_match({ - processors: [ - dup18, - dup65, - 
part7, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg8 = msg("event_smtp:03", all5); - - var part8 = match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); - - var part9 = match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); - - var part10 = match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); - - var select3 = linear_select([ - part9, - part10, - ]); - - var part11 = match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); - - var part12 = match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); - - var part13 = match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); - - var part14 = match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); - - var select4 = linear_select([ - part12, - part13, - part14, - ]); - - var all6 = all_match({ - processors: [ - part8, - select3, - part11, - select4, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg9 = msg("event_smtp:04", all6); - - var part15 = match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); - - var all7 = all_match({ - processors: [ - dup18, - dup67, - part15, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg10 = msg("event_smtp:05", all7); - - var part16 = match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout 
waiting for input from%{p0}"); - - var part17 = match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); - - var part18 = match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); - - var select5 = linear_select([ - part17, - part18, - ]); - - var part19 = match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); - - var all8 = all_match({ - processors: [ - dup18, - dup65, - part16, - select5, - part19, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg11 = msg("event_smtp:06", all8); - - var part20 = match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); - - var all9 = all_match({ - processors: [ - dup18, - dup67, - part20, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg12 = msg("event_smtp:07", all9); - - var part21 = match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); - - var all10 = all_match({ - processors: [ - dup18, - dup67, - part21, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg13 = msg("event_smtp:08", all10); - - var part22 = match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); - - var all11 = all_match({ - processors: [ - dup18, - dup65, - part22, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg14 = 
msg("event_smtp:09", all11); - - var part23 = match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); - - var all12 = all_match({ - processors: [ - dup18, - dup65, - part23, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - setc("dclass_counter1_string","count"), - ]), - }); - - var msg15 = msg("event_smtp:10", all12); - - var part24 = match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); - - var part25 = match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); - - var part26 = match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); - - var part27 = match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); - - var part28 = match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); - - var select6 = linear_select([ - part25, - part26, - part27, - part28, - ]); - - var all13 = all_match({ - processors: [ - dup18, - dup65, - part24, - select6, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg16 = msg("event_smtp:11", all13); - - var part29 = match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); - - var all14 = all_match({ - processors: [ - dup2, - dup63, - part29, - dup68, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg17 = msg("event_smtp", all14); - - var part30 = tagval("MESSAGE#17:event_smtp:12", 
"nwparser.payload", tvm, { - "action": "action", - "log_part": "id1", - "msg": "info", - "session_id": "sessionid", - "status": "event_state", - "ui": "network_service", - "user": "username", - }, processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ])); - - var msg18 = msg("event_smtp:12", part30); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - ]); - - var part31 = match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); - - var all15 = all_match({ - processors: [ - part31, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg19 = msg("event_update", all15); - - var part32 = match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); - - var part33 = match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); - - var select8 = linear_select([ - part32, - part33, - ]); - - var part34 = match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); - - var all16 = all_match({ - processors: [ - dup2, - select8, - part34, - dup64, - ], - on_success: processor_chain([ - setc("eventcategory","1701000000"), - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - - var msg20 = msg("event_config", all16); - - var select9 = linear_select([ - dup31, - dup32, - ]); - - var all17 = all_match({ - processors: [ - dup26, - dup69, - dup70, - select9, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg21 = msg("virus", all17); - - var part35 = match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); - - var part36 = match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} 
client_name=\"%{p0}"); - - var select10 = linear_select([ - part35, - part36, - ]); - - var part37 = match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); - - var all18 = all_match({ - processors: [ - dup26, - dup69, - select10, - part37, - dup68, - dup64, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup15, - ]), - }); - - var msg22 = msg("virus_infected", all18); - - var part38 = match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); - - var part39 = match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); - - var select11 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); - - var part41 = match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); - - var part42 = match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); - - var part43 = match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); - - var select12 = linear_select([ - part40, - part41, - part42, - part43, - dup31, - dup32, - ]); - - var part44 = match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%(unknown)) has sha1 hash value: %{checksum}\""); - - var select13 = linear_select([ - part44, - dup5, - dup6, - ]); - - var all19 = all_match({ - processors: [ - select11, - dup70, - select12, - dup68, - select13, - ], - on_success: processor_chain([ - dup33, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg23 = msg("virus_file-signature", all19); - - var part45 = match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); - - var all20 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - 
part45, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg24 = msg("statistics", all20); - - var all21 = all_match({ - processors: [ - dup35, - dup71, - dup72, - dup73, - dup74, - dup61, - dup75, - dup76, - dup77, - dup51, - dup78, - dup79, - dup80, - dup81, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg25 = msg("statistics:01", all21); - - var part46 = match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); - - var part47 = match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); - - var select14 = linear_select([ - part46, - part47, - ]); - - var part48 = match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); - - var part49 = match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); - - var select15 = linear_select([ - part48, - part49, - ]); - - var part50 = match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); - - var part51 = match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); - - var select16 = linear_select([ - part50, - part51, - ]); - - var part52 = match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); - - var part53 = match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); - - var select17 = linear_select([ - part52, - part53, - ]); - - var part54 = match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); - - var part55 = match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); - - var select18 = linear_select([ - part54, - part55, - ]); - - var part56 = match("MESSAGE#25:statistics:02/11_0", 
"nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); - - var part57 = match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); - - var select19 = linear_select([ - part56, - part57, - ]); - - var part58 = match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); - - var all22 = all_match({ - processors: [ - dup35, - dup71, - dup69, - dup76, - select14, - select15, - select16, - select17, - dup74, - dup61, - select18, - select19, - part58, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg26 = msg("statistics:02", all22); - - var part59 = match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); - - var part60 = match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); - - var part61 = match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); - - var part62 = match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); - - var select20 = linear_select([ - part60, - part61, - part62, - ]); - - var part63 = match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); - - var part64 = match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); - - var part65 = match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); - - var select21 = linear_select([ - part64, - part65, - ]); - - var part66 = match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); - - var all23 = all_match({ - processors: [ - part59, - select20, - part63, - select21, - part66, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - 
dup12, - dup34, - dup15, - ]), - }); - - var msg27 = msg("statistics:03", all23); - - var part67 = match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); - - var part68 = match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var part69 = match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); - - var part70 = match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); - - var part71 = match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); - - var part72 = match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); - - var part73 = match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); - - var part74 = match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); - - var select23 = linear_select([ - part69, - part70, - part71, - part72, - part73, - part74, - ]); - - var part75 = match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); - - var part76 = match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); - - var select24 = linear_select([ - part75, - part76, - ]); - - var part77 = match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); - - var part78 = match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); - - var select25 = linear_select([ - part77, - part78, - ]); - - var part79 = match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); - - var part80 = match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); - - var select26 = linear_select([ - part79, - part80, - ]); - - var part81 = match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); - - var part82 = match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} 
polid=%{p0}"); - - var select27 = linear_select([ - part81, - part82, - ]); - - var part83 = match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); - - var part84 = match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); - - var select28 = linear_select([ - part83, - part84, - ]); - - var part85 = match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); - - var part86 = match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); - - var select29 = linear_select([ - part85, - part86, - ]); - - var part87 = match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); - - var part88 = match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); - - var select30 = linear_select([ - part87, - part88, - ]); - - var part89 = match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); - - var part90 = match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); - - var select31 = linear_select([ - part89, - part90, - ]); - - var part91 = match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); - - var part92 = match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); - - var select32 = linear_select([ - part91, - part92, - ]); - - var part93 = match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); - - var part94 = match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); - - var select33 = linear_select([ - part93, - part94, - ]); - - var part95 = match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); - - var part96 = match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); - - var select34 = linear_select([ - part95, - part96, - ]); - - var part97 = match("MESSAGE#27:statistics:04/16_0", 
"nwparser.p0", "\"%{fld6}\""); - - var part98 = match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); - - var select35 = linear_select([ - part97, - part98, - ]); - - var all24 = all_match({ - processors: [ - dup35, - select22, - select23, - select24, - select25, - select26, - select27, - select28, - select29, - select30, - select31, - select32, - select33, - dup78, - dup79, - select34, - select35, - ], - on_success: processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg28 = msg("statistics:04", all24); - - var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { - "classifier": "filter", - "client_ip": "saddr", - "client_name": "fqdn", - "direction": "direction", - "disposition": "disposition", - "domain": "domain", - "dst_ip": "daddr", - "from": "from", - "hfrom": "fld3", - "mailer": "agent", - "message_length": "fld6", - "polid": "fld5", - "resolved": "context", - "session_id": "sessionid", - "src_type": "fld7", - "subject": "subject", - "to": "to", - "virus": "virusname", - }, processor_chain([ - dup60, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg29 = msg("statistics:05", part99); - - var select36 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - ]); - - var part100 = match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); - - var part101 = match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); - - var select37 = linear_select([ - part100, - part101, - ]); - - var part102 = match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); - - var part103 = match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); - - var part104 = match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); - - var select38 = linear_select([ - part103, - part104, - ]); - - var part105 = match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); - 
- var part106 = match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); - - var select39 = linear_select([ - part105, - part106, - ]); - - var all25 = all_match({ - processors: [ - dup35, - select37, - dup74, - part102, - dup69, - select38, - select39, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg30 = msg("spam", all25); - - var part107 = match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg31 = msg("spam:04", part107); - - var part108 = match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); - - var part109 = match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); - - var part110 = match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); - - var select40 = linear_select([ - part109, - part110, - ]); - - var part111 = match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); - - var all26 = all_match({ - processors: [ - part108, - select40, - part111, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg32 = msg("spam:03", all26); - - var part112 = match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ])); - - var msg33 = msg("spam:02", part112); - - var part113 = match("MESSAGE#33:spam:01/3_0", "nwparser.p0", 
"\"%{to}\" msg=%{p0}"); - - var part114 = match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); - - var select41 = linear_select([ - part113, - part114, - ]); - - var all27 = all_match({ - processors: [ - dup35, - dup71, - dup69, - select41, - dup64, - ], - on_success: processor_chain([ - dup62, - dup8, - dup9, - dup10, - dup11, - dup12, - dup34, - dup15, - ]), - }); - - var msg34 = msg("spam:01", all27); - - var select42 = linear_select([ - msg30, - msg31, - msg32, - msg33, - msg34, - ]); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_admin": msg1, - "event_config": msg20, - "event_imap": msg5, - "event_pop3": msg2, - "event_smtp": select7, - "event_system": msg4, - "event_update": msg19, - "event_webmail": msg3, - "spam": select42, - "statistics": select36, - "virus": msg21, - "virus_file-signature": msg23, - "virus_infected": msg22, - }), - ]); - - var part115 = match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); - - var part116 = match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); - - var part117 = match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); - - var part118 = match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); - - var part119 = match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); - - var part120 = match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); - - var part121 = match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); - - var part122 = match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); - - var part123 = match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); - - var part124 = match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); - - var part125 = 
match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); - - var part126 = match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); - - var part127 = match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); - - var part128 = match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); - - var part129 = match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); - - var part130 = match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); - - var part131 = match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); - - var part132 = match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); - - var part133 = match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); - - var part134 = match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); - - var part135 = match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); - - var part136 = match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); - - var part137 = match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); - - var part138 = match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); - - var part139 = match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); - - var part140 = match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); - - var part141 = match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); - - var part142 = match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); - - var part143 = match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); - - var part144 = match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); - - var part145 = match("MESSAGE#23:statistics/4_2", "nwparser.p0", 
"%{saddr}\"%{p0}"); - - var part146 = match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); - - var part147 = match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); - - var part148 = match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); - - var part149 = match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); - - var part150 = match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); - - var part151 = match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); - - var part152 = match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); - - var part153 = match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); - - var part154 = match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); - - var part155 = match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); - - var part156 = match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); - - var part157 = match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); - - var part158 = match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); - - var part159 = match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); - - var part160 = match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); - - var part161 = match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); - - var select43 = linear_select([ - dup3, - dup4, - ]); - - var select44 = linear_select([ - dup5, - dup6, - ]); - - var select45 = linear_select([ - dup19, - dup20, - ]); - - var select46 = linear_select([ - dup22, - dup23, - ]); - - var select47 = linear_select([ - dup3, - dup20, - ]); - - var select48 = linear_select([ - dup24, - dup25, - ]); - - var select49 = linear_select([ - 
dup27, - dup28, - ]); - - var select50 = linear_select([ - dup29, - dup30, - ]); - - var select51 = linear_select([ - dup36, - dup37, - ]); - - var select52 = linear_select([ - dup38, - dup39, - ]); - - var select53 = linear_select([ - dup40, - dup41, - ]); - - var select54 = linear_select([ - dup42, - dup43, - dup44, - ]); - - var select55 = linear_select([ - dup45, - dup46, - ]); - - var select56 = linear_select([ - dup47, - dup48, - ]); - - var select57 = linear_select([ - dup49, - dup50, - ]); - - var select58 = linear_select([ - dup52, - dup53, - ]); - - var select59 = linear_select([ - dup54, - dup55, - ]); - - var select60 = linear_select([ - dup56, - dup57, - ]); - - var select61 = linear_select([ - dup58, - dup59, - ]); - - var all28 = all_match({ - processors: [ - dup2, - dup63, - dup16, - dup64, - ], - on_success: processor_chain([ - dup17, - dup8, - dup9, - dup10, - dup11, - dup12, - dup13, - dup14, - dup15, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: 
source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/1.6.2/data_stream/fortimail/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 56700b8b63..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimail/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-description: Pipeline for Fortinet FortiMail
-
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/fields/agent.yml b/packages/fortinet/1.6.2/data_stream/fortimail/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimail/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/fields/base-fields.yml b/packages/fortinet/1.6.2/data_stream/fortimail/fields/base-fields.yml
deleted file mode 100755
index 50a37950c4..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimail/fields/base-fields.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: fortinet
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: fortinet.fortimail
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
-- name: log.file.path
- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- type: keyword
-- name: log.source.address
- description: Source address from which the log event was read / sent from.
- type: keyword
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/fields/ecs.yml b/packages/fortinet/1.6.2/data_stream/fortimail/fields/ecs.yml
deleted file mode 100755
index 78ddffacce..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimail/fields/ecs.yml
+++ /dev/null
@@ -1,541 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. 
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. 
- name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
- multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. 
- name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: server.top_level_domain
- type: keyword
-- description: |-
- Name of the service data is collected from.
- The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
- In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
- name: service.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- type: keyword
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- The highest registered source domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: source.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: source.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: source.top_level_domain
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- The highest registered url domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: url.registered_domain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: User's full name, if available.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.full_name
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/fields/fields.yml b/packages/fortinet/1.6.2/data_stream/fortimail/fields/fields.yml
deleted file mode 100755
index ea69cd79e3..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimail/fields/fields.yml
+++ /dev/null
@@ -1,1754 +0,0 @@
-- name: rsa
- type: group
- fields:
- - name: internal
- type: group
- fields:
- - name: msg
- type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
- - name: messageid
- type: keyword
- - name: event_desc
- type: keyword
- - name: message
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- - name: level
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: msg_vid
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: data
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry
- type: keyword
- description: Deprecated key defined only in table map.
- - name: hcode
- type: keyword
- description: Deprecated key defined only in table map.
- - name: inode
- type: long
- description: Deprecated key defined only in table map.
- - name: resource_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: dead
- type: long
- description: Deprecated key defined only in table map.
- - name: feed_desc
- type: keyword
- description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: feed_name
- type: keyword
- description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: cid
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_class
- type: keyword
- description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_group
- type: keyword
- description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_host
- type: keyword
- description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ip
- type: ip
- description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ipv6
- type: ip
- description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_type
- type: keyword
- description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_type_id
- type: long
- description: Deprecated key defined only in table map.
- - name: did
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: entropy_req
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
- - name: entropy_res
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
- - name: event_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: feed_category
- type: keyword
- description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: forward_ip
- type: ip
- description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
- - name: forward_ipv6
- type: ip
- description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: header_id
- type: keyword
- description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: lc_cid
- type: keyword
- description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: lc_ctime
- type: date
- description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: mcb_req
- type: long
- description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
- - name: mcb_res
- type: long
- description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
- - name: mcbc_req
- type: long
- description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
- - name: mcbc_res
- type: long
- description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
- - name: medium
- type: long
- description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
- - name: node_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: nwe_callback_id
- type: keyword
- description: This key denotes that event is endpoint related
- - name: parse_error
- type: keyword
- description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: payload_req
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
- - name: payload_res
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
- - name: process_vid_dst
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
- - name: process_vid_src
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
- - name: rid
- type: long
- description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: session_split
- type: keyword
- description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: site
- type: keyword
- description: Deprecated key defined only in table map.
- - name: size
- type: long
- description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: sourcefile
- type: keyword
- description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: ubc_req
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
- - name: ubc_res
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
- - name: word
- type: keyword
- description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
- - name: time
- type: group
- fields:
- - name: event_time
- type: date
- description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
- - name: duration_time
- type: double
- description: This key is used to capture the normalized duration/lifetime in seconds.
- - name: event_time_str
- type: keyword
- description: This key is used to capture the incomplete time mentioned in a session as a string
- - name: starttime
- type: date
- description: This key is used to capture the Start time mentioned in a session in a standard form
- - name: month
- type: keyword
- - name: day
- type: keyword
- - name: endtime
- type: date
- description: This key is used to capture the End time mentioned in a session in a standard form
- - name: timezone
- type: keyword
- description: This key is used to capture the timezone of the Event Time
- - name: duration_str
- type: keyword
- description: A text string version of the duration
- - name: date
- type: keyword
- - name: year
- type: keyword
- - name: recorded_time
- type: date
- description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
- - name: datetime
- type: keyword
- - name: effective_time
- type: date
- description: This key is the effective time referenced by an individual event in a Standard Timestamp format
- - name: expire_time
- type: date
- description: This key is the timestamp that explicitly refers to an expiration.
- - name: process_time
- type: keyword
- description: Deprecated, use duration.time
- - name: hour
- type: keyword
- - name: min
- type: keyword
- - name: timestamp
- type: keyword
- - name: event_queue_time
- type: date
- description: This key is the Time that the event was queued.
- - name: p_time1
- type: keyword
- - name: tzone
- type: keyword
- - name: eventtime
- type: keyword
- - name: gmtdate
- type: keyword
- - name: gmttime
- type: keyword
- - name: p_date
- type: keyword
- - name: p_month
- type: keyword
- - name: p_time
- type: keyword
- - name: p_time2
- type: keyword
- - name: p_year
- type: keyword
- - name: expire_time_str
- type: keyword
- description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
- - name: stamp
- type: date
- description: Deprecated key defined only in table map.
- - name: misc
- type: group
- fields:
- - name: action
- type: keyword
- - name: result
- type: keyword
- description: This key is used to capture the outcome/result string value of an action in a session.
- - name: severity
- type: keyword
- description: This key is used to capture the severity given the session
- - name: event_type
- type: keyword
- description: This key captures the event category type as specified by the event source.
- - name: reference_id
- type: keyword
- description: This key is used to capture an event id from the session directly
- - name: version
- type: keyword
- description: This key captures Version of the application or OS which is generating the event.
- - name: disposition
- type: keyword
- description: This key captures the The end state of an action.
- - name: result_code
- type: keyword
- description: This key is used to capture the outcome/result numeric value of an action in a session
- - name: category
- type: keyword
- description: This key is used to capture the category of an event given by the vendor in the session
- - name: obj_name
- type: keyword
- description: This is used to capture name of object
- - name: obj_type
- type: keyword
- description: This is used to capture type of object
- - name: event_source
- type: keyword
- description: "This key captures Source of the event that’s not a hostname"
- - name: log_session_id
- type: keyword
- description: This key is used to capture a sessionid from the session directly
- - name: group
- type: keyword
- description: This key captures the Group Name value
- - name: policy_name
- type: keyword
- description: This key is used to capture the Policy Name only.
- - name: rule_name
- type: keyword
- description: This key captures the Rule Name
- - name: context
- type: keyword
- description: This key captures Information which adds additional context to the event.
- - name: change_new
- type: keyword
- description: "This key is used to capture the new values of the attribute that’s changing in a session"
- - name: space
- type: keyword
- - name: client
- type: keyword
- description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
- - name: msgIdPart1
- type: keyword
- - name: msgIdPart2
- type: keyword
- - name: change_old
- type: keyword
- description: "This key is used to capture the old value of the attribute that’s changing in a session"
- - name: operation_id
- type: keyword
- description: An alert number or operation number. The values should be unique and non-repeating.
- - name: event_state
- type: keyword
- description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
- - name: group_object
- type: keyword
- description: This key captures a collection/grouping of entities. Specific usage
- - name: node
- type: keyword
- description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
- - name: rule
- type: keyword
- description: This key captures the Rule number
- - name: device_name
- type: keyword
- description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
- - name: param
- type: keyword
- description: This key is the parameters passed as part of a command or application, etc.
- - name: change_attrib
- type: keyword
- description: "This key is used to capture the name of the attribute that’s changing in a session"
- - name: event_computer
- type: keyword
- description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
- - name: reference_id1
- type: keyword
- description: This key is for Linked ID to be used as an addition to "reference.id"
- - name: event_log
- type: keyword
- description: This key captures the Name of the event log
- - name: OS
- type: keyword
- description: This key captures the Name of the Operating System
- - name: terminal
- type: keyword
- description: This key captures the Terminal Names only
- - name: msgIdPart3
- type: keyword
- - name: filter
- type: keyword
- description: This key captures Filter used to reduce result set
- - name: serial_number
- type: keyword
- description: This key is the Serial number associated with a physical asset.
- - name: checksum
- type: keyword
- description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
- - name: event_user
- type: keyword
- description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
- - name: virusname
- type: keyword
- description: This key captures the name of the virus
- - name: content_type
- type: keyword
- description: This key is used to capture Content Type only.
- - name: group_id
- type: keyword
- description: This key captures Group ID Number (related to the group name)
- - name: policy_id
- type: keyword
- description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
- - name: vsys
- type: keyword
- description: This key captures Virtual System Name
- - name: connection_id
- type: keyword
- description: This key captures the Connection ID
- - name: reference_id2
- type: keyword
- description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
- - name: sensor
- type: keyword
- description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
- - name: sig_id
- type: long
- description: This key captures IDS/IPS Int Signature ID
- - name: port_name
- type: keyword
- description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
- - name: rule_group
- type: keyword
- description: This key captures the Rule group name
- - name: risk_num
- type: double
- description: This key captures a Numeric Risk value
- - name: trigger_val
- type: keyword
- description: This key captures the Value of the trigger or threshold condition.
- - name: log_session_id1
- type: keyword
- description: This key is used to capture a Linked (Related) Session ID from the session directly
- - name: comp_version
- type: keyword
- description: This key captures the Version level of a sub-component of a product.
- - name: content_version
- type: keyword
- description: This key captures Version level of a signature or database content.
- - name: hardware_id
- type: keyword
- description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
- - name: risk
- type: keyword
- description: This key captures the non-numeric risk value
- - name: event_id
- type: keyword
- - name: reason
- type: keyword
- - name: status
- type: keyword
- - name: mail_id
- type: keyword
- description: This key is used to capture the mailbox id/name
- - name: rule_uid
- type: keyword
- description: This key is the Unique Identifier for a rule.
- - name: trigger_desc
- type: keyword
- description: This key captures the Description of the trigger or threshold condition.
- - name: inout
- type: keyword
- - name: p_msgid
- type: keyword
- - name: data_type
- type: keyword
- - name: msgIdPart4
- type: keyword
- - name: error
- type: keyword
- description: This key captures All non successful Error codes or responses
- - name: index
- type: keyword
- - name: listnum
- type: keyword
- description: This key is used to capture listname or listnumber, primarily for collecting access-list
- - name: ntype
- type: keyword
- - name: observed_val
- type: keyword
- description: This key captures the Value observed (from the perspective of the device generating the log).
- - name: policy_value
- type: keyword
- description: This key captures the contents of the policy. This contains details about the policy
- - name: pool_name
- type: keyword
- description: This key captures the name of a resource pool
- - name: rule_template
- type: keyword
- description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
- - name: count
- type: keyword
- - name: number
- type: keyword
- - name: sigcat
- type: keyword
- - name: type
- type: keyword
- - name: comments
- type: keyword
- description: Comment information provided in the log message
- - name: doc_number
- type: long
- description: This key captures File Identification number
- - name: expected_val
- type: keyword
- description: This key captures the Value expected (from the perspective of the device generating the log).
- - name: job_num
- type: keyword
- description: This key captures the Job Number
- - name: spi_dst
- type: keyword
- description: Destination SPI Index
- - name: spi_src
- type: keyword
- description: Source SPI Index
- - name: code
- type: keyword
- - name: agent_id
- type: keyword
- description: This key is used to capture agent id
- - name: message_body
- type: keyword
- description: This key captures the The contents of the message body.
- - name: phone
- type: keyword
- - name: sig_id_str
- type: keyword
- description: This key captures a string object of the sigid variable.
- - name: cmd
- type: keyword
- - name: misc
- type: keyword
- - name: name
- type: keyword
- - name: cpu
- type: long
- description: This key is the CPU time used in the execution of the event being recorded.
- - name: event_desc
- type: keyword
- description: This key is used to capture a description of an event available directly or inferred
- - name: sig_id1
- type: long
- description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
- - name: im_buddyid
- type: keyword
- - name: im_client
- type: keyword
- - name: im_userid
- type: keyword
- - name: pid
- type: keyword
- - name: priority
- type: keyword
- - name: context_subject
- type: keyword
- description: This key is to be used in an audit context where the subject is the object being identified
- - name: context_target
- type: keyword
- - name: cve
- type: keyword
- description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
- - name: fcatnum
- type: keyword
- description: This key captures Filter Category Number. Legacy Usage
- - name: library
- type: keyword
- description: This key is used to capture library information in mainframe devices
- - name: parent_node
- type: keyword
- description: This key captures the Parent Node Name. Must be related to node variable.
- - name: risk_info
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: tcp_flags
- type: long
- description: This key is captures the TCP flags set in any packet of session
- - name: tos
- type: long
- description: This key describes the type of service
- - name: vm_target
- type: keyword
- description: VMWare Target **VMWARE** only varaible.
- - name: workspace
- type: keyword
- description: This key captures Workspace Description
- - name: command
- type: keyword
- - name: event_category
- type: keyword
- - name: facilityname
- type: keyword
- - name: forensic_info
- type: keyword
- - name: jobname
- type: keyword
- - name: mode
- type: keyword
- - name: policy
- type: keyword
- - name: policy_waiver
- type: keyword
- - name: second
- type: keyword
- - name: space1
- type: keyword
- - name: subcategory
- type: keyword
- - name: tbdstr2
- type: keyword
- - name: alert_id
- type: keyword
- description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: checksum_dst
- type: keyword
- description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
- - name: checksum_src
- type: keyword
- description: This key is used to capture the checksum or hash of the source entity such as a file or process.
- - name: fresult
- type: long
- description: This key captures the Filter Result
- - name: payload_dst
- type: keyword
- description: This key is used to capture destination payload
- - name: payload_src
- type: keyword
- description: This key is used to capture source payload
- - name: pool_id
- type: keyword
- description: This key captures the identifier (typically numeric field) of a resource pool
- - name: process_id_val
- type: keyword
- description: This key is a failure key for Process ID when it is not an integer value
- - name: risk_num_comm
- type: double
- description: This key captures Risk Number Community
- - name: risk_num_next
- type: double
- description: This key captures Risk Number NextGen
- - name: risk_num_sand
- type: double
- description: This key captures Risk Number SandBox
- - name: risk_num_static
- type: double
- description: This key captures Risk Number Static
- - name: risk_suspicious
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: risk_warning
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: snmp_oid
- type: keyword
- description: SNMP Object Identifier
- - name: sql
- type: keyword
- description: This key captures the SQL query
- - name: vuln_ref
- type: keyword
- description: This key captures the Vulnerability Reference details
- - name: acl_id
- type: keyword
- - name: acl_op
- type: keyword
- - name: acl_pos
- type: keyword
- - name: acl_table
- type: keyword
- - name: admin
- type: keyword
- - name: alarm_id
- type: keyword
- - name: alarmname
- type: keyword
- - name: app_id
- type: keyword
- - name: audit
- type: keyword
- - name: audit_object
- type: keyword
- - name: auditdata
- type: keyword
- - name: benchmark
- type: keyword
- - name: bypass
- type: keyword
- - name: cache
- type: keyword
- - name: cache_hit
- type: keyword
- - name: cefversion
- type: keyword
- - name: cfg_attr
- type: keyword
- - name: cfg_obj
- type: keyword
- - name: cfg_path
- type: keyword
- - name: changes
- type: keyword
- - name: client_ip
- type: keyword
- - name: clustermembers
- type: keyword
- - name: cn_acttimeout
- type: keyword
- - name: cn_asn_src
- type: keyword
- - name: cn_bgpv4nxthop
- type: keyword
- - name: cn_ctr_dst_code
- type: keyword
- - name: cn_dst_tos
- type: keyword
- - name: cn_dst_vlan
- type: keyword
- - name: cn_engine_id
- type: keyword
- - name: cn_engine_type
- type: keyword
- - name: cn_f_switch
- type: keyword
- - name: cn_flowsampid
- type: keyword
- - name: cn_flowsampintv
- type: keyword
- - name: cn_flowsampmode
- type: keyword
- - name: cn_inacttimeout
- type: keyword
- - name: cn_inpermbyts
- type: keyword
- - name: cn_inpermpckts
- type: keyword
- - name: cn_invalid
- type: keyword
- - name: cn_ip_proto_ver
- type: keyword
- - name: cn_ipv4_ident
- type: keyword
- - name: cn_l_switch
- type: keyword
- - name: cn_log_did
- type: keyword
- - name: cn_log_rid
- type: keyword
- - name: cn_max_ttl
- type: keyword
- - name: cn_maxpcktlen
- type: keyword
- - name: cn_min_ttl
- type: keyword
- - name: cn_minpcktlen
- type: keyword
- - name: cn_mpls_lbl_1
- type: keyword
- - name: cn_mpls_lbl_10
- type: keyword
- - name: cn_mpls_lbl_2
- type: keyword
- - name: cn_mpls_lbl_3
- type: keyword
- - name: cn_mpls_lbl_4
- type: keyword
- - name: cn_mpls_lbl_5
- type: keyword
- - name: cn_mpls_lbl_6
- type: keyword
- - name: cn_mpls_lbl_7
- type: keyword
- - name: cn_mpls_lbl_8
- type: keyword
- - name: cn_mpls_lbl_9
- type: keyword
- - name: cn_mplstoplabel
- type: keyword
- - name: cn_mplstoplabip
- type: keyword
- - name: cn_mul_dst_byt
- type: keyword
- - name: cn_mul_dst_pks
- type: keyword
- - name: cn_muligmptype
- type: keyword
- - name: cn_sampalgo
- type: keyword
- - name: cn_sampint
- type: keyword
- - name: cn_seqctr
- type: keyword
- - name: cn_spackets
- type: keyword
- - name: cn_src_tos
- type: keyword
- - name: cn_src_vlan
- type: keyword
- - name: cn_sysuptime
- type: keyword
- - name: cn_template_id
- type: keyword
- - name: cn_totbytsexp
- type: keyword
- - name: cn_totflowexp
- type: keyword
- - name: cn_totpcktsexp
- type: keyword
- - name: cn_unixnanosecs
- type: keyword
- - name: cn_v6flowlabel
- type: keyword
- - name: cn_v6optheaders
- type: keyword
- - name: comp_class
- type: keyword
- - name: comp_name
- type: keyword
- - name: comp_rbytes
- type: keyword
- - name: comp_sbytes
- type: keyword
- - name: cpu_data
- type: keyword
- - name: criticality
- type: keyword
- - name: cs_agency_dst
- type: keyword
- - name: cs_analyzedby
- type: keyword
- - name: cs_av_other
- type: keyword
- - name: cs_av_primary
- type: keyword
- - name: cs_av_secondary
- type: keyword
- - name: cs_bgpv6nxthop
- type: keyword
- - name: cs_bit9status
- type: keyword
- - name: cs_context
- type: keyword
- - name: cs_control
- type: keyword
- - name: cs_data
- type: keyword
- - name: cs_datecret
- type: keyword
- - name: cs_dst_tld
- type: keyword
- - name: cs_eth_dst_ven
- type: keyword
- - name: cs_eth_src_ven
- type: keyword
- - name: cs_event_uuid
- type: keyword
- - name: cs_filetype
- type: keyword
- - name: cs_fld
- type: keyword
- - name: cs_if_desc
- type: keyword
- - name: cs_if_name
- type: keyword
- - name: cs_ip_next_hop
- type: keyword
- - name: cs_ipv4dstpre
- type: keyword
- - name: cs_ipv4srcpre
- type: keyword
- - name: cs_lifetime
- type: keyword
- - name: cs_log_medium
- type: keyword
- - name: cs_loginname
- type: keyword
- - name: cs_modulescore
- type: keyword
- - name: cs_modulesign
- type: keyword
- - name: cs_opswatresult
- type: keyword
- - name: cs_payload
- type: keyword
- - name: cs_registrant
- type: keyword
- - name: cs_registrar
- type: keyword
- - name: cs_represult
- type: keyword
- - name: cs_rpayload
- type: keyword
- - name: cs_sampler_name
- type: keyword
- - name: cs_sourcemodule
- type: keyword
- - name: cs_streams
- type: keyword
- - name: cs_targetmodule
- type: keyword
- - name: cs_v6nxthop
- type: keyword
- - name: cs_whois_server
- type: keyword
- - name: cs_yararesult
- type: keyword
- - name: description
- type: keyword
- - name: devvendor
- type: keyword
- - name: distance
- type: keyword
- - name: dstburb
- type: keyword
- - name: edomain
- type: keyword
- - name: edomaub
- type: keyword
- - name: euid
- type: keyword
- - name: facility
- type: keyword
- - name: finterface
- type: keyword
- - name: flags
- type: keyword
- - name: gaddr
- type: keyword
- - name: id3
- type: keyword
- - name: im_buddyname
- type: keyword
- - name: im_croomid
- type: keyword
- - name: im_croomtype
- type: keyword
- - name: im_members
- type: keyword
- - name: im_username
- type: keyword
- - name: ipkt
- type: keyword
- - name: ipscat
- type: keyword
- - name: ipspri
- type: keyword
- - name: latitude
- type: keyword
- - name: linenum
- type: keyword
- - name: list_name
- type: keyword
- - name: load_data
- type: keyword
- - name: location_floor
- type: keyword
- - name: location_mark
- type: keyword
- - name: log_id
- 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/manifest.yml b/packages/fortinet/1.6.2/data_stream/fortimail/manifest.yml deleted file mode 100755 index 4acfba2e32..0000000000 --- a/packages/fortinet/1.6.2/data_stream/fortimail/manifest.yml +++ /dev/null 
@@ -1,210 +0,0 @@ -title: Fortinet FortiMail logs -release: experimental -type: logs -streams: - - input: udp - title: Fortinet FortiMail logs - description: Collect Fortinet FortiMail logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortimail - - forwarded - - name: udp_host - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9529 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: tcp - title: Fortinet FortiMail logs - description: Collect Fortinet FortiMail logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortimail - - forwarded - - name: tcp_host - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9529 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - enabled: false - title: Fortinet FortiMail logs - description: Collect Fortinet FortiMail logs from file - template_path: log.yml.hbs - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/fortinet-fortimail.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - fortinet-fortimail - - forwarded - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/fortinet/1.6.2/data_stream/fortimail/sample_event.json b/packages/fortinet/1.6.2/data_stream/fortimail/sample_event.json deleted file mode 100755 index c9970b456a..0000000000 --- a/packages/fortinet/1.6.2/data_stream/fortimail/sample_event.json +++ /dev/null 
@@ -1,70 +0,0 @@
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "821504b9-6e80-4572-aae7-c5bb3cf38906",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "fortinet.fortimail",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "action": "event",
- "agent_id_status": "verified",
- "code": "nes",
- "dataset": "fortinet.fortimail",
- "ingested": "2022-01-25T12:29:32Z",
- "original": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"\n",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "high",
- "source": {
- "address": "172.30.0.4:44540"
- }
- },
- "observer": {
- "product": "FortiMail",
- "type": "Firewall",
- "vendor": "Fortinet"
- },
- "rsa": {
- "internal": {
- "event_desc": "boNemoe",
- "messageid": "event_update"
- },
- "misc": {
- "category": "update",
- "event_type": "event",
- "hardware_id": "pexe",
- "msgIdPart1": "event",
- "msgIdPart2": "update",
- "reference_id": "nes",
- "reference_id1": "eab",
- "severity": "high"
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z"
- }
- },
- "tags": [
- "preserve_original_event",
- "fortinet-fortimail",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/log.yml.hbs b/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/log.yml.hbs
deleted file mode 100755
index eadb30c3f8..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,3100 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiManager" - type: "Configuration" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("hfld2"), - constant("_fortinetmgr"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0002"), - dup1, - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ - setc("header_id","0004"), - dup2, - ])); - - var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ - setc("header_id","0005"), - dup2, - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - ]); - - var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg1 = msg("fortinetmgr:01", part1); - - var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg2 = msg("fortinetmgr", part2); - - var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); - - var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); - - var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); - - var select2 = linear_select([ - part4, - part5, - ]); - - var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); - - var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); - - var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); - - var select3 = linear_select([ - part7, - part8, - ]); - - var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); - - var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); - - var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); - - var select4 = linear_select([ - part10, - part11, - ]); - - var all1 = all_match({ - processors: [ - part3, - select2, - part6, - select3, - part9, - select4, - ], - on_success: processor_chain([ - dup11, - dup4, - lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("fld5"), - }), - dup22, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg3 = msg("fortinetmgr:04", all1); - - var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg4 = msg("fortinetmgr:02", part12); - - var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - lookup({ - dest: 
"nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("result"), - }), - dup22, - ])); - - var msg5 = msg("fortinetmgr:03", part13); - - var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); - - var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); - - var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); - - var select5 = linear_select([ - part15, - part16, - ]); - - var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); - - var all2 = all_match({ - processors: [ - part14, - select5, - part17, - ], - on_success: processor_chain([ - dup13, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg6 = msg("fortinetmgr:05", all2); - - var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { - "action": "action", - "adom": "domain", - "desc": "event_description", - "msg": "info", - "session_id": "sessionid", - "user": "username", - "userfrom": "fld1", - }, processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - setf("event_type","hfld2"), - dup9, - dup10, - ])); - - var msg7 = msg("event_fortinetmgr_tvm", part18); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - ]); - - var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { - "action": "action", - "adminprof": "fld13", - "cat": "fcatnum", - "catdesc": "filter", - "cipher_suite": "fld24", - "content_switch_name": "fld15", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "dev_id": "fld100", - "device_id": "hardware_id", - "devid": "hardware_id", - "devname": "event_source", - "devtype": "fld7", - "direction": "direction", - "dst": "daddr", - "dst_port": "dport", - "dstintf": "dinterface", - 
"dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtype": "vendor_event_cat", - "false_positive_mitigation": "fld17", - "ftp_cmd": "fld23", - "ftp_mode": "fld22", - "history_threat_weight": "fld21", - "hostname": "hostname", - "http_agent": "agent", - "http_host": "web_ref_domain", - "http_method": "web_method", - "http_refer": "web_referer", - "http_session_id": "sessionid", - "http_url": "web_query", - "http_version": "fld19", - "level": "severity", - "log_id": "id", - "logid": "id", - "main_type": "fld37", - "mastersrcmac": "fld8", - "method": "fld12", - "monitor_status": "fld18", - "msg": "event_description", - "msg_id": "fld25", - "osname": "os", - "osversion": "version", - "policy": "policyname", - "policyid": "policy_id", - "poluuid": "fld5", - "pri": "severity", - "profile": "rulename", - "proto": "fld6", - "rcvdbyte": "rbytes", - "reqtype": "fld11", - "sentbyte": "sbytes", - "server_pool_name": "fld16", - "service": "network_service", - "sessionid": "sessionid", - "severity_level": "fld101", - "signature_id": "sigid", - "signature_subclass": "fld14", - "src": "saddr", - "src_port": "sport", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub_type": "category", - "subtype": "category", - "threat_level": "threat_val", - "threat_weight": "fld20", - "timezone": "timezone", - "trandisp": "context", - "trigger_policy": "fld39", - "type": "event_type", - "url": "url", - "user": "username", - "user_name": "username", - "userfrom": "fld30", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - dup5, - dup14, - dup23, - ])); - - var msg8 = msg("generic_fortinetmgr", part19); - - var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { - "action": "action", - "app": "obj_name", - "appcat": "fld33", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "date": "fld1", - "dstcountry": "location_dst", - "dstintf": 
"dinterface", - "dstintfrole": "fld31", - "dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtime": "event_time_string", - "level": "severity", - "logid": "id", - "logtime": "fld35", - "policyid": "policy_id", - "policytype": "fld34", - "poluuid": "fld5", - "proto": "fld6", - "rcvdbyte": "rbytes", - "sentbyte": "sbytes", - "sentpkt": "fld15", - "service": "network_service", - "sessionid": "sessionid", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcintfrole": "fld30", - "srcip": "saddr", - "srcport": "sport", - "subtype": "category", - "time": "fld2", - "trandisp": "context", - "tranip": "dtransaddr", - "tranport": "dtransport", - "type": "event_type", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }), - dup6, - setf("hardware_id","hfld2"), - dup14, - dup23, - ])); - - var msg9 = msg("generic_fortinetmgr_1", part20); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_fortinetmgr": select6, - "generic_fortinetmgr": msg8, - "generic_fortinetmgr_1": msg9, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: 
destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/tcp.yml.hbs b/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 3f83a27af8..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,3097 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiManager" - type: "Configuration" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value;
- }
-
- function fld_set(dst, value) {
- dst[this.field] = { v: value };
- }
-
- function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
- }
-
- function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
- }
-
- var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
- };
-
- function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
- }
-
- function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
- }
-
- function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
- }
-
- var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
- ];
-
- function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
- 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("hfld2"), - constant("_fortinetmgr"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0002"), - dup1, - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ - setc("header_id","0004"), - dup2, - ])); - - var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ - setc("header_id","0005"), - dup2, - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - ]); - - var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg1 = msg("fortinetmgr:01", part1); - - var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg2 = msg("fortinetmgr", part2); - - var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); - - var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); - - var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); - - var select2 = linear_select([ - part4, - part5, - ]); - - var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); - - var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); - - var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); - - var select3 = linear_select([ - part7, - part8, - ]); - - var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); - - var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); - - var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); - - var select4 = linear_select([ - part10, - part11, - ]); - - var all1 = all_match({ - processors: [ - part3, - select2, - part6, - select3, - part9, - select4, - ], - on_success: processor_chain([ - dup11, - dup4, - lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("fld5"), - }), - dup22, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg3 = msg("fortinetmgr:04", all1); - - var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg4 = msg("fortinetmgr:02", part12); - - var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - lookup({ - dest: 
"nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("result"), - }), - dup22, - ])); - - var msg5 = msg("fortinetmgr:03", part13); - - var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); - - var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); - - var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); - - var select5 = linear_select([ - part15, - part16, - ]); - - var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); - - var all2 = all_match({ - processors: [ - part14, - select5, - part17, - ], - on_success: processor_chain([ - dup13, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg6 = msg("fortinetmgr:05", all2); - - var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { - "action": "action", - "adom": "domain", - "desc": "event_description", - "msg": "info", - "session_id": "sessionid", - "user": "username", - "userfrom": "fld1", - }, processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - setf("event_type","hfld2"), - dup9, - dup10, - ])); - - var msg7 = msg("event_fortinetmgr_tvm", part18); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - ]); - - var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { - "action": "action", - "adminprof": "fld13", - "cat": "fcatnum", - "catdesc": "filter", - "cipher_suite": "fld24", - "content_switch_name": "fld15", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "dev_id": "fld100", - "device_id": "hardware_id", - "devid": "hardware_id", - "devname": "event_source", - "devtype": "fld7", - "direction": "direction", - "dst": "daddr", - "dst_port": "dport", - "dstintf": "dinterface", - 
"dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtype": "vendor_event_cat", - "false_positive_mitigation": "fld17", - "ftp_cmd": "fld23", - "ftp_mode": "fld22", - "history_threat_weight": "fld21", - "hostname": "hostname", - "http_agent": "agent", - "http_host": "web_ref_domain", - "http_method": "web_method", - "http_refer": "web_referer", - "http_session_id": "sessionid", - "http_url": "web_query", - "http_version": "fld19", - "level": "severity", - "log_id": "id", - "logid": "id", - "main_type": "fld37", - "mastersrcmac": "fld8", - "method": "fld12", - "monitor_status": "fld18", - "msg": "event_description", - "msg_id": "fld25", - "osname": "os", - "osversion": "version", - "policy": "policyname", - "policyid": "policy_id", - "poluuid": "fld5", - "pri": "severity", - "profile": "rulename", - "proto": "fld6", - "rcvdbyte": "rbytes", - "reqtype": "fld11", - "sentbyte": "sbytes", - "server_pool_name": "fld16", - "service": "network_service", - "sessionid": "sessionid", - "severity_level": "fld101", - "signature_id": "sigid", - "signature_subclass": "fld14", - "src": "saddr", - "src_port": "sport", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub_type": "category", - "subtype": "category", - "threat_level": "threat_val", - "threat_weight": "fld20", - "timezone": "timezone", - "trandisp": "context", - "trigger_policy": "fld39", - "type": "event_type", - "url": "url", - "user": "username", - "user_name": "username", - "userfrom": "fld30", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - dup5, - dup14, - dup23, - ])); - - var msg8 = msg("generic_fortinetmgr", part19); - - var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { - "action": "action", - "app": "obj_name", - "appcat": "fld33", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "date": "fld1", - "dstcountry": "location_dst", - "dstintf": 
"dinterface", - "dstintfrole": "fld31", - "dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtime": "event_time_string", - "level": "severity", - "logid": "id", - "logtime": "fld35", - "policyid": "policy_id", - "policytype": "fld34", - "poluuid": "fld5", - "proto": "fld6", - "rcvdbyte": "rbytes", - "sentbyte": "sbytes", - "sentpkt": "fld15", - "service": "network_service", - "sessionid": "sessionid", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcintfrole": "fld30", - "srcip": "saddr", - "srcport": "sport", - "subtype": "category", - "time": "fld2", - "trandisp": "context", - "tranip": "dtransaddr", - "tranport": "dtransport", - "type": "event_type", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }), - dup6, - setf("hardware_id","hfld2"), - dup14, - dup23, - ])); - - var msg9 = msg("generic_fortinetmgr_1", part20); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_fortinetmgr": select6, - "generic_fortinetmgr": msg8, - "generic_fortinetmgr_1": msg9, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: 
destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/udp.yml.hbs b/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/udp.yml.hbs
deleted file mode 100755
index a27a4bacc3..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,3097 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Fortinet" - product: "FortiManager" - type: "Configuration" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0;
- var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
- return function(evt) {
- var msg = evt.Get(src);
- if (msg === undefined) {
- console.warn("tagval: input field is missing");
- return fail(evt);
- }
- var pairs = msg.split(cfg.pair_separator);
- var i;
- var success = false;
- var prev = "";
- for (i=0; i 0 &&
- value.length >= cfg.open_quote.length + cfg.close_quote.length &&
- value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
- value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
- value = value.substr(cfg.open_quote.length, value.length - quotes_len);
- }
- evt.Put(FIELDS_PREFIX + field, value);
- success = true;
- }
- if (!success) {
- return fail(evt);
- }
- if (on_success != null) {
- on_success(evt);
- }
- }
- }
-
- var ecs_mappings = {
- "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
- "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
- "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
- "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
- "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
- "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
- "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
- "application": {to:[{field: "network.application", setter: fld_set}]},
- "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
- "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
- "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
-
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
-
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field:
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip,
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field:
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
-
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field:
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field:
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("hfld2"), - constant("_fortinetmgr"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0002"), - dup1, - ])); - - var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup1, - ])); - - var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ - setc("header_id","0004"), - dup2, - ])); - - var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ - setc("header_id","0005"), - dup2, - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - ]); - - var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg1 = msg("fortinetmgr:01", part1); - - var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg2 = msg("fortinetmgr", part2); - - var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); - - var 
part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); - - var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); - - var select2 = linear_select([ - part4, - part5, - ]); - - var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); - - var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); - - var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); - - var select3 = linear_select([ - part7, - part8, - ]); - - var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); - - var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); - - var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); - - var select4 = linear_select([ - part10, - part11, - ]); - - var all1 = all_match({ - processors: [ - part3, - select2, - part6, - select3, - part9, - select4, - ], - on_success: processor_chain([ - dup11, - dup4, - lookup({ - dest: "nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("fld5"), - }), - dup22, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg3 = msg("fortinetmgr:04", all1); - - var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ])); - - var msg4 = msg("fortinetmgr:02", part12); - - var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - lookup({ - dest: 
"nwparser.event_cat", - map: map_getEventLegacyCategory, - key: field("result"), - }), - dup22, - ])); - - var msg5 = msg("fortinetmgr:03", part13); - - var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); - - var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); - - var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); - - var select5 = linear_select([ - part15, - part16, - ]); - - var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); - - var all2 = all_match({ - processors: [ - part14, - select5, - part17, - ], - on_success: processor_chain([ - dup13, - dup4, - dup5, - dup6, - dup7, - dup8, - dup9, - dup10, - ]), - }); - - var msg6 = msg("fortinetmgr:05", all2); - - var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { - "action": "action", - "adom": "domain", - "desc": "event_description", - "msg": "info", - "session_id": "sessionid", - "user": "username", - "userfrom": "fld1", - }, processor_chain([ - dup11, - dup4, - dup5, - dup6, - dup7, - setf("event_type","hfld2"), - dup9, - dup10, - ])); - - var msg7 = msg("event_fortinetmgr_tvm", part18); - - var select6 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - ]); - - var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { - "action": "action", - "adminprof": "fld13", - "cat": "fcatnum", - "catdesc": "filter", - "cipher_suite": "fld24", - "content_switch_name": "fld15", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "dev_id": "fld100", - "device_id": "hardware_id", - "devid": "hardware_id", - "devname": "event_source", - "devtype": "fld7", - "direction": "direction", - "dst": "daddr", - "dst_port": "dport", - "dstintf": "dinterface", - 
"dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtype": "vendor_event_cat", - "false_positive_mitigation": "fld17", - "ftp_cmd": "fld23", - "ftp_mode": "fld22", - "history_threat_weight": "fld21", - "hostname": "hostname", - "http_agent": "agent", - "http_host": "web_ref_domain", - "http_method": "web_method", - "http_refer": "web_referer", - "http_session_id": "sessionid", - "http_url": "web_query", - "http_version": "fld19", - "level": "severity", - "log_id": "id", - "logid": "id", - "main_type": "fld37", - "mastersrcmac": "fld8", - "method": "fld12", - "monitor_status": "fld18", - "msg": "event_description", - "msg_id": "fld25", - "osname": "os", - "osversion": "version", - "policy": "policyname", - "policyid": "policy_id", - "poluuid": "fld5", - "pri": "severity", - "profile": "rulename", - "proto": "fld6", - "rcvdbyte": "rbytes", - "reqtype": "fld11", - "sentbyte": "sbytes", - "server_pool_name": "fld16", - "service": "network_service", - "sessionid": "sessionid", - "severity_level": "fld101", - "signature_id": "sigid", - "signature_subclass": "fld14", - "src": "saddr", - "src_port": "sport", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub_type": "category", - "subtype": "category", - "threat_level": "threat_val", - "threat_weight": "fld20", - "timezone": "timezone", - "trandisp": "context", - "trigger_policy": "fld39", - "type": "event_type", - "url": "url", - "user": "username", - "user_name": "username", - "userfrom": "fld30", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - dup5, - dup14, - dup23, - ])); - - var msg8 = msg("generic_fortinetmgr", part19); - - var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { - "action": "action", - "app": "obj_name", - "appcat": "fld33", - "craction": "fld9", - "crlevel": "fld10", - "crscore": "reputation_num", - "date": "fld1", - "dstcountry": "location_dst", - "dstintf": 
"dinterface", - "dstintfrole": "fld31", - "dstip": "daddr", - "dstport": "dport", - "duration": "duration", - "eventtime": "event_time_string", - "level": "severity", - "logid": "id", - "logtime": "fld35", - "policyid": "policy_id", - "policytype": "fld34", - "poluuid": "fld5", - "proto": "fld6", - "rcvdbyte": "rbytes", - "sentbyte": "sbytes", - "sentpkt": "fld15", - "service": "network_service", - "sessionid": "sessionid", - "srccountry": "location_src", - "srcintf": "sinterface", - "srcintfrole": "fld30", - "srcip": "saddr", - "srcport": "sport", - "subtype": "category", - "time": "fld2", - "trandisp": "context", - "tranip": "dtransaddr", - "tranport": "dtransport", - "type": "event_type", - "vd": "vsys", - }, processor_chain([ - dup13, - dup4, - date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }), - dup6, - setf("hardware_id","hfld2"), - dup14, - dup23, - ])); - - var msg9 = msg("generic_fortinetmgr_1", part20); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "event_fortinetmgr": select6, - "generic_fortinetmgr": msg8, - "generic_fortinetmgr_1": msg9, - }), - ]); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: 
destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/1.6.2/data_stream/fortimanager/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index dd4990b756..0000000000 --- a/packages/fortinet/1.6.2/data_stream/fortimanager/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,108 +0,0 @@ ---- -description: Pipeline for Fortinet Manager/Analyzer - -processors: - - set: - field: ecs.version - value: '8.2.0' - - gsub: - field: destination.mac - ignore_missing: true - pattern: '[:]' - replacement: '-' - - gsub: - field: source.mac - ignore_missing: true - pattern: '[:]' - replacement: '-' - - uppercase: - field: destination.mac - ignore_missing: true - - uppercase: - field: source.mac - ignore_missing: true - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # URL - - uri_parts: - field: url.original - target_field: _temp_.url - ignore_failure: true - if: ctx?.url?.original != null - - script: - lang: painless - description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings - if: ctx?._temp_?.url != null - source: | - for (entry in ctx._temp_.url.entrySet()) { - if (entry != null && entry.getValue() != null) { - if(ctx.url[entry.getKey()] == null) { - ctx.url[entry.getKey()] = entry.getValue(); - } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { - ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; - ctx.url[entry.getKey()].add(entry.getValue()); - } - } - } - - remove: - field: _temp_ - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: 
source.as.organization.name
-    ignore_missing: true
-  - rename:
-    field: destination.as.asn
-    target_field: destination.as.number
-    ignore_missing: true
-  - rename:
-    field: destination.as.organization_name
-    target_field: destination.as.organization.name
-    ignore_missing: true
-  - append:
-    field: related.hosts
-    value: '{{host.name}}'
-    allow_duplicates: false
-    if: ctx.host?.name != null && ctx.host?.name != ''
-  - remove:
-    field: event.original
-    if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
-    ignore_failure: true
-    ignore_missing: true
-on_failure:
-  - append:
-    field: error.message
-    value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/fields/agent.yml b/packages/fortinet/1.6.2/data_stream/fortimanager/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/fields/base-fields.yml b/packages/fortinet/1.6.2/data_stream/fortimanager/fields/base-fields.yml
deleted file mode 100755
index bbad94843b..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/fields/base-fields.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-- name: data_stream.type
-  type: constant_keyword
-  description: Data stream type.
-- name: data_stream.dataset
-  type: constant_keyword
-  description: Data stream dataset.
-- name: data_stream.namespace
-  type: constant_keyword
-  description: Data stream namespace.
-- name: event.module
-  type: constant_keyword
-  description: Event module
-  value: fortinet
-- name: event.dataset
-  type: constant_keyword
-  description: Event dataset
-  value: fortinet.fortimanager
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
-- name: container.id
-  description: Unique container id.
-  ignore_above: 1024
-  type: keyword
-- name: input.type
-  description: Type of Filebeat input.
-  type: keyword
-- name: log.file.path
-  description: Full path to the log file this event came from.
-  example: /var/log/fun-times.log
-  ignore_above: 1024
-  type: keyword
-- name: log.source.address
-  description: Source address from which the log event was read / sent from.
-  type: keyword
-- name: log.flags
-  description: Flags for the log file.
-  type: keyword
-- name: log.offset
-  description: Offset of the entry in the log file.
-  type: long
-- name: tags
-  description: List of keywords used to tag each event.
-  example: '["production", "env2"]'
-  ignore_above: 1024
-  type: keyword
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/fields/ecs.yml b/packages/fortinet/1.6.2/data_stream/fortimanager/fields/ecs.yml
deleted file mode 100755
index 2257c57972..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/fields/ecs.yml
+++ /dev/null
@@ -1,558 +0,0 @@
-- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. 
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. 
- name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
- multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. 
- name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". 
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword 
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/fields/fields.yml b/packages/fortinet/1.6.2/data_stream/fortimanager/fields/fields.yml
deleted file mode 100755
index ea69cd79e3..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/fields/fields.yml
+++ /dev/null
@@ -1,1754 +0,0 @@
-- name: rsa
- type: group
- fields:
- - name: internal
- type: group
- fields:
- - name: msg
- type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
- - name: messageid
- type: keyword
- - name: event_desc
- type: keyword
- - name: message
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- - name: level
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: msg_vid
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: data
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry
- type: keyword
- description: Deprecated key defined only in table map.
- - name: hcode
- type: keyword
- description: Deprecated key defined only in table map.
- - name: inode
- type: long
- description: Deprecated key defined only in table map.
- - name: resource_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: dead
- type: long
- description: Deprecated key defined only in table map.
- - name: feed_desc
- type: keyword
- description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: feed_name
- type: keyword
- description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: cid
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_class
- type: keyword
- description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_group
- type: keyword
- description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_host
- type: keyword
- description: This is the Hostname of the log Event Source sending the logs to NetWitness.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword
- - name: log_type
- type: keyword
- - name: logid
- type: keyword
- - name: logip
- type: keyword
- - name: logname
- type: keyword
- - name: longitude
- type: keyword
- - name: lport
- type: keyword
- - name: mbug_data
- type: keyword
- - name: misc_name
- type: keyword
- - name: msg_type
- type: keyword
- - name: msgid
- type: keyword
- - name: netsessid
- type: keyword
- - name: num
- type: keyword
- - name: number1
- type: keyword
- - name: number2
- type: keyword
- - name: nwwn
- type: keyword
- - name: object
- type: keyword
- - name: operation
- type: keyword
- - name: opkt
- type: keyword
- - name: orig_from
- type: keyword
- - name: owner_id
- type: keyword
- - name: p_action
- type: keyword
- - name: p_filter
- type: keyword
- - name: p_group_object
- type: keyword
- - name: p_id
- type: keyword
- - name: p_msgid1
- type: keyword
- - name: p_msgid2
- type: keyword
- - name: p_result1
- type: keyword
- - name: password_chg
- type: keyword
- - name: password_expire
- type: keyword
- - name: permgranted
- type: keyword
- - name: permwanted
- type: keyword
- - name: pgid
- type: keyword
- - name: policyUUID
- type: keyword
- - name: prog_asp_num
- type: keyword
- - name: program
- type: keyword
- - name: real_data
- type: keyword
- - name: rec_asp_device
- type: keyword
- - name: rec_asp_num
- type: keyword
- - name: rec_library
- type: keyword
- - name: recordnum
- type: keyword
- - name: ruid
- type: keyword
- - name: sburb
- type: keyword
- - name: sdomain_fld
- type: keyword
- - name: sec
- type: keyword
- - name: sensorname
- type: keyword
- - name: seqnum
- type: keyword
- - name: session
- type: keyword
- - name: sessiontype
- type: keyword
- - name: sigUUID
- type: keyword
- - name: spi
- type: keyword
- - name: srcburb
- type: keyword
- - name: srcdom
- type: keyword
- - name: srcservice
- type: keyword
- - name: state
- type: keyword
- - name: status1
- type: keyword
- - name: svcno
- type: keyword
- - name: system
- type: keyword
- -
name: tbdstr1
- type: keyword
- - name: tgtdom
- type: keyword
- - name: tgtdomain
- type: keyword
- - name: threshold
- type: keyword
- - name: type1
- type: keyword
- - name: udb_class
- type: keyword
- - name: url_fld
- type: keyword
- - name: user_div
- type: keyword
- - name: userid
- type: keyword
- - name: username_fld
- type: keyword
- - name: utcstamp
- type: keyword
- - name: v_instafname
- type: keyword
- - name: virt_data
- type: keyword
- - name: vpnid
- type: keyword
- - name: autorun_type
- type: keyword
- description: This is used to capture Auto Run type
- - name: cc_number
- type: long
- description: Valid Credit Card Numbers only
- - name: content
- type: keyword
- description: This key captures the content type from protocol headers
- - name: ein_number
- type: long
- description: Employee Identification Numbers only
- - name: found
- type: keyword
- description: This is used to capture the results of regex match
- - name: language
- type: keyword
- description: This is used to capture list of languages the client support and what it prefers
- - name: lifetime
- type: long
- description: This key is used to capture the session lifetime in seconds.
- - name: link
- type: keyword
- description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: match
- type: keyword
- description: This key is for regex match name from search.ini
- - name: param_dst
- type: keyword
- description: This key captures the command line/launch argument of the target process or file
- - name: param_src
- type: keyword
- description: This key captures source parameter
- - name: search_text
- type: keyword
- description: This key captures the Search Text used
- - name: sig_name
- type: keyword
- description: This key is used to capture the Signature Name only.
- - name: snmp_value
- type: keyword
- description: SNMP set request value
- - name: streams
- type: long
- description: This key captures number of streams in session
- - name: db
- type: group
- fields:
- - name: index
- type: keyword
- description: This key captures IndexID of the index.
- - name: instance
- type: keyword
- description: This key is used to capture the database server instance name
- - name: database
- type: keyword
- description: This key is used to capture the name of a database or an instance as seen in a session
- - name: transact_id
- type: keyword
- description: This key captures the SQL transantion ID of the current session
- - name: permissions
- type: keyword
- description: This key captures permission or privilege level assigned to a resource.
- - name: table_name
- type: keyword
- description: This key is used to capture the table name
- - name: db_id
- type: keyword
- description: This key is used to capture the unique identifier for a database
- - name: db_pid
- type: long
- description: This key captures the process id of a connection with database server
- - name: lread
- type: long
- description: This key is used for the number of logical reads
- - name: lwrite
- type: long
- description: This key is used for the number of logical writes
- - name: pread
- type: long
- description: This key is used for the number of physical writes
- - name: network
- type: group
- fields:
- - name: alias_host
- type: keyword
- description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
- - name: domain
- type: keyword
- - name: host_dst
- type: keyword
- description: "This key should only be used when it’s a Destination Hostname"
- - name: network_service
- type: keyword
- description: This is used to capture layer 7 protocols/service names
- - name: interface
- type: keyword
- description: This key should be used when the source or destination context of an interface is not clear
- - name: network_port
- type: long
- description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- - name: eth_host
- type: keyword
- description: Deprecated, use alias.mac
- - name: sinterface
- type: keyword
- description: "This key should only be used when it’s a Source Interface"
- - name: dinterface
- type: keyword
- description: "This key should only be used when it’s a Destination Interface"
- - name: vlan
- type: long
- description: This key should only be used to capture the ID of the Virtual LAN
- - name: zone_src
- type: keyword
- description: "This key should only be used when it’s a Source Zone."
- - name: zone
- type: keyword
- description: This key should be used when the source or destination context of a Zone is not clear
- - name: zone_dst
- type: keyword
- description: "This key should only be used when it’s a Destination Zone."
- - name: gateway
- type: keyword
- description: This key is used to capture the IP Address of the gateway
- - name: icmp_type
- type: long
- description: This key is used to capture the ICMP type only
- - name: mask
- type: keyword
- description: This key is used to capture the device network IPmask.
- - name: icmp_code
- type: long
- description: This key is used to capture the ICMP code only
- - name: protocol_detail
- type: keyword
- description: This key should be used to capture additional protocol information
- - name: dmask
- type: keyword
- description: This key is used for Destionation Device network mask
- - name: port
- type: long
- description: This key should only be used to capture a Network Port when the directionality is not clear
- - name: smask
- type: keyword
- description: This key is used for capturing source Network Mask
- - name: netname
- type: keyword
- description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
- - name: paddr
- type: ip
- description: Deprecated
- - name: faddr
- type: keyword
- - name: lhost
- type: keyword
- - name: origin
- type: keyword
- - name: remote_domain_id
- type: keyword
- - name: addr
- type: keyword
- - name: dns_a_record
- type: keyword
- - name: dns_ptr_record
- type: keyword
- - name: fhost
- type: keyword
- - name: fport
- type: keyword
- - name: laddr
- type: keyword
- - name: linterface
- type: keyword
- - name: phost
- type: keyword
- - name: ad_computer_dst
- type: keyword
- description: Deprecated, use host.dst
- - name: eth_type
- type: long
- description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
- - name: ip_proto
- type: long
- description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
- - name: dns_cname_record
- type: keyword
- - name: dns_id
- type: keyword
- - name: dns_opcode
- type: keyword
- - name: dns_resp
- type: keyword
- - name: dns_type
- type: keyword
- - name: domain1
- type: keyword
- - name: host_type
- type: keyword
- - name: packet_length
- type: keyword
- - name: host_orig
- type: keyword
- description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
- - name: rpayload
- type: keyword
- description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
- - name: vlan_name
- type: keyword
- description: This key should only be used to capture the name of the Virtual LAN
- - name: investigations
- type: group
- fields:
- - name: ec_activity
- type: keyword
- description: This key captures the particular event activity(Ex:Logoff)
- - name: ec_theme
- type: keyword
- description: This key captures the Theme of a particular Event(Ex:Authentication)
- - name: ec_subject
- type: keyword
- description: This key captures the Subject of a particular Event(Ex:User)
- - name: ec_outcome
- type: keyword
- description: This key captures the outcome of a particular Event(Ex:Success)
- - name: event_cat
- type: long
- description: This key captures the Event category number
- - name: event_cat_name
- type: keyword
- description: This key captures the event category name corresponding to the event cat code
- - name: event_vcat
- type: keyword
- description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
- - name: analysis_file
- type: keyword
- description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
- - name: analysis_service
- type: keyword
- description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
- - name: analysis_session
- type: keyword
- description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
- - name: boc
- type: keyword
- description: This is used to capture behaviour of compromise
- - name: eoc
- type: keyword
- description: This is used to capture Enablers of Compromise
- - name: inv_category
- type: keyword
- description: This used to capture investigation category
- - name: inv_context
- type: keyword
- description: This used to capture investigation context
- - name: ioc
- type: keyword
- description: This is key capture indicator of compromise
- - name: counters
- type: group
- fields:
- - name: dclass_c1
- type: long
- description: This is a generic counter key that should be used with the label dclass.c1.str only
- - name: dclass_c2
- type: long
- description: This is a generic counter key that should be used with the label dclass.c2.str only
- - name: event_counter
- type: long
- description: This is used to capture the number of times an event repeated
- - name: dclass_r1
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r1.str only
- - name: dclass_c3
- type: long
- description: This is a generic counter key that should be used with the label dclass.c3.str only
- - name: dclass_c1_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c1 only
- - name: dclass_c2_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c2 only
- - name: dclass_r1_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r1 only
- - name: dclass_r2
- type: keyword
- description: This is a generic ratio key that should be used with the label dclass.r2.str only
- - name: dclass_c3_str
- type: keyword
- description: This is a generic counter string key that should be used with the label dclass.c3 only
- - name: dclass_r3
- type: keyword
- description: This is a generic ratio key that
should be used with the label dclass.r3.str only
- - name: dclass_r2_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r2 only
- - name: dclass_r3_str
- type: keyword
- description: This is a generic ratio string key that should be used with the label dclass.r3 only
- - name: identity
- type: group
- fields:
- - name: auth_method
- type: keyword
- description: This key is used to capture authentication methods used only
- - name: user_role
- type: keyword
- description: This key is used to capture the Role of a user only
- - name: dn
- type: keyword
- description: X.500 (LDAP) Distinguished Name
- - name: logon_type
- type: keyword
- description: This key is used to capture the type of logon method used.
- - name: profile
- type: keyword
- description: This key is used to capture the user profile
- - name: accesses
- type: keyword
- description: This key is used to capture actual privileges used in accessing an object
- - name: realm
- type: keyword
- description: Radius realm or similar grouping of accounts
- - name: user_sid_dst
- type: keyword
- description: This key captures Destination User Session ID
- - name: dn_src
- type: keyword
- description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
- - name: org
- type: keyword
- description: This key captures the User organization
- - name: dn_dst
- type: keyword
- description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
- - name: firstname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: lastname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: user_dept
- type: keyword
- description: User's Department Names only
- - name: user_sid_src
- type: keyword
- description: This
key captures Source User Session ID
- - name: federated_sp
- type: keyword
- description: This key is the Federated Service Provider. This is the application requesting authentication.
- - name: federated_idp
- type: keyword
- description: This key is the federated Identity Provider. This is the server providing the authentication.
- - name: logon_type_desc
- type: keyword
- description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
- - name: middlename
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: password
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
- - name: ldap_query
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- type: keyword
- description: This is used to capture username the process or service is running as, the author of the task
- - name: service_account
- type: keyword
- description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under.
Legacy Usage
- - name: email
- type: group
- fields:
- - name: email_dst
- type: keyword
- description: This key is used to capture the Destination email address only, when the destination context is not clear use email
- - name: email_src
- type: keyword
- description: This key is used to capture the source email address only, when the source context is not clear use email
- - name: subject
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- type: keyword
- description: This key is used to capture a generic email address where the source or destination context is not clear
- - name: trans_from
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- type: group
- fields:
- - name: privilege
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- type: keyword
- - name: binary
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- type: keyword
- description: This is used to capture name of the parent filename, the file which performed the action
- - name: filename_tmp
- type: keyword
- - name: directory_dst
- type: keyword
- description: This key is used to capture the directory of the target process or file
- - name: directory_src
- type: keyword
- description: This key is used to capture the directory of the source process or file
- - name: file_entropy
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- type: keyword
- description: This is used to capture name of the task
- - name: web
- type: group
- fields:
- - name: fqdn
- type: keyword
- description: Fully Qualified Domain Names
- - name: web_cookie
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- type: keyword
- - name: reputation_num
- type: double
- description: Reputation Number of an entity.
Typically used for Web Domains
- - name: web_ref_domain
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- type: keyword
- - name: web_ref_page
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- type: keyword
- - name: cn_rpackets
- type: keyword
- - name: urlpage
- type: keyword
- - name: urlroot
- type: keyword
- - name: p_url
- type: keyword
- - name: p_user_agent
- type: keyword
- - name: p_web_cookie
- type: keyword
- - name: p_web_method
- type: keyword
- - name: p_web_referer
- type: keyword
- - name: web_extension_tmp
- type: keyword
- - name: web_page
- type: keyword
- - name: threat
- type: group
- fields:
- - name: threat_category
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of alert
- - name: threat_desc
- type: keyword
- description: This key is used to capture the threat description from the session directly or inferred
- - name: alert
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- type: keyword
- description: This key is used to capture source of the threat
- - name: crypto
- type: group
- fields:
- - name: crypto
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key only
- - name: cipher_src
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- type: keyword
- description: "This key is for Encryption peer’s identity"
- - name: sig_type
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- type: keyword
- - name: cert_host_name
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- type: keyword
- - name: s_certauth
- type: keyword
- - name: ike_cookie1
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase One"
- - name: ike_cookie2
- type: keyword
- description: "ID of the negotiation — sent for ISAKMP Phase Two"
- - name: cert_checksum
- type: keyword
- - name: cert_host_cat
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- type: keyword
- - name: cert_username
- type: keyword
- - name: https_insact
- type: keyword
- - name: https_valid
- type: keyword
- - name: cert_ca
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- type: group
- fields:
- - name: wlan_ssid
- type: keyword
-
description: This key is used to capture the ssid of a Wireless Session
- - name: access_point
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- type: group
- fields:
- - name: disk_volume
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical disk
- - name: lun
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- type: group
- fields:
- - name: org_dst
- type: keyword
- description: This is used to capture the destination organization based on the GEOPIP Maxmind database.
- - name: org_src
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP Maxmind database.
- - name: healthcare
- type: group
- fields:
- - name: patient_fname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_id
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_mname
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: endpoint
- type: group
- fields:
- - name: host_state
- type: keyword
- description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- - name: registry_key
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- type: keyword
- description: This key captures values or decorators used within a registry entry
-- name: dns.question.domain
- type: keyword
- ignore_above: 1024
- description: Server domain.
-- name: network.interface.name
- type: keyword
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/manifest.yml b/packages/fortinet/1.6.2/data_stream/fortimanager/manifest.yml
deleted file mode 100755
index c6aacc111a..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/manifest.yml
+++ /dev/null
@@ -1,210 +0,0 @@
-title: Fortinet Manager/Analyzer logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Fortinet Manager/Analyzer logs
- description: Collect Fortinet Manager/Analyzer logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimanager
- - forwarded
- - name: udp_host
- type: text
- title: Listen Address
- description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: Listen Port
- description: The UDP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9530
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Fortinet Manager/Analyzer logs
- description: Collect Fortinet Manager/Analyzer logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimanager
- - forwarded
- - name: tcp_host
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9530
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: logfile
- enabled: false
- title: Fortinet Manager/Analyzer logs
- description: Collect Fortinet Manager/Analyzer logs from file
- template_path: log.yml.hbs
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/fortinet-fortimanager.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - fortinet-fortimanager
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/fortinet/1.6.2/data_stream/fortimanager/sample_event.json b/packages/fortinet/1.6.2/data_stream/fortimanager/sample_event.json
deleted file mode 100755
index 3eac8bb75e..0000000000
--- a/packages/fortinet/1.6.2/data_stream/fortimanager/sample_event.json
+++ /dev/null
@@ -1,131 +0,0 @@
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "607e3bda-a938-4637-8dd4-02613e9144ac",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "fortinet.fortimanager",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 449,
- "geo": {
- "country_name": "sequa"
- },
- "ip": [
- "10.44.173.44"
- ],
- "nat": {
- "ip": "10.189.58.145",
- "port": 5273
- },
- "port": 6125
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "action": "allow",
- "agent_id_status": "verified",
- "code": "sse",
- "dataset": "fortinet.fortimanager",
- "ingested": "2022-01-25T12:33:50Z",
- "original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "very-high",
- "source": {
- "address": "172.30.0.4:60997"
- }
- },
- "network": {
- "bytes": 8329
- },
- "observer": {
- "egress": {
- "interface": {
- "name": "enp0s3068"
- }
- },
- "ingress": {
- "interface": {
- "name": "eth5722"
- }
- },
- "product": "FortiManager",
- "type": "Configuration",
- "vendor": "Fortinet"
- },
- "related": {
- "hosts": [
- "modtempo"
- ],
- "ip": [
- "10.189.58.145",
- "10.20.234.169",
- "10.44.173.44"
- ]
- },
- "rsa": {
- "internal": {
- "messageid": "generic_fortinetmgr_1"
- },
- "misc": {
- "action": [
- "allow"
- ],
- "category": "der",
- "context": "abo",
- "event_source": "modtempo",
- "event_type": "exercita",
- "hardware_id": "olab",
- "log_session_id": "psa",
- "policy_id": "ntium",
- "reference_id": "sse",
- "severity": "very-high",
- "vsys": "nto"
- },
- "network": {
- "dinterface": "enp0s3068",
- "network_service": "lupt",
- "sinterface": "eth5722"
- },
- "time": {
- "duration_time": 14.119,
- "event_time": "2016-01-29T06:09:59.000Z",
- "event_time_str": "odoco"
- },
- "web": {
- "reputation_num": 13.8
- }
- },
- "source": {
- "bytes": 7880,
- "geo": {
- "country_name": "dolore"
- },
- "ip": [
- "10.20.234.169"
- ],
- "port": 1001
- },
- "tags": [
- "preserve_original_event",
- "fortinet-fortimanager",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/fortinet/1.6.2/docs/README.md b/packages/fortinet/1.6.2/docs/README.md
deleted file mode 100755
index f83b79b677..0000000000
--- a/packages/fortinet/1.6.2/docs/README.md
+++ /dev/null
@@ -1,3633 +0,0 @@ -# Fortinet Integration - -This integration is for Fortinet [FortiOS](https://docs.fortinet.com/product/fortigate/6.2) and [FortiClient](https://docs.fortinet.com/product/forticlient/) Endpoint logs sent in the syslog format. It includes the following datasets for receiving logs: - -- `firewall` dataset: consists of Fortinet FortiGate logs. -- `clientendpoint` dataset: supports Fortinet FortiClient Endpoint Security logs. -- `fortimail` dataset: supports Fortinet FortiMail logs. -- `fortimanager` dataset: supports Fortinet Manager/Analyzer logs. - -## Compatibility - -This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. - -## Logs - -### Firewall - -Contains log entries from Fortinet FortiGate applicances. - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-05-15T18:03:36.000Z", - "agent": { - "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea", - "hostname": "docker-fleet-agent", - "id": "2164018d-05cd-45b4-979d-4032bdd775f6", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.14.0" - }, - "data_stream": { - "dataset": "fortinet.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 41690, - "organization": { - "name": "Dailymotion S.A." 
- } - }, - "geo": { - "continent_name": "Europe", - "country_iso_code": "FR", - "country_name": "France", - "location": { - "lat": 48.8582, - "lon": 2.3387 - } - }, - "ip": "195.8.215.136", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4", - "snapshot": true, - "version": "7.14.0" - }, - "event": { - "action": "app-ctrl-all", - "category": [ - "network" - ], - "code": "1059028704", - "dataset": "fortinet.firewall", - "ingested": "2021-06-03T12:38:44.458586716Z", - "kind": "event", - "module": "fortinet", - "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n", - "outcome": "success", - "start": "2019-05-16T01:03:35.000Z", - "type": [ - "allowed" - ] - }, - "fortinet": { - "firewall": { - "action": "pass", - "appid": "40568", - "apprisk": "medium", - "dstintfrole": "wan", - "incidentserialno": "1962906680", - "sessionid": "4414", - "srcintfrole": "lan", - "subtype": "app-ctrl", - "type": "utm", - "vd": "root" - } - }, - "input": { - "type": "udp" - }, - "log": { - "level": "information", - "source": { - "address": "192.168.240.4:54617" - } - }, - "message": "Web.Client: HTTPS.BROWSER,", - "network": { - "application": "HTTPS.BROWSER", - "direction": "outbound", - "iana_number": "6", - "transport": "tcp", - "protocol": "https" - 
}, - "observer": { - "egress": { - "interface": { - "name": "port9" - } - }, - "ingress": { - "interface": { - "name": "port10" - } - }, - "product": "Fortigate", - "type": "firewall", - "vendor": "Fortinet" - }, - "related": { - "ip": [ - "10.1.100.22", - "195.8.215.136" - ] - }, - "rule": { - "category": "Web-Client", - "id": "1", - "ruleset": "block-social.media" - }, - "source": { - "ip": "10.1.100.22", - "port": 50798 - }, - "tags": [ - "fortinet-firewall", - "forwarded", - "preserve_original_event" - ], - "tls": { - "server": { - "issuer": "DigiCert SHA2 High Assurance Server CA", - "x509": { - "issuer": { - "common_name": "DigiCert SHA2 High Assurance Server CA" - }, - "subject": { - "common_name": "*.dailymotion.com" - } - } - } - }, - "url": { - "domain": "www.dailymotion.com", - "path": "/" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.user.email | User email address. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| email.cc.address | The email address of CC recipient | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.message | Log message optimized for viewing in a log viewer. | text | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". 
| long | -| fortinet.file.hash.crc32 | CRC32 Hash of file | keyword | -| fortinet.firewall.acct_stat | Accounting state (RADIUS) | keyword | -| fortinet.firewall.acktime | Alarm Acknowledge Time | keyword | -| fortinet.firewall.act | Action | keyword | -| fortinet.firewall.action | Status of the session | keyword | -| fortinet.firewall.activity | HA activity message | keyword | -| fortinet.firewall.addr | IP Address | ip | -| fortinet.firewall.addr_type | Address Type | keyword | -| fortinet.firewall.addrgrp | Address Group | keyword | -| fortinet.firewall.adgroup | AD Group Name | keyword | -| fortinet.firewall.admin | Admin User | keyword | -| fortinet.firewall.age | Time in seconds - time passed since last seen | integer | -| fortinet.firewall.agent | User agent - eg. agent="Mozilla/5.0" | keyword | -| fortinet.firewall.alarmid | Alarm ID | integer | -| fortinet.firewall.alert | Alert | keyword | -| fortinet.firewall.analyticscksum | The checksum of the file submitted for analytics | keyword | -| fortinet.firewall.analyticssubmit | The flag for analytics submission | keyword | -| fortinet.firewall.ap | Access Point | keyword | -| fortinet.firewall.app-type | Address Type | keyword | -| fortinet.firewall.appact | The security action from app control | keyword | -| fortinet.firewall.appid | Application ID | integer | -| fortinet.firewall.applist | Application Control profile | keyword | -| fortinet.firewall.apprisk | Application Risk Level | keyword | -| fortinet.firewall.apscan | The name of the AP, which scanned and detected the rogue AP | keyword | -| fortinet.firewall.apsn | Access Point | keyword | -| fortinet.firewall.apstatus | Access Point status | keyword | -| fortinet.firewall.aptype | Access Point type | keyword | -| fortinet.firewall.assigned | Assigned IP Address | ip | -| fortinet.firewall.assignip | Assigned IP Address | ip | -| fortinet.firewall.attachment | The flag for email attachement | keyword | -| fortinet.firewall.attack | Attack Name | 
keyword | -| fortinet.firewall.attackcontext | The trigger patterns and the packetdata with base64 encoding | keyword | -| fortinet.firewall.attackcontextid | Attack context id / total | keyword | -| fortinet.firewall.attackid | Attack ID | integer | -| fortinet.firewall.auditid | Audit ID | long | -| fortinet.firewall.auditscore | The Audit Score | keyword | -| fortinet.firewall.audittime | The time of the audit | long | -| fortinet.firewall.authgrp | Authorization Group | keyword | -| fortinet.firewall.authid | Authentication ID | keyword | -| fortinet.firewall.authproto | The protocol that initiated the authentication | keyword | -| fortinet.firewall.authserver | Authentication server | keyword | -| fortinet.firewall.bandwidth | Bandwidth | keyword | -| fortinet.firewall.banned_rule | NAC quarantine Banned Rule Name | keyword | -| fortinet.firewall.banned_src | NAC quarantine Banned Source IP | keyword | -| fortinet.firewall.banword | Banned word | keyword | -| fortinet.firewall.botnetdomain | Botnet Domain Name | keyword | -| fortinet.firewall.botnetip | Botnet IP Address | ip | -| fortinet.firewall.bssid | Service Set ID | keyword | -| fortinet.firewall.call_id | Caller ID | keyword | -| fortinet.firewall.carrier_ep | The FortiOS Carrier end-point identification | keyword | -| fortinet.firewall.cat | DNS category ID | integer | -| fortinet.firewall.category | Authentication category | keyword | -| fortinet.firewall.cc | CC Email Address | keyword | -| fortinet.firewall.cdrcontent | Cdrcontent | keyword | -| fortinet.firewall.centralnatid | Central NAT ID | integer | -| fortinet.firewall.cert | Certificate | keyword | -| fortinet.firewall.cert-type | Certificate type | keyword | -| fortinet.firewall.certhash | Certificate hash | keyword | -| fortinet.firewall.cfgattr | Configuration attribute | keyword | -| fortinet.firewall.cfgobj | Configuration object | keyword | -| fortinet.firewall.cfgpath | Configuration path | keyword | -| fortinet.firewall.cfgtid | 
Configuration transaction ID | keyword | -| fortinet.firewall.cfgtxpower | Configuration TX power | integer | -| fortinet.firewall.channel | Wireless Channel | integer | -| fortinet.firewall.channeltype | SSH channel type | keyword | -| fortinet.firewall.chassisid | Chassis ID | integer | -| fortinet.firewall.checksum | The checksum of the scanned file | keyword | -| fortinet.firewall.chgheaders | HTTP Headers | keyword | -| fortinet.firewall.cldobjid | Connector object ID | keyword | -| fortinet.firewall.client_addr | Wifi client address | keyword | -| fortinet.firewall.cloudaction | Cloud Action | keyword | -| fortinet.firewall.clouduser | Cloud User | keyword | -| fortinet.firewall.column | VOIP Column | integer | -| fortinet.firewall.command | CLI Command | keyword | -| fortinet.firewall.community | SNMP Community | keyword | -| fortinet.firewall.configcountry | Configuration country | keyword | -| fortinet.firewall.connection_type | FortiClient Connection Type | keyword | -| fortinet.firewall.conserve | Flag for conserve mode | keyword | -| fortinet.firewall.constraint | WAF http protocol restrictions | keyword | -| fortinet.firewall.contentdisarmed | Email scanned content | keyword | -| fortinet.firewall.contenttype | Content Type from HTTP header | keyword | -| fortinet.firewall.cookies | VPN Cookie | keyword | -| fortinet.firewall.count | Counts of action type | integer | -| fortinet.firewall.countapp | Number of App Ctrl logs associated with the session | integer | -| fortinet.firewall.countav | Number of AV logs associated with the session | integer | -| fortinet.firewall.countcifs | Number of CIFS logs associated with the session | integer | -| fortinet.firewall.countdlp | Number of DLP logs associated with the session | integer | -| fortinet.firewall.countdns | Number of DNS logs associated with the session | integer | -| fortinet.firewall.countemail | Number of email logs associated with the session | integer | -| fortinet.firewall.countff | Number of 
ff logs associated with the session | integer | -| fortinet.firewall.countips | Number of IPS logs associated with the session | integer | -| fortinet.firewall.countssh | Number of SSH logs associated with the session | integer | -| fortinet.firewall.countssl | Number of SSL logs associated with the session | integer | -| fortinet.firewall.countwaf | Number of WAF logs associated with the session | integer | -| fortinet.firewall.countweb | Number of Web filter logs associated with the session | integer | -| fortinet.firewall.cpu | CPU Usage | integer | -| fortinet.firewall.craction | Client Reputation Action | integer | -| fortinet.firewall.criticalcount | Number of critical ratings | integer | -| fortinet.firewall.crl | Client Reputation Level | keyword | -| fortinet.firewall.crlevel | Client Reputation Level | keyword | -| fortinet.firewall.crscore | Some description | integer | -| fortinet.firewall.cveid | CVE ID | keyword | -| fortinet.firewall.daemon | Daemon name | keyword | -| fortinet.firewall.datarange | Data range for reports | keyword | -| fortinet.firewall.date | Date | keyword | -| fortinet.firewall.ddnsserver | DDNS server | ip | -| fortinet.firewall.desc | Description | keyword | -| fortinet.firewall.detectionmethod | Detection method | keyword | -| fortinet.firewall.devcategory | Device category | keyword | -| fortinet.firewall.devintfname | HA device Interface Name | keyword | -| fortinet.firewall.devtype | Device type | keyword | -| fortinet.firewall.dhcp_msg | DHCP Message | keyword | -| fortinet.firewall.dintf | Destination interface | keyword | -| fortinet.firewall.disk | Assosciated disk | keyword | -| fortinet.firewall.disklograte | Disk logging rate | long | -| fortinet.firewall.dlpextra | DLP extra information | keyword | -| fortinet.firewall.docsource | DLP fingerprint document source | keyword | -| fortinet.firewall.domainctrlauthstate | CIFS domain auth state | integer | -| fortinet.firewall.domainctrlauthtype | CIFS domain auth type | 
integer | -| fortinet.firewall.domainctrldomain | CIFS domain auth domain | keyword | -| fortinet.firewall.domainctrlip | CIFS Domain IP | ip | -| fortinet.firewall.domainctrlname | CIFS Domain name | keyword | -| fortinet.firewall.domainctrlprotocoltype | CIFS Domain connection protocol | integer | -| fortinet.firewall.domainctrlusername | CIFS Domain username | keyword | -| fortinet.firewall.domainfilteridx | Domain filter ID | integer | -| fortinet.firewall.domainfilterlist | Domain filter name | keyword | -| fortinet.firewall.ds | Direction with distribution system | keyword | -| fortinet.firewall.dst_int | Destination interface | keyword | -| fortinet.firewall.dstcountry | Destination country | keyword | -| fortinet.firewall.dstdevcategory | Destination device category | keyword | -| fortinet.firewall.dstdevtype | Destination device type | keyword | -| fortinet.firewall.dstfamily | Destination OS family | keyword | -| fortinet.firewall.dsthwvendor | Destination HW vendor | keyword | -| fortinet.firewall.dsthwversion | Destination HW version | keyword | -| fortinet.firewall.dstinetsvc | Destination interface service | keyword | -| fortinet.firewall.dstintfrole | Destination interface role | keyword | -| fortinet.firewall.dstosname | Destination OS name | keyword | -| fortinet.firewall.dstosversion | Destination OS version | keyword | -| fortinet.firewall.dstserver | Destination server | integer | -| fortinet.firewall.dstssid | Destination SSID | keyword | -| fortinet.firewall.dstswversion | Destination software version | keyword | -| fortinet.firewall.dstunauthusersource | Destination unauthenticated source | keyword | -| fortinet.firewall.dstuuid | UUID of the Destination IP address | keyword | -| fortinet.firewall.duid | DHCP UID | keyword | -| fortinet.firewall.eapolcnt | EAPOL packet count | integer | -| fortinet.firewall.eapoltype | EAPOL packet type | keyword | -| fortinet.firewall.encrypt | Whether the packet is encrypted or not | integer | -| 
fortinet.firewall.encryption | Encryption method | keyword | -| fortinet.firewall.epoch | Epoch used for locating file | integer | -| fortinet.firewall.espauth | ESP Authentication | keyword | -| fortinet.firewall.esptransform | ESP Transform | keyword | -| fortinet.firewall.exch | Mail Exchanges from DNS response answer section | keyword | -| fortinet.firewall.exchange | Mail Exchanges from DNS response answer section | keyword | -| fortinet.firewall.expectedsignature | Expected SSL signature | keyword | -| fortinet.firewall.expiry | FortiGuard override expiry timestamp | keyword | -| fortinet.firewall.fams_pause | Fortinet Analysis and Management Service Pause | integer | -| fortinet.firewall.fazlograte | FortiAnalyzer Logging Rate | long | -| fortinet.firewall.fctemssn | FortiClient Endpoint SSN | keyword | -| fortinet.firewall.fctuid | FortiClient UID | keyword | -| fortinet.firewall.field | NTP status field | keyword | -| fortinet.firewall.filefilter | The filter used to identify the affected file | keyword | -| fortinet.firewall.filehashsrc | Filehash source | keyword | -| fortinet.firewall.filtercat | DLP filter category | keyword | -| fortinet.firewall.filteridx | DLP filter ID | integer | -| fortinet.firewall.filtername | DLP rule name | keyword | -| fortinet.firewall.filtertype | DLP filter type | keyword | -| fortinet.firewall.fortiguardresp | Antispam ESP value | keyword | -| fortinet.firewall.forwardedfor | Email address forwarded | keyword | -| fortinet.firewall.fqdn | FQDN | keyword | -| fortinet.firewall.frametype | Wireless frametype | keyword | -| fortinet.firewall.freediskstorage | Free disk integer | integer | -| fortinet.firewall.from | From email address | keyword | -| fortinet.firewall.from_vcluster | Source virtual cluster number | integer | -| fortinet.firewall.fsaverdict | FSA verdict | keyword | -| fortinet.firewall.fwserver_name | Web proxy server name | keyword | -| fortinet.firewall.gateway | Gateway ip address for PPPoE status report 
| ip | -| fortinet.firewall.green | Memory status | keyword | -| fortinet.firewall.groupid | User Group ID | integer | -| fortinet.firewall.ha-prio | HA Priority | integer | -| fortinet.firewall.ha_group | HA Group | keyword | -| fortinet.firewall.ha_role | HA Role | keyword | -| fortinet.firewall.handshake | SSL Handshake | keyword | -| fortinet.firewall.hash | Hash value of downloaded file | keyword | -| fortinet.firewall.hbdn_reason | Heartbeat down reason | keyword | -| fortinet.firewall.highcount | Highcount fabric summary | integer | -| fortinet.firewall.host | Hostname | keyword | -| fortinet.firewall.iaid | DHCPv6 id | keyword | -| fortinet.firewall.icmpcode | Destination Port of the ICMP message | keyword | -| fortinet.firewall.icmpid | Source port of the ICMP message | keyword | -| fortinet.firewall.icmptype | The type of ICMP message | keyword | -| fortinet.firewall.identifier | Network traffic identifier | integer | -| fortinet.firewall.in_spi | IPSEC inbound SPI | keyword | -| fortinet.firewall.incidentserialno | Incident serial number | integer | -| fortinet.firewall.infected | Infected MMS | integer | -| fortinet.firewall.infectedfilelevel | DLP infected file level | integer | -| fortinet.firewall.informationsource | Information source | keyword | -| fortinet.firewall.init | IPSEC init stage | keyword | -| fortinet.firewall.initiator | Original login user name for Fortiguard override | keyword | -| fortinet.firewall.interface | Related interface | keyword | -| fortinet.firewall.intf | Related interface | keyword | -| fortinet.firewall.invalidmac | The MAC address with invalid OUI | keyword | -| fortinet.firewall.ip | Related IP | ip | -| fortinet.firewall.iptype | Related IP type | keyword | -| fortinet.firewall.keyword | Keyword used for search | keyword | -| fortinet.firewall.kind | VOIP kind | keyword | -| fortinet.firewall.lanin | LAN incoming traffic in bytes | long | -| fortinet.firewall.lanout | LAN outbound traffic in bytes | long | -| 
fortinet.firewall.lease | DHCP lease | integer |
-| fortinet.firewall.license_limit | Maximum Number of FortiClients for the License | keyword |
-| fortinet.firewall.limit | Virtual Domain Resource Limit | integer |
-| fortinet.firewall.line | VOIP line | keyword |
-| fortinet.firewall.live | Time in seconds | integer |
-| fortinet.firewall.local | Local IP for a PPPD Connection | ip |
-| fortinet.firewall.log | Log message | keyword |
-| fortinet.firewall.login | SSH login | keyword |
-| fortinet.firewall.lowcount | Fabric lowcount | integer |
-| fortinet.firewall.mac | DHCP mac address | keyword |
-| fortinet.firewall.malform_data | VOIP malformed data | integer |
-| fortinet.firewall.malform_desc | VOIP malformed data description | keyword |
-| fortinet.firewall.manuf | Manufacturer name | keyword |
-| fortinet.firewall.masterdstmac | Master mac address for a host with multiple network interfaces | keyword |
-| fortinet.firewall.mastersrcmac | The master MAC address for a host that has multiple network interfaces | keyword |
-| fortinet.firewall.mediumcount | Fabric medium count | integer |
-| fortinet.firewall.mem | Memory usage system statistics | integer |
-| fortinet.firewall.meshmode | Wireless mesh mode | keyword |
-| fortinet.firewall.message_type | VOIP message type | keyword |
-| fortinet.firewall.method | HTTP method | keyword |
-| fortinet.firewall.mgmtcnt | The number of unauthorized client flooding managemet frames | integer |
-| fortinet.firewall.mode | IPSEC mode | keyword |
-| fortinet.firewall.module | PCI-DSS module | keyword |
-| fortinet.firewall.monitor-name | Health Monitor Name | keyword |
-| fortinet.firewall.monitor-type | Health Monitor Type | keyword |
-| fortinet.firewall.mpsk | Wireless MPSK | keyword |
-| fortinet.firewall.msgproto | Message Protocol Number | keyword |
-| fortinet.firewall.mtu | Max Transmission Unit Value | integer |
-| fortinet.firewall.name | Name | keyword |
-| fortinet.firewall.nat | NAT IP Address | keyword |
-| fortinet.firewall.netid | Connector NetID | keyword |
-| fortinet.firewall.new_status | New status on user change | keyword |
-| fortinet.firewall.new_value | New Virtual Domain Name | keyword |
-| fortinet.firewall.newchannel | New Channel Number | integer |
-| fortinet.firewall.newchassisid | New Chassis ID | integer |
-| fortinet.firewall.newslot | New Slot Number | integer |
-| fortinet.firewall.nextstat | Time interval in seconds for the next statistics. | integer |
-| fortinet.firewall.nf_type | Notification Type | keyword |
-| fortinet.firewall.noise | Wifi Noise | integer |
-| fortinet.firewall.old_status | Original Status | keyword |
-| fortinet.firewall.old_value | Original Virtual Domain name | keyword |
-| fortinet.firewall.oldchannel | Original channel | integer |
-| fortinet.firewall.oldchassisid | Original Chassis Number | integer |
-| fortinet.firewall.oldslot | Original Slot Number | integer |
-| fortinet.firewall.oldsn | Old Serial number | keyword |
-| fortinet.firewall.oldwprof | Old Web Filter Profile | keyword |
-| fortinet.firewall.onwire | A flag to indicate if the AP is onwire or not | keyword |
-| fortinet.firewall.opercountry | Operating Country | keyword |
-| fortinet.firewall.opertxpower | Operating TX power | integer |
-| fortinet.firewall.osname | Operating System name | keyword |
-| fortinet.firewall.osversion | Operating System version | keyword |
-| fortinet.firewall.out_spi | Out SPI | keyword |
-| fortinet.firewall.outintf | Out interface | keyword |
-| fortinet.firewall.passedcount | Fabric passed count | integer |
-| fortinet.firewall.passwd | Changed user password information | keyword |
-| fortinet.firewall.path | Path of looped configuration for security fabric | keyword |
-| fortinet.firewall.peer | WAN optimization peer | keyword |
-| fortinet.firewall.peer_notif | VPN peer notification | keyword |
-| fortinet.firewall.phase2_name | VPN phase2 name | keyword |
-| fortinet.firewall.phone | VOIP Phone | keyword |
-| fortinet.firewall.pid | Process ID | integer |
-| fortinet.firewall.policytype | Policy Type | keyword |
-| fortinet.firewall.poolname | IP Pool name | keyword |
-| fortinet.firewall.port | Log upload error port | integer |
-| fortinet.firewall.portbegin | IP Pool port number to begin | integer |
-| fortinet.firewall.portend | IP Pool port number to end | integer |
-| fortinet.firewall.probeproto | Link Monitor Probe Protocol | keyword |
-| fortinet.firewall.process | URL Filter process | keyword |
-| fortinet.firewall.processtime | Process time for reports | integer |
-| fortinet.firewall.profile | Profile Name | keyword |
-| fortinet.firewall.profile_vd | Virtual Domain Name | keyword |
-| fortinet.firewall.profilegroup | Profile Group Name | keyword |
-| fortinet.firewall.profiletype | Profile Type | keyword |
-| fortinet.firewall.qtypeval | DNS question type value | integer |
-| fortinet.firewall.quarskip | Quarantine skip explanation | keyword |
-| fortinet.firewall.quotaexceeded | If quota has been exceeded | keyword |
-| fortinet.firewall.quotamax | Maximum quota allowed - in seconds if time-based - in bytes if traffic-based | long |
-| fortinet.firewall.quotatype | Quota type | keyword |
-| fortinet.firewall.quotaused | Quota used - in seconds if time-based - in bytes if trafficbased) | long |
-| fortinet.firewall.radioband | Radio band | keyword |
-| fortinet.firewall.radioid | Radio ID | integer |
-| fortinet.firewall.radioidclosest | Radio ID on the AP closest the rogue AP | integer |
-| fortinet.firewall.radioiddetected | Radio ID on the AP which detected the rogue AP | integer |
-| fortinet.firewall.rate | Wireless rogue rate value | keyword |
-| fortinet.firewall.rawdata | Raw data value | keyword |
-| fortinet.firewall.rawdataid | Raw data ID | keyword |
-| fortinet.firewall.rcvddelta | Received bytes delta | keyword |
-| fortinet.firewall.reason | Alert reason | keyword |
-| fortinet.firewall.received | Server key exchange received | integer |
-| fortinet.firewall.receivedsignature | Server key exchange received signature | keyword |
-| fortinet.firewall.red | Memory information in red | keyword |
-| fortinet.firewall.referralurl | Web filter referralurl | keyword |
-| fortinet.firewall.remote | Remote PPP IP address | ip |
-| fortinet.firewall.remotewtptime | Remote Wifi Radius authentication time | keyword |
-| fortinet.firewall.reporttype | Report type | keyword |
-| fortinet.firewall.reqtype | Request type | keyword |
-| fortinet.firewall.request_name | VOIP request name | keyword |
-| fortinet.firewall.result | VPN phase result | keyword |
-| fortinet.firewall.role | VPN Phase 2 role | keyword |
-| fortinet.firewall.rssi | Received signal strength indicator | integer |
-| fortinet.firewall.rsso_key | RADIUS SSO attribute value | keyword |
-| fortinet.firewall.ruledata | Rule data | keyword |
-| fortinet.firewall.ruletype | Rule type | keyword |
-| fortinet.firewall.scanned | Number of Scanned MMSs | integer |
-| fortinet.firewall.scantime | Scanned time | long |
-| fortinet.firewall.scope | FortiGuard Override Scope | keyword |
-| fortinet.firewall.security | Wireless rogue security | keyword |
-| fortinet.firewall.sensitivity | Sensitivity for document fingerprint | keyword |
-| fortinet.firewall.sensor | NAC Sensor Name | keyword |
-| fortinet.firewall.sentdelta | Sent bytes delta | keyword |
-| fortinet.firewall.seq | Sequence number | keyword |
-| fortinet.firewall.serial | WAN optimisation serial | keyword |
-| fortinet.firewall.serialno | Serial number | keyword |
-| fortinet.firewall.server | AD server FQDN or IP | keyword |
-| fortinet.firewall.session_id | Session ID | keyword |
-| fortinet.firewall.sessionid | WAD Session ID | integer |
-| fortinet.firewall.setuprate | Session Setup Rate | long |
-| fortinet.firewall.severity | Severity | keyword |
-| fortinet.firewall.shaperdroprcvdbyte | Received bytes dropped by shaper | integer |
-| fortinet.firewall.shaperdropsentbyte | Sent bytes dropped by shaper | integer |
-| fortinet.firewall.shaperperipdropbyte | Dropped bytes per IP by shaper | integer |
-| fortinet.firewall.shaperperipname | Traffic shaper name (per IP) | keyword |
-| fortinet.firewall.shaperrcvdname | Traffic shaper name for received traffic | keyword |
-| fortinet.firewall.shapersentname | Traffic shaper name for sent traffic | keyword |
-| fortinet.firewall.shapingpolicyid | Traffic shaper policy ID | integer |
-| fortinet.firewall.signal | Wireless rogue API signal | integer |
-| fortinet.firewall.size | Email size in bytes | long |
-| fortinet.firewall.slot | Slot number | integer |
-| fortinet.firewall.sn | Security fabric serial number | keyword |
-| fortinet.firewall.snclosest | SN of the AP closest to the rogue AP | keyword |
-| fortinet.firewall.sndetected | SN of the AP which detected the rogue AP | keyword |
-| fortinet.firewall.snmeshparent | SN of the mesh parent | keyword |
-| fortinet.firewall.spi | IPSEC SPI | keyword |
-| fortinet.firewall.src_int | Source interface | keyword |
-| fortinet.firewall.srccountry | Source country | keyword |
-| fortinet.firewall.srcfamily | Source family | keyword |
-| fortinet.firewall.srchwvendor | Source hardware vendor | keyword |
-| fortinet.firewall.srchwversion | Source hardware version | keyword |
-| fortinet.firewall.srcinetsvc | Source interface service | keyword |
-| fortinet.firewall.srcintfrole | Source interface role | keyword |
-| fortinet.firewall.srcname | Source name | keyword |
-| fortinet.firewall.srcserver | Source server | integer |
-| fortinet.firewall.srcssid | Source SSID | keyword |
-| fortinet.firewall.srcswversion | Source software version | keyword |
-| fortinet.firewall.srcuuid | Source UUID | keyword |
-| fortinet.firewall.sscname | SSC name | keyword |
-| fortinet.firewall.ssid | Base Service Set ID | keyword |
-| fortinet.firewall.sslaction | SSL Action | keyword |
-| fortinet.firewall.ssllocal | WAD SSL local | keyword |
-| fortinet.firewall.sslremote | WAD SSL remote | keyword |
-| fortinet.firewall.stacount | Number of stations/clients | integer |
-| fortinet.firewall.stage | IPSEC stage | keyword |
-| fortinet.firewall.stamac | 802.1x station mac | keyword |
-| fortinet.firewall.state | Admin login state | keyword |
-| fortinet.firewall.status | Status | keyword |
-| fortinet.firewall.stitch | Automation stitch triggered | keyword |
-| fortinet.firewall.subject | Email subject | keyword |
-| fortinet.firewall.submodule | Configuration Sub-Module Name | keyword |
-| fortinet.firewall.subservice | AV subservice | keyword |
-| fortinet.firewall.subtype | Log subtype | keyword |
-| fortinet.firewall.suspicious | Number of Suspicious MMSs | integer |
-| fortinet.firewall.switchproto | Protocol change information | keyword |
-| fortinet.firewall.sync_status | The sync status with the master | keyword |
-| fortinet.firewall.sync_type | The sync type with the master | keyword |
-| fortinet.firewall.sysuptime | System uptime | keyword |
-| fortinet.firewall.tamac | the MAC address of Transmitter, if none, then Receiver | keyword |
-| fortinet.firewall.threattype | WIDS threat type | keyword |
-| fortinet.firewall.time | Time of the event | keyword |
-| fortinet.firewall.to | Email to field | keyword |
-| fortinet.firewall.to_vcluster | destination virtual cluster number | integer |
-| fortinet.firewall.total | Total memory | integer |
-| fortinet.firewall.totalsession | Total Number of Sessions | integer |
-| fortinet.firewall.trace_id | Session clash trace ID | keyword |
-| fortinet.firewall.trandisp | NAT translation type | keyword |
-| fortinet.firewall.transid | HTTP transaction ID | integer |
-| fortinet.firewall.translationid | DNS filter transaltion ID | keyword |
-| fortinet.firewall.trigger | Automation stitch trigger | keyword |
-| fortinet.firewall.trueclntip | File filter true client IP | ip |
-| fortinet.firewall.tunnelid | IPSEC tunnel ID | integer |
-| fortinet.firewall.tunnelip | IPSEC tunnel IP | ip |
-| fortinet.firewall.tunneltype | IPSEC tunnel type | keyword |
-| fortinet.firewall.type | Module type | keyword |
-| fortinet.firewall.ui | Admin authentication UI type | keyword |
-| fortinet.firewall.unauthusersource | Unauthenticated user source | keyword |
-| fortinet.firewall.unit | Power supply unit | integer |
-| fortinet.firewall.urlfilteridx | URL filter ID | integer |
-| fortinet.firewall.urlfilterlist | URL filter list | keyword |
-| fortinet.firewall.urlsource | URL filter source | keyword |
-| fortinet.firewall.urltype | URL filter type | keyword |
-| fortinet.firewall.used | Number of Used IPs | integer |
-| fortinet.firewall.used_for_type | Connection for the type | integer |
-| fortinet.firewall.utmaction | Security action performed by UTM | keyword |
-| fortinet.firewall.vap | Virtual AP | keyword |
-| fortinet.firewall.vapmode | Virtual AP mode | keyword |
-| fortinet.firewall.vcluster | virtual cluster id | integer |
-| fortinet.firewall.vcluster_member | Virtual cluster member | integer |
-| fortinet.firewall.vcluster_state | Virtual cluster state | keyword |
-| fortinet.firewall.vd | Virtual Domain Name | keyword |
-| fortinet.firewall.vdname | Virtual Domain Name | keyword |
-| fortinet.firewall.vendorurl | Vulnerability scan vendor name | keyword |
-| fortinet.firewall.version | Version | keyword |
-| fortinet.firewall.vip | Virtual IP | keyword |
-| fortinet.firewall.virus | Virus name | keyword |
-| fortinet.firewall.virusid | Virus ID (unique virus identifier) | integer |
-| fortinet.firewall.voip_proto | VOIP protocol | keyword |
-| fortinet.firewall.vpn | VPN description | keyword |
-| fortinet.firewall.vpntunnel | IPsec Vpn Tunnel Name | keyword |
-| fortinet.firewall.vpntype | The type of the VPN tunnel | keyword |
-| fortinet.firewall.vrf | VRF number | integer |
-| fortinet.firewall.vulncat | Vulnerability Category | keyword |
-| fortinet.firewall.vulnid | Vulnerability ID | integer |
-| fortinet.firewall.vulnname | Vulnerability name | keyword |
-| fortinet.firewall.vwlid | VWL ID | integer |
-| fortinet.firewall.vwlquality | VWL quality | keyword |
-| fortinet.firewall.vwlservice | VWL service | keyword |
-| fortinet.firewall.vwpvlanid | VWP VLAN ID | integer |
-| fortinet.firewall.wanin | WAN incoming traffic in bytes | long |
-| fortinet.firewall.wanoptapptype | WAN Optimization Application type | keyword |
-| fortinet.firewall.wanout | WAN outgoing traffic in bytes | long |
-| fortinet.firewall.weakwepiv | Weak Wep Initiation Vector | keyword |
-| fortinet.firewall.xauthgroup | XAuth Group Name | keyword |
-| fortinet.firewall.xauthuser | XAuth User Name | keyword |
-| fortinet.firewall.xid | Wireless X ID | integer |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
-| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| source.user.email | User email address. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
-| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword |
-
-
-### Clientendpoint
-
-The `clientendpoint` dataset collects Fortinet FortiClient Endpoint Security logs.
-
-An example event for `clientendpoint` looks as following:
-
-```json
-{
- "@timestamp": "2021-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "e212d683-d4b4-42ac-ba98-c8414ff62188",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "fortinet.clientendpoint",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": [
- "10.102.123.34"
- ],
- "port": 3994
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "action": "deny",
- "agent_id_status": "verified",
- "code": "http",
- "dataset": "fortinet.clientendpoint",
- "ingested": "2022-01-25T12:25:45Z",
- "original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n",
- "outcome": "failure",
- "timezone": "+00:00"
- },
- "host": {
- "name": "boNemoe4402.www.invalid"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.30.0.4:54478"
- }
- },
- "network": {
- "direction": "external",
- "protocol": "udp"
- },
- "observer": {
- "product": "FortiClient",
- "type": "Anti-Virus",
- "vendor": "Fortinet"
- },
- "process": {
- "pid": 7880
- },
- "related": {
- "hosts": [
- "litesse6379.api.domain",
- "boNemoe4402.www.invalid"
- ],
- "ip": [
- "10.150.92.220",
- "10.102.123.34"
- ],
- "user": [
- "sumdo"
- ]
- },
- "rsa": {
- "counters": {
- "dclass_c1": 5286,
- "dclass_c1_str": "block_count"
- },
- "internal": {
- "messageid": "http"
- },
- "investigations": {
- "ec_outcome": "Failure",
- "ec_subject": "NetworkComm",
- "ec_theme": "ALM"
- },
- "misc": {
- "action": [
- "deny"
- ],
- "result": "failure\n"
- },
- "network": {
- "alias_host": [
- "boNemoe4402.www.invalid"
- ],
- "domain": "litesse6379.api.domain",
- "network_service": "http"
- },
- "time": {
- "event_time": "2021-01-29T06:09:59.000Z"
- }
- },
- "server": {
- "domain": "litesse6379.api.domain",
- "registered_domain": "api.domain",
- "subdomain": "litesse6379",
- "top_level_domain": "domain"
- },
- "source": {
- "ip": [
- "10.150.92.220"
- ],
- "port": 7178
- },
- "tags": [
- "preserve_original_event",
- "fortinet-clientendpoint",
- "forwarded"
- ],
- "user": {
- "name": "sumdo"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.domain | Server domain. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. 
| keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. 
If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. 
| long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| 
rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
-| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
-| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.site | Deprecated key defined only in table map. | keyword |
-| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
-| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
-| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
-| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
-| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
-| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
-| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
-| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
-| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
-| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
-| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
-| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
-| rsa.investigations.event_cat | This key captures the Event category number | long |
-| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
-| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword |
-| rsa.investigations.inv_category | This used to capture investigation category | keyword |
-| rsa.investigations.inv_context | This used to capture investigation context | keyword |
-| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
-| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
-| rsa.misc.acl_id | | keyword |
-| rsa.misc.acl_op | | keyword |
-| rsa.misc.acl_pos | | keyword |
-| rsa.misc.acl_table | | keyword |
-| rsa.misc.action | | keyword |
-| rsa.misc.admin | | keyword |
-| rsa.misc.agent_id | This key is used to capture agent id | keyword |
-| rsa.misc.alarm_id | | keyword |
-| rsa.misc.alarmname | | keyword |
-| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.app_id | | keyword |
-| rsa.misc.audit | | keyword |
-| rsa.misc.audit_object | | keyword |
-| rsa.misc.auditdata | | keyword |
-| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
-| rsa.misc.benchmark | | keyword |
-| rsa.misc.bypass | | keyword |
-| rsa.misc.cache | | keyword |
-| rsa.misc.cache_hit | | keyword |
-| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
-| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
-| rsa.misc.cefversion | | keyword |
-| rsa.misc.cfg_attr | | keyword |
-| rsa.misc.cfg_obj | | keyword |
-| rsa.misc.cfg_path | | keyword |
-| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
-| rsa.misc.changes | | keyword |
-| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
-| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
-| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
-| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
-| rsa.misc.client_ip | | keyword |
-| rsa.misc.clustermembers | | keyword |
-| rsa.misc.cmd | | keyword |
-| rsa.misc.cn_acttimeout | | keyword |
-| rsa.misc.cn_asn_src | | keyword |
-| rsa.misc.cn_bgpv4nxthop | | keyword |
-| rsa.misc.cn_ctr_dst_code | | keyword |
-| rsa.misc.cn_dst_tos | | keyword |
-| rsa.misc.cn_dst_vlan | | keyword |
-| rsa.misc.cn_engine_id | | keyword |
-| rsa.misc.cn_engine_type | | keyword |
-| rsa.misc.cn_f_switch | | keyword |
-| rsa.misc.cn_flowsampid | | keyword |
-| rsa.misc.cn_flowsampintv | | keyword |
-| rsa.misc.cn_flowsampmode | | keyword |
-| rsa.misc.cn_inacttimeout | | keyword |
-| rsa.misc.cn_inpermbyts | | keyword |
-| rsa.misc.cn_inpermpckts | | keyword |
-| rsa.misc.cn_invalid | | keyword |
-| rsa.misc.cn_ip_proto_ver | | keyword |
-| rsa.misc.cn_ipv4_ident | | keyword |
-| rsa.misc.cn_l_switch | | keyword |
-| rsa.misc.cn_log_did | | keyword |
-| rsa.misc.cn_log_rid | | keyword |
-| rsa.misc.cn_max_ttl | | keyword |
-| rsa.misc.cn_maxpcktlen | | keyword |
-| rsa.misc.cn_min_ttl | | keyword |
-| rsa.misc.cn_minpcktlen | | keyword |
-| rsa.misc.cn_mpls_lbl_1 | | keyword |
-| rsa.misc.cn_mpls_lbl_10 | | keyword |
-| rsa.misc.cn_mpls_lbl_2 | | keyword |
-| rsa.misc.cn_mpls_lbl_3 | | keyword |
-| rsa.misc.cn_mpls_lbl_4 | | keyword |
-| rsa.misc.cn_mpls_lbl_5 | 
| keyword |
-| rsa.misc.cn_mpls_lbl_6 | | keyword |
-| rsa.misc.cn_mpls_lbl_7 | | keyword |
-| rsa.misc.cn_mpls_lbl_8 | | keyword |
-| rsa.misc.cn_mpls_lbl_9 | | keyword |
-| rsa.misc.cn_mplstoplabel | | keyword |
-| rsa.misc.cn_mplstoplabip | | keyword |
-| rsa.misc.cn_mul_dst_byt | | keyword |
-| rsa.misc.cn_mul_dst_pks | | keyword |
-| rsa.misc.cn_muligmptype | | keyword |
-| rsa.misc.cn_sampalgo | | keyword |
-| rsa.misc.cn_sampint | | keyword |
-| rsa.misc.cn_seqctr | | keyword |
-| rsa.misc.cn_spackets | | keyword |
-| rsa.misc.cn_src_tos | | keyword |
-| rsa.misc.cn_src_vlan | | keyword |
-| rsa.misc.cn_sysuptime | | keyword |
-| rsa.misc.cn_template_id | | keyword |
-| rsa.misc.cn_totbytsexp | | keyword |
-| rsa.misc.cn_totflowexp | | keyword |
-| rsa.misc.cn_totpcktsexp | | keyword |
-| rsa.misc.cn_unixnanosecs | | keyword |
-| rsa.misc.cn_v6flowlabel | | keyword |
-| rsa.misc.cn_v6optheaders | | keyword |
-| rsa.misc.code | | keyword |
-| rsa.misc.command | | keyword |
-| rsa.misc.comments | Comment information provided in the log message | keyword |
-| rsa.misc.comp_class | | keyword |
-| rsa.misc.comp_name | | keyword |
-| rsa.misc.comp_rbytes | | keyword |
-| rsa.misc.comp_sbytes | | keyword |
-| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
-| rsa.misc.connection_id | This key captures the Connection ID | keyword |
-| rsa.misc.content | This key captures the content type from protocol headers | keyword |
-| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
-| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
-| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword |
-| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
-| rsa.misc.context_target | | keyword |
-| rsa.misc.count | | keyword |
-| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
-| rsa.misc.cpu_data | | keyword |
-| rsa.misc.criticality | | keyword |
-| rsa.misc.cs_agency_dst | | keyword |
-| rsa.misc.cs_analyzedby | | keyword |
-| rsa.misc.cs_av_other | | keyword |
-| rsa.misc.cs_av_primary | | keyword |
-| rsa.misc.cs_av_secondary | | keyword |
-| rsa.misc.cs_bgpv6nxthop | | keyword |
-| rsa.misc.cs_bit9status | | keyword |
-| rsa.misc.cs_context | | keyword |
-| rsa.misc.cs_control | | keyword |
-| rsa.misc.cs_data | | keyword |
-| rsa.misc.cs_datecret | | keyword |
-| rsa.misc.cs_dst_tld | | keyword |
-| rsa.misc.cs_eth_dst_ven | | keyword |
-| rsa.misc.cs_eth_src_ven | | keyword |
-| rsa.misc.cs_event_uuid | | keyword |
-| rsa.misc.cs_filetype | | keyword |
-| rsa.misc.cs_fld | | keyword |
-| rsa.misc.cs_if_desc | | keyword |
-| rsa.misc.cs_if_name | | keyword |
-| rsa.misc.cs_ip_next_hop | | keyword |
-| rsa.misc.cs_ipv4dstpre | | keyword |
-| rsa.misc.cs_ipv4srcpre | | keyword |
-| rsa.misc.cs_lifetime | | keyword |
-| rsa.misc.cs_log_medium | | keyword |
-| rsa.misc.cs_loginname | | keyword |
-| rsa.misc.cs_modulescore | | keyword |
-| rsa.misc.cs_modulesign | | keyword |
-| rsa.misc.cs_opswatresult | | keyword |
-| rsa.misc.cs_payload | | keyword |
-| rsa.misc.cs_registrant | | keyword |
-| rsa.misc.cs_registrar | | keyword |
-| rsa.misc.cs_represult | | keyword |
-| rsa.misc.cs_rpayload | | keyword |
-| rsa.misc.cs_sampler_name | | keyword |
-| rsa.misc.cs_sourcemodule | | keyword |
-| rsa.misc.cs_streams | | keyword |
-| rsa.misc.cs_targetmodule | | keyword |
-| rsa.misc.cs_v6nxthop | | keyword |
-| rsa.misc.cs_whois_server | | keyword |
-| rsa.misc.cs_yararesult | | keyword |
-| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
-| rsa.misc.data_type | | keyword |
-| rsa.misc.description | | keyword |
-| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
-| rsa.misc.devvendor | | keyword |
-| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
-| rsa.misc.distance | | keyword |
-| rsa.misc.doc_number | This key captures File Identification number | long |
-| rsa.misc.dstburb | | keyword |
-| rsa.misc.edomain | | keyword |
-| rsa.misc.edomaub | | keyword |
-| rsa.misc.ein_number | Employee Identification Numbers only | long |
-| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
-| rsa.misc.euid | | keyword |
-| rsa.misc.event_category | | keyword |
-| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
-| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
-| rsa.misc.event_id | | keyword |
-| rsa.misc.event_log | This key captures the Name of the event log | keyword |
-| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
-| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
-| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
-| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
-| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword |
-| rsa.misc.facility | | keyword |
-| rsa.misc.facilityname | | keyword |
-| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
-| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
-| rsa.misc.finterface | | keyword |
-| rsa.misc.flags | | keyword |
-| rsa.misc.forensic_info | | keyword |
-| rsa.misc.found | This is used to capture the results of regex match | keyword |
-| rsa.misc.fresult | This key captures the Filter Result | long |
-| rsa.misc.gaddr | | keyword |
-| rsa.misc.group | This key captures the Group Name value | keyword |
-| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
-| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
-| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
-| rsa.misc.id3 | | keyword |
-| rsa.misc.im_buddyid | | keyword |
-| rsa.misc.im_buddyname | | keyword |
-| rsa.misc.im_client | | keyword |
-| rsa.misc.im_croomid | | keyword |
-| rsa.misc.im_croomtype | | keyword |
-| rsa.misc.im_members | | keyword |
-| rsa.misc.im_userid | | keyword |
-| rsa.misc.im_username | | keyword |
-| rsa.misc.index | | keyword |
-| rsa.misc.inout | | keyword |
-| rsa.misc.ipkt | | keyword |
-| rsa.misc.ipscat | | keyword |
-| rsa.misc.ipspri | | keyword |
-| rsa.misc.job_num | This key captures the Job Number | keyword |
-| rsa.misc.jobname | | keyword |
-| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
-| rsa.misc.latitude | | keyword |
-| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
-| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
-| rsa.misc.linenum | | keyword |
-| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.misc.list_name | | keyword |
-| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
-| rsa.misc.load_data | | keyword |
-| rsa.misc.location_floor | | keyword |
-| rsa.misc.location_mark | | keyword |
-| rsa.misc.log_id | | keyword |
-| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
-| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
-| rsa.misc.log_type | | keyword |
-| rsa.misc.logid | | keyword |
-| rsa.misc.logip | | keyword |
-| rsa.misc.logname | | keyword |
-| rsa.misc.longitude | | keyword |
-| rsa.misc.lport | | keyword |
-| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
-| rsa.misc.match | This key is for regex match name from search.ini | keyword |
-| rsa.misc.mbug_data | | keyword |
-| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
-| rsa.misc.misc | | keyword |
-| rsa.misc.misc_name | | keyword |
-| rsa.misc.mode | | keyword |
-| rsa.misc.msgIdPart1 | | keyword |
-| rsa.misc.msgIdPart2 | | keyword |
-| rsa.misc.msgIdPart3 | | keyword |
-| rsa.misc.msgIdPart4 | | keyword |
-| rsa.misc.msg_type | | keyword |
-| rsa.misc.msgid | | keyword |
-| rsa.misc.name | | keyword |
-| rsa.misc.netsessid | | keyword |
-| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword |
-| rsa.misc.ntype | | keyword |
-| rsa.misc.num | | keyword |
-| rsa.misc.number | | keyword |
-| rsa.misc.number1 | | keyword |
-| rsa.misc.number2 | | keyword |
-| rsa.misc.nwwn | | keyword |
-| rsa.misc.obj_name | This is used to capture name of object | keyword |
-| rsa.misc.obj_type | This is used to capture type of object | keyword |
-| rsa.misc.object | | keyword |
-| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
-| rsa.misc.operation | | keyword |
-| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
-| rsa.misc.opkt | | keyword |
-| rsa.misc.orig_from | | keyword |
-| rsa.misc.owner_id | | keyword |
-| rsa.misc.p_action | | keyword |
-| rsa.misc.p_filter | | keyword |
-| rsa.misc.p_group_object | | keyword |
-| rsa.misc.p_id | | keyword |
-| rsa.misc.p_msgid | | keyword |
-| rsa.misc.p_msgid1 | | keyword |
-| rsa.misc.p_msgid2 | | keyword |
-| rsa.misc.p_result1 | | keyword |
-| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
-| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
-| rsa.misc.param_src | This key captures source parameter | keyword |
-| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword |
-| rsa.misc.password_chg | | keyword |
-| rsa.misc.password_expire | | keyword |
-| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
-| rsa.misc.payload_src | This key is used to capture source payload | keyword |
-| rsa.misc.permgranted | | keyword |
-| rsa.misc.permwanted | | keyword |
-| rsa.misc.pgid | | keyword |
-| rsa.misc.phone | | keyword |
-| rsa.misc.pid | | keyword |
-| rsa.misc.policy | | keyword |
-| rsa.misc.policyUUID | | keyword |
-| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
-| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
-| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
-| rsa.misc.policy_waiver | | keyword |
-| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
-| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
-| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
-| rsa.misc.priority | | keyword |
-| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
-| rsa.misc.prog_asp_num | | keyword |
-| rsa.misc.program | | keyword |
-| rsa.misc.real_data | | keyword |
-| rsa.misc.reason | | keyword |
-| rsa.misc.rec_asp_device | | keyword |
-| rsa.misc.rec_asp_num | | keyword |
-| rsa.misc.rec_library | | keyword |
-| rsa.misc.recordnum | | keyword |
-| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
-| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
-| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
-| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
-| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
-| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
-| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
-| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
-| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
-| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
-| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
-| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.ruid | | keyword |
-| rsa.misc.rule | This key captures the Rule number | keyword |
-| rsa.misc.rule_group | This key captures the Rule group name | keyword |
-| rsa.misc.rule_name | This key captures the Rule Name | keyword |
-| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
-| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
-| rsa.misc.sburb | | keyword |
-| rsa.misc.sdomain_fld | | keyword |
-| rsa.misc.search_text | This key captures the Search Text used | keyword |
-| rsa.misc.sec | | keyword |
-| rsa.misc.second | | keyword |
-| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword |
-| rsa.misc.sensorname | | keyword |
-| rsa.misc.seqnum | | keyword |
-| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
-| rsa.misc.session | | keyword |
-| rsa.misc.sessiontype | | keyword |
-| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
-| rsa.misc.sigUUID | | keyword |
-| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
-| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
-| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
-| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
-| rsa.misc.sigcat | | keyword |
-| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
-| rsa.misc.snmp_value | SNMP set request value | keyword |
-| rsa.misc.space | | keyword |
-| rsa.misc.space1 | | keyword |
-| rsa.misc.spi | | keyword |
-| rsa.misc.spi_dst | Destination SPI Index | keyword |
-| rsa.misc.spi_src | Source SPI Index | keyword |
-| rsa.misc.sql | This key captures the SQL query | keyword |
-| rsa.misc.srcburb | | keyword |
-| rsa.misc.srcdom | | keyword |
-| rsa.misc.srcservice | | keyword |
-| rsa.misc.state | | keyword |
-| rsa.misc.status | | keyword |
-| rsa.misc.status1 | | keyword |
-| rsa.misc.streams | This key captures number of streams in session | long |
-| rsa.misc.subcategory | | keyword |
-| rsa.misc.svcno | | keyword |
-| rsa.misc.system | | keyword |
-| rsa.misc.tbdstr1 | | keyword |
-| rsa.misc.tbdstr2 | | keyword |
-| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
-| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
-| rsa.misc.tgtdom | | keyword |
-| rsa.misc.tgtdomain | | keyword |
-| rsa.misc.threshold | | keyword |
-| rsa.misc.tos | This key describes the type of service | long 
|
-| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
-| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
-| rsa.misc.type | | keyword |
-| rsa.misc.type1 | | keyword |
-| rsa.misc.udb_class | | keyword |
-| rsa.misc.url_fld | | keyword |
-| rsa.misc.user_div | | keyword |
-| rsa.misc.userid | | keyword |
-| rsa.misc.username_fld | | keyword |
-| rsa.misc.utcstamp | | keyword |
-| rsa.misc.v_instafname | | keyword |
-| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
-| rsa.misc.virt_data | | keyword |
-| rsa.misc.virusname | This key captures the name of the virus | keyword |
-| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
-| rsa.misc.vpnid | | keyword |
-| rsa.misc.vsys | This key captures Virtual System Name | keyword |
-| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
-| rsa.misc.workspace | This key captures Workspace Description | keyword |
-| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
-| rsa.network.addr | | keyword |
-| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword |
-| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
-| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
-| rsa.network.dns_a_record | | keyword |
-| rsa.network.dns_cname_record | | keyword |
-| rsa.network.dns_id | | keyword |
-| rsa.network.dns_opcode | | keyword |
-| rsa.network.dns_ptr_record | | keyword |
-| rsa.network.dns_resp | | keyword |
-| rsa.network.dns_type | | keyword |
-| rsa.network.domain | | keyword |
-| rsa.network.domain1 | | keyword |
-| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
-| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
-| rsa.network.faddr | | keyword |
-| rsa.network.fhost | | keyword |
-| rsa.network.fport | | keyword |
-| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
-| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
-| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
-| rsa.network.host_type | | keyword |
-| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
-| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
-| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
-| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
-| rsa.network.laddr | | keyword |
-| rsa.network.lhost | | keyword |
-| rsa.network.linterface | | keyword |
-| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
-| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword |
-| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
-| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
-| rsa.network.origin | | keyword |
-| rsa.network.packet_length | | keyword |
-| rsa.network.paddr | Deprecated | ip |
-| rsa.network.phost | | keyword |
-| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
-| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
-| rsa.network.remote_domain_id | | keyword |
-| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
-| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
-| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
-| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
-| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
-| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
-| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
-| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
-| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword |
-| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
-| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
-| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
-| rsa.threat.alert | This key is used to capture name of the alert | keyword |
-| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
-| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
-| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
-| rsa.time.date | | keyword |
-| rsa.time.datetime | | keyword |
-| rsa.time.day | | keyword |
-| rsa.time.duration_str | A text string version of the duration | keyword |
-| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
-| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
-| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
-| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
-| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
-| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
-| rsa.time.eventtime | | keyword |
-| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
-| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword |
-| rsa.time.gmtdate | | keyword |
-| rsa.time.gmttime | | keyword |
-| rsa.time.hour | | keyword |
-| rsa.time.min | | keyword |
-| rsa.time.month | | keyword |
-| rsa.time.p_date | | keyword |
-| rsa.time.p_month | | keyword |
-| rsa.time.p_time | | keyword |
-| rsa.time.p_time1 | | keyword |
-| rsa.time.p_time2 | | keyword |
-| rsa.time.p_year | | keyword |
-| rsa.time.process_time | Deprecated, use duration.time | keyword |
-| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
-| rsa.time.stamp | Deprecated key defined only in table map. | date |
-| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
-| rsa.time.timestamp | | keyword |
-| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
-| rsa.time.tzone | | keyword |
-| rsa.time.year | | keyword |
-| rsa.web.alias_host | | keyword |
-| rsa.web.cn_asn_dst | | keyword |
-| rsa.web.cn_rpackets | | keyword |
-| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
-| rsa.web.p_url | | keyword |
-| rsa.web.p_user_agent | | keyword |
-| rsa.web.p_web_cookie | | keyword |
-| rsa.web.p_web_method | | keyword |
-| rsa.web.p_web_referer | | keyword |
-| rsa.web.remote_domain | | keyword |
-| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
-| rsa.web.urlpage | | keyword |
-| rsa.web.urlroot | | keyword |
-| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword |
-| rsa.web.web_extension_tmp | | keyword |
-| rsa.web.web_page | | keyword |
-| rsa.web.web_ref_domain | Web referer's domain | keyword |
-| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
-| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
-| rsa.web.web_ref_root | Web referer's root URL path | keyword |
-| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
-| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
-| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
-| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. 
| keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-
-
-### Fortimail
-
-The `fortimail` dataset collects Fortinet FortiMail logs. 
-
-An example event for `fortimail` looks as following:
-
-```json
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "821504b9-6e80-4572-aae7-c5bb3cf38906",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "fortinet.fortimail",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "action": "event",
- "agent_id_status": "verified",
- "code": "nes",
- "dataset": "fortinet.fortimail",
- "ingested": "2022-01-25T12:29:32Z",
- "original": "date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=\"boNemoe\"\n",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "high",
- "source": {
- "address": "172.30.0.4:44540"
- }
- },
- "observer": {
- "product": "FortiMail",
- "type": "Firewall",
- "vendor": "Fortinet"
- },
- "rsa": {
- "internal": {
- "event_desc": "boNemoe",
- "messageid": "event_update"
- },
- "misc": {
- "category": "update",
- "event_type": "event",
- "hardware_id": "pexe",
- "msgIdPart1": "event",
- "msgIdPart2": "update",
- "reference_id": "nes",
- "reference_id1": "eab",
- "severity": "high"
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z"
- }
- },
- "tags": [
- "preserve_original_event",
- "fortinet-fortimail",
- "forwarded"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. 
| keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.country_name | Country name. 
| keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
-| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
-| destination.port | Port of the destination. | long |
-| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.domain | Server domain. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. 
| match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| file.type | File type (file, dir, or symlink). | keyword |
-| geo.city_name | City name. | keyword |
-| geo.country_name | Country name. | keyword |
-| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| geo.region_name | Region name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. 
| keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. 
This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.interface.name | | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| observer.version | Observer version. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. 
| keyword |
-| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
-| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
-| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
-| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
-| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
-| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
-| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
-| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
-| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
-| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
-| 
rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -### Fortimanager - -The `fortimanager` dataset collects Fortinet Manager/Analyzer logs. 
- -An example event for `fortimanager` looks as following: - -```json -{ - "@timestamp": "2016-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "607e3bda-a938-4637-8dd4-02613e9144ac", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "fortinet.fortimanager", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 449, - "geo": { - "country_name": "sequa" - }, - "ip": [ - "10.44.173.44" - ], - "nat": { - "ip": "10.189.58.145", - "port": 5273 - }, - "port": 6125 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "allow", - "agent_id_status": "verified", - "code": "sse", - "dataset": "fortinet.fortimanager", - "ingested": "2022-01-25T12:33:50Z", - "original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "very-high", - "source": { - "address": "172.30.0.4:60997" - } - }, - "network": { - "bytes": 8329 - }, - "observer": { - "egress": { - "interface": { - "name": "enp0s3068" - } - }, - "ingress": { - "interface": { - "name": "eth5722" - } - }, - "product": "FortiManager", - "type": "Configuration", - "vendor": "Fortinet" - }, - "related": { - "hosts": [ - "modtempo" - ], - "ip": [ - 
"10.189.58.145", - "10.20.234.169", - "10.44.173.44" - ] - }, - "rsa": { - "internal": { - "messageid": "generic_fortinetmgr_1" - }, - "misc": { - "action": [ - "allow" - ], - "category": "der", - "context": "abo", - "event_source": "modtempo", - "event_type": "exercita", - "hardware_id": "olab", - "log_session_id": "psa", - "policy_id": "ntium", - "reference_id": "sse", - "severity": "very-high", - "vsys": "nto" - }, - "network": { - "dinterface": "enp0s3068", - "network_service": "lupt", - "sinterface": "eth5722" - }, - "time": { - "duration_time": 14.119, - "event_time": "2016-01-29T06:09:59.000Z", - "event_time_str": "odoco" - }, - "web": { - "reputation_num": 13.8 - } - }, - "source": { - "bytes": 7880, - "geo": { - "country_name": "dolore" - }, - "ip": [ - "10.20.234.169" - ], - "port": 1001 - }, - "tags": [ - "preserve_original_event", - "fortinet-fortimanager", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. 
| keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. 
| keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. 
| long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. 
If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword 
| -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
-| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
-| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
-| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
-| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
-| rsa.internal.entry | Deprecated key defined only in table map. | keyword |
-| rsa.internal.event_desc | | keyword |
-| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
-| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
-| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
-| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
-| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.inode | Deprecated key defined only in table map. | long |
-| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
-| rsa.internal.level | Deprecated key defined only in table map. | long |
-| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
-| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
-| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
-| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
-| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
-| rsa.internal.message | This key captures the contents of instant messages | keyword |
-| rsa.internal.messageid | | keyword |
-| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
-| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
-| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
-| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
-| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
-| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
-| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
-| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
-| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
-| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
-| rsa.internal.resource | Deprecated key defined only in table map. | keyword |
-| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
-| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.site | Deprecated key defined only in table map. | keyword |
-| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
-| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
-| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
-| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
-| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
-| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
-| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
-| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
-| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
-| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
-| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
-| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
-| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
-| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
-| rsa.investigations.event_cat | This key captures the Event category number | long |
-| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
-| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword |
-| rsa.investigations.inv_category | This used to capture investigation category | keyword |
-| rsa.investigations.inv_context | This used to capture investigation context | keyword |
-| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
-| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
-| rsa.misc.acl_id | | keyword |
-| rsa.misc.acl_op | | keyword |
-| rsa.misc.acl_pos | | keyword |
-| rsa.misc.acl_table | | keyword |
-| rsa.misc.action | | keyword |
-| rsa.misc.admin | | keyword |
-| rsa.misc.agent_id | This key is used to capture agent id | keyword |
-| rsa.misc.alarm_id | | keyword |
-| rsa.misc.alarmname | | keyword |
-| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.app_id | | keyword |
-| rsa.misc.audit | | keyword |
-| rsa.misc.audit_object | | keyword |
-| rsa.misc.auditdata | | keyword |
-| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
-| rsa.misc.benchmark | | keyword |
-| rsa.misc.bypass | | keyword |
-| rsa.misc.cache | | keyword |
-| rsa.misc.cache_hit | | keyword |
-| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
-| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
-| rsa.misc.cefversion | | keyword |
-| rsa.misc.cfg_attr | | keyword |
-| rsa.misc.cfg_obj | | keyword |
-| rsa.misc.cfg_path | | keyword |
-| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
-| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
-| rsa.misc.changes | | keyword |
-| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
-| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
-| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
-| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
-| rsa.misc.client_ip | | keyword |
-| rsa.misc.clustermembers | | keyword |
-| rsa.misc.cmd | | keyword |
-| rsa.misc.cn_acttimeout | | keyword |
-| rsa.misc.cn_asn_src | | keyword |
-| rsa.misc.cn_bgpv4nxthop | | keyword |
-| rsa.misc.cn_ctr_dst_code | | keyword |
-| rsa.misc.cn_dst_tos | | keyword |
-| rsa.misc.cn_dst_vlan | | keyword |
-| rsa.misc.cn_engine_id | | keyword |
-| rsa.misc.cn_engine_type | | keyword |
-| rsa.misc.cn_f_switch | | keyword |
-| rsa.misc.cn_flowsampid | | keyword |
-| rsa.misc.cn_flowsampintv | | keyword |
-| rsa.misc.cn_flowsampmode | | keyword |
-| rsa.misc.cn_inacttimeout | | keyword |
-| rsa.misc.cn_inpermbyts | | keyword |
-| rsa.misc.cn_inpermpckts | | keyword |
-| rsa.misc.cn_invalid | | keyword |
-| rsa.misc.cn_ip_proto_ver | | keyword |
-| rsa.misc.cn_ipv4_ident | | keyword |
-| rsa.misc.cn_l_switch | | keyword |
-| rsa.misc.cn_log_did | | keyword |
-| rsa.misc.cn_log_rid | | keyword |
-| rsa.misc.cn_max_ttl | | keyword |
-| rsa.misc.cn_maxpcktlen | | keyword |
-| rsa.misc.cn_min_ttl | | keyword |
-| rsa.misc.cn_minpcktlen | | keyword |
-| rsa.misc.cn_mpls_lbl_1 | | keyword |
-| rsa.misc.cn_mpls_lbl_10 | | keyword |
-| rsa.misc.cn_mpls_lbl_2 | | keyword |
-| rsa.misc.cn_mpls_lbl_3 | | keyword |
-| rsa.misc.cn_mpls_lbl_4 | | keyword |
-| rsa.misc.cn_mpls_lbl_5 | | keyword |
-| rsa.misc.cn_mpls_lbl_6 | | keyword |
-| rsa.misc.cn_mpls_lbl_7 | | keyword |
-| rsa.misc.cn_mpls_lbl_8 | | keyword |
-| rsa.misc.cn_mpls_lbl_9 | | keyword |
-| rsa.misc.cn_mplstoplabel | | keyword |
-| rsa.misc.cn_mplstoplabip | | keyword |
-| rsa.misc.cn_mul_dst_byt | | keyword |
-| rsa.misc.cn_mul_dst_pks | | keyword |
-| rsa.misc.cn_muligmptype | | keyword |
-| rsa.misc.cn_sampalgo | | keyword |
-| rsa.misc.cn_sampint | | keyword |
-| rsa.misc.cn_seqctr | | keyword |
-| rsa.misc.cn_spackets | | keyword |
-| rsa.misc.cn_src_tos | | keyword |
-| rsa.misc.cn_src_vlan | | keyword |
-| rsa.misc.cn_sysuptime | | keyword |
-| rsa.misc.cn_template_id | | keyword |
-| rsa.misc.cn_totbytsexp | | keyword |
-| rsa.misc.cn_totflowexp | | keyword |
-| rsa.misc.cn_totpcktsexp | | keyword |
-| rsa.misc.cn_unixnanosecs | | keyword |
-| rsa.misc.cn_v6flowlabel | | keyword |
-| rsa.misc.cn_v6optheaders | | keyword |
-| rsa.misc.code | | keyword |
-| rsa.misc.command | | keyword |
-| rsa.misc.comments | Comment information provided in the log message | keyword |
-| rsa.misc.comp_class | | keyword |
-| rsa.misc.comp_name | | keyword |
-| rsa.misc.comp_rbytes | | keyword |
-| rsa.misc.comp_sbytes | | keyword |
-| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
-| rsa.misc.connection_id | This key captures the Connection ID | keyword |
-| rsa.misc.content | This key captures the content type from protocol headers | keyword |
-| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
-| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
-| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword |
-| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
-| rsa.misc.context_target | | keyword |
-| rsa.misc.count | | keyword |
-| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
-| rsa.misc.cpu_data | | keyword |
-| rsa.misc.criticality | | keyword |
-| rsa.misc.cs_agency_dst | | keyword |
-| rsa.misc.cs_analyzedby | | keyword |
-| rsa.misc.cs_av_other | | keyword |
-| rsa.misc.cs_av_primary | | keyword |
-| rsa.misc.cs_av_secondary | | keyword |
-| rsa.misc.cs_bgpv6nxthop | | keyword |
-| rsa.misc.cs_bit9status | | keyword |
-| rsa.misc.cs_context | | keyword |
-| rsa.misc.cs_control | | keyword |
-| rsa.misc.cs_data | | keyword |
-| rsa.misc.cs_datecret | | keyword |
-| rsa.misc.cs_dst_tld | | keyword |
-| rsa.misc.cs_eth_dst_ven | | keyword |
-| rsa.misc.cs_eth_src_ven | | keyword |
-| rsa.misc.cs_event_uuid | | keyword |
-| rsa.misc.cs_filetype | | keyword |
-| rsa.misc.cs_fld | | keyword |
-| rsa.misc.cs_if_desc | | keyword |
-| rsa.misc.cs_if_name | | keyword |
-| rsa.misc.cs_ip_next_hop | | keyword |
-| rsa.misc.cs_ipv4dstpre | | keyword |
-| rsa.misc.cs_ipv4srcpre | | keyword |
-| rsa.misc.cs_lifetime | | keyword |
-| rsa.misc.cs_log_medium | | keyword |
-| rsa.misc.cs_loginname | | keyword |
-| rsa.misc.cs_modulescore | | keyword |
-| rsa.misc.cs_modulesign | | keyword |
-| rsa.misc.cs_opswatresult | | keyword |
-| rsa.misc.cs_payload | | keyword |
-| rsa.misc.cs_registrant | | keyword |
-| rsa.misc.cs_registrar | | keyword |
-| rsa.misc.cs_represult | | keyword |
-| rsa.misc.cs_rpayload | | keyword |
-| rsa.misc.cs_sampler_name | | keyword |
-| rsa.misc.cs_sourcemodule | | keyword |
-| rsa.misc.cs_streams | | keyword |
-| rsa.misc.cs_targetmodule | | keyword |
-| rsa.misc.cs_v6nxthop | | keyword |
-| rsa.misc.cs_whois_server | | keyword |
-| rsa.misc.cs_yararesult | | keyword |
-| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
-| rsa.misc.data_type | | keyword |
-| rsa.misc.description | | keyword |
-| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
-| rsa.misc.devvendor | | keyword |
-| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
-| rsa.misc.distance | | keyword |
-| rsa.misc.doc_number | This key captures File Identification number | long |
-| rsa.misc.dstburb | | keyword |
-| rsa.misc.edomain | | keyword |
-| rsa.misc.edomaub | | keyword |
-| rsa.misc.ein_number | Employee Identification Numbers only | long |
-| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
-| rsa.misc.euid | | keyword |
-| rsa.misc.event_category | | keyword |
-| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
-| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
-| rsa.misc.event_id | | keyword |
-| rsa.misc.event_log | This key captures the Name of the event log | keyword |
-| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
-| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
-| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
-| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
-| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword |
-| rsa.misc.facility | | keyword |
-| rsa.misc.facilityname | | keyword |
-| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
-| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
-| rsa.misc.finterface | | keyword |
-| rsa.misc.flags | | keyword |
-| rsa.misc.forensic_info | | keyword |
-| rsa.misc.found | This is used to capture the results of regex match | keyword |
-| rsa.misc.fresult | This key captures the Filter Result | long |
-| rsa.misc.gaddr | | keyword |
-| rsa.misc.group | This key captures the Group Name value | keyword |
-| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
-| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
-| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
-| rsa.misc.id3 | | keyword |
-| rsa.misc.im_buddyid | | keyword |
-| rsa.misc.im_buddyname | | keyword |
-| rsa.misc.im_client | | keyword |
-| rsa.misc.im_croomid | | keyword |
-| rsa.misc.im_croomtype | | keyword |
-| rsa.misc.im_members | | keyword |
-| rsa.misc.im_userid | | keyword |
-| rsa.misc.im_username | | keyword |
-| rsa.misc.index | | keyword |
-| rsa.misc.inout | | keyword |
-| rsa.misc.ipkt | | keyword |
-| rsa.misc.ipscat | | keyword |
-| rsa.misc.ipspri | | keyword |
-| rsa.misc.job_num | This key captures the Job Number | keyword |
-| rsa.misc.jobname | | keyword |
-| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
-| rsa.misc.latitude | | keyword |
-| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
-| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
-| rsa.misc.linenum | | keyword |
-| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
-| rsa.misc.list_name | | keyword |
-| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
-| rsa.misc.load_data | | keyword |
-| rsa.misc.location_floor | | keyword |
-| rsa.misc.location_mark | | keyword |
-| rsa.misc.log_id | | keyword |
-| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
-| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
-| rsa.misc.log_type | | keyword |
-| rsa.misc.logid | | keyword |
-| rsa.misc.logip | | keyword |
-| rsa.misc.logname | | keyword |
-| rsa.misc.longitude | | keyword |
-| rsa.misc.lport | | keyword |
-| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
-| rsa.misc.match | This key is for regex match name from search.ini | keyword |
-| rsa.misc.mbug_data | | keyword |
-| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
-| rsa.misc.misc | | keyword |
-| rsa.misc.misc_name | | keyword |
-| rsa.misc.mode | | keyword |
-| rsa.misc.msgIdPart1 | | keyword |
-| rsa.misc.msgIdPart2 | | keyword |
-| rsa.misc.msgIdPart3 | | keyword |
-| rsa.misc.msgIdPart4 | | keyword |
-| rsa.misc.msg_type | | keyword |
-| rsa.misc.msgid | | keyword |
-| rsa.misc.name | | keyword |
-| rsa.misc.netsessid | | keyword |
-| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword |
-| rsa.misc.ntype | | keyword |
-| rsa.misc.num | | keyword |
-| rsa.misc.number | | keyword |
-| rsa.misc.number1 | | keyword |
-| rsa.misc.number2 | | keyword |
-| rsa.misc.nwwn | | keyword |
-| rsa.misc.obj_name | This is used to capture name of object | keyword |
-| rsa.misc.obj_type | This is used to capture type of object | keyword |
-| rsa.misc.object | | keyword |
-| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
-| rsa.misc.operation | | keyword |
-| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
-| rsa.misc.opkt | | keyword |
-| rsa.misc.orig_from | | keyword |
-| rsa.misc.owner_id | | keyword |
-| rsa.misc.p_action | | keyword |
-| rsa.misc.p_filter | | keyword |
-| rsa.misc.p_group_object | | keyword |
-| rsa.misc.p_id | | keyword |
-| rsa.misc.p_msgid | | keyword |
-| rsa.misc.p_msgid1 | | keyword |
-| rsa.misc.p_msgid2 | | keyword |
-| rsa.misc.p_result1 | | keyword |
-| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
-| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
-| rsa.misc.param_src | This key captures source parameter | keyword |
-| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword |
-| rsa.misc.password_chg | | keyword |
-| rsa.misc.password_expire | | keyword |
-| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
-| rsa.misc.payload_src | This key is used to capture source payload | keyword |
-| rsa.misc.permgranted | | keyword |
-| rsa.misc.permwanted | | keyword |
-| rsa.misc.pgid | | keyword |
-| rsa.misc.phone | | keyword |
-| rsa.misc.pid | | keyword |
-| rsa.misc.policy | | keyword |
-| rsa.misc.policyUUID | | keyword |
-| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
-| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
-| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
-| rsa.misc.policy_waiver | | keyword |
-| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
-| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
-| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
-| rsa.misc.priority | | keyword |
-| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
-| rsa.misc.prog_asp_num | | keyword |
-| rsa.misc.program | | keyword |
-| rsa.misc.real_data | | keyword |
-| rsa.misc.reason | | keyword |
-| rsa.misc.rec_asp_device | | keyword |
-| rsa.misc.rec_asp_num | | keyword |
-| rsa.misc.rec_library | | keyword |
-| rsa.misc.recordnum | | keyword |
-| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
-| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
-| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
-| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
-| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
-| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
-| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
-| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
-| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
-| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
-| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
-| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
-| rsa.misc.ruid | | keyword |
-| rsa.misc.rule | This key captures the Rule number | keyword |
-| rsa.misc.rule_group | This key captures the Rule group name | keyword |
-| rsa.misc.rule_name | This key captures the Rule Name | keyword |
-| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
-| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
-| rsa.misc.sburb | | keyword |
-| rsa.misc.sdomain_fld | | keyword |
-| rsa.misc.search_text | This key captures the Search Text used | keyword |
-| rsa.misc.sec | | keyword |
-| rsa.misc.second | | keyword |
-| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword |
-| rsa.misc.sensorname | | keyword |
-| rsa.misc.seqnum | | keyword |
-| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
-| rsa.misc.session | | keyword |
-| rsa.misc.sessiontype | | keyword |
-| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
-| rsa.misc.sigUUID | | keyword |
-| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
-| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
-| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
-| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
-| rsa.misc.sigcat | | keyword |
-| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
-| rsa.misc.snmp_value | SNMP set request value | keyword |
-| rsa.misc.space | | keyword |
-| rsa.misc.space1 | | keyword |
-| rsa.misc.spi | | keyword |
-| rsa.misc.spi_dst | Destination SPI Index | keyword |
-| rsa.misc.spi_src | Source SPI Index | keyword |
-| rsa.misc.sql | This key captures the SQL query | keyword |
-| rsa.misc.srcburb | | keyword |
-| rsa.misc.srcdom | | keyword |
-| rsa.misc.srcservice | | keyword |
-| rsa.misc.state | | keyword |
-| rsa.misc.status | | keyword |
-| rsa.misc.status1 | | keyword |
-| rsa.misc.streams | This key captures number of streams in session | long |
-| rsa.misc.subcategory | | keyword |
-| rsa.misc.svcno | | keyword |
-| rsa.misc.system | | keyword |
-| rsa.misc.tbdstr1 | | keyword |
-| rsa.misc.tbdstr2 | | keyword |
-| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
-| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
-| rsa.misc.tgtdom | | keyword |
-| rsa.misc.tgtdomain | | keyword |
-| rsa.misc.threshold | | keyword |
-| rsa.misc.tos | This key describes the type of service | long |
-| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
-| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
-| rsa.misc.type | | keyword |
-| rsa.misc.type1 | | keyword |
-| rsa.misc.udb_class | | keyword |
-| rsa.misc.url_fld | | keyword |
-| rsa.misc.user_div | | keyword |
-| rsa.misc.userid | | keyword |
-| rsa.misc.username_fld | | keyword |
-| rsa.misc.utcstamp | | keyword |
-| rsa.misc.v_instafname | | keyword |
-| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
-| rsa.misc.virt_data | | keyword |
-| rsa.misc.virusname | This key captures the name of the virus | keyword |
-| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
-| rsa.misc.vpnid | | keyword |
-| rsa.misc.vsys | This key captures Virtual System Name | keyword |
-| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
-| rsa.misc.workspace | This key captures Workspace Description | keyword |
-| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
-| rsa.network.addr | | keyword |
-| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword |
-| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
-| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
-| rsa.network.dns_a_record | | keyword |
-| rsa.network.dns_cname_record | | keyword |
-| rsa.network.dns_id | | keyword |
-| rsa.network.dns_opcode | | keyword |
-| rsa.network.dns_ptr_record | | keyword |
-| rsa.network.dns_resp | | keyword |
-| rsa.network.dns_type | | keyword |
-| rsa.network.domain | | keyword |
-| rsa.network.domain1 | | keyword |
-| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
-| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
-| rsa.network.faddr | | keyword |
-| rsa.network.fhost | | keyword |
-| rsa.network.fport | | keyword |
-| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
-| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
-| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
-| rsa.network.host_type | | keyword |
-| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
-| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
-| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
-| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
-| rsa.network.laddr | | keyword |
-| rsa.network.lhost | | keyword |
-| rsa.network.linterface | | keyword |
-| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
-| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword |
-| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
-| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
-| rsa.network.origin | | keyword |
-| rsa.network.packet_length | | keyword |
-| rsa.network.paddr | Deprecated | ip |
-| rsa.network.phost | | keyword |
-| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
-| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
-| rsa.network.remote_domain_id | | keyword |
-| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
-| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
-| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
-| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
-| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
-| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
-| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
-| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
-| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword |
-| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
-| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
-| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
-| rsa.threat.alert | This key is used to capture name of the alert | keyword |
-| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
-| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
-| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
-| rsa.time.date | | keyword |
-| rsa.time.datetime | | keyword |
-| rsa.time.day | | keyword |
-| rsa.time.duration_str | A text string version of the duration | keyword |
-| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
-| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
-| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
-| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
-| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
-| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
-| rsa.time.eventtime | | keyword |
-| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
-| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword |
-| rsa.time.gmtdate | | keyword |
-| rsa.time.gmttime | | keyword |
-| rsa.time.hour | | keyword |
-| rsa.time.min | | keyword |
-| rsa.time.month | | keyword |
-| rsa.time.p_date | | keyword |
-| rsa.time.p_month | | keyword |
-| rsa.time.p_time | | keyword |
-| rsa.time.p_time1 | | keyword |
-| rsa.time.p_time2 | | keyword |
-| rsa.time.p_year | | keyword |
-| rsa.time.process_time | Deprecated, use duration.time | keyword |
-| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
-| rsa.time.stamp | Deprecated key defined only in table map. | date |
-| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
-| rsa.time.timestamp | | keyword |
-| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
-| rsa.time.tzone | | keyword |
-| rsa.time.year | | keyword |
-| rsa.web.alias_host | | keyword |
-| rsa.web.cn_asn_dst | | keyword |
-| rsa.web.cn_rpackets | | keyword |
-| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
-| rsa.web.p_url | | keyword |
-| rsa.web.p_user_agent | | keyword |
-| rsa.web.p_web_cookie | | keyword |
-| rsa.web.p_web_method | | keyword |
-| rsa.web.p_web_referer | | keyword |
-| rsa.web.remote_domain | | keyword |
-| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
-| rsa.web.urlpage | | keyword |
-| rsa.web.urlroot | | keyword |
-| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - diff --git a/packages/fortinet/1.6.2/img/fortinet-logo.svg b/packages/fortinet/1.6.2/img/fortinet-logo.svg deleted file mode 100755 index d6a8448f32..0000000000 --- a/packages/fortinet/1.6.2/img/fortinet-logo.svg +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - 
diff --git a/packages/fortinet/1.6.2/manifest.yml b/packages/fortinet/1.6.2/manifest.yml
deleted file mode 100755
index c7a9ec5706..0000000000
--- a/packages/fortinet/1.6.2/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: fortinet
-title: Fortinet Logs
-version: 1.6.2
-release: ga
-description: Collect logs from Fortinet instances with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^7.14.1 || ^8.0.0"
-icons:
- - src: /img/fortinet-logo.svg
- title: Fortinet
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: fortinet
- title: Fortinet logs
- description: Collect logs from Fortinet instances
- inputs:
- - type: logfile
- title: "Collect Fortinet logs (input: logfile)"
- description: "Collecting logs from Fortinet instances (input: logfile)"
- - type: tcp
- title: "Collect Fortinet logs (input: tcp)"
- description: "Collecting logs from Fortinet instances (input: tcp)"
- - type: udp
- title: "Collect Fortinet logs (input: udp)"
- description: "Collecting logs from Fortinet instances (input: udp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/gcp/1.9.1/changelog.yml b/packages/gcp/1.9.1/changelog.yml
deleted file mode 100755
index 65d5e98f0f..0000000000
--- a/packages/gcp/1.9.1/changelog.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-# newer versions go on top
-- version: "1.9.1"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3103
-- version: "1.9.0"
- changes:
- - description: Preserve request and response in flattened fields.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3390
-- version: "1.8.0"
- changes:
- - description: Add missing `cloud.provider` field.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3274
-- version: "1.7.0"
- changes:
- - description: Add dashboards for firewall and vpc flow logs.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3280
- - description: Add missing mappings for several `event.*` fields.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3280
-- version: "1.6.1"
- changes:
- - description: Clarify the GCP privileges required by the Pub/Sub input.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3206
-- version: "1.6.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.5.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.5.0"
- changes:
- - description: Improve Google Cloud Platform docs.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2842
-- version: "1.4.2"
- changes:
- - description: Remove emtpy values, names with only dots, and invalid client IPs.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2747
-- version: "1.4.1"
- changes:
- - description: Fix quoting of the credentials_json value in policy templates.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2712
-- version: "1.4.0"
- changes:
- - description: Add gcp.dns integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2624
-- version: "1.3.1"
- changes:
- - description: Add Ingest Pipeline script to map IANA Protocol Numbers
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2470
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2406
-- version: "1.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2251
-- version: "1.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1965
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1818
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1661
-- version: "1.0.0"
- changes:
- - description: Move from experimental to GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1568
- - description: remove experimental from data_sets
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1717
-- version: "0.3.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1478
-- version: '0.3.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1385
-- version: "0.3.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.3.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.2.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1240
-- version: "0.1.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1045
-- version: "0.0.2"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/846
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/459
diff --git a/packages/gcp/1.9.1/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.1/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/1.9.1/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/1.9.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index fc0ff88942..0000000000
--- a/packages/gcp/1.9.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,388 +0,0 @@ ---- -description: Pipeline for Google Cloud audit logs - -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: gcp.audit.type - copy_from: "json.protoPayload.@type" - ignore_failure: true -## -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry -# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog -## - - drop: - description: Drop the document if it is not of AuditLog type - if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' -# .insertId - - set: - field: event.id - copy_from: json.insertId - if: ctx.json?.insertId != null -# .logName - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true -# .severity - - rename: - field: json.severity - target_field: log.level - ignore_missing: true -## -# Extract the type of audit logging data from logName to event.provider -# https://cloud.google.com/pubsub/docs/audit-logging#log_name -## - - dissect: - field: log.logger - pattern: "%{}%2F%{event.provider}" - ignore_missing: true - # NOTE test data fails the spec - ignore_failure: true - - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 -## -# MonitoredResource -# .resource -# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource -## - - set: - field: cloud.project.id - copy_from: json.resource.labels.project_id - if: ctx.json?.resource?.labels?.project_id != null - - set: - field: cloud.instance.id - copy_from: json.resource.labels.instance_id - if: ctx.json?.resource?.labels?.instance_id != null -## -# MonitoredResourceDescriptor type -# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor -# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list -## - - set: - field: orchestrator.type - value: kubernetes - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: orchestrator.cluster.name - copy_from: json.resource.labels.cluster_name - ignore_empty_value: true - if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') - - set: - field: _temp.type - copy_from: json.protoPayload.resourceName - ignore_empty_value: true - if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' - - grok: - field: _temp.type - patterns: - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' - - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' - - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' - - 'api/%{API_VERSION:orchestrator.api_version}' - - '%{RESOURCE_TYPE:orchestrator.resource.type}' - pattern_definitions: - API_VERSION: (v\d+([a-z]+)?(\d+)?) - RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
- ignore_missing: true - -## -# AuthenticationInfo -# .protoPayload.authenticationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo -## -# email address of authenticated user (redacted) or service account -# principalEmail -> client.user.email - - rename: - field: json.protoPayload.authenticationInfo.principalEmail - target_field: client.user.email - ignore_missing: true -# identity of requesting first or third party -# principalSubject -> client.user.id - - rename: - field: json.protoPayload.authenticationInfo.principalSubject - target_field: client.user.id - ignore_missing: true - - rename: - field: json.protoPayload.authenticationInfo.authoritySelector - target_field: gcp.audit.authentication_info.authority_selector - ignore_missing: true - -# TODO remove - duplicated in client.user.email and client.user.id - - set: - field: gcp.audit.authentication_info.principal_email - copy_from: client.user.email - if: ctx.client?.user?.email != null - - set: - field: gcp.audit.authentication_info.principal_subject - copy_from: client.user.id - if: ctx.client?.user?.id != null -## -# AuthorizationInfo -# .protoPayload.authorizationInfo -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo -## - - rename: - field: json.protoPayload.authorizationInfo - target_field: gcp.audit.authorization_info - ignore_missing: true - - foreach: - field: gcp.audit.authorization_info - ignore_missing: true - ignore_failure: true - processor: - rename: - field: _ingest._value.resourceAttributes - target_field: _ingest._value.resource_attributes - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List - -## -# Labels -# .labels -## - - set: - field: gcp.audit.labels - copy_from: json.labels - if: ctx.json?.labels != null -## -# RequestMetadata -# .protoPayload.requestMetadata -# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata -## - - convert: - if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" - type: ip - field: json.protoPayload.requestMetadata.callerIp - target_field: source.ip - ignore_missing: true - # TODO remove - duplicated in useragent - - rename: - field: json.protoPayload.requestMetadata.callerSuppliedUserAgent - target_field: gcp.audit.request_metadata.caller_supplied_user_agent - ignore_missing: true - - set: - field: user_agent.original - value: "{{gcp.audit.request_metadata.caller_supplied_user_agent}}" - if: ctx?.gcp?.audit?.request_metadata?.caller_supplied_user_agent != null - - user_agent: - field: user_agent.original - ignore_missing: true -## -# LogEntryOperation -# .operation -# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation -## -# set only if it is not the same as insertId - - set: - field: gcp.audit.logentry_operation.id - copy_from: json.operation.id - if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id - - script: - lang: painless - description: set event.category and type for long running operation - tag: set-event-type-for-long-operations - if: ctx.json?.operation != null - source: | - def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; - def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last; - if (first && last) { - return; - } - if (ctx.event.category == null) { - ctx.event.category = new ArrayList(); - } - if (ctx.event.type == null) { - ctx.event.type = new ArrayList(); - } - ctx.event.category.add('session'); - if (first == true && last == false) { - ctx.event.type.add('start'); - } - if (first == false && last == true) { - ctx.event.type.add('end'); - } - -# TODO remove duplicate protoPayload.methodName - - rename: - field: json.protoPayload.methodName - target_field: gcp.audit.method_name - ignore_missing: true - - set: - field: event.action - value: "{{gcp.audit.method_name}}" - if: ctx?.gcp?.audit?.method_name != null - - convert: - field: json.protoPayload.numResponseItems - target_field: gcp.audit.num_response_items - type: long - ignore_missing: true - - set: - field: gcp.audit.request - copy_from: json.protoPayload.request - if: ctx.json?.protoPayload?.request != null - - set: - field: gcp.audit.response - copy_from: json.protoPayload.response - if: ctx.json?.protoPayload?.response != null - - rename: - field: json.protoPayload.resourceName - target_field: gcp.audit.resource_name - ignore_missing: true - if: ctx.orchestrator?.type != 'kubernetes' - - rename: - field: json.protoPayload.resourceLocation.currentLocations - target_field: gcp.audit.resource_location.current_locations - ignore_missing: true -# TODO remove duplicate json.protoPayload.serviceName - - rename: - field: json.protoPayload.serviceName - target_field: gcp.audit.service_name - ignore_missing: true - - set: - field: service.name - value: "{{gcp.audit.service_name}}" - if: ctx?.gcp?.audit?.service_name != null -## -# .protoPayload.Status -# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status -# google.rpc.Code referred in Status can have the following values -# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto -## - - convert: - field: json.protoPayload.status.code - 
target_field: gcp.audit.status.code - type: long - ignore_missing: true - - rename: - field: json.protoPayload.status.message - target_field: gcp.audit.status.message - ignore_missing: true - - set: - field: event.outcome - value: success - if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 - - set: - field: event.outcome - value: success - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - -## -# if gcp.audit.authorization_info.[0].granted is true then -# set event.category [network, configuration] and event.type to [access, allowed]; -# Caveat -# 1. protoPayload.resourceName is a single value while authorization_info[].resource -# is a list. -# 2. as per test data authorization_info may not be as per spec. 
-## - - append: - field: event.category - value: ['network', 'configuration'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 - - append: - field: event.type - value: ['access', 'allowed'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted - - append: - field: event.type - value: ['access', 'denied'] - if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - -## -# clean-up -## - - remove: - field: - - _temp - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - script: - description: Drops null and empty values and dotted keys recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - def m = ((Map) o); - def it = m.entrySet().iterator(); - while (it.hasNext()) { - def e = ((Map.Entry) it.next()); - def key = 
((String) e.getKey()); - def value = e.getValue(); - Pattern onlyDotsRegex = /^\.+$/; - if (onlyDotsRegex.matcher(key).matches() || drop(value)) { - it.remove(); - } - } - return (m.size() == 0); - } else if (o instanceof List) { - def l = ((List) o); - l.removeIf(v -> drop(v)); - return (l.length == 0); - } - return false; - } - drop(ctx); -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/1.9.1/data_stream/audit/fields/agent.yml b/packages/gcp/1.9.1/data_stream/audit/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/1.9.1/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/1.9.1/data_stream/audit/fields/base-fields.yml b/packages/gcp/1.9.1/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 4a7da76510..0000000000 --- a/packages/gcp/1.9.1/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: gcp -- name: event.dataset - type: constant_keyword - description: Event dataset - value: gcp.audit diff --git a/packages/gcp/1.9.1/data_stream/audit/fields/ecs.yml b/packages/gcp/1.9.1/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 982283187d..0000000000 --- a/packages/gcp/1.9.1/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: API version being used to carry out the action - name: orchestrator.api_version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: URL of the API used to manage the cluster. - name: orchestrator.cluster.url - type: keyword -- description: The version of the cluster. - name: orchestrator.cluster.version - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Organization affected by the event (for multi-tenant orchestrator setups). 
- name: orchestrator.organization - type: keyword -- description: Name of the resource being acted upon. - name: orchestrator.resource.name - type: keyword -- description: Type of resource being acted upon. - name: orchestrator.resource.type - type: keyword -- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). - name: orchestrator.type - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Error message. - name: error.message - type: match_only_text 
diff --git a/packages/gcp/1.9.1/data_stream/audit/fields/fields.yml b/packages/gcp/1.9.1/data_stream/audit/fields/fields.yml deleted file mode 100755 index 12064f765e..0000000000 --- a/packages/gcp/1.9.1/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -- name: gcp.audit - type: group - fields: - - name: type - type: keyword - description: | - Type property. - - name: authentication_info - type: group - fields: - - name: principal_email - type: keyword - description: "The email address of the authenticated user making the request." - - name: authority_selector - type: keyword - description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." - - name: principal_subject - type: keyword - description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." - - name: authorization_info - type: array - description: | - Authorization information for the operation. - fields: - - name: permission - type: keyword - description: "The required IAM permission." - - name: granted - type: boolean - description: "Whether or not authorization for resource and permission was granted." - - name: resource - type: keyword - description: "The resource being accessed, as a REST-style string." - - name: resource_attributes - type: group - fields: - - name: service - type: keyword - description: | - The name of the service. - - name: name - type: keyword - description: | - The name of the resource. - - name: type - type: keyword - description: | - The type of the resource. - - name: labels - type: flattened - description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." - - name: logentry_operation - type: group - fields: - - name: id - type: keyword - description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." - - name: producer - type: keyword - description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." - - name: first - type: boolean - description: "Optional. Set this to True if this is the first log entry in the operation." - - name: last - type: boolean - description: "Optional. Set this to True if this is the last log entry in the operation." - - name: method_name - type: keyword - description: | - The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - - name: num_response_items - type: long - description: | - The number of items returned from a List or Query API method, if applicable. - - name: request - type: flattened - - name: request_metadata - type: group - fields: - - name: caller_ip - type: ip - description: "The IP address of the caller." - - name: raw.caller_ip - type: keyword - description: "The raw IP address of the caller." - - name: caller_supplied_user_agent - type: keyword - description: | - The user agent of the caller. This information is not authenticated and should be treated accordingly. - - name: response - type: flattened - - name: resource_name - type: keyword - description: | - The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - - name: resource_location - type: group - fields: - - name: current_locations - type: array - description: | - Current locations of the resource. - - name: service_name - type: keyword - description: | - The name of the API service performing the operation. For example, datastore.googleapis.com. - - name: status - type: group - fields: - - name: code - type: integer - description: "The status code, which should be an enum value of google.rpc.Code." - - name: message - type: keyword - description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/1.9.1/data_stream/audit/fields/package-fields.yml b/packages/gcp/1.9.1/data_stream/audit/fields/package-fields.yml deleted file mode 100755 index 88482fd9c1..0000000000 --- a/packages/gcp/1.9.1/data_stream/audit/fields/package-fields.yml +++ /dev/null @@ -1,63 +0,0 @@ -- name: gcp - type: group - fields: - - name: destination.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: destination.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. - - name: source.instance - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: region - type: keyword - description: | - Region of the VM. - - name: zone - type: keyword - description: | - Zone of the VM. - - name: source.vpc - type: group - fields: - - name: project_id - type: keyword - description: | - ID of the project containing the VM. - - name: vpc_name - type: keyword - description: | - VPC on which the VM is operating. - - name: subnetwork_name - type: keyword - description: | - Subnetwork on which the VM is operating. diff --git a/packages/gcp/1.9.1/data_stream/audit/manifest.yml b/packages/gcp/1.9.1/data_stream/audit/manifest.yml deleted file mode 100755 index 0c5919ce10..0000000000 --- a/packages/gcp/1.9.1/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) audit logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-audit - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-audit - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/1.9.1/data_stream/audit/sample_event.json b/packages/gcp/1.9.1/data_stream/audit/sample_event.json deleted file mode 100755 index b5881e272f..0000000000 
--- a/packages/gcp/1.9.1/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,130 +0,0 @@ -{ - "@timestamp": "2019-12-19T00:44:25.051Z", - "agent": { - "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "client": { - "user": { - "email": "xxx@xxx.xxx" - } - }, - "cloud": { - "project": { - "id": "elastic-beats" - }, - "provider": "gcp" - }, - "data_stream": { - "dataset": "gcp.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "beta.compute.instances.aggregatedList", - "agent_id_status": "verified", - "category": [ - "network", - "configuration" - ], - "created": "2022-05-20T07:25:00.534Z", - "dataset": "gcp.audit", - "id": "yonau2dg2zi", - "ingested": "2022-05-20T07:25:01Z", - "kind": "event", - "outcome": "success", - "provider": "data_access", - "type": [ - "access", - "allowed" - ] - }, - "gcp": { - "audit": { - "authentication_info": { - "principal_email": "xxx@xxx.xxx" - }, - "authorization_info": [ - { - "granted": true, - "permission": "compute.instances.list", - "resource_attributes": { - "name": "projects/elastic-beats", - "service": "resourcemanager", - "type": "resourcemanager.projects" - } - } - ], - "method_name": "beta.compute.instances.aggregatedList", - "num_response_items": 61, - "request": { - "@type": "type.googleapis.com/compute.instances.aggregatedList" - }, - "request_metadata": { - "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)" - }, - "resource_location": { - "current_locations": [ - "global" - ] - }, - "resource_name": "projects/elastic-beats/global/instances", - "response": { - "@type": "core.k8s.io/v1.Status", - "apiVersion": "v1", - "details": { - "group": "batch", - "kind": 
"jobs", - "name": "gsuite-exporter-1589294700", - "uid": "2beff34a-945f-11ea-bacf-42010a80007f" - }, - "kind": "Status", - "status": "Success" - }, - "service_name": "compute.googleapis.com", - "type": "type.googleapis.com/google.cloud.audit.AuditLog" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "level": "INFO", - "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" - }, - "service": { - "name": "compute.googleapis.com" - }, - "source": { - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "gcp-audit" - ], - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "71.0." - } -} \ No newline at end of file diff --git a/packages/gcp/1.9.1/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.1/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/1.9.1/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/gcp/1.9.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 9589af9c48..0000000000 --- a/packages/gcp/1.9.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,243 +0,0 @@ ---- -description: Pipeline for Google Cloud DNS logs - -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - set: - field: event.kind - value: event - - set: - field: cloud.provider - value: gcp - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - convert: - field: json.resource.labels.project_id - target_field: cloud.project.id - type: string - ignore_failure: true - - convert: - field: json.resource.labels.location - target_field: cloud.region - type: string - ignore_failure: true - - rename: - field: json.jsonPayload.authAnswer - target_field: gcp.dns.auth_answer - ignore_missing: true - - rename: - field: json.jsonPayload.destinationIP - target_field: gcp.dns.destination_ip - ignore_missing: true - - set: - field: destination.address - copy_from: gcp.dns.destination_ip - ignore_failure: true - - convert: - field: gcp.dns.destination_ip - target_field: destination.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.egressError - target_field: gcp.dns.egress_error - ignore_missing: true - - rename: - field: json.jsonPayload.protocol - target_field: gcp.dns.protocol - ignore_missing: true - - set: - field: network.transport - copy_from: gcp.dns.protocol - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - rename: - field: json.jsonPayload.queryName - target_field: gcp.dns.query_name - ignore_missing: true - - set: - field: dns.question.name - copy_from: gcp.dns.query_name - ignore_failure: true - - gsub: - field: dns.question.name - pattern: "[.]$" - replacement: "" - ignore_failure: true - - registered_domain: - field: 
dns.question.name - target_field: dns.question - - remove: - field: dns.question.domain - ignore_missing: true - - rename: - field: json.jsonPayload.queryType - target_field: gcp.dns.query_type - ignore_missing: true - - set: - field: dns.question.type - copy_from: gcp.dns.query_type - ignore_failure: true - - rename: - field: json.jsonPayload.rdata - target_field: gcp.dns.rdata - ignore_missing: true - - script: - if: ctx?.gcp?.dns?.rdata != null - lang: painless - tag: Process DNS RData - description: This script processes the DNS RData into `dns.answers` and `dns.resolved_ip`. - source: | - def rdata = ctx.gcp.dns.rdata; - - def dns_answers = []; - def dns_resolved_ip = []; - - // Check for truncated answers. - def truncated = rdata.endsWith("...") ? 1 : 0; - - // Process answers. - def rdata_answers = /\n/.split(rdata); - - for (def i = 0; i < rdata_answers.length - truncated; i++) { - def answer_parts = /\t/.split(rdata_answers[i]); - - // Assign answer parts. - def name = answer_parts[0]; - def ttl = answer_parts[1]; - def cls = answer_parts[2]; - def type = answer_parts[3]; - def data = answer_parts[4]; - - // Remove trailing fullstop. - if (name.endsWith(".")) { - name = name.substring(0, name.length() - 1); - } - - if (data.endsWith(".")) { - data = data.substring(0, data.length() - 1); - } - - // Uppercase type. 
- type = type.toUpperCase(); - - dns_answers.add([ - "name": name, - "ttl": ttl, - "class": cls, - "type": type, - "data": data - ]); - - if (type == "A" || type == "AAAA") { - dns_resolved_ip.add(data); - } - } - - ctx.dns.answers = dns_answers; - ctx.dns.resolved_ip = dns_resolved_ip; - - rename: - field: json.jsonPayload.responseCode - target_field: gcp.dns.response_code - ignore_missing: true - - set: - field: dns.response_code - copy_from: gcp.dns.response_code - ignore_failure: true - - set: - field: event.outcome - value: success - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" - - set: - field: event.outcome - value: failure - if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" - - rename: - field: json.jsonPayload.serverLatency - target_field: gcp.dns.server_latency - ignore_missing: true - - rename: - field: json.jsonPayload.sourceIP - target_field: gcp.dns.source_ip - ignore_missing: true - - set: - field: source.address - copy_from: gcp.dns.source_ip - ignore_failure: true - - convert: - field: gcp.dns.source_ip - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.jsonPayload.sourceNetwork - target_field: gcp.dns.source_network - ignore_missing: true - - rename: - field: json.jsonPayload.vmInstanceIdString - target_field: gcp.dns.vm_instance_id - ignore_missing: true - - set: - field: cloud.instance.id - copy_from: gcp.dns.vm_instance_id - ignore_failure: true - - rename: - field: json.jsonPayload.vmInstanceName - target_field: gcp.dns.vm_instance_name - ignore_missing: true - - set: - field: cloud.instance.name - copy_from: gcp.dns.vm_instance_name - ignore_failure: true - - gsub: - field: cloud.instance.name - pattern: "^.*[.]" - replacement: "" - ignore_failure: true - - rename: - field: json.jsonPayload.vmProjectId - target_field: gcp.dns.vm_project_id - ignore_missing: true - - rename: - field: json.jsonPayload.vmZoneName - target_field: 
gcp.dns.vm_zone_name - ignore_missing: true - - set: - field: cloud.availability_zone - copy_from: gcp.dns.vm_zone_name - ignore_failure: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/1.9.1/data_stream/dns/fields/agent.yml b/packages/gcp/1.9.1/data_stream/dns/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/gcp/1.9.1/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp/1.9.1/data_stream/dns/fields/base-fields.yml b/packages/gcp/1.9.1/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index bc80931b38..0000000000
--- a/packages/gcp/1.9.1/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.dns
diff --git a/packages/gcp/1.9.1/data_stream/dns/fields/ecs.yml b/packages/gcp/1.9.1/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index cd7eacb22f..0000000000
--- a/packages/gcp/1.9.1/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,126 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The name being queried. 
- If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
- name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword diff --git a/packages/gcp/1.9.1/data_stream/dns/fields/fields.yml b/packages/gcp/1.9.1/data_stream/dns/fields/fields.yml deleted file mode 100755 index c0a98003d6..0000000000 --- a/packages/gcp/1.9.1/data_stream/dns/fields/fields.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-- name: gcp.dns
- type: group
- fields:
- - name: auth_answer
- type: boolean
- description: Authoritative answer.
- - name: destination_ip
- type: ip
- description: Destination IP address, only applicable for forwarding cases.
- - name: egress_error
- type: keyword
- description: Egress proxy error.
- - name: protocol
- type: keyword
- description: Protocol TCP or UDP.
- - name: query_name
- type: keyword
- description: DNS query name.
- - name: query_type
- type: keyword
- description: DNS query type.
- - name: rdata
- type: keyword
- description: DNS answer in presentation format, truncated to 260 bytes.
- - name: response_code
- type: keyword
- description: Response code.
- - name: server_latency
- type: integer
- description: Server latency.
- - name: source_ip
- type: ip
- description: Source IP address of the query.
- - name: source_network
- type: keyword
- description: Source network of the query.
- - name: vm_instance_id
- type: keyword
- description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_instance_name
- type: keyword
- description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_project_id
- type: keyword
- description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs.
- - name: vm_zone_name
- type: keyword
- description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs.
diff --git a/packages/gcp/1.9.1/data_stream/dns/manifest.yml b/packages/gcp/1.9.1/data_stream/dns/manifest.yml
deleted file mode 100755
index c8190efa2e..0000000000
--- a/packages/gcp/1.9.1/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,58 +0,0 @@ -type: logs -title: Google Cloud Platform (GCP) DNS logs -streams: - - input: gcp-pubsub - vars: - - name: topic - type: text - title: Topic - description: Name of the topic where the logs are written to. - multi: false - required: true - show_user: true - default: cloud-logging-dns - - name: subscription_name - type: text - title: Subscription Name - description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. - multi: false - required: true - show_user: true - default: filebeat-gcp-dns - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: true - show_user: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - gcp-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: gcp-pubsub.yml.hbs - title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) - description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/1.9.1/data_stream/dns/sample_event.json b/packages/gcp/1.9.1/data_stream/dns/sample_event.json deleted file mode 100755 index 10349b6d73..0000000000 
--- a/packages/gcp/1.9.1/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-05-20T07:25:43.755Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-05-20T07:25:44Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/1.9.1/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.1/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index d582de0a80..0000000000
--- a/packages/gcp/1.9.1/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,27 +0,0 @@
-project_id: {{project_id}}
-topic: {{topic}}
-subscription.name: {{subscription_name}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-subscription.create: {{subscription_create}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp/1.9.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7dceda4c2c..0000000000
--- a/packages/gcp/1.9.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,410 +0,0 @@ ---- -description: Pipeline for Google Cloud Firewall Logs - -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.action - value: firewall-rule - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.resource.labels.subnetwork_name - target_field: network.name - ignore_missing: true - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - rename: - field: json.jsonPayload.disposition - target_field: event.type - if: ctx?.json?.jsonPayload?.disposition != null - - set: - field: event.type - value: connection - if: ctx?.event?.type != null - - lowercase: - field: event.type - - set: - field: network.direction - value: inbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" - - set: - field: network.direction - value: outbound - if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" - - set: - field: network.direction - value: unknown - if: ctx?.network?.direction == null - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "outbound" - 
ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "outbound" - ignore_missing: true - - rename: - field: json.jsonPayload.vpc - target_field: json.jsonPayload.dest_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.instance - target_field: json.jsonPayload.dest_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.location - target_field: json.jsonPayload.dest_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_vpc - target_field: json.jsonPayload.src_vpc - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_instance - target_field: json.jsonPayload.src_instance - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.remote_location - target_field: json.jsonPayload.src_location - if: ctx?.network?.direction == "inbound" - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == 
'0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - 
target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.rule_details.reference - target_field: rule.name - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - if: ctx?.source?.address != null - ignore_failure: true - - set: - field: destination.ip - value: "{{destination.address}}" - if: ctx?.destination?.address != null - ignore_failure: true - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.instance.zone - 
target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "outbound" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.network?.direction == "inbound" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.network?.direction == "inbound" - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - rename: - field: json.jsonPayload.rule_details - target_field: gcp.firewall.rule_details - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - - remove: - field: - - gcp.firewall.connection - - 
gcp.firewall.dest_location - - gcp.firewall.disposition - - gcp.firewall.src_location - - json - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/1.9.1/data_stream/firewall/fields/agent.yml b/packages/gcp/1.9.1/data_stream/firewall/fields/agent.yml deleted file mode 100755 index 616523c9e1..0000000000 --- a/packages/gcp/1.9.1/data_stream/firewall/fields/agent.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/1.9.1/data_stream/firewall/fields/base-fields.yml b/packages/gcp/1.9.1/data_stream/firewall/fields/base-fields.yml
deleted file mode 100755
index 93e2a6ab3b..0000000000
--- a/packages/gcp/1.9.1/data_stream/firewall/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.firewall
diff --git a/packages/gcp/1.9.1/data_stream/firewall/fields/ecs.yml b/packages/gcp/1.9.1/data_stream/firewall/fields/ecs.yml
deleted file mode 100755
index 54175f3093..0000000000
--- a/packages/gcp/1.9.1/data_stream/firewall/fields/ecs.yml
+++ /dev/null
@@ -1,240 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: Name given by operators to sections of their network. 
- name: network.name - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. 
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword diff --git a/packages/gcp/1.9.1/data_stream/firewall/fields/fields.yml b/packages/gcp/1.9.1/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 98681562b2..0000000000 --- a/packages/gcp/1.9.1/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,44 +0,0 @@
-- name: gcp.firewall
- type: group
- fields:
- - name: rule_details
- type: group
- fields:
- - name: priority
- type: long
- description: The priority for the firewall rule.
- - name: action
- type: keyword
- description: Action that the rule performs on match.
- - name: direction
- type: keyword
- description: Direction of traffic that matches this rule.
- - name: reference
- type: keyword
- description: Reference to the firewall rule.
- - name: source_range
- type: keyword
- description: List of source ranges that the firewall rule applies to.
- - name: destination_range
- type: keyword
- description: List of destination ranges that the firewall applies to.
- - name: source_tag
- type: keyword
- description: |
- List of all the source tags that the firewall rule applies to.
- - name: target_tag
- type: keyword
- description: |
- List of all the target tags that the firewall rule applies to.
- - name: ip_port_info
- type: array
- description: |
- List of ip protocols and applicable port ranges for rules.
- - name: source_service_account
- type: keyword
- description: |
- List of all the source service accounts that the firewall rule applies to.
- - name: target_service_account
- type: keyword
- description: |
- List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/1.9.1/data_stream/firewall/fields/package-fields.yml b/packages/gcp/1.9.1/data_stream/firewall/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/1.9.1/data_stream/firewall/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/1.9.1/data_stream/firewall/manifest.yml b/packages/gcp/1.9.1/data_stream/firewall/manifest.yml
deleted file mode 100755
index 4d0f663192..0000000000
--- a/packages/gcp/1.9.1/data_stream/firewall/manifest.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) firewall logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-firewall
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-firewall
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-firewall
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
diff --git a/packages/gcp/1.9.1/data_stream/firewall/sample_event.json b/packages/gcp/1.9.1/data_stream/firewall/sample_event.json
deleted file mode 100755
index feeb2644cf..0000000000
--- a/packages/gcp/1.9.1/data_stream/firewall/sample_event.json
+++ /dev/null
@@ -1,120 +0,0 @@ -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-05-20T07:26:27.445Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-05-20T07:26:28Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - 
"rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} \ No newline at end of file diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.1/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs deleted file mode 100755 index d582de0a80..0000000000 --- a/packages/gcp/1.9.1/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs +++ /dev/null @@ -1,27 +0,0 @@ -project_id: {{project_id}} -topic: {{topic}} -subscription.name: {{subscription_name}} -{{#if credentials_file}} -credentials_file: {{credentials_file}} -{{/if}} -{{#if credentials_json}} -credentials_json: '{{credentials_json}}' -{{/if}} -{{#if alternative_host}} -alternative_host: {{alternative_host}} -{{/if}} -subscription.create: {{subscription_create}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.1/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 594342f345..0000000000 --- a/packages/gcp/1.9.1/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,371 +0,0 @@ ---- -description: Pipeline for Google Cloud VPC Flow Logs - -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - community_id: - source_ip: json.jsonPayload.connection.src_ip - source_port: json.jsonPayload.connection.src_port - destination_ip: json.jsonPayload.connection.dest_ip - destination_port: json.jsonPayload.connection.dest_port - iana_number: json.jsonPayload.connection.protocol - - date: - field: json.timestamp - timezone: UTC - formats: - - ISO8601 - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - set: - field: event.type - value: connection - - set: - field: event.id - copy_from: json.insertId - ignore_empty_value: true - ignore_failure: true - - set: - field: cloud.provider - value: gcp - - rename: - field: json.logName - target_field: log.logger - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_ip - target_field: destination.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.dest_port - target_field: destination.port - ignore_missing: true - - rename: - field: json.jsonPayload.connection.protocol - target_field: network.iana_number - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_ip - target_field: source.address - ignore_missing: true - - rename: - field: json.jsonPayload.connection.src_port - target_field: source.port - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance.vm_name - target_field: source.domain - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance.vm_name - target_field: destination.domain - ignore_missing: true - - rename: - field: json.jsonPayload.bytes_sent - target_field: source.bytes - ignore_missing: true - - rename: - field: json.jsonPayload.packets_sent - target_field: source.packets - 
ignore_missing: true - - rename: - field: json.jsonPayload.start_time - target_field: event.start - ignore_missing: true - - rename: - field: json.jsonPayload.end_time - target_field: event.end - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.continent - target_field: destination.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.country - target_field: destination.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.region - target_field: destination.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_location.city - target_field: destination.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.continent - target_field: source.geo.continent_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.country - target_field: source.geo.country_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.region - target_field: source.geo.region_name - ignore_missing: true - - rename: - field: json.jsonPayload.src_location.city - target_field: source.geo.city_name - ignore_missing: true - - rename: - field: json.jsonPayload.dest_instance - target_field: gcp.destination.instance - ignore_missing: true - - rename: - field: json.jsonPayload.dest_vpc - target_field: gcp.destination.vpc - ignore_missing: true - - rename: - field: json.jsonPayload.src_instance - target_field: gcp.source.instance - ignore_missing: true - - rename: - field: json.jsonPayload.src_vpc - target_field: gcp.source.vpc - ignore_missing: true - - convert: - field: json.jsonPayload.rtt_msec - target_field: json.jsonPayload.rtt.ms - type: long - ignore_missing: true - - 
rename: - field: json.jsonPayload - target_field: gcp.vpcflow - ignore_missing: true - - convert: - field: source.bytes - type: long - ignore_missing: true - - convert: - field: source.packets - type: long - ignore_missing: true - - convert: - field: network.iana_number - type: string - ignore_missing: true - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; - } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - - remove: - field: - - gcp.vpcflow.rtt_msec - - gcp.vpcflow.connection - - gcp.vpcflow.dest_location - - gcp.vpcflow.src_location - - json - ignore_missing: true - - set: - field: source.ip - value: "{{source.address}}" - ignore_failure: true - if: ctx?.source?.address != null - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_failure: true - if: ctx?.destination?.address != null - - convert: - field: gcp.source.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: 
gcp.source.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.source.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "DEST" - - convert: - field: gcp.destination.instance.project_id - target_field: cloud.project.id - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.vm_name - target_field: cloud.instance.name - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.region - target_field: cloud.region - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.instance.zone - target_field: cloud.availability_zone - type: string - ignore_missing: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: gcp.destination.vpc.subnetwork_name - target_field: network.name - type: string - ignore_missing: true - ignore_failure: true - if: ctx?.gcp?.vpcflow?.reporter == "SRC" - - convert: - field: source.bytes - type: long - target_field: network.bytes - ignore_missing: true - - convert: - field: source.packets - type: long - target_field: network.packets - ignore_missing: true - - set: - field: network.direction - value: internal - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null - - set: - field: network.direction - value: outbound - if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null - - set: - field: network.direction - value: inbound - if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null - - set: - 
field: network.direction - value: unknown - if: ctx?.network?.direction == null - - set: - field: network.type - value: ipv4 - if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") - - set: - field: network.type - value: ipv6 - if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.source?.ip != "" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/fields/agent.yml b/packages/gcp/1.9.1/data_stream/vpcflow/fields/agent.yml
deleted file mode 100755
index 616523c9e1..0000000000
--- a/packages/gcp/1.9.1/data_stream/vpcflow/fields/agent.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/1.9.1/data_stream/vpcflow/fields/base-fields.yml
deleted file mode 100755
index 09f5a3a04a..0000000000
--- a/packages/gcp/1.9.1/data_stream/vpcflow/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp.vpcflow
diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/1.9.1/data_stream/vpcflow/fields/ecs.yml
deleted file mode 100755
index 1fb5a0a066..0000000000
--- a/packages/gcp/1.9.1/data_stream/vpcflow/fields/ecs.yml
+++ /dev/null
@@ -1,262 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Packets sent from the source to the destination.
- name: source.packets
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/fields/fields.yml b/packages/gcp/1.9.1/data_stream/vpcflow/fields/fields.yml
deleted file mode 100755
index afd0aca3fa..0000000000
--- a/packages/gcp/1.9.1/data_stream/vpcflow/fields/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: gcp.vpcflow
- type: group
- fields:
- - name: reporter
- type: keyword
- description: |
- The side which reported the flow. Can be either 'SRC' or 'DEST'.
- - name: rtt.ms
- type: long
- description: |
- Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/1.9.1/data_stream/vpcflow/fields/package-fields.yml
deleted file mode 100755
index 88482fd9c1..0000000000
--- a/packages/gcp/1.9.1/data_stream/vpcflow/fields/package-fields.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-- name: gcp
- type: group
- fields:
- - name: destination.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: destination.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
- - name: source.instance
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: region
- type: keyword
- description: |
- Region of the VM.
- - name: zone
- type: keyword
- description: |
- Zone of the VM.
- - name: source.vpc
- type: group
- fields:
- - name: project_id
- type: keyword
- description: |
- ID of the project containing the VM.
- - name: vpc_name
- type: keyword
- description: |
- VPC on which the VM is operating.
- - name: subnetwork_name
- type: keyword
- description: |
- Subnetwork on which the VM is operating.
diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/manifest.yml b/packages/gcp/1.9.1/data_stream/vpcflow/manifest.yml
deleted file mode 100755
index 61718d7823..0000000000
--- a/packages/gcp/1.9.1/data_stream/vpcflow/manifest.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-type: logs
-title: Google Cloud Platform (GCP) vpcflow logs
-streams:
- - input: gcp-pubsub
- vars:
- - name: topic
- type: text
- title: Topic
- description: Name of the topic where the logs are written to.
- multi: false
- required: true
- show_user: true
- default: cloud-logging-vpcflow
- - name: subscription_name
- type: text
- title: Subscription Name
- description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
- multi: false
- required: true
- show_user: true
- default: filebeat-gcp-vpcflow
- - name: subscription_create
- type: bool
- title: Subscription Create
- description: If true, the integration will create the subscription on start.
- multi: false
- required: true
- show_user: false
- default: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - gcp-vpcflow
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: gcp-pubsub.yml.hbs
- title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
- description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/1.9.1/data_stream/vpcflow/sample_event.json b/packages/gcp/1.9.1/data_stream/vpcflow/sample_event.json
deleted file mode 100755
index 3d743d26e5..0000000000
--- a/packages/gcp/1.9.1/data_stream/vpcflow/sample_event.json
+++ /dev/null
@@ -1,128 +0,0 @@
-{
- "@timestamp": "2019-06-14T03:50:10.845Z",
- "agent": {
- "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "my-sample-project"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.vpcflow",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "67.43.156.14",
- "as": {
- "number": 35908
- },
- "domain": "elasticsearch",
- "geo": {
- "continent_name": "Asia",
- "country_iso_code": "BT",
- "country_name": "Bhutan",
- "location": {
- "lat": 27.5,
- "lon": 90.5
- }
- },
- "ip": "67.43.156.14",
- "port": 9200
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-05-20T07:27:09.739Z",
- "dataset": "gcp.vpcflow",
- "end": "2019-06-14T03:49:51.821308944Z",
- "id": "ut8lbrffooxyp",
- "ingested": "2022-05-20T07:27:10Z",
- "kind": "event",
- "start": "2019-06-14T03:40:08.469099728Z",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "source": {
- "instance": {
- "project_id": "my-sample-project",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "my-sample-project",
- "subnetwork_name": "default",
- "vpc_name": "default"
- }
- },
- "vpcflow": {
- "reporter": "SRC",
- "rtt": {
- "ms": 3
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
- },
- "network": {
- "bytes": 15169,
- "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=",
- "direction": "internal",
- "iana_number": "6",
- "name": "default",
- "packets": 92,
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "10.87.40.76",
- "67.43.156.14"
- ]
- },
- "source": {
- "address": "10.87.40.76",
- "bytes": 15169,
- "domain": "kibana",
- "ip": "10.87.40.76",
- "packets": 92,
- "port": 33880
- },
- "tags": [
- "forwarded",
- "gcp-vpcflow"
- ]
-}
\ No newline at end of file
diff --git a/packages/gcp/1.9.1/docs/README.md b/packages/gcp/1.9.1/docs/README.md
deleted file mode 100755
index f34f061b86..0000000000
--- a/packages/gcp/1.9.1/docs/README.md
+++ /dev/null
@@ -1,1157 +0,0 @@ -# Google Cloud Integration - -The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. - -## Authentication - -To use this Google Cloud Platform (GCP) integration, you need to set up a -*Service Account* with a *Role* and a *Service Account Key* to access data on -your GCP project. - -### Service Account - -First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. - -The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. - -If you haven't already, this might be a good moment to check out the [best -practices for securing service -accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) -guide. - -### Role - -You need to grant your Service Account (SA) access to Google Cloud Platform -resources by assigning a role to the account. In order to assign minimal -privileges, create a custom role that has only the privileges required by Agent. -Those privileges are: - -- `pubsub.subscriptions.consume` -- `pubsub.subscriptions.create` * -- `pubsub.subscriptions.get` -- `pubsub.topics.attachSubscription` * - -\* Only required if Agent is expected to create a new subscription. If you -create the subscriptions yourself you may omit these privileges. - -After you have created the custom role, assign the role to your service account. 
- -### Service Account Keys - -Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. - -From the list of SA: - -1. Click the one you just created to open the detailed view. -2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. -3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). - -## Configure the Integration Settings - -The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). - -The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. - -### Project Id - -The Project Id is the Google Cloud project ID where your resources exist. - -### Credentials File vs Json - -Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. - -#### Option 1: Credentials File - -Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. - -Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. - -#### Option 2: Credentials JSON - -Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. - -#### Recommendations - -Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
- -## Logs Collection Configuration - -With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. - -### Requirements - -You need to create a few dedicated Google Cloud resources before starting, in detail: - -- Log Sink -- Pub/Sub Topic -- Subscription - -Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. - -Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. - -### On the Google Cloud Console - -At a high level, the steps required are: - -- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. -- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. -- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. -- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. - -This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
- -More example filters for different log types: - -```text -# -# VPC Flow: logs for specific subnet -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/vpc_flows") AND -resource.labels.subnetwork_name"=[SUBNET_NAME]" - -# -# Audit: Google Compute Engine firewall rule deletion -# -resource.type="gce_firewall_rule" AND -log_id("cloudaudit.googleapis.com/activity") AND -protoPayload.methodName:"firewalls.delete" - -# -# DNS: all DNS queries -# -resource.type="dns_query" - -# -# Firewall: logs for a given country -# -resource.type="gce_subnetwork" AND -log_id("compute.googleapis.com/firewall") AND -jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] -``` - -Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. - -To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. - -### On Kibana - -Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. - -From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: - -- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. -- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). -- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
- -### Troubleshooting - -If you don't see Audit logs showing up, check the Agent logs to see if there are errors. - -Common error types: - -- Missing roles in the Service Account -- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields - -#### Missing Roles in the Service Account - -If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. -``` - -Solution: make sure your SA has all the required roles. - -#### Misconfigured Settings - -If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: - -```text -[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. -``` - -Solution: double check the integration settings. - -## Logs - -### Audit - -The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.user.email | User email address. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | -| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | -| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | -| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | -| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | -| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | -| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | -| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | -| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | -| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | -| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | -| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | -| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | -| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | -| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | -| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | -| gcp.audit.request | | flattened | -| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | -| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | -| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | -| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | -| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | -| gcp.audit.response | | flattened | -| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | -| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | -| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | -| gcp.audit.type | Type property. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| orchestrator.api_version | API version being used to carry out the action | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| orchestrator.cluster.version | The version of the cluster. | keyword | -| orchestrator.namespace | Namespace in which the action is taking place. | keyword | -| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | -| orchestrator.resource.name | Name of the resource being acted upon. | keyword | -| orchestrator.resource.type | Type of resource being acted upon. | keyword | -| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. 
| keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-05-20T07:25:00.534Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-05-20T07:25:01Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authentication_info": {
- "principal_email": "xxx@xxx.xxx"
- },
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "method_name": "beta.compute.instances.aggregatedList",
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "request_metadata": {
- "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status": "Success"
- },
- "service_name": "compute.googleapis.com",
- "type": "type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
-```
-
-### Firewall
-
-The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. 
| keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2019-10-30T13:52:42.191Z",
- "agent": {
- "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "availability_zone": "us-east1-b",
- "project": {
- "id": "test-beats"
- },
- "provider": "gcp",
- "region": "us-east1"
- },
- "data_stream": {
- "dataset": "gcp.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "10.42.0.2",
- "domain": "test-windows",
- "ip": "10.42.0.2",
- "port": 3389
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "firewall-rule",
- "agent_id_status": "verified",
- "category": "network",
- "created": "2022-05-20T07:26:27.445Z",
- "dataset": "gcp.firewall",
- "id": "1f21ciqfpfssuo",
- "ingested": "2022-05-20T07:26:28Z",
- "kind": "event",
- "type": "connection"
- },
- "gcp": {
- "destination": {
- "instance": {
- "project_id": "test-beats",
- "region": "us-east1",
- "zone": "us-east1-b"
- },
- "vpc": {
- "project_id": "test-beats",
- "subnetwork_name": "windows-isolated",
- "vpc_name": "windows-isolated"
- }
- },
- "firewall": {
- "rule_details": {
- "action": "ALLOW",
- "direction": "INGRESS",
- "ip_port_info": [
- {
- "ip_protocol": "TCP",
- "port_range": [
- "3389"
- ]
- }
- ],
- "priority": 1000,
- "source_range": [
- "0.0.0.0/0"
- ],
- "target_tag": [
- "allow-rdp"
- ]
- }
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
- },
- "network": {
- "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
- "direction": "inbound",
- "iana_number": "6",
- "name": "windows-isolated",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.2.126",
- "10.42.0.2"
- ]
- },
- "rule": {
- "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
- },
- "source": {
- "address": "192.168.2.126",
- "geo": {
- "continent_name": "Asia",
- "country_name": "omn"
- },
- "ip": "192.168.2.126",
- "port": 64853
- },
- "tags": [
- "forwarded",
- "gcp-firewall"
- ]
-}
-```
-
-### VPC Flow
-
-The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name.
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. 
| keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. 
| keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "67.43.156.14", - "as": { - "number": 35908 - }, - "domain": "elasticsearch", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.14", - "port": 9200 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-05-20T07:27:09.739Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821308944Z", - "id": "ut8lbrffooxyp", - "ingested": "2022-05-20T07:27:10Z", - "kind": "event", - "start": "2019-06-14T03:40:08.469099728Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 3 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - 
"logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 15169, - "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=", - "direction": "internal", - "iana_number": "6", - "name": "default", - "packets": 92, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "10.87.40.76", - "67.43.156.14" - ] - }, - "source": { - "address": "10.87.40.76", - "bytes": 15169, - "domain": "kibana", - "ip": "10.87.40.76", - "packets": 92, - "port": 33880 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` - -### DNS - -The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| gcp.dns.auth_answer | Authoritative answer. | boolean | -| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | -| gcp.dns.egress_error | Egress proxy error. | keyword | -| gcp.dns.protocol | Protocol TCP or UDP. | keyword | -| gcp.dns.query_name | DNS query name. | keyword | -| gcp.dns.query_type | DNS query type. | keyword | -| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | -| gcp.dns.response_code | Response code. | keyword | -| gcp.dns.server_latency | Server latency. 
| integer | -| gcp.dns.source_ip | Source IP address of the query. | ip | -| gcp.dns.source_network | Source network of the query. | keyword | -| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | -| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-01-23T09:16:05.341Z", - "agent": { - "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "availability_zone": "europe-west2-a", - "instance": { - "id": "8340998530665147", - "name": "instance" - }, - "project": { - "id": "project" - }, - "provider": "gcp", - "region": "europe-west2" - }, - "data_stream": { - "dataset": "gcp.dns", - "namespace": "ep", - "type": "logs" - }, - "dns": { - "answers": [ - { - "class": "IN", - "data": "127.0.0.1", - "name": "elastic.co", - "ttl": "300", - "type": "A" - } - ], - "question": { - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "A" - }, - "resolved_ip": [ - "127.0.0.1" - ], - "response_code": "NOERROR" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-05-20T07:25:43.755Z", - "dataset": "gcp.dns", - "id": "vwroyze8pg7y", - "ingested": "2022-05-20T07:25:44Z", - "kind": "event", - "outcome": "success" - }, - "gcp": { - "dns": { - "auth_answer": true, - "protocol": "UDP", - "query_name": "elastic.co.", - "query_type": "A", - "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", - "response_code": "NOERROR", - "server_latency": 14, - "source_ip": "10.154.0.3", - "source_network": "default", - "vm_instance_id": "8340998530665147", - "vm_instance_name": "694119234537.instance", - "vm_project_id": "project", - "vm_zone_name": "europe-west2-a" - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" - }, - "network": { - "transport": "udp" - }, - "source": { - "address": 
"10.154.0.3", - "ip": "10.154.0.3" - }, - "tags": [ - "forwarded", - "gcp-dns" - ] -} -``` diff --git a/packages/gcp/1.9.1/docs/audit.md b/packages/gcp/1.9.1/docs/audit.md deleted file mode 100755 index 2e8c6995f7..0000000000 --- a/packages/gcp/1.9.1/docs/audit.md +++ /dev/null 
@@ -1,277 +0,0 @@
-# Audit
-
-## Logs
-
-The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.user.email | User email address. | keyword |
-| client.user.id | Unique identifier of the user. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.code | Error code describing the error. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword |
-| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword |
-| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword |
-| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
-| gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
-| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword |
-| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword |
-| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword |
-| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword |
-| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened |
-| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword |
-| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean |
-| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword |
-| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword |
-| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
-| gcp.audit.request | | flattened |
-| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip |
-| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword |
-| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword |
-| gcp.audit.resource_location.current_locations | Current locations of the resource. | array |
-| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword |
-| gcp.audit.response | | flattened |
-| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword |
-| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer |
-| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
-| gcp.audit.type | Type property. | keyword |
-| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.instance.region | Region of the VM. | keyword |
-| gcp.destination.instance.zone | Zone of the VM. | keyword |
-| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.instance.region | Region of the VM. | keyword |
-| gcp.source.instance.zone | Zone of the VM. | keyword |
-| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
-| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
-| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| orchestrator.api_version | API version being used to carry out the action | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| orchestrator.cluster.version | The version of the cluster. | keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword |
-| orchestrator.resource.name | Name of the resource being acted upon. | keyword |
-| orchestrator.resource.type | Type of resource being acted upon. | keyword |
-| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `audit` looks as following:
-
-```json
-{
- "@timestamp": "2019-12-19T00:44:25.051Z",
- "agent": {
- "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "client": {
- "user": {
- "email": "xxx@xxx.xxx"
- }
- },
- "cloud": {
- "project": {
- "id": "elastic-beats"
- },
- "provider": "gcp"
- },
- "data_stream": {
- "dataset": "gcp.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "action": "beta.compute.instances.aggregatedList",
- "agent_id_status": "verified",
- "category": [
- "network",
- "configuration"
- ],
- "created": "2022-05-20T07:25:00.534Z",
- "dataset": "gcp.audit",
- "id": "yonau2dg2zi",
- "ingested": "2022-05-20T07:25:01Z",
- "kind": "event",
- "outcome": "success",
- "provider": "data_access",
- "type": [
- "access",
- "allowed"
- ]
- },
- "gcp": {
- "audit": {
- "authentication_info": {
- "principal_email": "xxx@xxx.xxx"
- },
- "authorization_info": [
- {
- "granted": true,
- "permission": "compute.instances.list",
- "resource_attributes": {
- "name": "projects/elastic-beats",
- "service": "resourcemanager",
- "type": "resourcemanager.projects"
- }
- }
- ],
- "method_name": "beta.compute.instances.aggregatedList",
- "num_response_items": 61,
- "request": {
- "@type": "type.googleapis.com/compute.instances.aggregatedList"
- },
- "request_metadata": {
- "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)"
- },
- "resource_location": {
- "current_locations": [
- "global"
- ]
- },
- "resource_name": "projects/elastic-beats/global/instances",
- "response": {
- "@type": "core.k8s.io/v1.Status",
- "apiVersion": "v1",
- "details": {
- "group": "batch",
- "kind": "jobs",
- "name": "gsuite-exporter-1589294700",
- "uid": "2beff34a-945f-11ea-bacf-42010a80007f"
- },
- "kind": "Status",
- "status": "Success"
- },
- "service_name": "compute.googleapis.com",
- "type": "type.googleapis.com/google.cloud.audit.AuditLog"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "level": "INFO",
- "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
- },
- "service": {
- "name": "compute.googleapis.com"
- },
- "source": {
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "gcp-audit"
- ],
- "user_agent": {
- "device": {
- "name": "Mac"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)",
- "os": {
- "full": "Mac OS X 10.15",
- "name": "Mac OS X",
- "version": "10.15"
- },
- "version": "71.0."
- }
-}
-```
diff --git a/packages/gcp/1.9.1/docs/dns.md b/packages/gcp/1.9.1/docs/dns.md
deleted file mode 100755
index 1d7e31a900..0000000000
--- a/packages/gcp/1.9.1/docs/dns.md
+++ /dev/null
@@ -1,196 +0,0 @@
-# DNS
-
-## Logs
-
-The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| gcp.dns.auth_answer | Authoritative answer. | boolean |
-| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
-| gcp.dns.egress_error | Egress proxy error. | keyword |
-| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
-| gcp.dns.query_name | DNS query name. | keyword |
-| gcp.dns.query_type | DNS query type. | keyword |
-| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
-| gcp.dns.response_code | Response code. | keyword |
-| gcp.dns.server_latency | Server latency. | integer |
-| gcp.dns.source_ip | Source IP address of the query. | ip |
-| gcp.dns.source_network | Source network of the query. | keyword |
-| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| tags | List of keywords used to tag each event. | keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-01-23T09:16:05.341Z",
- "agent": {
- "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a",
- "hostname": "docker-fleet-agent",
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "cloud": {
- "availability_zone": "europe-west2-a",
- "instance": {
- "id": "8340998530665147",
- "name": "instance"
- },
- "project": {
- "id": "project"
- },
- "provider": "gcp",
- "region": "europe-west2"
- },
- "data_stream": {
- "dataset": "gcp.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "dns": {
- "answers": [
- {
- "class": "IN",
- "data": "127.0.0.1",
- "name": "elastic.co",
- "ttl": "300",
- "type": "A"
- }
- ],
- "question": {
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "A"
- },
- "resolved_ip": [
- "127.0.0.1"
- ],
- "response_code": "NOERROR"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "df142714-8028-4ef0-a80c-4eb03051c084",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-05-20T07:25:43.755Z",
- "dataset": "gcp.dns",
- "id": "vwroyze8pg7y",
- "ingested": "2022-05-20T07:25:44Z",
- "kind": "event",
- "outcome": "success"
- },
- "gcp": {
- "dns": {
- "auth_answer": true,
- "protocol": "UDP",
- "query_name": "elastic.co.",
- "query_type": "A",
- "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
- "response_code": "NOERROR",
- "server_latency": 14,
- "source_ip": "10.154.0.3",
- "source_network": "default",
- "vm_instance_id": "8340998530665147",
- "vm_instance_name": "694119234537.instance",
- "vm_project_id": "project",
- "vm_zone_name": "europe-west2-a"
- }
- },
- "input": {
- "type": "gcp-pubsub"
- },
- "log": {
- "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
- },
- "network": {
- "transport": "udp"
- },
- "source": {
- "address": "10.154.0.3",
- "ip": "10.154.0.3"
- },
- "tags": [
- "forwarded",
- "gcp-dns"
- ]
-}
-```
diff --git a/packages/gcp/1.9.1/docs/firewall.md b/packages/gcp/1.9.1/docs/firewall.md
deleted file mode 100755
index bfdbb35812..0000000000
--- a/packages/gcp/1.9.1/docs/firewall.md
+++ /dev/null
@@ -1,253 +0,0 @@ -# Firewall - -## Logs - -The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | -| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | -| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | -| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | -| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | -| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | -| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | -| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword | -| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `firewall` looks as following: - -```json -{ - "@timestamp": "2019-10-30T13:52:42.191Z", - "agent": { - "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "test-beats" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "10.42.0.2", - "domain": "test-windows", - "ip": "10.42.0.2", - "port": 3389 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "action": "firewall-rule", - "agent_id_status": "verified", - "category": "network", - "created": "2022-05-20T07:26:27.445Z", - "dataset": "gcp.firewall", - "id": "1f21ciqfpfssuo", - "ingested": "2022-05-20T07:26:28Z", - "kind": "event", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "test-beats", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "test-beats", - "subnetwork_name": "windows-isolated", - "vpc_name": "windows-isolated" - } - }, - "firewall": { - "rule_details": { - "action": "ALLOW", - "direction": "INGRESS", - "ip_port_info": [ - { - "ip_protocol": "TCP", - "port_range": [ - "3389" - ] - } - ], - "priority": 1000, - "source_range": [ - "0.0.0.0/0" - ], - "target_tag": [ - "allow-rdp" - ] - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" - }, - "network": { - "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", - "direction": "inbound", - "iana_number": "6", - "name": "windows-isolated", - "transport": "tcp", - "type": "ipv4" - }, - 
"related": { - "ip": [ - "192.168.2.126", - "10.42.0.2" - ] - }, - "rule": { - "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" - }, - "source": { - "address": "192.168.2.126", - "geo": { - "continent_name": "Asia", - "country_name": "omn" - }, - "ip": "192.168.2.126", - "port": 64853 - }, - "tags": [ - "forwarded", - "gcp-firewall" - ] -} -``` diff --git a/packages/gcp/1.9.1/docs/vpcflow.md b/packages/gcp/1.9.1/docs/vpcflow.md deleted file mode 100755 index 05973abc33..0000000000 --- a/packages/gcp/1.9.1/docs/vpcflow.md +++ /dev/null 
@@ -1,258 +0,0 @@ -# VPC Flow - -## Logs - -The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.instance.region | Region of the VM. | keyword | -| gcp.destination.instance.zone | Zone of the VM. | keyword | -| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | -| gcp.source.instance.region | Region of the VM. | keyword | -| gcp.source.instance.zone | Zone of the VM. | keyword | -| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | -| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | -| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | -| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | -| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.logger | The name of the logger inside an application. 
This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
| keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. 
| long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | - - -An example event for `vpcflow` looks as following: - -```json -{ - "@timestamp": "2019-06-14T03:50:10.845Z", - "agent": { - "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183", - "hostname": "docker-fleet-agent", - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "cloud": { - "availability_zone": "us-east1-b", - "project": { - "id": "my-sample-project" - }, - "provider": "gcp", - "region": "us-east1" - }, - "data_stream": { - "dataset": "gcp.vpcflow", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "67.43.156.14", - "as": { - "number": 35908 - }, - "domain": "elasticsearch", - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.14", - "port": 9200 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "df142714-8028-4ef0-a80c-4eb03051c084", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2022-05-20T07:27:09.739Z", - "dataset": "gcp.vpcflow", - "end": "2019-06-14T03:49:51.821308944Z", - "id": "ut8lbrffooxyp", - "ingested": "2022-05-20T07:27:10Z", - "kind": "event", - "start": "2019-06-14T03:40:08.469099728Z", - "type": "connection" - }, - "gcp": { - "destination": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "source": { - "instance": { - "project_id": "my-sample-project", - "region": "us-east1", - "zone": "us-east1-b" - }, - "vpc": { - "project_id": "my-sample-project", - "subnetwork_name": "default", - "vpc_name": "default" - } - }, - "vpcflow": { - "reporter": "SRC", - "rtt": { - "ms": 3 - } - } - }, - "input": { - "type": "gcp-pubsub" - }, - "log": { - 
"logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" - }, - "network": { - "bytes": 15169, - "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=", - "direction": "internal", - "iana_number": "6", - "name": "default", - "packets": 92, - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "10.87.40.76", - "67.43.156.14" - ] - }, - "source": { - "address": "10.87.40.76", - "bytes": 15169, - "domain": "kibana", - "ip": "10.87.40.76", - "packets": 92, - "port": 33880 - }, - "tags": [ - "forwarded", - "gcp-vpcflow" - ] -} -``` diff --git a/packages/gcp/1.9.1/img/filebeat-gcp-audit.png b/packages/gcp/1.9.1/img/filebeat-gcp-audit.png deleted file mode 100755 index 4f68932e9f..0000000000 Binary files a/packages/gcp/1.9.1/img/filebeat-gcp-audit.png and /dev/null differ diff --git a/packages/gcp/1.9.1/img/logo_gcp.svg b/packages/gcp/1.9.1/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp/1.9.1/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp/1.9.1/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/1.9.1/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index fd857ca086..0000000000 --- a/packages/gcp/1.9.1/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "Overview of the audit log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", - "type": "search" - }, - { - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", - "type": "search" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/1.9.1/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/1.9.1/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json deleted file mode 100755 index 0462344e04..0000000000 --- a/packages/gcp/1.9.1/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Overview of the firewall log data from Google Cloud.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]",
- "timeRestore": false,
- "title": "[Logs GCP] Firewall",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/gcp/1.9.1/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/1.9.1/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
deleted file mode 100755
index 46cef5aac9..0000000000
--- a/packages/gcp/1.9.1/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
+++ /dev/null
@@ -1,152 +0,0 @@
-{
- "attributes": {
- "description": "Overview of the VPC flow log data from Google Cloud.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs GCP] VPC Flow", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/gcp/1.9.1/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/1.9.1/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json deleted file mode 100755 index 3e96491081..0000000000 --- a/packages/gcp/1.9.1/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.email", - "service.name", - "gcp.audit.type", - "event.action", - "event.outcome", - "source.ip", - "source.geo.region_name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Audit [Logs GCP]", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/gcp/1.9.1/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/1.9.1/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json deleted file mode 100755 index 5f9cb58c69..0000000000 
--- a/packages/gcp/1.9.1/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "All assets to monitor GCP", - "name": "GCP" - }, - "coreMigrationVersion": "7.17.0", - "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/gcp/1.9.1/manifest.yml b/packages/gcp/1.9.1/manifest.yml deleted file mode 100755 index c7c2757913..0000000000 --- a/packages/gcp/1.9.1/manifest.yml +++ /dev/null 
@@ -1,64 +0,0 @@
-name: gcp
-title: Google Cloud Platform
-version: "1.9.1"
-release: ga
-description: Collect logs from Google Cloud Platform with Elastic Agent.
-type: integration
-icons:
- - src: /img/logo_gcp.svg
- title: logo gcp
- size: 32x32
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories:
- - google_cloud
- - cloud
- - network
- - security
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/filebeat-gcp-audit.png
- title: filebeat gcp audit
- size: 1702x996
- type: image/png
-policy_templates:
- - name: gcp
- title: Google Cloud Platform (GCP) logs
- description: Collect logs from Google Cloud Platform (GCP) instances
- inputs:
- - type: gcp-pubsub
- vars:
- - name: alternative_host
- type: text
- title: Alternative host
- multi: false
- required: false
- show_user: false
- - name: project_id
- type: text
- title: Project Id
- description: Your Google Cloud project ID where the resources exist.
- multi: false
- required: true
- show_user: true
- default: SET_PROJECT_NAME
- - name: credentials_file
- type: text
- title: Credentials File
- description: The path to the JSON file with the private key. Make sure that the Elastic Agent has at least read-only privileges to this file.
- multi: false
- required: false
- show_user: true
- - name: credentials_json
- type: text
- title: Credentials JSON
- description: The content of the JSON file you downloaded from Google Cloud Platform.
- multi: false
- required: false
- show_user: true
- title: "Collect Google Cloud Platform (GCP) audit, firewall and vpcflow logs (input: gcp-pubsub)"
- description: "Collecting audit, firewall and vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/gcp_pubsub/1.0.1/changelog.yml b/packages/gcp_pubsub/1.0.1/changelog.yml
deleted file mode 100755
index e41952b975..0000000000
--- a/packages/gcp_pubsub/1.0.1/changelog.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# newer versions go on top
-- version: "1.0.1"
- changes:
- - description: update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3014
-- version: "1.0.0"
- changes:
- - description: Initial Release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2712
diff --git a/packages/gcp_pubsub/1.0.1/data_stream/generic/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp_pubsub/1.0.1/data_stream/generic/agent/stream/gcp-pubsub.yml.hbs
deleted file mode 100755
index 61072ff134..0000000000
--- a/packages/gcp_pubsub/1.0.1/data_stream/generic/agent/stream/gcp-pubsub.yml.hbs
+++ /dev/null
@@ -1,45 +0,0 @@
-data_stream:
- dataset: {{data_stream.dataset}}
-{{#if pipeline}}
-pipeline: {{pipeline}}
-{{/if}}
-{{#if project_id}}
-project_id: {{project_id}}
-{{/if}}
-{{#if topic}}
-topic: {{topic}}
-{{/if}}
-{{#if subscription_name}}
-subscription.name: {{subscription_name}}
-{{/if}}
-{{#if subscription_create}}
-subscription.create: {{subscription_create}}
-{{/if}}
-{{#if subscription_num_goroutines}}
-subscription.num_goroutines: {{subscription_num_goroutines}}
-{{/if}}
-{{#if subscription_max_outstanding_messages}}
-subscription.max_outstanding_messages: {{subscription_max_outstanding_messages}}
-{{/if}}
-{{#if credentials_file}}
-credentials_file: {{credentials_file}}
-{{/if}}
-{{#if credentials_json}}
-credentials_json: '{{credentials_json}}'
-{{/if}}
-{{#if alternative_host}}
-alternative_host: {{alternative_host}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/agent.yml b/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/base-fields.yml b/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/base-fields.yml
deleted file mode 100755
index 9a0c7aa4e7..0000000000
--- a/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: gcp_pubsub
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: gcp_pubsub.generic
diff --git a/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/ecs.yml b/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/ecs.yml
deleted file mode 100755
index 16b9b88cff..0000000000
--- a/packages/gcp_pubsub/1.0.1/data_stream/generic/fields/ecs.yml
+++ /dev/null
@@ -1,27 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword diff --git a/packages/gcp_pubsub/1.0.1/data_stream/generic/manifest.yml b/packages/gcp_pubsub/1.0.1/data_stream/generic/manifest.yml deleted file mode 100755 index d72cf3a124..0000000000 --- a/packages/gcp_pubsub/1.0.1/data_stream/generic/manifest.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -type: logs -title: Custom Google Pub/Sub Logs -streams: - - input: gcp-pubsub - vars: - - name: data_stream.dataset - type: text - title: Dataset name - description: | - Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html). - default: gcp_pubsub.generic - required: true - show_user: true - - name: pipeline - type: text - title: Ingest Pipeline - description: | - The Ingest Node pipeline ID to be used by the integration. - required: false - show_user: true - - name: project_id - type: text - title: Project ID - multi: false - required: true - show_user: true - - name: topic - type: text - title: Topic - multi: false - required: true - show_user: true - - name: subscription_name - type: text - title: Subscription Name - multi: false - required: true - show_user: true - - name: credentials_file - type: text - title: Credentials File - multi: false - required: false - show_user: true - description: Path to a JSON file containing the credentials and key used to subscribe. - - name: credentials_json - type: text - title: Credentials JSON - multi: false - required: false - show_user: true - description: JSON blob containing the credentials and key used to subscribe. - - name: subscription_create - type: bool - title: Subscription Create - description: If true, the integration will create the subscription on start. - multi: false - required: false - show_user: true - - name: subscription_num_goroutines - type: text - title: Subscription Num Goroutines - description: Number of goroutines created to read from the subscription. This does not limit the number of messages that can be processed concurrently or the maximum number of goroutines the input will create. 
- multi: false - required: false - show_user: false - - name: subscription_max_outstanding_messages - type: text - title: Subscription Max Outstanding Messages - description: The maximum number of unprocessed messages (unacknowledged but not yet expired). If the value is negative, then there will be no limit on the number of unprocessed messages. Default is 1000. - multi: false - required: false - show_user: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: alternative_host - type: text - title: Alternative host - multi: false - required: false - show_user: false - template_path: gcp-pubsub.yml.hbs - title: Custom Google Pub/Sub Logs - description: Collect Logs from Google Pub/Sub topics diff --git a/packages/gcp_pubsub/1.0.1/data_stream/generic/sample_event.json b/packages/gcp_pubsub/1.0.1/data_stream/generic/sample_event.json deleted file mode 100755 index 29f8dbd642..0000000000 --- a/packages/gcp_pubsub/1.0.1/data_stream/generic/sample_event.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "@timestamp": "2022-03-01T13:44:39.474Z", - "agent": { - "ephemeral_id": "1f86371c-5495-4a70-86d8-6a332a68d65e", - "id": "8987526e-bc37-4222-8be4-4e72dc04e70c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "gcp_pubsub.generic", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "8987526e-bc37-4222-8be4-4e72dc04e70c", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-03-01T13:44:56.887Z", - "dataset": "gcp_pubsub.generic", - "id": "df6c1d47df-1", - "ingested": "2022-03-01T13:44:57Z" - }, - "input": { - "type": "gcp-pubsub" - }, - "message": "{\"insertId\":\"ut8lbrffooxyw\",\"jsonPayload\":{\"bytes_sent\":\"1776\",\"connection\":{\"dest_ip\":\"67.43.156.13\",\"dest_port\":33478,\"protocol\":6,\"src_ip\":\"10.87.40.76\",\"src_port\":5601},\"dest_location\":{\"asn\":15169,\"continent\":\"America\",\"country\":\"usa\"},\"end_time\":\"2019-06-14T03:45:37.301953198Z\",\"packets_sent\":\"7\",\"reporter\":\"SRC\",\"rtt_msec\":\"36\",\"src_instance\":{\"project_id\":\"my-sample-project\",\"region\":\"us-east1\",\"vm_name\":\"kibana\",\"zone\":\"us-east1-b\"},\"src_vpc\":{\"project_id\":\"my-sample-project\",\"subnetwork_name\":\"default\",\"vpc_name\":\"default\"},\"start_time\":\"2019-06-14T03:45:37.186193305Z\"},\"logName\":\"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows\",\"receiveTimestamp\":\"2019-06-14T03:50:10.845445834Z\",\"resource\":{\"labels\":{\"location\":\"us-east1-b\",\"project_id\":\"my-sample-project\",\"subnetwork_id\":\"758019854043528829\",\"subnetwork_name\":\"default\"},\"type\":\"gce_subnetwork\"},\"timestamp\":\"2019-06-14T03:50:10.845445834Z\"}\n", - "tags": [ - "forwarded" - ] -} \ No newline at end of file 
diff --git a/packages/gcp_pubsub/1.0.1/docs/README.md b/packages/gcp_pubsub/1.0.1/docs/README.md deleted file mode 100755 index 16a1474dbd..0000000000 --- a/packages/gcp_pubsub/1.0.1/docs/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Custom Google Pub/Sub Integration - -The custom Google Pub/Sub input integration is used to ingest data from a Google Pub/Sub topic subscription that is not covered by our [GCP Integration](https://docs.elastic.co/en/integrations/gcp). - -This integration could for example be used to receive Stackdriver logs that have been exported to a Google Pub/Sub topic. - -Multiple Elastic Agent instances can be configured to read from the same subscription to achieve high-availability or increased throughput. - -## Configuring - -1. Create a user-managed service account (you can skip this if Elastic Agent is running in a VM with a service account attached). See: [Service Accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts) - -2. Create a Pub/Sub topic and subscription. See:[Topics and Subscriptions](https://cloud.google.com/pubsub/docs/admin) - -3. Configure this integration to read from the Pub/Sub subscription using the service account credentials. - -4. Write logs into the Pub/Sub topic yourself or configure a log sink to export GCP logs to the topic. See: [Managing Sinks](https://cloud.google.com/logging/docs/export/configure_export_v2) diff --git a/packages/gcp_pubsub/1.0.1/img/logo_gcp.svg b/packages/gcp_pubsub/1.0.1/img/logo_gcp.svg deleted file mode 100755 index 75e139f9b2..0000000000 --- a/packages/gcp_pubsub/1.0.1/img/logo_gcp.svg +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - diff --git a/packages/gcp_pubsub/1.0.1/manifest.yml b/packages/gcp_pubsub/1.0.1/manifest.yml deleted file mode 100755 index f1d4bd1149..0000000000 --- a/packages/gcp_pubsub/1.0.1/manifest.yml +++ /dev/null 
@@ -1,29 +0,0 @@
-name: gcp_pubsub
-title: Custom Google Pub/Sub Logs
-version: 1.0.1
-release: ga
-description: Collect Logs from Google Pub/Sub topics
-type: integration
-icons:
- - src: /img/logo_gcp.svg
- title: logo gcp
- size: 32x32
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories:
- - google_cloud
- - cloud
- - custom
-conditions:
- kibana.version: ^7.16.0 || ^8.0.0
-policy_templates:
- - name: gcp
- title: Custom Google Pub/Sub Logs
- description: Collect Logs from Google Pub/Sub topics
- inputs:
- - type: gcp-pubsub
- title: Custom Google Pub/Sub Logs
- description: Collect Logs from Google Pub/Sub topics
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/github/1.0.1/changelog.yml b/packages/github/1.0.1/changelog.yml
deleted file mode 100755
index 2fd05bc9bc..0000000000
--- a/packages/github/1.0.1/changelog.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-# newer versions go on top
-- version: "1.0.1"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3105
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "0.3.4"
- changes:
- - description: Fix typo in config template for ignoring host enrichment
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3092
-- version: "0.3.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.3.2"
- changes:
- - description: Fix date format used in queries.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2732
-- version: "0.3.1"
- changes:
- - description: Resolve invalid query operator
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2664
-- version: "0.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2407
-- version: "0.2.2"
- changes:
- - description: Removes saved search used for testing
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2554
-- version: "0.2.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2259
-- version: "0.1.1"
- changes:
- - description: Update Title and Description.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1997
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/1760
diff --git a/packages/github/1.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/github/1.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 9dbed92e60..0000000000
--- a/packages/github/1.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,69 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-request.url: {{api_url}}/orgs/{{organization}}/audit-log
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-
-{{!-- https://github.community/t/new-feature-audit-log-rest-api-check-it-out/161512 --}}
-request.transforms:
- - set:
- target: header.Authorization
- value: "Bearer {{access_token}}"
- - set:
- target: header.Accept
- value: "application/vnd.github.v3+json"
- - set:
- target: url.params.phrase
- value: '[[sprintf "created:>=%s" (formatDate .cursor.last_timestamp "2006-01-02T15:04:05-07:00")]]'
- default: '[[sprintf "created:>=%s" (formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05-07:00")]]'
- - set:
- target: url.params.per_page
- value: 100
- - set:
- target: url.params.include
- value: all
- - set:
- target: url.params.order
- value: asc
-
-request.rate_limit.limit: '[[ .last_response.header.Get "X-RateLimit-Limit" ]]'
-request.rate_limit.reset: '[[ .last_response.header.Get "X-RateLimit-Reset" ]]'
-request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaining" ]]'
-
-response.pagination:
- - set:
- target: url.value
- value: '[[ getRFC5988Link "next" .last_response.header.Link ]]'
- fail_on_template_error: true
-
-cursor:
- last_timestamp:
- value: '[[ .last_event.created_at ]]'
-
-{{#if tags.length}}
-tags:
-{{else if preserve_original_event}}
-tags:
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/github/1.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/github/1.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c75e40eef0..0000000000
--- a/packages/github/1.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,155 +0,0 @@ ---- -description: Pipeline for parsing GitHub audit logs -processors: -- set: - field: event.kind - value: event -- set: - field: ecs.version - value: "8.2.0" -- append: - field: event.type - value: access -- append: - field: event.category - value: web -- append: - field: event.category - value: iam -- rename: - field: message - target_field: event.original - ignore_missing: true -- json: - field: event.original - target_field: json -- fingerprint: - fields: - - json._document_id - target_field: "_id" - ignore_missing: true -- date: - field: json.created_at - formats: - - UNIX_MS - timezone: UTC - target_field: "@timestamp" -- rename: - field: json._document_id - target_field: event.id - ignore_missing: true -- rename: - field: json.action - target_field: event.action - ignore_missing: true -- rename: - field: json.actor - target_field: user.name - ignore_missing: true -- append: - field: related.user - value: "{{user.name}}" - if: ctx.user?.name != null -- rename: - field: json.org - target_field: github.org - ignore_missing: true -- rename: - field: json.user - target_field: user.target.name - ignore_missing: true -- append: - field: related.user - value: "{{user.target.name}}" - if: ctx.user?.target?.name != null -- rename: - field: json.repo - target_field: github.repo - ignore_missing: true -- rename: - field: json.team - target_field: github.team - ignore_missing: true -- rename: - field: json.data.team - target_field: github.team - ignore_missing: true - if: ctx.github?.team == null -- set: - field: group.name - copy_from: github.team - ignore_empty_value: true - if: ctx.event?.action.startsWith("team.") -- set: - field: user.target.group.name - copy_from: github.team - ignore_empty_value: true - if: ctx.event?.action.startsWith("team.") && ctx.user?.target?.name != null -- set: - field: group.name - copy_from: github.org - ignore_empty_value: true - if: ctx.event?.action.startsWith("org.") -- set: - field: user.target.group.name - 
copy_from: github.org - ignore_empty_value: true - if: ctx.event?.action.startsWith("org.") && ctx.user?.target?.name != null -- rename: - field: json.data.old_user - target_field: user.target.group.name - ignore_missing: true -- rename: - field: json.data.old_user - target_field: user.target.group.name - ignore_missing: true - if: ctx.user?.target?.group?.name == null -- rename: - field: json.actor_location.country_code - target_field: client.geo.country_iso_code - ignore_missing: true -- grok: - field: event.action - ignore_missing: true - patterns: - - '^%{GH_CAT:github.category}\.%{GREEDYDATA}' - pattern_definitions: - GH_CAT: '[a-z_]+' -- remove: - field: - - json - ignore_missing: true -- remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/github/1.0.1/data_stream/audit/fields/agent.yml b/packages/github/1.0.1/data_stream/audit/fields/agent.yml deleted file mode 100755 index 4d9a6f7b36..0000000000 --- a/packages/github/1.0.1/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/github/1.0.1/data_stream/audit/fields/base-fields.yml b/packages/github/1.0.1/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index f087bfee14..0000000000 --- a/packages/github/1.0.1/data_stream/audit/fields/base-fields.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: github -- name: event.dataset - type: constant_keyword - description: Event dataset - value: github.audit -- name: "@timestamp" - type: date - description: Event timestamp. -- name: input.type - type: keyword - description: Type of Filebeat input. diff --git a/packages/github/1.0.1/data_stream/audit/fields/ecs.yml b/packages/github/1.0.1/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 089f10244c..0000000000 --- a/packages/github/1.0.1/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,88 +0,0 @@ -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword diff --git a/packages/github/1.0.1/data_stream/audit/fields/fields.yml b/packages/github/1.0.1/data_stream/audit/fields/fields.yml deleted file mode 100755 index 59930fc9dc..0000000000 --- a/packages/github/1.0.1/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -- name: github.org - type: keyword - description: > - GitHub organization name - -- name: github.team - type: keyword - description: >- - GitHub team name -- name: github.repo - type: keyword - description: >- - GitHub repository name -- name: github.category - type: keyword - description: >- - GitHub action category diff --git a/packages/github/1.0.1/data_stream/audit/manifest.yml b/packages/github/1.0.1/data_stream/audit/manifest.yml deleted file mode 100755 index fd72fb7ea5..0000000000 --- a/packages/github/1.0.1/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -type: logs -title: GitHub Audit Logs -release: experimental -streams: - - input: httpjson - vars: - - name: access_token - type: text - title: Personal Access Token - description: the GitHub Personal Access Token. Requires the 'admin:org' scope - multi: false - required: true - show_user: true - - name: organization - type: text - title: Organization Name - description: The GitHub organization name/ID - multi: false - required: true - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: true - default: 60s - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - description: Interval at which the logs will be pulled. The value must be between 2m and 1h. - default: 1h - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - default: 730h # 30 days - description: Initial interval to poll for events. Default is 730 hours (30 days). - - name: api_url - type: text - title: API URL. - description: The API URL without the path. 
- multi: false - required: true - show_user: false - default: https://api.github.com - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - forwarded - - github-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" - template_path: httpjson.yml.hbs - title: GitHub audit logs - description: Collect GitHub audit logs via the API diff --git a/packages/github/1.0.1/data_stream/audit/sample_event.json b/packages/github/1.0.1/data_stream/audit/sample_event.json deleted file mode 100755 index 04e6483361..0000000000 --- a/packages/github/1.0.1/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "@timestamp": "2020-11-18T17:05:48.837Z", - "agent": { - "ephemeral_id": "95d78df4-1364-43b9-ab4f-62fc70d21b04", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "github.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "repo.destroy", - "agent_id_status": "verified", - "category": [ - "web", - "iam" - ], - "created": "2022-02-03T12:34:05.664Z", - "dataset": "github.audit", - "id": "LwW2vpJZCDS-WUmo9Z-ifw", - "ingested": "2022-02-03T12:34:06Z", - "kind": "event", - "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", - "type": [ - "access" - ] - }, - "github": { - "category": "repo", - "org": "mona-org", - "repo": "mona-org/mona-test-repo" - }, - "host": { - "name": "docker-fleet-agent" - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "monalisa" - ] - }, - "tags": [ - "forwarded", - "github-audit", - "preserve_original_event" - ], - "user": { - "name": "monalisa" - } -} \ No newline at end of file diff --git a/packages/github/1.0.1/docs/README.md b/packages/github/1.0.1/docs/README.md deleted file mode 100755 index e7f451bfff..0000000000 --- a/packages/github/1.0.1/docs/README.md +++ /dev/null 
@@ -1,136 +0,0 @@ -# GitHub Integration - -The GitHub integration collects audit events from the [GitHub API](https://docs.github.com/en/rest ). - -## Logs - -### Audit - -The GitHub audit log records all events related to the GitHub organization. See [Audit log actions](https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions) for more details. - -To use this integration, you must be an organization owner, and you must use an Personal Access Token with the admin:org scope. - -*This integration is not compatible with GitHub Enterprise server.* - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.geo.country_iso_code | Country ISO code. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| github.category | GitHub action category | keyword | -| github.org | GitHub organization name | keyword | -| github.repo | GitHub repository name | keyword | -| github.team | GitHub team name | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.group.name | Name of the group. 
| keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2020-11-18T17:05:48.837Z", - "agent": { - "ephemeral_id": "95d78df4-1364-43b9-ab4f-62fc70d21b04", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "github.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "repo.destroy", - "agent_id_status": "verified", - "category": [ - "web", - "iam" - ], - "created": "2022-02-03T12:34:05.664Z", - "dataset": "github.audit", - "id": "LwW2vpJZCDS-WUmo9Z-ifw", - "ingested": "2022-02-03T12:34:06Z", - "kind": "event", - "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", - "type": [ - "access" - ] - }, - "github": { - "category": "repo", - "org": "mona-org", - "repo": "mona-org/mona-test-repo" - }, - "host": { - "name": "docker-fleet-agent" - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "monalisa" - ] - }, - "tags": [ - "forwarded", - "github-audit", - "preserve_original_event" - ], - "user": { - "name": "monalisa" - } -} -``` \ No newline at end of file diff --git a/packages/github/1.0.1/img/github-audit-dashboard.png b/packages/github/1.0.1/img/github-audit-dashboard.png deleted file mode 100755 index e6738cf99f..0000000000 Binary files a/packages/github/1.0.1/img/github-audit-dashboard.png and /dev/null differ 
diff --git a/packages/github/1.0.1/img/github-user-dashboard.png b/packages/github/1.0.1/img/github-user-dashboard.png deleted file mode 100755 index d31984b7fa..0000000000 Binary files a/packages/github/1.0.1/img/github-user-dashboard.png and /dev/null differ diff --git a/packages/github/1.0.1/img/github.svg b/packages/github/1.0.1/img/github.svg deleted file mode 100755 index a8d1174049..0000000000 --- a/packages/github/1.0.1/img/github.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - diff --git a/packages/github/1.0.1/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 50358b3d23..0000000000 --- a/packages/github/1.0.1/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"af01806a-78b1-4068-8d69-fa2ca952f365\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"af01806a-78b1-4068-8d69-fa2ca952f365\",\"panelRefName\":\"panel_af01806a-78b1-4068-8d69-fa2ca952f365\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"7d42442c-83c9-420d-8ef4-883eeb150687\",\"w\":24,\"x\":0,\"y\":7},\"panelIndex\":\"7d42442c-83c9-420d-8ef4-883eeb150687\",\"panelRefName\":\"panel_7d42442c-83c9-420d-8ef4-883eeb150687\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"panelRefName\":\"panel_76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"panelRefName\":\"panel_1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"type\":\"search\",\"version\":\"7.16.0\"}]", - "timeRestore": false, - "title": "[GitHub] User Change Audit", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "github-8bfd8310-205c-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", - "name": "af01806a-78b1-4068-8d69-fa2ca952f365:panel_af01806a-78b1-4068-8d69-fa2ca952f365", - "type": "visualization" 
- }, - { - "id": "github-97737b60-20b5-11ec-8b10-11a4c5e322a0", - "name": "7d42442c-83c9-420d-8ef4-883eeb150687:panel_7d42442c-83c9-420d-8ef4-883eeb150687", - "type": "visualization" - }, - { - "id": "github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0", - "name": "76db3a0d-7562-4436-acd5-3cbfd4f6d044:panel_76db3a0d-7562-4436-acd5-3cbfd4f6d044", - "type": "visualization" - }, - { - "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", - "name": "1e435c96-c37f-4eb5-a4e5-2d446b2bf464:panel_1e435c96-c37f-4eb5-a4e5-2d446b2bf464", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 506153bc21..0000000000 --- a/packages/github/1.0.1/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"w\":41,\"x\":0,\"y\":0},\"panelIndex\":\"63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"panelRefName\":\"panel_63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b37e0c71-2cc3-4895-b839-383ce53561a8\",\"w\":7,\"x\":41,\"y\":0},\"panelIndex\":\"b37e0c71-2cc3-4895-b839-383ce53561a8\",\"panelRefName\":\"panel_b37e0c71-2cc3-4895-b839-383ce53561a8\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"panelRefName\":\"panel_fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-540},\"mapCenter\":{\"lat\":27.08856,\"lon\":-30.5613,\"zoom\":1},\"openTOCDetails\":[]},\"gridData\":{\"h\":18,\"i\":\"88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"w\":37,\"x\":0,\"y\":26},\"panelIndex\":\"88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"panelRefName\":\"panel_88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":18,\"i\":\"0c469087-fb3f-46d3-8962-c49d2e50f70c\",\"w\":11,\"x\":37,\"y\":26},\"panelIndex\":\"0c469087-fb3f-46d3-896
2-c49d2e50f70c\",\"panelRefName\":\"panel_0c469087-fb3f-46d3-8962-c49d2e50f70c\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"w\":25,\"x\":0,\"y\":44},\"panelIndex\":\"108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"panelRefName\":\"panel_108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"9ed1cfce-9337-4813-8df5-14a1280bb351\",\"w\":23,\"x\":25,\"y\":44},\"panelIndex\":\"9ed1cfce-9337-4813-8df5-14a1280bb351\",\"panelRefName\":\"panel_9ed1cfce-9337-4813-8df5-14a1280bb351\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"d48a66a5-50e7-4cab-9b16-767bfa427860\",\"w\":48,\"x\":0,\"y\":63},\"panelIndex\":\"d48a66a5-50e7-4cab-9b16-767bfa427860\",\"panelRefName\":\"panel_d48a66a5-50e7-4cab-9b16-767bfa427860\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[GitHub] Audit Log Activity", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "github-dcee84c0-2059-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", - "name": "63210180-c999-4d93-8d7a-f2fcb810ad1b:panel_63210180-c999-4d93-8d7a-f2fcb810ad1b", - "type": "visualization" - }, - { - "id": "github-d7343340-20b3-11ec-8b10-11a4c5e322a0", - "name": "b37e0c71-2cc3-4895-b839-383ce53561a8:panel_b37e0c71-2cc3-4895-b839-383ce53561a8", - "type": "visualization" - }, - { - "id": "github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0", - "name": "fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9:panel_fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9", - "type": "visualization" - }, - { - "id": "github-871e5750-205e-11ec-8b10-11a4c5e322a0", - "name": 
"88887e58-b192-4c9b-85c7-14d18a6c1c0d:panel_88887e58-b192-4c9b-85c7-14d18a6c1c0d", - "type": "map" - }, - { - "id": "github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0", - "name": "0c469087-fb3f-46d3-8962-c49d2e50f70c:panel_0c469087-fb3f-46d3-8962-c49d2e50f70c", - "type": "visualization" - }, - { - "id": "github-61f60d00-20b4-11ec-8b10-11a4c5e322a0", - "name": "108cd1b7-ce79-4558-ae38-5f1bb93961fe:panel_108cd1b7-ce79-4558-ae38-5f1bb93961fe", - "type": "visualization" - }, - { - "id": "github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0", - "name": "9ed1cfce-9337-4813-8df5-14a1280bb351:panel_9ed1cfce-9337-4813-8df5-14a1280bb351", - "type": "visualization" - }, - { - "id": "github-c803b110-20b4-11ec-8b10-11a4c5e322a0", - "name": "d48a66a5-50e7-4cab-9b16-767bfa427860:panel_d48a66a5-50e7-4cab-9b16-767bfa427860", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 28e6fd92ec..0000000000 --- a/packages/github/1.0.1/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":0.75,\"id\":\"a427cb7d-077b-4c8a-8741-74f8f03283e2\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"],\"type\":\"EMS_FILE\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#6092C0\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#4379aa\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true},{\"alpha\":0.75,\"id\":\"a0ea096b-e0eb-43dd-8f75-c0d8c0e4ac9a\",\"includeInFitToBounds\":true,\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"id\":\"167d9148-ad58-4fa1-99eb-c3e75fc75f96\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"indexPatternTitle\":\"logs-*\",\"term\":\"client.geo.country_iso_code\",\"type\":\"ES_TERM_SOURCE\"}}],\"label\":\"Events by 
Country\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"],\"type\":\"EMS_FILE\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", - "mapStateJSON": 
"{\"center\":{\"lat\":0,\"lon\":-29.82486},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-18M\",\"to\":\"now\"},\"zoom\":0.56}", - "title": "Activity Map by Actor Location [GitHub]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-871e5750-205e-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_join_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 3becd882e0..0000000000 --- a/packages/github/1.0.1/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.target.name", - "github.org", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"user.target.name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.target.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "GitHub Audit Users", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 6fcc2915aa..0000000000 
--- a/packages/github/1.0.1/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "GitHub Audit", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index e74ffec7ff..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Event Types [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 5 Event Types 
[GitHub]\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-61f60d00-20b4-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index bee75a85b9..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Active Users [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 5 Active Users [GitHub]\",\"type\":\"horizontal_bar\"}" - }, - 
"coreMigrationVersion": "7.16.0", - "id": "github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index ffb543647f..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Controls Audit [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"github.org\",\"id\":\"1632831213212\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Organization\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"github.repo\",\"id\":\"1632831234336\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Repository\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.name\",\"id\":\"1632872599896\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Actor\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.target.name\",\"id\":\"1632872564349\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Users\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"event.action\",\"id\":\"1632874177516\",\"indexPatternRefName\":\"control_4_index_pattern\",\"label\":\"Action\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"pare
nt\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Controls Audit [GitHub]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_4_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 0b63b91066..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Events per Organization [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"github.org\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"value\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Events per Organization [GitHub]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 2adad09de2..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Changes [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":0,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"value\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"User Changes [GitHub]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-97737b60-20b5-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index ab96e88761..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Change Timeline [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-18M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"i
d\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Change Timeline [GitHub]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 862ffe3f0b..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Events over time [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-18M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":
\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Events over time [GitHub]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index e833f96f8f..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Active Repositories [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Repository\",\"field\":\"github.repo\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 10 Active 
Repositories [GitHub]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-c803b110-20b4-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.1/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.1/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 1b32797c76..0000000000 --- a/packages/github/1.0.1/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Total Events [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\" \"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Events [GitHub]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-d7343340-20b3-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/github/1.0.1/manifest.yml b/packages/github/1.0.1/manifest.yml
deleted file mode 100755
index ccad2f973d..0000000000
--- a/packages/github/1.0.1/manifest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: github
-title: GitHub
-version: 1.0.1
-release: ga
-description: Collect events from GitHub with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/github.svg
- title: GitHub
- size: 1024x1024
- type: image/svg+xml
-screenshots:
- - src: /img/github-audit-dashboard.png
- title: GitHub audit overview
- size: 3000x1788
- type: image/png
- - src: /img/github-user-dashboard.png
- title: GitHub user overview
- size: 2998x1631
- type: image/png
-policy_templates:
- - name: github
- title: GitHub logs
- description: Collect logs from GitHub
- inputs:
- - type: httpjson
- title: "Collect GitHub logs via API"
- description: "Collecting logs from GitHub via API"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/google_workspace/1.5.1/changelog.yml b/packages/google_workspace/1.5.1/changelog.yml
deleted file mode 100755
index c882d34fd7..0000000000
--- a/packages/google_workspace/1.5.1/changelog.yml
+++ /dev/null
@@ -1,159 +0,0 @@
-# newer versions go on top
-- version: "1.5.1"
- changes:
- - description: update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3107
-- version: "1.5.0"
- changes:
- - description: Allow to set credentials directly in the config.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3430
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.3.4"
- changes:
- - description: Fix pagination to prevent skipped events when more than one page is present.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3140
-- version: "1.3.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.3.2"
- changes:
- - description: Add mapping for ECS event.created.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2862
-- version: "1.3.1"
- changes:
- - description: Remove redundant `event.ingested` from pipelines.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2797
- - description: Validate IP fields and remove invalid data to prevent index mapping exceptions.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2801
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2408
-- version: "1.2.3"
- changes:
- - description: Fix admin pipeline parameter processing
- type: bugfix
- link: https://github.com/elastic/integrations/issues/2533
-- version: "1.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2256
-- version: "1.1.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2106
-- version: "1.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1966
-- version: "1.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1819
-- version: "1.1.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1634
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1719
-- version: "0.7.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1479
-- version: '0.7.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1386
-- version: "0.7.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.7.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.6.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1263
-- version: "0.5.0"
- changes:
- - description: add system tests and remove log input
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1130
-- version: "0.4.0"
- changes:
- - description: update to ECS 1.10.0 and add event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1046
-- version: "0.3.1"
- changes:
- - description: add fingerprint processor to avoid duplicated events.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1019
-- version: "0.3.0"
- changes:
- - description: move edge processing to ingest pipelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/939
-- version: "0.2.4"
- changes:
- - description: add fail_on_template_error on pagination
- type: bugfix
- link: https://github.com/elastic/integrations/pull/900
-- version: "0.2.3"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/847
-- version: "0.2.2"
- changes:
- - description: fix status code parsing for saml datastream
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/809
-- version: "0.2.1"
- changes:
- - description: fixes date formatting for pagination
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/795
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/466
diff --git a/packages/google_workspace/1.5.1/data_stream/admin/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.1/data_stream/admin/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 86e50863da..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/admin/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.oauth2.provider: google -auth.oauth2.google.jwt_file: {{jwt_file}} -auth.oauth2.google.jwt_json: {{jwt_json}} -auth.oauth2.google.delegated_account: {{delegated_account}} -auth.oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly -request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/admin -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: url.params.startTime - value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.split: - target: body.items - split: - target: body.events - keep_parent: true -response.pagination: - - set: - target: url.params.pageToken - value: "[[.last_response.body.nextPageToken]]" - fail_on_template_error: true -cursor: - last_execution_datetime: - value: "[[formatDate now]]" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.5.1/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.1/data_stream/admin/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3bacd3943b..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/admin/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,790 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: iam - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - rename: - field: json.id.uniqueQualifier - target_field: event.id - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - rename: - field: json.actor.profileId - target_field: source.user.id - ignore_missing: true - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_failure: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - rename: - field: json.id.customerId - target_field: organization.id - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - target_field: google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id 
!= null - - append: - field: event.category - value: configuration - if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","DELETE_APPLICATION_SETTING","DELETE_GMAIL_SETTING"].contains(ctx?.event?.action)' - - append: - field: 
event.type - value: change - if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","UPDATE_BUILDING","RENAME_CALENDAR_RESOURCE","UPDATE_CALENDAR_RESOURCE","CANCEL_CALENDAR_EVENTS","RELEASE_CALENDAR_RESOURCES","CHANGE_DEVICE_STATE","CH
ANGE_CHROME_OS_DEVICE_ANNOTATION","CHANGE_CHROME_OS_DEVICE_STATE","UPDATE_CHROME_OS_PRINT_SERVER","UPDATE_CHROME_OS_PRINTER","MOVE_DEVICE_TO_ORG_UNIT_DETAILED","UPDATE_DEVICE","SEND_CHROME_OS_DEVICE_COMMAND","ASSIGN_ROLE","ADD_PRIVILEGE","REMOVE_PRIVILEGE","RENAME_ROLE","UPDATE_ROLE","UNASSIGN_ROLE","TRANSFER_DOCUMENT_OWNERSHIP","ORG_USERS_LICENSE_ASSIGNMENT","ORG_ALL_USERS_LICENSE_ASSIGNMENT","USER_LICENSE_ASSIGNMENT","CHANGE_LICENSE_AUTO_ASSIGN","USER_LICENSE_REASSIGNMENT","ORG_LICENSE_REVOKE","USER_LICENSE_REVOKE","UPDATE_DYNAMIC_LICENSE","DROP_FROM_QUARANTINE","REJECT_FROM_QUARANTINE","RELEASE_FROM_QUARANTINE","CHROME_LICENSES_ENABLED","CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","ASSIGN_CUSTOM_LOGO","UNASSIGN_CUSTOM_LOGO","REVOKE_ENROLLMENT_TOKEN","CHROME_LICENSES_ALLOWED","EDIT_ORG_UNIT_DESCRIPTION","MOVE_ORG_UNIT","EDIT_ORG_UNIT_NAME","REVOKE_DEVICE_ENROLLMENT_TOKEN","TOGGLE_SERVICE_ENABLED","ADD_TO_TRUSTED_OAUTH2_APPS","REMOVE_FROM_TRUSTED_OAUTH2_APPS","BLOCK_ON_DEVICE_ACCESS","TOGGLE_CAA_ENABLEMENT","CHANGE_CAA_ERROR_MESSAGE","CHANGE_CAA_APP_ASSIGNMENTS","UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","TRUST_DOMAIN_OWNED_OAUTH2_APPS","UNBLOCK_ON_DEVICE_ACCESS","CHANGE_ACCOUNT_AUTO_RENEWAL","ADD_APPLICATION","ADD_APPLICATION_TO_WHITELIST","CHANGE_ADVERTISEMENT_OPTION","CHANGE_ALERT_CRITERIA","ALERT_RECEIVERS_CHANGED","RENAME_ALERT","ALERT_STATUS_CHANGED","ADD_DOMAIN_ALIAS","REMOVE_DOMAIN_ALIAS","AUTHORIZE_API_CLIENT_ACCESS","REMOVE_API_CLIENT_ACCESS","CHROME_LICENSES_REDEEMED","TOGGLE_AUTO_ADD_NEW_SERVICE","CHANGE_PRIMARY_DOMAIN","CHANGE_CONFLICT_ACCOUNT_ACTION","CHANGE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","CHANGE_DOMAIN_DEFAULT_LOCALE","CHANGE_DOMAIN_DEFAULT_TIMEZONE","CHANGE_DOMAIN_NAME","TOGGLE_ENABLE_PRE_RELEASE_FEATURES","CHANGE_DOMAIN_SUPPORT_MESSAGE","ADD_TRUSTED_DOMAINS","REMOVE_TRUSTED_DOMAINS","CHANGE_EDU_TYPE","CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","CHANGE_LOGIN_BACKGROUND_COLOR","CHANGE_LOGIN_BO
RDER_COLOR","CHANGE_LOGIN_ACTIVITY_TRACE","PLAY_FOR_WORK_ENROLL","PLAY_FOR_WORK_UNENROLL","UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","CHANGE_ORGANIZATION_NAME","CHANGE_PASSWORD_MAX_LENGTH","CHANGE_PASSWORD_MIN_LENGTH","REMOVE_APPLICATION","REMOVE_APPLICATION_FROM_WHITELIST","CHANGE_RENEW_DOMAIN_REGISTRATION","CHANGE_RESELLER_ACCESS","RULE_ACTIONS_CHANGED","CHANGE_RULE_CRITERIA","RENAME_RULE","RULE_STATUS_CHANGED","ADD_SECONDARY_DOMAIN","REMOVE_SECONDARY_DOMAIN","UPDATE_DOMAIN_SECONDARY_EMAIL","UPDATE_RULE","ADD_MOBILE_CERTIFICATE","COMPANY_OWNED_DEVICE_BLOCKED","COMPANY_OWNED_DEVICE_UNBLOCKED","COMPANY_OWNED_DEVICE_WIPED","CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","ADD_MOBILE_APPLICATION_TO_WHITELIST","CHANGE_ADMIN_RESTRICTIONS_PIN","CHANGE_MOBILE_WIRELESS_NETWORK","ADD_MOBILE_WIRELESS_NETWORK","REMOVE_MOBILE_WIRELESS_NETWORK","CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","REMOVE_MOBILE_CERTIFICATE","CREATE_APPLICATION_SETTING","CREATE_GMAIL_SETTING","REORDER_GROUP_BASED_POLICIES_EVENT","CHANGE_GROUP_DESCRIPTION","ADD_GROUP_MEMBER","REMOVE_GROUP_MEMBER","UPDATE_GROUP_MEMBER","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","CHANGE_GROUP_NAME","CHANGE_GROUP_SETTING","GROUP_MEMBER_BULK_UPLOAD","WHITELISTED_GROUPS_UPDATED","REVOKE_3LO_DEVICE_TOKENS","REVOKE_3LO_TOKEN","ADD_RECOVERY_EMAIL","ADD_RECOVERY_PHONE","GRANT_ADMIN_PRIVILEGE","REVOKE_ADMIN_PRIVILEGE","REVOKE_ASP","TOGGLE_AUTOMATIC_CONTACT_SHARING","CANCEL_USER_INVITE","CHANGE_USER_CUSTOM_FIELD","CHANGE_USER_EXTERNAL_ID","CHANGE_USER_GENDER","CHANGE_USER_IM","ENABLE_USER_IP_WHITELIST","CHANGE_USER_KEYWORD","CHANGE_USER_LANGUAGE","CHANGE_USER_LOCATION","CHANGE_USER_ORGANIZATION","CHANGE_USER_PHONE_NUMBER","CHANGE_RECOVERY_EMAIL","CHANGE_RECOVERY_PHONE","CHANGE_USER_RELATION","CHANGE_USER_ADDRESS","GRANT_DELEGATED_ADMIN_PRIVILEGES","CHANGE_FIRST_NAME","GMAIL_RESET_USER","CHANGE_LAST_NAME","
MAIL_ROUTING_DESTINATION_ADDED","MAIL_ROUTING_DESTINATION_REMOVED","ADD_NICKNAME","REMOVE_NICKNAME","CHANGE_PASSWORD","CHANGE_PASSWORD_ON_NEXT_LOGIN","REMOVE_RECOVERY_EMAIL","REMOVE_RECOVERY_PHONE","RESET_SIGNIN_COOKIES","SECURITY_KEY_REGISTERED_FOR_USER","REVOKE_SECURITY_KEY","TURN_OFF_2_STEP_VERIFICATION","UNBLOCK_USER_SESSION","UNENROLL_USER_FROM_TITANIUM","ARCHIVE_USER","UPDATE_BIRTHDATE","DOWNGRADE_USER_FROM_GPLUS","USER_ENROLLED_IN_TWO_STEP_VERIFICATION","MOVE_USER_TO_ORG_UNIT","USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","RENAME_USER","UNENROLL_USER_FROM_STRONG_AUTH","SUSPEND_USER","UNARCHIVE_USER","UNSUSPEND_USER","UPGRADE_USER_TO_GPLUS","MOBILE_DEVICE_APPROVE","MOBILE_DEVICE_BLOCK","MOBILE_DEVICE_WIPE","MOBILE_ACCOUNT_WIPE","MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK"].contains(ctx?.event?.action)' - - append: - field: event.type - value: user - if: '["REVOKE_3LO_DEVICE_TOKENS","REVOKE_3LO_TOKEN","ADD_RECOVERY_EMAIL","ADD_RECOVERY_PHONE","GRANT_ADMIN_PRIVILEGE","REVOKE_ADMIN_PRIVILEGE","REVOKE_ASP","TOGGLE_AUTOMATIC_CONTACT_SHARING","CANCEL_USER_INVITE","CHANGE_USER_CUSTOM_FIELD","CHANGE_USER_EXTERNAL_ID","CHANGE_USER_GENDER","CHANGE_USER_IM","ENABLE_USER_IP_WHITELIST","CHANGE_USER_KEYWORD","CHANGE_USER_LANGUAGE","CHANGE_USER_LOCATION","CHANGE_USER_ORGANIZATION","CHANGE_USER_PHONE_NUMBER","CHANGE_RECOVERY_EMAIL","CHANGE_RECOVERY_PHONE","CHANGE_USER_RELATION","CHANGE_USER_ADDRESS","GRANT_DELEGATED_ADMIN_PRIVILEGES","CHANGE_FIRST_NAME","GMAIL_RESET_USER","CHANGE_LAST_NAME","MAIL_ROUTING_DESTINATION_ADDED","MAIL_ROUTING_DESTINATION_REMOVED","ADD_NICKNAME","REMOVE_NICKNAME","CHANGE_PASSWORD","CHANGE_PASSWORD_ON_NEXT_LOGIN","REMOVE_RECOVERY_EMAIL","REMOVE_RECOVERY_PHONE","RESET_SIGNIN_COOKIES","SECURITY_KEY_REGISTERED_FOR_USER","REVOKE_SECURITY_KEY","TURN_OFF_2_STEP_VERIFICATION","UNBLOCK_USER_SESSION","UNENROLL_USER_FROM_TITANIUM","ARCHIVE_USER","UPDATE_BIRTHDATE","DOWNGRADE_USER_FROM_GPLUS","USER_ENROLLED_IN_TWO_STEP_VERI
FICATION","MOVE_USER_TO_ORG_UNIT","USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","RENAME_USER","UNENROLL_USER_FROM_STRONG_AUTH","SUSPEND_USER","UNARCHIVE_USER","UNSUSPEND_USER","UPGRADE_USER_TO_GPLUS","MOBILE_DEVICE_APPROVE","MOBILE_DEVICE_BLOCK","MOBILE_DEVICE_WIPE","MOBILE_ACCOUNT_WIPE","MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","DELETE_2SV_SCRATCH_CODES","DELETE_ACCOUNT_INFO_DUMP","DELETE_EMAIL_MONITOR","DELETE_MAILBOX_DUMP","DELETE_USER","MOBILE_DEVICE_DELETE","GENERATE_2SV_SCRATCH_CODES","CREATE_EMAIL_MONITOR","CREATE_DATA_TRANSFER_REQUEST","CREATE_USER","UNDELETE_USER","REQUEST_ACCOUNT_INFO","REQUEST_MAILBOX_DUMP","RESEND_USER_INVITE","BULK_UPLOAD_NOTIFICATION_SENT","USER_INVITE","VIEW_TEMP_PASSWORD","USERS_BULK_UPLOAD_NOTIFICATION_SENT","ACTION_CANCELLED","ACTION_REQUESTED"].contains(ctx?.event?.action)' - - append: - field: event.type - value: creation - if: '["CREATE_APPLICATION_SETTING","CREATE_GMAIL_SETTING","CREATE_MANAGED_CONFIGURATION","CREATE_BUILDING","CREATE_CALENDAR_RESOURCE","CREATE_CALENDAR_RESOURCE_FEATURE","MEET_INTEROP_CREATE_GATEWAY","INSERT_CHROME_OS_PRINT_SERVER","INSERT_CHROME_OS_PRINTER","CREATE_ROLE","ADD_WEB_ADDRESS","EMAIL_UNDELETE","CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","CREATE_DEVICE_ENROLLMENT_TOKEN","CREATE_ENROLLMENT_TOKEN","CREATE_ORG_UNIT","CREATE_ALERT","CREATE_PLAY_FOR_WORK_TOKEN","GENERATE_TRANSFER_TOKEN","REGENERATE_OAUTH_CONSUMER_SECRET","CREATE_RULE","GENERATE_PIN","COMPANY_DEVICES_BULK_CREATION","CREATE_GROUP","GENERATE_2SV_SCRATCH_CODES","CREATE_EMAIL_MONITOR","CREATE_DATA_TRANSFER_REQUEST","CREATE_USER","UNDELETE_USER"].contains(ctx?.event?.action)' - - append: - field: event.type - value: deletion - if: 
'["DELETE_APPLICATION_SETTING","DELETE_GMAIL_SETTING","DELETE_MANAGED_CONFIGURATION","DELETE_BUILDING","DELETE_CALENDAR_RESOURCE","DELETE_CALENDAR_RESOURCE_FEATURE","MEET_INTEROP_DELETE_GATEWAY","DELETE_CHROME_OS_PRINT_SERVER","DELETE_CHROME_OS_PRINTER","REMOVE_CHROME_OS_APPLICATION_SETTINGS","DELETE_ROLE","DELETE_WEB_ADDRESS","CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","REMOVE_ORG_UNIT","DELETE_ALERT","DELETE_PLAY_FOR_WORK_TOKEN","DELETE_RULE","COMPANY_DEVICE_DELETION","DELETE_GROUP","DELETE_2SV_SCRATCH_CODES","DELETE_ACCOUNT_INFO_DUMP","DELETE_EMAIL_MONITOR","DELETE_MAILBOX_DUMP","DELETE_USER","MOBILE_DEVICE_DELETE"].contains(ctx?.event?.action)' - - append: - field: event.type - value: group - if: '["REORDER_GROUP_BASED_POLICIES_EVENT","CHANGE_GROUP_DESCRIPTION","ADD_GROUP_MEMBER","REMOVE_GROUP_MEMBER","UPDATE_GROUP_MEMBER","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","CHANGE_GROUP_NAME","CHANGE_GROUP_SETTING","GROUP_MEMBER_BULK_UPLOAD","WHITELISTED_GROUPS_UPDATED","GROUP_LIST_DOWNLOAD","GROUP_MEMBERS_DOWNLOAD"].contains(ctx?.event?.action)' - - append: - field: event.type - value: info - if: 
'["ISSUE_DEVICE_COMMAND","DRIVE_DATA_RESTORE","VIEW_SITE_DETAILS","EMAIL_LOG_SEARCH","SKIP_DOMAIN_ALIAS_MX","VERIFY_DOMAIN_ALIAS_MX","VERIFY_DOMAIN_ALIAS","VIEW_DNS_LOGIN_DETAILS","MX_RECORD_VERIFICATION_CLAIM","UPLOAD_OAUTH_CERTIFICATE","SKIP_SECONDARY_DOMAIN_MX","VERIFY_SECONDARY_DOMAIN_MX","VERIFY_SECONDARY_DOMAIN","BULK_UPLOAD","DOWNLOAD_PENDING_INVITES_LIST","DOWNLOAD_USERLIST_CSV","USERS_BULK_UPLOAD","ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT","USE_GOOGLE_MOBILE_MANAGEMENT","USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS","USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS","GROUP_LIST_DOWNLOAD","GROUP_MEMBERS_DOWNLOAD","REQUEST_ACCOUNT_INFO","REQUEST_MAILBOX_DUMP","RESEND_USER_INVITE","BULK_UPLOAD_NOTIFICATION_SENT","USER_INVITE","VIEW_TEMP_PASSWORD","USERS_BULK_UPLOAD_NOTIFICATION_SENT","ACTION_CANCELLED","ACTION_REQUESTED"].contains(ctx?.event?.action)' - - script: - lang: painless - if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' - source: > - if (ctx.google_workspace.admin == null) { - ctx.google_workspace.admin = new HashMap(); - } - for (int i = 0; i < ctx.json.events.parameters.length; ++i) { - if (ctx["json"]["events"]["parameters"][i]["value"] != null) { - ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; - } - if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { - ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; - } - if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { - ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; - } - } - - remove: - field: json.events.parameters - ignore_missing: true - - rename: - field: google_workspace.admin.APPLICATION_EDITION - target_field: google_workspace.admin.application.edition - ignore_missing: true - - rename: - field: 
google_workspace.admin.APPLICATION_NAME - target_field: google_workspace.admin.application.name - ignore_missing: true - - rename: - field: google_workspace.admin.APPLICATION_ENABLED - target_field: google_workspace.admin.application.enabled - ignore_missing: true - - rename: - field: google_workspace.admin.APP_LICENSES_ORDER_NUMBER - target_field: google_workspace.admin.application.licences_order_number - ignore_missing: true - - rename: - field: google_workspace.admin.CHROME_NUM_LICENSES_PURCHASED - target_field: google_workspace.admin.application.licences_purchased - ignore_missing: true - - rename: - field: google_workspace.admin.REAUTH_APPLICATION - target_field: google_workspace.admin.application.name - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_EMAIL - target_field: google_workspace.admin.group.email - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_NAME - target_field: group.name - ignore_missing: true - - rename: - field: google_workspace.admin.NEW_VALUE - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.OLD_VALUE - target_field: google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.ORG_UNIT_NAME - target_field: google_workspace.admin.org_unit.name - ignore_missing: true - - rename: - field: google_workspace.admin.SETTING_NAME - target_field: google_workspace.admin.setting.name - ignore_missing: true - - rename: - field: google_workspace.admin.SETTING_DESCRIPTION - target_field: google_workspace.admin.setting.description - ignore_missing: true - - rename: - field: google_workspace.admin.USER_DEFINED_SETTING_NAME - target_field: google_workspace.admin.user_defined_setting.name - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_PRIORITIES - target_field: google_workspace.admin.group.priorities - ignore_missing: true - - rename: - field: google_workspace.admin.DOMAIN_NAME - 
target_field: google_workspace.admin.domain.name - ignore_missing: true - - rename: - field: google_workspace.admin.DOMAIN_ALIAS - target_field: google_workspace.admin.domain.alias - ignore_missing: true - - rename: - field: google_workspace.admin.SECONDARY_DOMAIN_NAME - target_field: google_workspace.admin.domain.secondary_name - ignore_missing: true - - rename: - field: google_workspace.admin.MANAGED_CONFIGURATION_NAME - target_field: google_workspace.admin.managed_configuration - ignore_missing: true - - rename: - field: google_workspace.admin.MOBILE_APP_PACKAGE_ID - target_field: google_workspace.admin.application.package_id - ignore_missing: true - - rename: - field: google_workspace.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION - target_field: google_workspace.admin.non_featured_services_selection - ignore_missing: true - - rename: - field: google_workspace.admin.FIELD_NAME - target_field: google_workspace.admin.field - ignore_missing: true - - rename: - field: google_workspace.admin.RESOURCE_IDENTIFIER - target_field: google_workspace.admin.resource.id - ignore_missing: true - - rename: - field: google_workspace.admin.USER_EMAIL - target_field: google_workspace.admin.user.email - ignore_missing: true - - rename: - field: google_workspace.admin.GATEWAY_NAME - target_field: google_workspace.admin.gateway.name - ignore_missing: true - - rename: - field: google_workspace.admin.APP_ID - target_field: google_workspace.admin.application.id - ignore_missing: true - - rename: - field: google_workspace.admin.ASP_ID - target_field: google_workspace.admin.application.asp_id - ignore_missing: true - - rename: - field: google_workspace.admin.CHROME_OS_SESSION_TYPE - target_field: google_workspace.admin.chrome_os.session_type - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_NEW_STATE - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_PREVIOUS_STATE - target_field: 
google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_SERIAL_NUMBER - target_field: google_workspace.admin.device.serial_number - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_ID - target_field: google_workspace.admin.device.id - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_TYPE - target_field: google_workspace.admin.device.type - ignore_missing: true - - rename: - field: google_workspace.admin.PRINT_SERVER_NAME - target_field: google_workspace.admin.print_server.name - ignore_missing: true - - rename: - field: google_workspace.admin.PRINTER_NAME - target_field: google_workspace.admin.printer.name - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_COMMAND_DETAILS - target_field: google_workspace.admin.device.command_details - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_NEW_ORG_UNIT - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.DEVICE_PREVIOUS_ORG_UNIT - target_field: google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.ROLE_NAME - target_field: google_workspace.admin.role.name - ignore_missing: true - - rename: - field: google_workspace.admin.ROLE_ID - target_field: google_workspace.admin.role.id - ignore_missing: true - - rename: - field: google_workspace.admin.PRIVILEGE_NAME - target_field: google_workspace.admin.privilege.name - ignore_missing: true - - rename: - field: google_workspace.admin.SITE_LOCATION - target_field: url.path - ignore_missing: true - - rename: - field: google_workspace.admin.WEB_ADDRESS - target_field: url.full - ignore_missing: true - - uri_parts: - field: url.full - ignore_failure: true - if: ctx?.url?.full != null - - rename: - field: google_workspace.admin.SITE_NAME - target_field: google_workspace.admin.url.name - ignore_missing: true - - rename: - field: 
google_workspace.admin.SERVICE_NAME - target_field: google_workspace.admin.service.name - ignore_missing: true - - rename: - field: google_workspace.admin.PRODUCT_NAME - target_field: google_workspace.admin.product.name - ignore_missing: true - - rename: - field: google_workspace.admin.SKU_NAME - target_field: google_workspace.admin.product.sku - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER - target_field: google_workspace.admin.bulk_upload.failed - ignore_missing: true - - rename: - field: google_workspace.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER - target_field: google_workspace.admin.bulk_upload.total - ignore_missing: true - - rename: - field: google_workspace.admin.BULK_UPLOAD_FAIL_USERS_NUMBER - target_field: google_workspace.admin.bulk_upload.failed - ignore_missing: true - - rename: - field: google_workspace.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER - target_field: google_workspace.admin.bulk_upload.total - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_MSG_ID - target_field: google_workspace.admin.email.log_search_filter.message_id - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_RECIPIENT - target_field: google_workspace.admin.email.log_search_filter.recipient.value - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SENDER - target_field: google_workspace.admin.email.log_search_filter.sender.value - ignore_missing: true - - convert: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP - type: ip - ignore_missing: true - on_failure: - - remove: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP - target_field: google_workspace.admin.email.log_search_filter.recipient.ip - ignore_missing: true - - convert: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP - type: ip - 
ignore_missing: true - on_failure: - - remove: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP - - rename: - field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP - target_field: google_workspace.admin.email.log_search_filter.sender.ip - ignore_missing: true - - rename: - field: google_workspace.admin.QUARANTINE_NAME - target_field: google_workspace.admin.email.quarantine_name - ignore_missing: true - - rename: - field: google_workspace.admin.CHROME_LICENSES_ENABLED - target_field: google_workspace.admin.chrome_licenses.enabled - ignore_missing: true - - rename: - field: google_workspace.admin.CHROME_LICENSES_ALLOWED - target_field: google_workspace.admin.chrome_licenses.allowed - ignore_missing: true - - rename: - field: google_workspace.admin.FULL_ORG_UNIT_PATH - target_field: google_workspace.admin.org_unit.full - ignore_missing: true - - rename: - field: google_workspace.admin.OAUTH2_SERVICE_NAME - target_field: google_workspace.admin.oauth2.service.name - ignore_missing: true - - rename: - field: google_workspace.admin.OAUTH2_APP_ID - target_field: google_workspace.admin.oauth2.application.id - ignore_missing: true - - rename: - field: google_workspace.admin.OAUTH2_APP_NAME - target_field: google_workspace.admin.oauth2.application.name - ignore_missing: true - - rename: - field: google_workspace.admin.OAUTH2_APP_TYPE - target_field: google_workspace.admin.oauth2.application.type - ignore_missing: true - - rename: - field: google_workspace.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD - target_field: google_workspace.admin.verification_method - ignore_missing: true - - rename: - field: google_workspace.admin.DOMAIN_VERIFICATION_METHOD - target_field: google_workspace.admin.verification_method - ignore_missing: true - - rename: - field: google_workspace.admin.CAA_ASSIGNMENTS_NEW - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.CAA_ASSIGNMENTS_OLD - target_field: 
google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.REAUTH_SETTING_NEW - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.REAUTH_SETTING_OLD - target_field: google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.ALERT_NAME - target_field: google_workspace.admin.alert.name - ignore_missing: true - - rename: - field: google_workspace.admin.API_CLIENT_NAME - target_field: google_workspace.admin.api.client.name - ignore_missing: true - - rename: - field: google_workspace.admin.API_SCOPES - target_field: google_workspace.admin.api.scopes - ignore_missing: true - - rename: - field: google_workspace.admin.PLAY_FOR_WORK_TOKEN_ID - target_field: google_workspace.admin.mdm.token - ignore_missing: true - - rename: - field: google_workspace.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME - target_field: google_workspace.admin.mdm.vendor - ignore_missing: true - - rename: - field: google_workspace.admin.INFO_TYPE - target_field: google_workspace.admin.info_type - ignore_missing: true - - rename: - field: google_workspace.admin.RULE_NAME - target_field: google_workspace.admin.rule.name - ignore_missing: true - - rename: - field: google_workspace.admin.USER_CUSTOM_FIELD - target_field: google_workspace.admin.setting.name - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_DEST_EMAIL - target_field: google_workspace.admin.email_monitor.dest_email - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_LEVEL_CHAT - target_field: google_workspace.admin.email_monitor.level.chat - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL - target_field: google_workspace.admin.email_monitor.level.draft - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL - target_field: 
google_workspace.admin.email_monitor.level.incoming - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL - target_field: google_workspace.admin.email_monitor.level.outgoing - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_EXPORT_INCLUDE_DELETED - target_field: google_workspace.admin.email_dump.include_deleted - ignore_missing: true - - rename: - field: google_workspace.admin.EMAIL_EXPORT_PACKAGE_CONTENT - target_field: google_workspace.admin.email_dump.package_content - ignore_missing: true - - rename: - field: google_workspace.admin.SEARCH_QUERY_FOR_DUMP - target_field: google_workspace.admin.email_dump.query - ignore_missing: true - - rename: - field: google_workspace.admin.DESTINATION_USER_EMAIL - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.REQUEST_ID - target_field: google_workspace.admin.request.id - ignore_missing: true - - rename: - field: google_workspace.admin.GMAIL_RESET_REASON - target_field: message - ignore_missing: true - - rename: - field: google_workspace.admin.USER_NICKNAME - target_field: google_workspace.admin.user.nickname - ignore_missing: true - - rename: - field: google_workspace.admin.ACTION_ID - target_field: google_workspace.admin.mobile.action.id - ignore_missing: true - - rename: - field: google_workspace.admin.ACTION_TYPE - target_field: google_workspace.admin.mobile.action.type - ignore_missing: true - - rename: - field: google_workspace.admin.MOBILE_CERTIFICATE_COMMON_NAME - target_field: google_workspace.admin.mobile.certificate.name - ignore_missing: true - - rename: - field: google_workspace.admin.NUMBER_OF_COMPANY_OWNED_DEVICES - target_field: google_workspace.admin.mobile.company_owned_devices - ignore_missing: true - - rename: - field: google_workspace.admin.COMPANY_DEVICE_ID - target_field: google_workspace.admin.device.id - ignore_missing: true - - rename: - field: 
google_workspace.admin.DISTRIBUTION_ENTITY_NAME - target_field: google_workspace.admin.distribution.entity.name - ignore_missing: true - - rename: - field: google_workspace.admin.DISTRIBUTION_ENTITY_TYPE - target_field: google_workspace.admin.distribution.entity.type - ignore_missing: true - - rename: - field: google_workspace.admin.MOBILE_APP_PACKAGE_ID - target_field: google_workspace.admin.application.package_id - ignore_missing: true - - rename: - field: google_workspace.admin.NEW_PERMISSION_GRANT_STATE - target_field: google_workspace.admin.new_value - ignore_missing: true - - rename: - field: google_workspace.admin.OLD_PERMISSION_GRANT_STATE - target_field: google_workspace.admin.old_value - ignore_missing: true - - rename: - field: google_workspace.admin.PERMISSION_GROUP_NAME - target_field: google_workspace.admin.setting.name - ignore_missing: true - - rename: - field: google_workspace.admin.MOBILE_WIRELESS_NETWORK_NAME - target_field: network.name - ignore_missing: true - - date: - field: google_workspace.admin.EMAIL_LOG_SEARCH_END_DATE - target_field: google_workspace.admin.email.log_search_filter.end_date - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.EMAIL_LOG_SEARCH_END_DATE != null - - date: - field: google_workspace.admin.EMAIL_LOG_SEARCH_START_DATE - target_field: google_workspace.admin.email.log_search_filter.start_date - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.EMAIL_LOG_SEARCH_START_DATE != null - - date: - field: google_workspace.admin.BIRTHDATE - target_field: google_workspace.admin.user.birthdate - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: 
ctx?.google_workspace?.admin?.BIRTHDATE != null - - date: - field: google_workspace.admin.BEGIN_DATE_TIME - target_field: event.start - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.BEGIN_DATE_TIME != null - - date: - field: google_workspace.admin.START_DATE - target_field: event.start - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.START_DATE != null - - date: - field: google_workspace.admin.END_DATE - target_field: event.end - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.END_DATE != null - - date: - field: google_workspace.admin.END_DATE_TIME - target_field: event.end - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - if: ctx?.google_workspace?.admin?.END_DATE_TIME != null - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - script: - lang: painless - if: 'ctx?.google_workspace?.admin?.group?.email != null && ctx?.google_workspace?.admin?.group?.email.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.admin.group.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.group == null) { - ctx.group = new HashMap(); - } - ctx.group.name = 
splitmail[0]; - ctx.group.domain = splitmail[1]; - - script: - lang: painless - if: 'ctx?.google_workspace?.admin?.user?.email != null && ctx?.google_workspace?.admin?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.admin.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.related == null) { - ctx.related = new HashMap(); - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - if (ctx.user.target == null) { - ctx.user.target = new HashMap(); - } - ctx.user.target.name = splitmail[0]; - ctx.user.target.domain = splitmail[1]; - ctx.user.target.email = ctx.google_workspace.admin.user.email; - - set: - field: user.target.group.name - copy_from: group.name - if: ctx?.group?.name != null - - set: - field: user.target.group.domain - copy_from: group.domain - if: ctx?.group?.domain != null - - script: - lang: painless - if: 'ctx?.event?.start != null && ctx?.event?.end != null' - source: >- - ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); - ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); - ctx.event.duration = ChronoUnit.NANOS.between(start, end); - - convert: - field: google_workspace.admin.bulk_upload.total - type: long - ignore_missing: true - - convert: - field: google_workspace.admin.bulk_upload.failed - type: long - ignore_missing: true - - set: - field: event.outcome - value: success - if: 'ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != null && ctx?.google_workspace?.admin?.group?.bulk_upload?.failed == 0' - - set: - field: event.outcome - value: failure - if: 'ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != null && ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != 0' - - split: - field: google_workspace.admin.WHITELISTED_GROUPS - target_field: google_workspace.admin.group.allowed_list - separator: ',' - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false 
- - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - append: - field: related.user - value: "{{user.target.name}}" - if: ctx?.user?.target?.name != null - allow_duplicates: false - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - convert: - field: event.id - type: string - ignore_missing: true - - convert: - field: source.user.id - type: string - ignore_missing: true - - convert: - field: user.id - type: string - ignore_missing: true - - remove: - field: - - json - - google_workspace.admin.EMAIL_LOG_SEARCH_END_DATE - - google_workspace.admin.EMAIL_LOG_SEARCH_START_DATE - - google_workspace.admin.BIRTHDATE - - google_workspace.admin.BEGIN_DATE_TIME - - google_workspace.admin.START_DATE - - google_workspace.admin.END_DATE - - google_workspace.admin.END_DATE_TIME - - google_workspace.admin.WHITELISTED_GROUPS - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.1/data_stream/admin/fields/agent.yml b/packages/google_workspace/1.5.1/data_stream/admin/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/admin/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/google_workspace/1.5.1/data_stream/admin/fields/base-fields.yml b/packages/google_workspace/1.5.1/data_stream/admin/fields/base-fields.yml
deleted file mode 100755
index 5913006667..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/admin/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: google_workspace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: google_workspace.admin
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/google_workspace/1.5.1/data_stream/admin/fields/ecs.yml b/packages/google_workspace/1.5.1/data_stream/admin/fields/ecs.yml
deleted file mode 100755
index cf45f5e9aa..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/admin/fields/ecs.yml
+++ /dev/null
@@ -1,290 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. 
For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.1/data_stream/admin/fields/fields.yml b/packages/google_workspace/1.5.1/data_stream/admin/fields/fields.yml deleted file mode 100755 index 642107f70f..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/admin/fields/fields.yml +++ /dev/null 
@@ -1,259 +0,0 @@ -- name: google_workspace.admin - type: group - fields: - - name: application.edition - type: keyword - description: The Google Workspace edition. - - name: application.name - type: keyword - description: The application's name. - - name: application.enabled - type: keyword - description: The enabled application. - - name: application.licences_order_number - type: keyword - description: Order number used to redeem licenses. - - name: application.licences_purchased - type: long - description: Number of licences purchased. - - name: application.id - type: keyword - description: The application ID. - - name: application.asp_id - type: keyword - description: The application specific password ID. - - name: application.package_id - type: keyword - description: The mobile application package ID. - - name: group.email - type: keyword - description: The group's primary email address. - - name: new_value - type: keyword - description: The new value for the setting. - - name: old_value - type: keyword - description: The old value for the setting. - - name: org_unit.name - type: keyword - description: The organizational unit name. - - name: org_unit.full - type: keyword - description: The org unit full path including the root org unit name. - - name: setting.name - type: keyword - description: The setting name. - - name: user_defined_setting.name - type: keyword - description: The name of the user-defined setting. - - name: setting.description - type: keyword - description: The setting name. - - name: group.priorities - type: keyword - description: Group priorities. - - name: domain.alias - type: keyword - description: The domain alias. - - name: domain.name - type: keyword - description: The primary domain name. - - name: domain.secondary_name - type: keyword - description: The secondary domain name. - - name: managed_configuration - type: keyword - description: The name of the managed configuration. 
- - name: non_featured_services_selection - type: keyword - description: | - Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED - - name: field - type: keyword - description: The name of the field. - - name: resource.id - type: keyword - description: The name of the resource identifier. - - name: user.email - type: keyword - description: The user's primary email address. - - name: user.nickname - type: keyword - description: The user's nickname. - - name: user.birthdate - type: date - description: The user's birth date. - - name: gateway.name - type: keyword - description: Gateway name. Present on some chat settings. - - name: chrome_os.session_type - type: keyword - description: Chrome OS session type. - - name: device.serial_number - type: keyword - description: Device serial number. - - name: device.id - type: keyword - - name: device.type - type: keyword - description: Device type. - - name: print_server.name - type: keyword - description: The name of the print server. - - name: printer.name - type: keyword - description: The name of the printer. - - name: device.command_details - type: keyword - description: Command details. - - name: role.id - type: keyword - description: Unique identifier for this role privilege. - - name: role.name - type: keyword - description: | - The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings - - name: privilege.name - type: keyword - description: Privilege name. - - name: service.name - type: keyword - description: The service name. - - name: url.name - type: keyword - description: The website name. - - name: product.name - type: keyword - description: The product name. - - name: product.sku - type: keyword - description: The product SKU. 
- - name: bulk_upload.failed - type: long - description: Number of failed records in bulk upload operation. - - name: bulk_upload.total - type: long - description: Number of total records in bulk upload operation. - - name: group.allowed_list - type: keyword - description: Names of allow-listed groups. - - name: email.quarantine_name - type: keyword - description: The name of the quarantine. - - name: email.log_search_filter.message_id - type: keyword - description: The log search filter's email message ID. - - name: email.log_search_filter.start_date - type: date - description: The log search filter's start date. - - name: email.log_search_filter.end_date - type: date - description: The log search filter's ending date. - - name: email.log_search_filter.recipient.value - type: keyword - description: The log search filter's email recipient. - - name: email.log_search_filter.sender.value - type: keyword - description: The log search filter's email sender. - - name: email.log_search_filter.recipient.ip - type: ip - description: The log search filter's email recipient's IP address. - - name: email.log_search_filter.sender.ip - type: ip - description: The log search filter's email sender's IP address. - - name: chrome_licenses.enabled - type: keyword - description: | - Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - - name: chrome_licenses.allowed - type: keyword - description: | - Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings - - name: oauth2.service.name - type: keyword - description: | - OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - - name: oauth2.application.id - type: keyword - description: OAuth2 application ID. 
- - name: oauth2.application.name - type: keyword - description: OAuth2 application name. - - name: oauth2.application.type - type: keyword - description: | - OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings - - name: verification_method - type: keyword - description: | - Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - - name: alert.name - type: keyword - description: The alert name. - - name: rule.name - type: keyword - description: The rule name. - - name: api.client.name - type: keyword - description: The API client name. - - name: api.scopes - type: keyword - description: The API scopes. - - name: mdm.token - type: keyword - description: The MDM vendor enrollment token. - - name: mdm.vendor - type: keyword - description: The MDM vendor's name. - - name: info_type - type: keyword - description: | - This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings - - name: email_monitor.dest_email - type: keyword - description: The destination address of the email monitor. - - name: email_monitor.level.chat - type: keyword - description: The chat email monitor level. - - name: email_monitor.level.draft - type: keyword - description: The draft email monitor level. - - name: email_monitor.level.incoming - type: keyword - description: The incoming email monitor level. - - name: email_monitor.level.outgoing - type: keyword - description: The outgoing email monitor level. - - name: email_dump.include_deleted - type: boolean - description: Indicates if deleted emails are included in the export. 
- - name: email_dump.package_content - type: keyword - description: The contents of the mailbox package. - - name: email_dump.query - type: keyword - description: The search query used for the dump. - - name: request.id - type: keyword - description: The request ID. - - name: mobile.action.id - type: keyword - description: The mobile device action's ID. - - name: mobile.action.type - type: keyword - description: | - The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - - name: mobile.certificate.name - type: keyword - description: The mobile certificate common name. - - name: mobile.company_owned_devices - type: long - description: The number of devices a company owns. - - name: distribution.entity.name - type: keyword - description: | - The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings - - name: distribution.entity.type - type: keyword - description: | - The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/packages/google_workspace/1.5.1/data_stream/admin/fields/package-fields.yml b/packages/google_workspace/1.5.1/data_stream/admin/fields/package-fields.yml deleted file mode 100755 index 6aaf0c1ca5..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/admin/fields/package-fields.yml +++ /dev/null 
@@ -1,27 +0,0 @@
-- name: google_workspace
- type: group
- fields:
- - name: actor.type
- type: keyword
- description: |
- The type of actor.
- Values can be:
- *USER*: Another user in the same domain.
- *EXTERNAL_USER*: A user outside the domain.
- *KEY*: A non-human actor.
- - name: actor.key
- type: keyword
- description: |
- Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts.
- - name: event.type
- type: keyword
- description: |
- The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
- - name: kind
- type: keyword
- description: |
- The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list
- - name: organization.domain
- type: keyword
- description: |
- The domain that is affected by the report's event.
diff --git a/packages/google_workspace/1.5.1/data_stream/admin/manifest.yml b/packages/google_workspace/1.5.1/data_stream/admin/manifest.yml
deleted file mode 100755
index 5be2f1ef22..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/admin/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-type: logs
-title: Admin logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Admin logs (httpjson)
- description: Collect admin logs using httpjson input
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - google-workspace-admin
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/google_workspace/1.5.1/data_stream/admin/sample_event.json b/packages/google_workspace/1.5.1/data_stream/admin/sample_event.json
deleted file mode 100755
index 6479395033..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/admin/sample_event.json
+++ /dev/null
@@ -1,116 +0,0 @@
-{
- "@timestamp": "2022-02-02T12:23:57.000Z",
- "agent": {
- "ephemeral_id": "68cf8bd1-0ff1-4c77-a4e7-64ab24882a9c",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "google_workspace.admin",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "CHANGE_APPLICATION_SETTING",
- "agent_id_status": "verified",
- "category": [
- "iam",
- "configuration"
- ],
- "created": "2022-02-03T12:23:57.797Z",
- "dataset": "google_workspace.admin",
- "id": "1",
- "ingested": "2022-02-03T12:23:58Z",
- "provider": "admin",
- "type": [
- "change"
- ]
- },
- "google_workspace": {
- "actor": {
- "type": "USER"
- },
- "admin": {
- "application": {
- "edition": "basic",
- "name": "drive"
- },
- "group": {
- "email": "group@example.com"
- },
- "new_value": "new",
- "old_value": "old",
- "org_unit": {
- "name": "org"
- },
- "setting": {
- "name": "setting"
- }
- },
- "event": {
- "type": "APPLICATION_SETTINGS"
- },
- "kind": "admin#reports#activity",
- "organization": {
- "domain": "elastic.com"
- }
- },
- "group": {
- "domain": "example.com",
- "name": "group"
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "id": "1"
- },
- "related": {
- "ip": [
- "98.235.162.24"
- ],
- "user": [
- "foo"
- ]
- },
- "source": {
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, Inc."
- }
- },
- "ip": "98.235.162.24",
- "user": {
- "domain": "bar.com",
- "email": "foo@bar.com",
- "id": "1",
- "name": "foo"
- }
- },
- "tags": [
- "forwarded",
- "google-workspace-admin"
- ],
- "user": {
- "domain": "bar.com",
- "id": "1",
- "name": "foo",
- "target": {
- "group": {
- "domain": "example.com",
- "name": "group"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/packages/google_workspace/1.5.1/data_stream/drive/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.1/data_stream/drive/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 510c49aabb..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/drive/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-auth.oauth2.provider: google
-auth.oauth2.google.jwt_file: {{jwt_file}}
-auth.oauth2.google.jwt_json: {{jwt_json}}
-auth.oauth2.google.delegated_account: {{delegated_account}}
-auth.oauth2.scopes:
- - https://www.googleapis.com/auth/admin.reports.audit.readonly
-request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/drive
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
- - set:
- target: url.params.startTime
- value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.split:
- target: body.items
- split:
- target: body.events
- keep_parent: true
-response.pagination:
- - set:
- target: url.params.pageToken
- value: "[[.last_response.body.nextPageToken]]"
- fail_on_template_error: true
-cursor:
- last_execution_datetime:
- value: "[[formatDate now]]"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/google_workspace/1.5.1/data_stream/drive/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.1/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 85f487e7a8..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,268 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: file - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - convert: - field: json.id.uniqueQualifier - target_field: event.id - type: string - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - convert: - field: json.actor.profileId - target_field: source.user.id - type: string - ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id != null - - rename: - field: json.ipAddress - target_field: source.ip - ignore_missing: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - rename: - field: json.id.customerId - target_field: organization.id - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - target_field: google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: 
google_workspace.event.type - ignore_missing: true - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - append: - field: event.type - value: change - if: '["add_to_folder", "edit", "add_lock", "move", "remove_from_folder", "rename", "remove_lock", "sheets_import_range", "approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)' - - append: - field: event.category - value: iam - if: '["approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)' - - append: - field: event.category - value: configuration - if: '["approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)' - - append: - field: event.type - value: creation - if: '["create", "untrash", "upload"].contains(ctx?.event?.action)' - - append: - field: event.type - value: deletion - if: '["delete", 
"trash"].contains(ctx?.event?.action)' - - append: - field: event.type - value: info - if: '["download", "preview", "print", "view"].contains(ctx?.event?.action)' - - script: - lang: painless - if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' - source: > - if (ctx.google_workspace.drive == null) { - ctx.google_workspace.drive = new HashMap(); - } - for (int i = 0; i < ctx.json.events.parameters.length; ++i) { - if (ctx["json"]["events"]["parameters"][i]["value"] != null) { - ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; - } - if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { - ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; - } - if (ctx["json"]["events"]["parameters"][i]["boolValue"] != null) { - ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["boolValue"]; - } - } - - rename: - field: google_workspace.drive.doc_id - target_field: google_workspace.drive.file.id - ignore_missing: true - - rename: - field: google_workspace.drive.doc_title - target_field: file.name - ignore_missing: true - - rename: - field: google_workspace.drive.doc_type - target_field: google_workspace.drive.file.type - ignore_missing: true - - rename: - field: google_workspace.drive.owner - target_field: google_workspace.drive.file.owner.email - ignore_missing: true - - rename: - field: google_workspace.drive.owner_is_shared_drive - target_field: google_workspace.drive.file.owner.is_shared_drive - ignore_missing: true - - rename: - field: google_workspace.drive.new_settings_state - target_field: google_workspace.drive.new_value - ignore_missing: true - - rename: - field: google_workspace.drive.old_settings_state - target_field: google_workspace.drive.old_value - ignore_missing: true - - rename: - field: 
google_workspace.drive.target_user - target_field: google_workspace.drive.target - ignore_missing: true - - set: - field: file.type - value: dir - if: '["folder", "shared"].contains(ctx?.google_workspace?.drive?.file?.type)' - - set: - field: file.type - value: file - if: ctx?.file?.type == null - - script: - lang: painless - if: ctx?.file?.name != null - source: > - def path = ctx.file.name; - def extIdx = path.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = path.substring(extIdx+1); - } - - script: - lang: painless - if: 'ctx?.google_workspace?.drive?.target != null && ctx?.google_workspace?.drive?.target.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.drive.target.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.related == null) { - ctx.related = new HashMap(); - } - if (ctx.related.user == null) { - ctx.related.user = new ArrayList(); - } - ctx.related.user.add(splitmail[0]); - - script: - lang: painless - if: 'ctx?.google_workspace?.drive?.file?.owner?.email != null && ctx?.google_workspace?.drive?.file?.owner?.email.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.drive.file.owner.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.file == null) { - ctx.file = new HashMap(); - } - ctx.file.owner = splitmail[0]; - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.user - value: "{{file.owner}}" - if: ctx?.file?.owner != null - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: 
source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: - - json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.1/data_stream/drive/fields/agent.yml b/packages/google_workspace/1.5.1/data_stream/drive/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/drive/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/google_workspace/1.5.1/data_stream/drive/fields/base-fields.yml b/packages/google_workspace/1.5.1/data_stream/drive/fields/base-fields.yml
deleted file mode 100755
index 0ea1dcfcb3..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/drive/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: google_workspace
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: google_workspace.drive
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/google_workspace/1.5.1/data_stream/drive/fields/ecs.yml b/packages/google_workspace/1.5.1/data_stream/drive/fields/ecs.yml
deleted file mode 100755
index 69f294179c..0000000000
--- a/packages/google_workspace/1.5.1/data_stream/drive/fields/ecs.yml
+++ /dev/null
@@ -1,236 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: File owner's username. - name: file.owner - type: keyword -- description: Full path to the file, including the file name. 
It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. 
- name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. 
- For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.1/data_stream/drive/fields/fields.yml b/packages/google_workspace/1.5.1/data_stream/drive/fields/fields.yml deleted file mode 100755 index 85a89be11c..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/drive/fields/fields.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -- name: google_workspace.drive - type: group - fields: - - name: billable - type: boolean - description: Whether this activity is billable. - - name: source_folder_id - type: keyword - - name: source_folder_title - type: keyword - - name: destination_folder_id - type: keyword - - name: destination_folder_title - type: keyword - - name: file.id - type: keyword - - name: file.type - type: keyword - description: | - Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: originating_app_id - type: keyword - description: | - The Google Cloud Project ID of the application that performed the action. - - name: file.owner.email - type: keyword - - name: file.owner.is_shared_drive - type: boolean - description: | - Boolean flag denoting whether owner is a shared drive. - - name: primary_event - type: boolean - description: | - Whether this is a primary event. A single user action in Drive may generate several events. - - name: shared_drive_id - type: keyword - description: | - The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. - - name: visibility - type: keyword - description: | - Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: new_value - type: keyword - description: | - When a setting or property of the file changes, the new value for it will appear here. - - name: old_value - type: keyword - description: | - When a setting or property of the file changes, the old value for it will appear here. - - name: sheets_import_range_recipient_doc - type: keyword - description: Doc ID of the recipient of a sheets import range. - - name: old_visibility - type: keyword - description: | - When visibility changes, this holds the old value. 
- - name: visibility_change - type: keyword - description: | - When visibility changes, this holds the new overall visibility of the file. - - name: target_domain - type: keyword - description: | - The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. - - name: added_role - type: keyword - description: | - Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: membership_change_type - type: keyword - description: | - Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: shared_drive_settings_change_type - type: keyword - description: | - Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: removed_role - type: keyword - description: | - Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive - - name: target - type: keyword - description: Target user or group. diff --git a/packages/google_workspace/1.5.1/data_stream/drive/fields/package-fields.yml b/packages/google_workspace/1.5.1/data_stream/drive/fields/package-fields.yml deleted file mode 100755 index 6aaf0c1ca5..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/drive/fields/package-fields.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -- name: google_workspace - type: group - fields: - - name: actor.type - type: keyword - description: | - The type of actor. - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: | - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: | - The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: kind - type: keyword - description: | - The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: organization.domain - type: keyword - description: | - The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.5.1/data_stream/drive/manifest.yml b/packages/google_workspace/1.5.1/data_stream/drive/manifest.yml deleted file mode 100755 index ef6840f241..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/drive/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Drive logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: Drive logs (httpjson) - description: Collect drive logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - google-workspace-drive - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/google_workspace/1.5.1/data_stream/drive/sample_event.json b/packages/google_workspace/1.5.1/data_stream/drive/sample_event.json deleted file mode 100755 index 3a1ed6c11c..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/drive/sample_event.json +++ /dev/null 
@@ -1,110 +0,0 @@ -{ - "@timestamp": "2022-02-02T12:24:50.000Z", - "agent": { - "ephemeral_id": "3160d231-025f-4e24-9581-72458c960fca", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.drive", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "add_to_folder", - "agent_id_status": "verified", - "category": [ - "file" - ], - "created": "2022-02-03T12:24:50.101Z", - "dataset": "google_workspace.drive", - "id": "1", - "ingested": "2022-02-03T12:24:51Z", - "provider": "drive", - "type": [ - "change" - ] - }, - "file": { - "name": "document title", - "owner": "owner", - "type": "file" - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "drive": { - "billable": false, - "destination_folder_id": "1234", - "destination_folder_title": "folder title", - "file": { - "id": "1234", - "owner": { - "email": "owner@example.com", - "is_shared_drive": false - }, - "type": "document" - }, - "originating_app_id": "1234", - "primary_event": true, - "visibility": "people_with_link" - }, - "event": { - "type": "access" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "owner", - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-drive" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} \ No newline at end of file 
diff --git a/packages/google_workspace/1.5.1/data_stream/groups/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.1/data_stream/groups/agent/stream/httpjson.yml.hbs deleted file mode 100755 index f0699fc2de..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/groups/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,44 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.oauth2.provider: google -auth.oauth2.google.jwt_file: {{jwt_file}} -auth.oauth2.google.jwt_json: {{jwt_json}} -auth.oauth2.google.delegated_account: {{delegated_account}} -auth.oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly -request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/groups -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: url.params.startTime - value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.split: - target: body.items - split: - target: body.events - keep_parent: true -response.pagination: - - set: - target: url.params.pageToken - value: "[[.last_response.body.nextPageToken]]" - fail_on_template_error: true -cursor: - last_execution_datetime: - value: "[[formatDate now]]" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/google_workspace/1.5.1/data_stream/groups/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.1/data_stream/groups/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index da25fdedc4..0000000000 
--- a/packages/google_workspace/1.5.1/data_stream/groups/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,300 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: iam - - append: - field: event.type - value: group - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - convert: - field: json.id.uniqueQualifier - target_field: event.id - type: string - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - convert: - field: json.actor.profileId - target_field: source.user.id - type: string - ignore_missing: true - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_missing: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - convert: - field: json.id.customerId - target_field: organization.id - type: string - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - target_field: google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - 
ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id != null - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - append: - field: event.type - value: change - if: '["change_basic_setting", "change_identity_setting", "change_info_setting", "change_new_members_restrictions_setting", "change_post_replies_setting", "change_spam_moderation_setting", "change_topic_setting", "change_acl_permission", "approve_join_request", "join"].contains(ctx?.event?.action)' - - append: - field: event.category - value: configuration - if: '["change_basic_setting", "change_identity_setting", "change_info_setting", "change_new_members_restrictions_setting", "change_post_replies_setting", "change_spam_moderation_setting", "change_topic_setting", "add_info_setting", "remove_info_setting"].contains(ctx?.event?.action)' - - append: - field: event.type - value: info - if: '["accept_invitation", "request_to_join", "ban_user_with_moderation", "revoke_invitation", "invite_user", "reject_join_request", "reinvite_user", "moderate_message", "always_post_from_user"].contains(ctx?.event?.action)' - - append: - field: event.type - value: user - if: '["accept_invitation", "approve_join_request", "join", "request_to_join", "ban_user_with_moderation", "revoke_invitation", "invite_user", "reject_join_request", "reinvite_user", 
"add_user", "remove_user"].contains(ctx?.event?.action)' - - append: - field: event.type - value: creation - if: '["create_group", "add_info_setting", "add_user"].contains(ctx?.event?.action)' - - append: - field: event.type - value: deletion - if: '["delete_group", "remove_info_setting", "remove_user"].contains(ctx?.event?.action)' - - script: - lang: painless - if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' - source: > - if (ctx.google_workspace.groups == null) { - ctx.google_workspace.groups = new HashMap(); - } - for (int i = 0; i < ctx.json.events.parameters.length; ++i) { - if (ctx["json"]["events"]["parameters"][i]["value"] != null) { - ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; - } - if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { - ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; - } - if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { - ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; - } - } - - rename: - field: google_workspace.groups.group_email - target_field: google_workspace.groups.email - ignore_missing: true - - rename: - field: google_workspace.groups.new_value_repeated - target_field: google_workspace.groups.new_value - ignore_missing: true - - rename: - field: google_workspace.groups.old_value_repeated - target_field: google_workspace.groups.old_value - ignore_missing: true - - rename: - field: google_workspace.groups.user_email - target_field: google_workspace.groups.member.email - ignore_missing: true - - rename: - field: google_workspace.groups.basic_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.identity_setting - target_field: 
google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.info_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.new_members_restrictions_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.post_replies_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.spam_moderation_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.topic_setting - target_field: google_workspace.groups.setting - ignore_missing: true - - rename: - field: google_workspace.groups.message_id - target_field: google_workspace.groups.message.id - ignore_missing: true - - rename: - field: google_workspace.groups.message_moderation_action - target_field: google_workspace.groups.message.moderation_action - ignore_missing: true - - rename: - field: google_workspace.groups.member_role - target_field: google_workspace.groups.member.role - ignore_missing: true - - set: - field: event.outcome - value: failure - if: 'ctx?.google_workspace?.groups?.status == "failed"' - - set: - field: event.outcome - value: success - if: 'ctx?.google_workspace?.groups?.status == "success"' - - script: - lang: painless - if: 'ctx?.google_workspace?.groups?.email != null && ctx?.google_workspace?.groups?.email.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.groups.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.group == null) { - ctx.group = new HashMap(); - } - ctx.group.name = splitmail[0]; - ctx.group.domain = splitmail[1]; - - script: - lang: painless - if: 'ctx?.google_workspace?.groups?.member?.email != null && ctx?.google_workspace?.groups?.member?.email.contains("@")' - source: > - String[] splitmail = 
ctx.google_workspace.groups.member.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - if (ctx.user.target == null) { - ctx.user.target = new HashMap(); - } - if (ctx.related == null) { - ctx.related = new HashMap(); - } - if (ctx.related.user == null) { - ctx.related.user = new ArrayList(); - } - ctx.related.user.add(splitmail[0]); - ctx.user.target.name = splitmail[0]; - ctx.user.target.domain = splitmail[1]; - ctx.user.target.email = ctx.google_workspace.groups.member.email; - - set: - field: user.target.group.name - copy_from: group.name - if: ctx?.group?.name != null - - set: - field: user.target.group.domain - copy_from: group.domain - if: ctx?.group?.domain != null - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.1/data_stream/groups/fields/agent.yml b/packages/google_workspace/1.5.1/data_stream/groups/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/groups/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/google_workspace/1.5.1/data_stream/groups/fields/base-fields.yml b/packages/google_workspace/1.5.1/data_stream/groups/fields/base-fields.yml deleted file mode 100755 index b265ecedb0..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/groups/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: google_workspace -- name: event.dataset - type: constant_keyword - description: Event dataset - value: google_workspace.groups -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/google_workspace/1.5.1/data_stream/groups/fields/ecs.yml b/packages/google_workspace/1.5.1/data_stream/groups/fields/ecs.yml deleted file mode 100755 index 1f2802e28a..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/groups/fields/ecs.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.1/data_stream/groups/fields/fields.yml b/packages/google_workspace/1.5.1/data_stream/groups/fields/fields.yml deleted file mode 100755 index f80bd11d93..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/groups/fields/fields.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -- name: google_workspace.groups - type: group - fields: - - name: acl_permission - type: keyword - description: | - Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: email - type: keyword - description: | - Group email. - - name: member.email - type: keyword - description: | - Member email. - - name: member.role - type: keyword - description: | - Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: setting - type: keyword - description: | - Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: new_value - type: keyword - description: | - New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: old_value - type: keyword - description: Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: value - type: keyword - description: | - Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups - - name: message.id - type: keyword - description: | - SMTP message Id of an email message. Present for moderation events. - - name: message.moderation_action - type: keyword - description: | - Message moderation action. Possible values are `approved` and `rejected`. - - name: status - type: keyword - description: | - A status describing the output of an operation. Possible values are `failed` and `succeeded`. 
diff --git a/packages/google_workspace/1.5.1/data_stream/groups/fields/package-fields.yml b/packages/google_workspace/1.5.1/data_stream/groups/fields/package-fields.yml deleted file mode 100755 index 6aaf0c1ca5..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/groups/fields/package-fields.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: google_workspace - type: group - fields: - - name: actor.type - type: keyword - description: | - The type of actor. - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: | - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: | - The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: kind - type: keyword - description: | - The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: organization.domain - type: keyword - description: | - The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.5.1/data_stream/groups/manifest.yml b/packages/google_workspace/1.5.1/data_stream/groups/manifest.yml deleted file mode 100755 index 7e74484384..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/groups/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Groups logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: Groups logs (httpjson) - description: Collect groups logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - google-workspace-groups - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/google_workspace/1.5.1/data_stream/groups/sample_event.json b/packages/google_workspace/1.5.1/data_stream/groups/sample_event.json deleted file mode 100755 index 315609614d..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/groups/sample_event.json +++ /dev/null 
@@ -1,110 +0,0 @@ -{ - "@timestamp": "2022-02-02T12:25:39.000Z", - "agent": { - "ephemeral_id": "a9599f5d-49a5-4339-9e5e-484f19370712", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.groups", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "change_acl_permission", - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2022-02-03T12:25:39.375Z", - "dataset": "google_workspace.groups", - "id": "1", - "ingested": "2022-02-03T12:25:40Z", - "provider": "groups", - "type": [ - "group", - "change" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "acl_change" - }, - "groups": { - "acl_permission": "can_add_members", - "email": "group@example.com", - "new_value": [ - "managers", - "members" - ], - "old_value": [ - "managers" - ] - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "group": { - "domain": "example.com", - "name": "group" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-groups" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo", - "target": { - "group": { - "domain": "example.com", - "name": "group" - } - } - } -} \ No newline at end of file 
diff --git a/packages/google_workspace/1.5.1/data_stream/login/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.1/data_stream/login/agent/stream/httpjson.yml.hbs deleted file mode 100755 index a8c2e6d9e7..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/login/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,44 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.oauth2.provider: google -auth.oauth2.google.jwt_file: {{jwt_file}} -auth.oauth2.google.jwt_json: {{jwt_json}} -auth.oauth2.google.delegated_account: {{delegated_account}} -auth.oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly -request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/login -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: url.params.startTime - value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.split: - target: body.items - split: - target: body.events - keep_parent: true -response.pagination: - - set: - target: url.params.pageToken - value: "[[.last_response.body.nextPageToken]]" - fail_on_template_error: true -cursor: - last_execution_datetime: - value: "[[formatDate now]]" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/google_workspace/1.5.1/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.1/data_stream/login/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a4c0266385..0000000000 
--- a/packages/google_workspace/1.5.1/data_stream/login/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,245 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: authentication - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - convert: - field: json.id.uniqueQualifier - target_field: event.id - type: string - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - convert: - field: json.actor.profileId - target_field: source.user.id - type: string - ignore_missing: true - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_missing: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - convert: - field: json.id.customerId - target_field: organization.id - type: string - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - target_field: google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - ignore_missing: true - - script: - lang: 
painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - append: - field: event.category - value: session - if: '["login_failure", "login_success", "logout"].contains(ctx?.event?.action)' - - append: - field: event.type - value: start - if: '["login_failure", "login_success"].contains(ctx?.event?.action)' - - append: - field: event.type - value: end - if: 'ctx?.event?.action == "logout"' - - append: - field: event.type - value: user - if: '["account_disabled_generic", "account_disabled_spamming_through_relay", "account_disabled_spamming", "account_disabled_hijacked", "account_disabled_password_leak"].contains(ctx?.event?.action)' - - append: - field: event.type - value: change - if: '["account_disabled_generic", "account_disabled_spamming_through_relay", "account_disabled_spamming", "account_disabled_hijacked", "account_disabled_password_leak"].contains(ctx?.event?.action)' - - append: - field: event.type - value: info - if: '["gov_attack_warning", "login_challenge", "login_verification", "suspicious_login", "suspicious_login_less_secure_app", "suspicious_programmatic_login"].contains(ctx?.event?.action)' - - set: - field: event.outcome - value: failure - if: 'ctx?.event?.action == "login_failure"' - - set: - field: event.outcome - value: success - if: 'ctx?.event?.action == 
"login_success"' - - script: - lang: painless - if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' - source: > - if (ctx.google_workspace.login == null) { - ctx.google_workspace.login = new HashMap(); - } - for (int i = 0; i < ctx.json.events.parameters.length; ++i) { - if (ctx["json"]["events"]["parameters"][i]["name"] != null && ctx["json"]["events"]["parameters"][i]["name"].startsWith("login_")) { - ctx["json"]["events"]["parameters"][i]["name"] = ctx["json"]["events"]["parameters"][i]["name"].substring(6); - } - if (ctx["json"]["events"]["parameters"][i]["value"] != null) { - ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; - } - if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { - ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; - } - if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { - ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; - } - } - - script: - lang: painless - if: ctx?.google_workspace?.login?.timestamp != null - source: > - ctx._temp_ = new HashMap(); - ctx._temp_.start = ctx?.google_workspace?.login.timestamp / 1000; - - date: - field: _temp_.start - target_field: event.start - timezone: UTC - formats: - - UNIX_MS - if: ctx?._temp_?.start != null - - set: - field: event.outcome - value: success - if: 'ctx?.google_workspace?.login?.challenge_status != null && ctx?.event?.outcome == null && ctx?.google_workspace?.login?.challenge_status == "Challenge Passed"' - - set: - field: event.outcome - value: failure - if: 'ctx?.google_workspace?.login?.challenge_status != null && ctx?.event?.outcome == null' - - script: - lang: painless - if: 'ctx?.google_workspace?.login?.affected_email_address != null && 
ctx?.google_workspace?.login?.affected_email_address.contains("@")' - source: > - String[] splitmail = ctx.google_workspace.login.affected_email_address.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.related == null) { - ctx.related = new HashMap(); - } - if (ctx.related.user == null) { - ctx.related.user = new ArrayList(); - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - if (ctx.user.target == null) { - ctx.user.target = new HashMap(); - } - ctx.user.target.name = splitmail[0]; - ctx.user.target.domain = splitmail[1]; - ctx.related.user.add(splitmail[0]); - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: - - json - - _temp_ - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.1/data_stream/login/fields/agent.yml b/packages/google_workspace/1.5.1/data_stream/login/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/login/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/google_workspace/1.5.1/data_stream/login/fields/base-fields.yml b/packages/google_workspace/1.5.1/data_stream/login/fields/base-fields.yml deleted file mode 100755 index cb70f3767f..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/login/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: google_workspace -- name: event.dataset - type: constant_keyword - description: Event dataset - value: google_workspace.login -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/google_workspace/1.5.1/data_stream/login/fields/ecs.yml b/packages/google_workspace/1.5.1/data_stream/login/fields/ecs.yml deleted file mode 100755 index 1f2802e28a..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/login/fields/ecs.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.1/data_stream/login/fields/fields.yml b/packages/google_workspace/1.5.1/data_stream/login/fields/fields.yml deleted file mode 100755 index 23e4416bab..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/login/fields/fields.yml +++ /dev/null @@ -1,29 +0,0 @@ -- name: google_workspace.login - type: group - fields: - - name: affected_email_address - type: keyword - - name: challenge_method - type: keyword - description: | - Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - - name: failure_type - type: keyword - description: | - Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - - name: challenge_status - type: keyword - description: | - Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - - name: timestamp - type: long - description: | - UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - - name: type - type: keyword - description: | - Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. - - name: is_second_factor - type: boolean - - name: is_suspicious - type: boolean 
diff --git a/packages/google_workspace/1.5.1/data_stream/login/fields/package-fields.yml b/packages/google_workspace/1.5.1/data_stream/login/fields/package-fields.yml deleted file mode 100755 index 6aaf0c1ca5..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/login/fields/package-fields.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: google_workspace - type: group - fields: - - name: actor.type - type: keyword - description: | - The type of actor. - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: | - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: | - The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: kind - type: keyword - description: | - The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: organization.domain - type: keyword - description: | - The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.5.1/data_stream/login/manifest.yml b/packages/google_workspace/1.5.1/data_stream/login/manifest.yml deleted file mode 100755 index 4adbd3874b..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/login/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: Login logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: Login logs (httpjson) - description: Collect login logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - google-workspace-login - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/google_workspace/1.5.1/data_stream/login/sample_event.json b/packages/google_workspace/1.5.1/data_stream/login/sample_event.json deleted file mode 100755 index 18ad1d7859..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/login/sample_event.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "@timestamp": "2022-02-02T12:26:31.000Z", - "agent": { - "ephemeral_id": "0b8db1d7-2f2e-4e9d-84d8-f3b4409101ef", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.login", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "account_disabled_password_leak", - "agent_id_status": "verified", - "category": [ - "authentication" - ], - "created": "2022-02-03T12:26:31.037Z", - "dataset": "google_workspace.login", - "id": "1", - "ingested": "2022-02-03T12:26:32Z", - "provider": "login", - "type": [ - "user", - "change" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "account_warning" - }, - "kind": "admin#reports#activity", - "login": { - "affected_email_address": "foo@elastic.co" - }, - "organization": { - "domain": "elastic.com" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo", - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-login" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo", - "target": { - "domain": "elastic.co", - "name": "foo" - } - } -} \ No newline at end of file diff --git a/packages/google_workspace/1.5.1/data_stream/saml/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.1/data_stream/saml/agent/stream/httpjson.yml.hbs deleted file mode 100755 index dc0abe3102..0000000000 
--- a/packages/google_workspace/1.5.1/data_stream/saml/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,44 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.oauth2.provider: google -auth.oauth2.google.jwt_file: {{jwt_file}} -auth.oauth2.google.jwt_json: {{jwt_json}} -auth.oauth2.google.delegated_account: {{delegated_account}} -auth.oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly -request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/saml -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: url.params.startTime - value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.split: - target: body.items - split: - target: body.events - keep_parent: true -response.pagination: - - set: - target: url.params.pageToken - value: "[[.last_response.body.nextPageToken]]" - fail_on_template_error: true -cursor: - last_execution_datetime: - value: "[[formatDate now]]" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.5.1/data_stream/saml/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.1/data_stream/saml/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 4124d08c13..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/saml/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,181 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.type - value: start - - append: - field: event.category - value: authentication - - append: - field: event.category - value: session - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - convert: - field: json.id.uniqueQualifier - target_field: event.id - type: string - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - convert: - field: json.actor.profileId - target_field: source.user.id - type: string - ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id != null - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_missing: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - convert: - field: json.id.customerId - target_field: organization.id - type: string - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - 
target_field: google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - ignore_missing: true - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - set: - field: event.outcome - value: success - if: 'ctx?.event?.action == "login_success"' - - set: - field: event.outcome - value: failure - if: 'ctx?.event?.action == "login_failure"' - - script: - lang: painless - if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' - source: > - if (ctx.google_workspace.saml == null) { - ctx.google_workspace.saml = new HashMap(); - } - for (int i = 0; i < ctx.json.events.parameters.length; ++i) { - if (ctx["json"]["events"]["parameters"][i]["name"] != null && ctx["json"]["events"]["parameters"][i]["name"].startsWith("saml_")) { - ctx["json"]["events"]["parameters"][i]["name"] = ctx["json"]["events"]["parameters"][i]["name"].substring(5); - } - if (ctx["json"]["events"]["parameters"][i]["value"] != null) { - ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; - } - if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { - ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; - } - if 
(ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { - ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; - } - } - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.1/data_stream/saml/fields/agent.yml b/packages/google_workspace/1.5.1/data_stream/saml/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/saml/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/google_workspace/1.5.1/data_stream/saml/fields/base-fields.yml b/packages/google_workspace/1.5.1/data_stream/saml/fields/base-fields.yml deleted file mode 100755 index 660db83315..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/saml/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: google_workspace -- name: event.dataset - type: constant_keyword - description: Event dataset - value: google_workspace.saml -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/google_workspace/1.5.1/data_stream/saml/fields/ecs.yml b/packages/google_workspace/1.5.1/data_stream/saml/fields/ecs.yml deleted file mode 100755 index 1f2802e28a..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/saml/fields/ecs.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.1/data_stream/saml/fields/fields.yml b/packages/google_workspace/1.5.1/data_stream/saml/fields/fields.yml deleted file mode 100755 index f2f39dd64b..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/saml/fields/fields.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: google_workspace.saml - type: group - fields: - - name: application_name - type: keyword - description: | - Saml SP application name. - - name: failure_type - type: keyword - description: | - Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. - - name: initiated_by - type: keyword - description: | - Requester of SAML authentication. - - name: orgunit_path - type: keyword - description: | - User orgunit. - - name: status_code - type: keyword - description: | - SAML status code. - - name: second_level_status_code - type: keyword - description: | - SAML second level status code. diff --git a/packages/google_workspace/1.5.1/data_stream/saml/fields/package-fields.yml b/packages/google_workspace/1.5.1/data_stream/saml/fields/package-fields.yml deleted file mode 100755 index 6aaf0c1ca5..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/saml/fields/package-fields.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -- name: google_workspace - type: group - fields: - - name: actor.type - type: keyword - description: | - The type of actor. - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: | - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: | - The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: kind - type: keyword - description: | - The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: organization.domain - type: keyword - description: | - The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.5.1/data_stream/saml/manifest.yml b/packages/google_workspace/1.5.1/data_stream/saml/manifest.yml deleted file mode 100755 index 5b8c5349f1..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/saml/manifest.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -type: logs -title: SAML logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: SAML logs (httpjson) - description: Collect SAML logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - google-workspace-saml - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/google_workspace/1.5.1/data_stream/saml/sample_event.json b/packages/google_workspace/1.5.1/data_stream/saml/sample_event.json deleted file mode 100755 index 239de70218..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/saml/sample_event.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "@timestamp": "2022-02-02T12:27:23.000Z", - "agent": { - "ephemeral_id": "4ffa592e-b9c1-4a7e-8c91-78817747d073", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.saml", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "login_failure", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "created": "2022-02-03T12:27:23.007Z", - "dataset": "google_workspace.saml", - "id": "1", - "ingested": "2022-02-03T12:27:24Z", - "outcome": "failure", - "provider": "saml", - "type": [ - "start" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "login" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - }, - "saml": { - "application_name": "app", - "failure_type": "failure_app_not_configured_for_user", - "initiated_by": "idp", - "orgunit_path": "ounit", - "second_level_status_code": "SUCCESS_URI", - "status_code": "SUCCESS_URI" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-saml" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} \ No newline at end of file 
diff --git a/packages/google_workspace/1.5.1/data_stream/user_accounts/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.5.1/data_stream/user_accounts/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 334297c6f8..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/user_accounts/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,44 +0,0 @@ -config_version: "2" -interval: {{interval}} -auth.oauth2.provider: google -auth.oauth2.google.jwt_file: {{jwt_file}} -auth.oauth2.google.jwt_json: {{jwt_json}} -auth.oauth2.google.delegated_account: {{delegated_account}} -auth.oauth2.scopes: - - https://www.googleapis.com/auth/admin.reports.audit.readonly -request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/user_accounts -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: - - set: - target: url.params.startTime - value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.split: - target: body.items - split: - target: body.events - keep_parent: true -response.pagination: - - set: - target: url.params.pageToken - value: "[[.last_response.body.nextPageToken]]" - fail_on_template_error: true -cursor: - last_execution_datetime: - value: "[[formatDate now]]" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.5.1/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.5.1/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2290902767..0000000000 
--- a/packages/google_workspace/1.5.1/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,152 +0,0 @@ ---- -description: Pipeline for parsing google_workspace logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.type - value: change - - append: - field: event.type - value: user - - append: - field: event.category - value: iam - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.id.time - timezone: UTC - formats: - - ISO8601 - - yyyy-MM-dd'T'HH:mm:ss - - yyyy-MM-dd'T'HH:mm:ssZ - - yyyy-MM-dd'T'HH:mm:ss.SSSZ - - yyyy/MM/dd HH:mm:ss z - - rename: - field: json.events.name - target_field: event.action - ignore_missing: true - - fingerprint: - description: Hashes the ID object and uses it as the document id to avoid duplicate events. - fields: - - json.id - target_field: _id - ignore_missing: true - ignore_failure: true - - rename: - field: json.id.applicationName - target_field: event.provider - ignore_missing: true - - convert: - field: json.id.uniqueQualifier - target_field: event.id - type: string - ignore_missing: true - - rename: - field: json.actor.email - target_field: source.user.email - ignore_missing: true - - convert: - field: json.actor.profileId - target_field: source.user.id - type: string - ignore_missing: true - - set: - field: user.id - copy_from: source.user.id - if: ctx?.source?.user?.id != null - - convert: - field: json.ipAddress - target_field: source.ip - type: ip - ignore_missing: true - - rename: - field: json.kind - target_field: google_workspace.kind - ignore_missing: true - - convert: - field: json.id.customerId - target_field: organization.id - type: string - ignore_missing: true - - rename: - field: json.actor.callerType - target_field: google_workspace.actor.type - ignore_missing: true - - rename: - field: json.actor.key - target_field: google_workspace.actor.key - ignore_missing: true - - rename: - field: json.ownerDomain - target_field: 
google_workspace.organization.domain - ignore_missing: true - - rename: - field: json.events.type - target_field: google_workspace.event.type - ignore_missing: true - - script: - lang: painless - if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' - source: > - String[] splitmail = ctx.source.user.email.splitOnToken('@'); - if (splitmail.length != 2) { - return; - } - if (ctx.user == null) { - ctx.user = new HashMap(); - } - ctx.user.name = splitmail[0]; - ctx.source.user.name = splitmail[0]; - ctx.user.domain = splitmail[1]; - ctx.source.user.domain = splitmail[1]; - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.user - value: "{{source.user.name}}" - if: ctx?.source?.user?.name != null - allow_duplicates: false - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/agent.yml b/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/base-fields.yml b/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/base-fields.yml deleted file mode 100755 index 061f34ffc7..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: google_workspace -- name: event.dataset - type: constant_keyword - description: Event dataset - value: google_workspace.user_accounts -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/ecs.yml b/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/ecs.yml deleted file mode 100755 index 1f2802e28a..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/ecs.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
- If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. 
- name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/package-fields.yml b/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/package-fields.yml deleted file mode 100755 index 6aaf0c1ca5..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/user_accounts/fields/package-fields.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: google_workspace - type: group - fields: - - name: actor.type - type: keyword - description: | - The type of actor. - Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - name: actor.key - type: keyword - description: | - Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - name: event.type - type: keyword - description: | - The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: kind - type: keyword - description: | - The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - name: organization.domain - type: keyword - description: | - The domain that is affected by the report's event. 
diff --git a/packages/google_workspace/1.5.1/data_stream/user_accounts/manifest.yml b/packages/google_workspace/1.5.1/data_stream/user_accounts/manifest.yml deleted file mode 100755 index bda3d1d7c8..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/user_accounts/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -type: logs -title: User accounts logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: User accounts logs (httpjson) - description: Collect user accounts logs using httpjson input - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - google-workspace-user-accounts - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/google_workspace/1.5.1/data_stream/user_accounts/sample_event.json b/packages/google_workspace/1.5.1/data_stream/user_accounts/sample_event.json deleted file mode 100755 index ad8b8fb11e..0000000000 --- a/packages/google_workspace/1.5.1/data_stream/user_accounts/sample_event.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "@timestamp": "2022-02-02T12:28:15.000Z", - "agent": { - "ephemeral_id": "3242bd5f-5862-4205-97eb-6aaac7d3f3d5", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.user_accounts", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "2sv_disable", - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2022-02-03T12:28:15.402Z", - "dataset": "google_workspace.user_accounts", - "id": "1", - "ingested": "2022-02-03T12:28:16Z", - "provider": "user_accounts", - "type": [ - "change", - "user" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "2sv_change" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-user-accounts" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} \ No newline at end of file diff --git a/packages/google_workspace/1.5.1/docs/README.md b/packages/google_workspace/1.5.1/docs/README.md deleted file mode 100755 index da6e9afe13..0000000000 --- a/packages/google_workspace/1.5.1/docs/README.md +++ /dev/null 
@@ -1,1500 +0,0 @@ -# Google Workspace Integration - -The Google Workspace integration collects and parses data from the different [Google Workspace audit reports APIs](https://developers.google.com/admin-sdk/reports). - -## Compatibility - -It is compatible with a subset of applications under the [Google Reports API v1](https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started). As of today it supports: - -| Google Workspace Service | Description | -|---|---| -| [SAML](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml) [help](https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054) | View users’ successful and failed sign-ins to SAML applications. | -| [User Accounts](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts) [help](https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054) | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | -| [Login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login) [help](https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054) | Track user sign-in activity to your domain. | -| [Admin](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings) [help](https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054) | View administrator activity performed within the Google Admin console. | -| [Drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) [help](https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054) | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. 
| -| [Groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) [help](https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054) | Track changes to groups, group memberships and group messages. | - -## Requirements - -In order to ingest data from the Google Reports API you must: - -- Have an *administrator account*. -- [Set up a ServiceAccount](https://support.google.com/workspacemigrate/answer/9222993?hl=en) using the administrator account. -- [Set up access to the Admin SDK API](https://support.google.com/workspacemigrate/answer/9222865?hl=en) for the ServiceAccount. -- [Enable Domain-Wide Delegation](https://developers.google.com/admin-sdk/reports/v1/guides/delegation) for your ServiceAccount. - -This module will make use of the following *oauth2 scope*: - -- `https://www.googleapis.com/auth/admin.reports.audit.readonly` - -Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration. - -## Logs - -### Google Workspace Reports ECS fields - -This is a list of Google Workspace Reports fields that are mapped to ECS that are common to al data sets. - -| Google Workspace Reports | ECS Fields | -|------------------------------|---------------------------------------------------------------| -| `items[].id.time` | `@timestamp` | -| `items[].id.uniqueQualifier` | `event.id` | -| `items[].id.applicationName` | `event.provider` | -| `items[].events[].name` | `event.action` | -| `items[].customerId` | `organization.id` | -| `items[].ipAddress` | `source.ip`, `related.ip`, `source.as.*`, `source.geo.*` | -| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | -| `items[].actor.profileId` | `source.user.id` | - -### SAML - -This is the `saml` dataset. 
- -An example event for `saml` looks as following: - -```json -{ - "@timestamp": "2022-02-02T12:27:23.000Z", - "agent": { - "ephemeral_id": "4ffa592e-b9c1-4a7e-8c91-78817747d073", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.saml", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "login_failure", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "created": "2022-02-03T12:27:23.007Z", - "dataset": "google_workspace.saml", - "id": "1", - "ingested": "2022-02-03T12:27:24Z", - "outcome": "failure", - "provider": "saml", - "type": [ - "start" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "login" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - }, - "saml": { - "application_name": "app", - "failure_type": "failure_app_not_configured_for_user", - "initiated_by": "idp", - "orgunit_path": "ounit", - "second_level_status_code": "SUCCESS_URI", - "status_code": "SUCCESS_URI" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-saml" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword |
-| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword |
-| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword |
-| google_workspace.saml.application_name | Saml SP application name. | keyword |
-| google_workspace.saml.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. | keyword |
-| google_workspace.saml.initiated_by | Requester of SAML authentication. | keyword |
-| google_workspace.saml.orgunit_path | User orgunit. | keyword |
-| google_workspace.saml.second_level_status_code | SAML second level status code. | keyword |
-| google_workspace.saml.status_code | SAML status code. | keyword |
-| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| organization.id | Unique identifier for the organization. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.email | User email address. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.email | User email address. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-
-
-### User Accounts
-
-This is the `user_accounts` dataset.
-
-An example event for `user_accounts` looks as following:
-
-```json
-{
- "@timestamp": "2022-02-02T12:28:15.000Z",
- "agent": {
- "ephemeral_id": "3242bd5f-5862-4205-97eb-6aaac7d3f3d5",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "google_workspace.user_accounts",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "2sv_disable",
- "agent_id_status": "verified",
- "category": [
- "iam"
- ],
- "created": "2022-02-03T12:28:15.402Z",
- "dataset": "google_workspace.user_accounts",
- "id": "1",
- "ingested": "2022-02-03T12:28:16Z",
- "provider": "user_accounts",
- "type": [
- "change",
- "user"
- ]
- },
- "google_workspace": {
- "actor": {
- "type": "USER"
- },
- "event": {
- "type": "2sv_change"
- },
- "kind": "admin#reports#activity",
- "organization": {
- "domain": "elastic.com"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "id": "1"
- },
- "related": {
- "ip": [
- "98.235.162.24"
- ],
- "user": [
- "foo"
- ]
- },
- "source": {
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, Inc."
- }
- },
- "ip": "98.235.162.24",
- "user": {
- "domain": "bar.com",
- "email": "foo@bar.com",
- "id": "1",
- "name": "foo"
- }
- },
- "tags": [
- "forwarded",
- "google-workspace-user-accounts"
- ],
- "user": {
- "domain": "bar.com",
- "id": "1",
- "name": "foo"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword |
-| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword |
-| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword |
-| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| organization.id | Unique identifier for the organization. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.email | User email address. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.email | User email address. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-
-
-### Login Accounts
-
-This is the `login` dataset.
-
-An example event for `login` looks as following:
-
-```json
-{
- "@timestamp": "2022-02-02T12:26:31.000Z",
- "agent": {
- "ephemeral_id": "0b8db1d7-2f2e-4e9d-84d8-f3b4409101ef",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "google_workspace.login",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "account_disabled_password_leak",
- "agent_id_status": "verified",
- "category": [
- "authentication"
- ],
- "created": "2022-02-03T12:26:31.037Z",
- "dataset": "google_workspace.login",
- "id": "1",
- "ingested": "2022-02-03T12:26:32Z",
- "provider": "login",
- "type": [
- "user",
- "change"
- ]
- },
- "google_workspace": {
- "actor": {
- "type": "USER"
- },
- "event": {
- "type": "account_warning"
- },
- "kind": "admin#reports#activity",
- "login": {
- "affected_email_address": "foo@elastic.co"
- },
- "organization": {
- "domain": "elastic.com"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "organization": {
- "id": "1"
- },
- "related": {
- "ip": [
- "98.235.162.24"
- ],
- "user": [
- "foo",
- "foo"
- ]
- },
- "source": {
- "as": {
- "number": 7922,
- "organization": {
- "name": "Comcast Cable Communications, Inc."
- }
- },
- "ip": "98.235.162.24",
- "user": {
- "domain": "bar.com",
- "email": "foo@bar.com",
- "id": "1",
- "name": "foo"
- }
- },
- "tags": [
- "forwarded",
- "google-workspace-login"
- ],
- "user": {
- "domain": "bar.com",
- "id": "1",
- "name": "foo",
- "target": {
- "domain": "elastic.co",
- "name": "foo"
- }
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword |
-| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword |
-| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.login.affected_email_address | | keyword |
-| google_workspace.login.challenge_method | Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
-| google_workspace.login.challenge_status | Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
-| google_workspace.login.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
-| google_workspace.login.is_second_factor | | boolean |
-| google_workspace.login.is_suspicious | | boolean |
-| google_workspace.login.timestamp | UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | long |
-| google_workspace.login.type | Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
-| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword |
-| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| organization.id | Unique identifier for the organization. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -### Admin - -This is the `admin` dataset. - -An example event for `admin` looks as following: - -```json -{ - "@timestamp": "2022-02-02T12:23:57.000Z", - "agent": { - "ephemeral_id": "68cf8bd1-0ff1-4c77-a4e7-64ab24882a9c", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.admin", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "CHANGE_APPLICATION_SETTING", - "agent_id_status": "verified", - "category": [ - "iam", - "configuration" - ], - "created": "2022-02-03T12:23:57.797Z", - "dataset": "google_workspace.admin", - "id": "1", - "ingested": "2022-02-03T12:23:58Z", - "provider": "admin", - "type": [ - "change" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "admin": { - "application": { - "edition": "basic", - "name": "drive" - }, - "group": { - "email": "group@example.com" - }, - "new_value": "new", - "old_value": "old", - "org_unit": { - "name": "org" - }, - "setting": { - "name": "setting" - } - }, - "event": { - "type": 
"APPLICATION_SETTINGS" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "group": { - "domain": "example.com", - "name": "group" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." - } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-admin" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo", - "target": { - "group": { - "domain": "example.com", - "name": "group" - } - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | -| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | -| google_workspace.admin.alert.name | The alert name. | keyword | -| google_workspace.admin.api.client.name | The API client name. | keyword | -| google_workspace.admin.api.scopes | The API scopes. 
| keyword | -| google_workspace.admin.application.asp_id | The application specific password ID. | keyword | -| google_workspace.admin.application.edition | The Google Workspace edition. | keyword | -| google_workspace.admin.application.enabled | The enabled application. | keyword | -| google_workspace.admin.application.id | The application ID. | keyword | -| google_workspace.admin.application.licences_order_number | Order number used to redeem licenses. | keyword | -| google_workspace.admin.application.licences_purchased | Number of licences purchased. | long | -| google_workspace.admin.application.name | The application's name. | keyword | -| google_workspace.admin.application.package_id | The mobile application package ID. | keyword | -| google_workspace.admin.bulk_upload.failed | Number of failed records in bulk upload operation. | long | -| google_workspace.admin.bulk_upload.total | Number of total records in bulk upload operation. | long | -| google_workspace.admin.chrome_licenses.allowed | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword | -| google_workspace.admin.chrome_licenses.enabled | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword | -| google_workspace.admin.chrome_os.session_type | Chrome OS session type. | keyword | -| google_workspace.admin.device.command_details | Command details. | keyword | -| google_workspace.admin.device.id | | keyword | -| google_workspace.admin.device.serial_number | Device serial number. | keyword | -| google_workspace.admin.device.type | Device type. | keyword | -| google_workspace.admin.distribution.entity.name | The distribution entity value, which can be a group name or an org-unit name. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword | -| google_workspace.admin.distribution.entity.type | The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword | -| google_workspace.admin.domain.alias | The domain alias. | keyword | -| google_workspace.admin.domain.name | The primary domain name. | keyword | -| google_workspace.admin.domain.secondary_name | The secondary domain name. | keyword | -| google_workspace.admin.email.log_search_filter.end_date | The log search filter's ending date. | date | -| google_workspace.admin.email.log_search_filter.message_id | The log search filter's email message ID. | keyword | -| google_workspace.admin.email.log_search_filter.recipient.ip | The log search filter's email recipient's IP address. | ip | -| google_workspace.admin.email.log_search_filter.recipient.value | The log search filter's email recipient. | keyword | -| google_workspace.admin.email.log_search_filter.sender.ip | The log search filter's email sender's IP address. | ip | -| google_workspace.admin.email.log_search_filter.sender.value | The log search filter's email sender. | keyword | -| google_workspace.admin.email.log_search_filter.start_date | The log search filter's start date. | date | -| google_workspace.admin.email.quarantine_name | The name of the quarantine. | keyword | -| google_workspace.admin.email_dump.include_deleted | Indicates if deleted emails are included in the export. | boolean | -| google_workspace.admin.email_dump.package_content | The contents of the mailbox package. | keyword | -| google_workspace.admin.email_dump.query | The search query used for the dump. | keyword | -| google_workspace.admin.email_monitor.dest_email | The destination address of the email monitor. 
| keyword | -| google_workspace.admin.email_monitor.level.chat | The chat email monitor level. | keyword | -| google_workspace.admin.email_monitor.level.draft | The draft email monitor level. | keyword | -| google_workspace.admin.email_monitor.level.incoming | The incoming email monitor level. | keyword | -| google_workspace.admin.email_monitor.level.outgoing | The outgoing email monitor level. | keyword | -| google_workspace.admin.field | The name of the field. | keyword | -| google_workspace.admin.gateway.name | Gateway name. Present on some chat settings. | keyword | -| google_workspace.admin.group.allowed_list | Names of allow-listed groups. | keyword | -| google_workspace.admin.group.email | The group's primary email address. | keyword | -| google_workspace.admin.group.priorities | Group priorities. | keyword | -| google_workspace.admin.info_type | This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword | -| google_workspace.admin.managed_configuration | The name of the managed configuration. | keyword | -| google_workspace.admin.mdm.token | The MDM vendor enrollment token. | keyword | -| google_workspace.admin.mdm.vendor | The MDM vendor's name. | keyword | -| google_workspace.admin.mobile.action.id | The mobile device action's ID. | keyword | -| google_workspace.admin.mobile.action.type | The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword | -| google_workspace.admin.mobile.certificate.name | The mobile certificate common name. | keyword | -| google_workspace.admin.mobile.company_owned_devices | The number of devices a company owns. | long | -| google_workspace.admin.new_value | The new value for the setting. 
| keyword | -| google_workspace.admin.non_featured_services_selection | Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED | keyword | -| google_workspace.admin.oauth2.application.id | OAuth2 application ID. | keyword | -| google_workspace.admin.oauth2.application.name | OAuth2 application name. | keyword | -| google_workspace.admin.oauth2.application.type | OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings | keyword | -| google_workspace.admin.oauth2.service.name | OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings | keyword | -| google_workspace.admin.old_value | The old value for the setting. | keyword | -| google_workspace.admin.org_unit.full | The org unit full path including the root org unit name. | keyword | -| google_workspace.admin.org_unit.name | The organizational unit name. | keyword | -| google_workspace.admin.print_server.name | The name of the print server. | keyword | -| google_workspace.admin.printer.name | The name of the printer. | keyword | -| google_workspace.admin.privilege.name | Privilege name. | keyword | -| google_workspace.admin.product.name | The product name. | keyword | -| google_workspace.admin.product.sku | The product SKU. | keyword | -| google_workspace.admin.request.id | The request ID. | keyword | -| google_workspace.admin.resource.id | The name of the resource identifier. | keyword | -| google_workspace.admin.role.id | Unique identifier for this role privilege. | keyword | -| google_workspace.admin.role.name | The role name. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings | keyword | -| google_workspace.admin.rule.name | The rule name. | keyword | -| google_workspace.admin.service.name | The service name. | keyword | -| google_workspace.admin.setting.description | The setting name. | keyword | -| google_workspace.admin.setting.name | The setting name. | keyword | -| google_workspace.admin.url.name | The website name. | keyword | -| google_workspace.admin.user.birthdate | The user's birth date. | date | -| google_workspace.admin.user.email | The user's primary email address. | keyword | -| google_workspace.admin.user.nickname | The user's nickname. | keyword | -| google_workspace.admin.user_defined_setting.name | The name of the user-defined setting. | keyword | -| google_workspace.admin.verification_method | Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword | -| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. 
| keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.name | Name given by operators to sections of their network. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. 
| match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -### Drive - -This is the `drive` dataset. 
- -An example event for `drive` looks as following: - -```json -{ - "@timestamp": "2022-02-02T12:24:50.000Z", - "agent": { - "ephemeral_id": "3160d231-025f-4e24-9581-72458c960fca", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.drive", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "add_to_folder", - "agent_id_status": "verified", - "category": [ - "file" - ], - "created": "2022-02-03T12:24:50.101Z", - "dataset": "google_workspace.drive", - "id": "1", - "ingested": "2022-02-03T12:24:51Z", - "provider": "drive", - "type": [ - "change" - ] - }, - "file": { - "name": "document title", - "owner": "owner", - "type": "file" - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "drive": { - "billable": false, - "destination_folder_id": "1234", - "destination_folder_title": "folder title", - "file": { - "id": "1234", - "owner": { - "email": "owner@example.com", - "is_shared_drive": false - }, - "type": "document" - }, - "originating_app_id": "1234", - "primary_event": true, - "visibility": "people_with_link" - }, - "event": { - "type": "access" - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "owner", - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." 
- } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-drive" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.owner | File owner's username. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.type | File type (file, dir, or symlink). | keyword | -| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | -| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | -| google_workspace.drive.added_role | Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.billable | Whether this activity is billable. 
| boolean | -| google_workspace.drive.destination_folder_id | | keyword | -| google_workspace.drive.destination_folder_title | | keyword | -| google_workspace.drive.file.id | | keyword | -| google_workspace.drive.file.owner.email | | keyword | -| google_workspace.drive.file.owner.is_shared_drive | Boolean flag denoting whether owner is a shared drive. | boolean | -| google_workspace.drive.file.type | Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.membership_change_type | Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.new_value | When a setting or property of the file changes, the new value for it will appear here. | keyword | -| google_workspace.drive.old_value | When a setting or property of the file changes, the old value for it will appear here. | keyword | -| google_workspace.drive.old_visibility | When visibility changes, this holds the old value. | keyword | -| google_workspace.drive.originating_app_id | The Google Cloud Project ID of the application that performed the action. | keyword | -| google_workspace.drive.primary_event | Whether this is a primary event. A single user action in Drive may generate several events. | boolean | -| google_workspace.drive.removed_role | Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.shared_drive_id | The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. | keyword | -| google_workspace.drive.shared_drive_settings_change_type | Type of change in Team Drive settings. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.sheets_import_range_recipient_doc | Doc ID of the recipient of a sheets import range. | keyword | -| google_workspace.drive.source_folder_id | | keyword | -| google_workspace.drive.source_folder_title | | keyword | -| google_workspace.drive.target | Target user or group. | keyword | -| google_workspace.drive.target_domain | The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. | keyword | -| google_workspace.drive.visibility | Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | -| google_workspace.drive.visibility_change | When visibility changes, this holds the new overall visibility of the file. | keyword | -| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| organization.id | Unique identifier for the organization. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. 
| keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.email | User email address. | keyword | -| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.target.group.name | Name of the group. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -### Groups - -This is the `groups` dataset. 
- -An example event for `groups` looks as following: - -```json -{ - "@timestamp": "2022-02-02T12:25:39.000Z", - "agent": { - "ephemeral_id": "a9599f5d-49a5-4339-9e5e-484f19370712", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "google_workspace.groups", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "change_acl_permission", - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2022-02-03T12:25:39.375Z", - "dataset": "google_workspace.groups", - "id": "1", - "ingested": "2022-02-03T12:25:40Z", - "provider": "groups", - "type": [ - "group", - "change" - ] - }, - "google_workspace": { - "actor": { - "type": "USER" - }, - "event": { - "type": "acl_change" - }, - "groups": { - "acl_permission": "can_add_members", - "email": "group@example.com", - "new_value": [ - "managers", - "members" - ], - "old_value": [ - "managers" - ] - }, - "kind": "admin#reports#activity", - "organization": { - "domain": "elastic.com" - } - }, - "group": { - "domain": "example.com", - "name": "group" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "id": "1" - }, - "related": { - "ip": [ - "98.235.162.24" - ], - "user": [ - "foo" - ] - }, - "source": { - "as": { - "number": 7922, - "organization": { - "name": "Comcast Cable Communications, Inc." 
- } - }, - "ip": "98.235.162.24", - "user": { - "domain": "bar.com", - "email": "foo@bar.com", - "id": "1", - "name": "foo" - } - }, - "tags": [ - "forwarded", - "google-workspace-groups" - ], - "user": { - "domain": "bar.com", - "id": "1", - "name": "foo", - "target": { - "group": { - "domain": "example.com", - "name": "group" - } - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. 
| keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. 
It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | -| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | -| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | -| google_workspace.groups.acl_permission | Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | -| google_workspace.groups.email | Group email. | keyword | -| google_workspace.groups.member.email | Member email. | keyword | -| google_workspace.groups.member.role | Member role. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
-| google_workspace.groups.message.id | SMTP message Id of an email message. Present for moderation events. | keyword |
-| google_workspace.groups.message.moderation_action | Message moderation action. Possible values are `approved` and `rejected`. | keyword |
-| google_workspace.groups.new_value | New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
-| google_workspace.groups.old_value | Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
-| google_workspace.groups.setting | Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
-| google_workspace.groups.status | A status describing the output of an operation. Possible values are `failed` and `succeeded`. | keyword |
-| google_workspace.groups.value | Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
-| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword |
-| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword |
-| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.offset | Log offset | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| organization.id | Unique identifier for the organization. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.email | User email address. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.email | User email address. | keyword |
-| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-
diff --git a/packages/google_workspace/1.5.1/img/logo.svg b/packages/google_workspace/1.5.1/img/logo.svg
deleted file mode 100755
index c06982fbad..0000000000
--- a/packages/google_workspace/1.5.1/img/logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/google_workspace/1.5.1/manifest.yml b/packages/google_workspace/1.5.1/manifest.yml
deleted file mode 100755
index 5fb6f620f8..0000000000
--- a/packages/google_workspace/1.5.1/manifest.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-name: google_workspace
-title: Google Workspace Audit Reports
-version: 1.5.1
-release: ga
-description: Collect audit reports from Google Workspaces with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-icons:
- - src: /img/logo.svg
- title: logo Google
- size: 32x32
- type: image/svg+xml
-categories:
- - security
-conditions:
- kibana.version: ^8.4.0
-policy_templates:
- - name: google_workspace
- title: Google Workspace logs
- description: Collect logs from Google Workspace APIs
- inputs:
- - type: httpjson
- vars:
- - name: jwt_file
- type: text
- title: Jwt File
- description: Specifies the path to the JWT credentials file.
- multi: false
- required: false
- show_user: true
- - name: jwt_json
- type: text
- title: Jwt JSON
- description: |
- Raw contents of the JWT file. Useful when hosting
- a file along with the agent is not possible.
- multi: false
- required: false
- show_user: true
- - name: delegated_account
- type: text
- title: Delegated Account
- description: Email of the admin user used to access the API.
- multi: false
- required: true
- show_user: true
- - name: initial_interval
- type: text
- title: Initial Interval
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: http_client_timeout
- type: text
- title: Http Client Timeout
- description: Duration of the time limit on HTTP requests.
- multi: false
- required: true
- show_user: true
- default: 60s
- - name: user_key
- type: text
- title: User Key
- description: Specifies the user key to fetch reports from.
- multi: false
- required: true
- show_user: true
- default: all
- - name: interval
- type: text
- title: Interval
- description: >
- Duration between requests to the API. Google Workspace defaults to a 2 hour polling interval because Google reports can go from some minutes up to 3 days of delay. For more details on this, you can read more at https://support.google.com/a/answer/7061566.
-
- multi: false
- required: true
- show_user: true
- default: 2h
- - name: api_host
- type: text
- title: API Host.
- description: The Google Workspace API Host. The path will be automatically set.
- multi: false
- required: true
- show_user: false
- default: https://www.googleapis.com
- title: "Collect admin, drive, groups, login, saml and user accounts logs (input: httpjson)"
- description: "Collecting admin, drive, groups, login, saml and user accounts logs (input: httpjson)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/hid_bravura_monitor/1.0.3/changelog.yml b/packages/hid_bravura_monitor/1.0.3/changelog.yml
deleted file mode 100755
index 2f4d60acaf..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/changelog.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-# newer versions go on top
-- version: "1.0.3"
- changes:
- - description: Update readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3108
-- version: "1.0.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.0.1"
- changes:
- - description: Documentation update
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2654
-- version: "1.0.0"
- changes:
- - description: full release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1912
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/log/agent/stream/filestream.yml.hbs b/packages/hid_bravura_monitor/1.0.3/data_stream/log/agent/stream/filestream.yml.hbs
deleted file mode 100755
index e926888e7f..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/log/agent/stream/filestream.yml.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-prospector.scanner.exclude_files: [".gz$"]
-line_terminator: carriage_return_line_feed
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
- {{processors}}
-{{/if}}
- - add_fields:
- target: ''
- fields:
- hid_bravura_monitor.instancename: {{instancename}}
- hid_bravura_monitor.node: {{node}}
- hid_bravura_monitor.environment: {{environment}}
- hid_bravura_monitor.instancetype: {{instancetype}}
- event.timezone: {{timezone}}
-parsers:
- - multiline:
- type: pattern
- pattern: ^[[:cntrl:]]
- negate: true
- match: after
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 23a2795b4e..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,196 +0,0 @@
----
-description: Pipeline for parsing hid_bravura_monitor logs
-processors:
- - set:
- field: ecs.version
- value: 1.12.0
- description: Set ecs.version to 1.12.0
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - grok:
- field: event.original
- patterns:
- - >-
- (^[[:cntrl:]])?%{TIMESTAMP_ISO8601:logdate}.%{NONNEGINT}
-
- \[(%{DATA:pslogid})?\] %{DATA:log.logger}
- \[%{NONNEGINT:process.pid},%{NONNEGINT:process.thread.id}\]
- %{DATA:log.level}: %{MULTILINEDATA:msg}
- pattern_definitions:
- MULTILINEDATA: |-
- (.|
- )*
- description: Initial parse
- - drop:
- if: ctx?.msg.contains('last message repeated')
- description: Drop repeated log message
- - grok:
- field: event.original
- patterns:
- - >-
- (^[[:cntrl:]])?%{TIMESTAMP_ISO8601}.%{NONNEGINT}
- \[%{DATA}\] %{DATA}
- \[%{NONNEGINT},%{NONNEGINT}\] %{DATA}:
- %{NOTSPACE:hid_bravura_monitor.perf.kind}. %{GREEDYDATA:kvpairs}
- ignore_missing: true
- if: ctx?.log?.level.contains('Perf')
- description: Parse Perf messages
- - set:
- field: log.level
- value: Perf
- if: ctx?.log?.level.contains('Perf')
- description: Set log.level to Perf
- - kv:
- if: ctx?.log?.level.contains('Perf')
- trim_key: ' \r\n'
- trim_value: ' {}\r\n'
- value_split: ': '
- target_field: hid_bravura_monitor.perf
- ignore_missing: true
- description: Separate perf info
- field: kvpairs
- field_split: ' \| '
- - rename:
- if: ctx?.hid_bravura_monitor?.perf?.kind == 'PerfAjax'
- target_field: user.id
- field: hid_bravura_monitor.perf.User
- ignore_missing: true
- description: Rename hid_bravura_monitor.perf.User to user.id
- - script:
- if: ctx?.log?.level.contains('Perf')
- source: >-
- Map m = new HashMap(); ctx['hid_bravura_monitor']['perf'].forEach((k,v)
- -> m.put(k.toLowerCase(), v));
- ctx['hid_bravura_monitor'].remove('perf');
- ctx['hid_bravura_monitor']['perf'] = new HashMap(); m.forEach((k,v) ->
- ctx['hid_bravura_monitor']['perf'][k] = v );
- description: lowercase perf fields
- - set:
- if: ctx?.hid_bravura_monitor?.perf?.kind == 'PerfExe'
- field: hid_bravura_monitor.perf.exe
- copy_from: log.logger
- ignore_empty_value: true
- description: Copy log.logger to hid_bravura_monitor.perf.exe
- - remove:
- field: kvpairs
- ignore_missing: true
- description: Remove kvpairs
- - grok:
- field: pslogid
- patterns:
- - >-
- %{UUID:hid_bravura_monitor.request.id}
- - >-
- %{[A-Fa-f0-9]{32}:hid_bravura_monitor.request.id}
- ignore_missing: true
- ignore_failure: true
- description: Set requestid if batchid
- - rename:
- target_field: user.id
- field: pslogid
- ignore_missing: true
- if: ctx.hid_bravura_monitor?.request?.id == null && ctx?.hid_bravura_monitor?.perf?.kind != 'PerfAjax'
- description: Set userid if not a guid
- - remove:
- field: pslogid
- ignore_missing: true
- description: Remove pslogid
- - date:
- field: logdate
- formats:
- - 'yyyy-MM-dd HH:mm:ss.SSS'
- timezone: '{{event.timezone}}'
- description: Convert logdate to @timestamp
- - rename:
- target_field: message
- field: msg
- description: Override message
- - remove:
- field: logdate
- description: Remove logdate
- - set:
- if: ctx?.hid_bravura_monitor?.node == '0.0.0.0'
- field: hid_bravura_monitor.node
- copy_from: host.name
- ignore_empty_value: true
- description: Copy host.name to hid_bravura_monitor.node if left as default
- - convert:
- field: process.pid
- type: long
- ignore_missing: true
- description: process.pid to Long
- - convert:
- field: process.thread.id
- type: long
- ignore_missing: true
- description: process.thread.id to Long
- - convert:
- field: hid_bravura_monitor.perf.duration
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.duration to Long
- - convert:
- field: hid_bravura_monitor.perf.kernel
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.kernel to Long
- - convert:
- field: hid_bravura_monitor.perf.user
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.user to Long
- - dot_expander:
- field: hid_bravura_monitor.perf.kind
- ignore_failure: true
- description: move hid_bravura_monitor.perf.kind to object
- - convert:
- field: hid_bravura_monitor.perf.line
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.line to Long
- - convert:
- field: hid_bravura_monitor.perf.records
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.records to Long
- - convert:
- field: hid_bravura_monitor.perf.result
- type: long
- ignore_missing: true
- description: hid_bravura_monitor.perf.result to Long
- - script:
- lang: painless
- description: This script processor iterates over the whole document to remove fields with null values.
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/agent.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/agent.yml
deleted file mode 100755
index d38a70bd6b..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/base-fields.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index cf3e4e1384..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: hid_bravura_monitor
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: hid_bravura_monitor.log
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/ecs.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 457b585676..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,477 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: Destination domain. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. 
- name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
- name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. 
- name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Custom key/value pairs. - Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. - Example: `docker` and `k8s` labels. - name: labels - type: object -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. 
- name: log.level - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
- name: network.iana_number - type: keyword -- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) - name: network.inner - type: object -- description: VLAN ID as reported by the observer. - name: network.inner.vlan.id - type: keyword -- description: Optional VLAN name as reported by the observer. - name: network.inner.vlan.name - type: keyword -- description: |- - L7 Network protocol name. ex. http, lumberjack, transport protocol. - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - name: network.type - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. 
- name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Thread ID. - name: process.thread.id - type: long -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Server domain. - name: server.domain - type: keyword -- description: |- - Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: Source domain. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". 
- name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: url.top_level_domain
- type: keyword
-- description: Username of the request.
- name: url.username
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Server domain.
- name: server.domain
- type: keyword
-- description: |-
- Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: server.address
- type: keyword
-- description: Port of the server.
- name: server.port
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Client domain.
- name: client.domain
- type: keyword
-- description: |-
- Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: client.address
- type: keyword
-- description: Port of the client.
- name: client.port
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/fields.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/fields.yml
deleted file mode 100755
index 79a0312e10..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-- name: hid_bravura_monitor.environment
- type: keyword
- description: Instance environment
-- name: hid_bravura_monitor.instancename
- type: keyword
- description: Instance name
-- name: hid_bravura_monitor.instancetype
- type: keyword
- description: Instance type
-- name: hid_bravura_monitor.node
- type: keyword
- description: Node
-- name: hid_bravura_monitor.request
- type: group
- fields:
- - name: id
- type: keyword
- description: Request ID
-- name: hid_bravura_monitor.perf
- type: group
- fields:
- - name: address
- type: wildcard
- description: Server address
- - name: adminid
- type: keyword
- description: Administrator ID
- - name: caller
- type: keyword
- description: Application caller
- - name: dbcommand
- type: keyword
- description: Database command
- - name: destination
- type: wildcard
- description: Destination URL
- - name: duration
- type: long
- description: Performance duration
- - name: event
- type: keyword
- description: Event
- - name: exe
- type: keyword
- description: Executable
- - name: file
- type: keyword
- description: Source file
- - name: function
- type: keyword
- description: Performance function
- - name: kernel
- type: long
- description: Kernel Time
- - name: kind
- type: keyword
- description: Performance type (ie. PerfExe, PerfAjax, PerfFileRep, etc.)
- - name: line
- type: long
- description: Line number
- - name: message
- type: wildcard
- description: Performance message
- multi_fields:
- - name: keyword
- type: keyword
- - name: operation
- type: keyword
- description: Operation
- - name: receivequeue
- type: keyword
- description: Receive queue
- - name: records
- type: long
- description: Database records
- - name: result
- type: long
- description: Result
- - name: sessionid
- type: keyword
- description: Session ID
- - name: sysid
- type: keyword
- description: System ID
- - name: table
- type: keyword
- description: Database table
- - name: targetid
- type: keyword
- description: Target ID
- - name: transid
- type: keyword
- description: Transaction ID
- - name: type
- type: keyword
- description: IDWFM type
- - name: user
- type: long
- description: User time
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/log/manifest.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/log/manifest.yml
deleted file mode 100755
index 30213ea82e..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-type: logs
-title: Hitachi ID Bravura Monitor
-streams:
- - input: filestream
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - C:/Program Files/Hitachi ID/IDM Suite/Logs/default*/idmsuite*.log
- description: "Path to IDM Suite log files"
- - name: node
- type: text
- title: Node
- multi: false
- required: true
- show_user: true
- default: 0.0.0.0
- description: "If set to 0.0.0.0, `hid_bravura_monitor.node` will be set to the value of `host.name`"
- - name: instancename
- type: text
- title: Instance name
- multi: false
- required: true
- show_user: true
- default: default
- - name: timezone
- type: text
- title: Timezone
- multi: false
- required: true
- show_user: true
- default: UTC
- - name: environment
- type: text
- title: Environment
- multi: false
- required: true
- show_user: true
- default: PRODUCTION
- - name: instancetype
- type: text
- title: Instance type
- multi: false
- required: true
- show_user: true
- default: Privilege-Identity-Password
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: filestream.yml.hbs
- title: Hitachi ID Bravura Monitor
- description: Collect Hitachi ID Security Fabric logs using filestream input
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/log/sample_event.json b/packages/hid_bravura_monitor/1.0.3/data_stream/log/sample_event.json
deleted file mode 100755
index 1fc4a9226b..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- "@timestamp": "2021-01-16T00:35:25.258Z",
- "agent": {
- "ephemeral_id": "00124c53-af5e-4d5f-818c-ff189690109e",
- "hostname": "docker-fleet-agent",
- "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.0"
- },
- "data_stream": {
- "dataset": "hid_bravura_monitor.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "1.12.0"
- },
- "elastic_agent": {
- "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89",
- "snapshot": true,
- "version": "7.16.0"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "hid_bravura_monitor.log",
- "ingested": "2021-10-29T18:19:35Z",
- "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found",
- "timezone": "UTC"
- },
- "hid_bravura_monitor": {
- "environment": "PRODUCTION",
- "instancename": "default",
- "instancetype": "Privilege-Identity-Password",
- "node": "docker-fleet-agent"
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "3bfbf225479aac5f850ea38f5d9d8a02",
- "ip": [
- "192.168.192.7"
- ],
- "mac": [
- "02:42:c0:a8:c0:07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "5.10.16.3-microsoft-standard-WSL2",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
- },
- "input": {
- "type": "filestream"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/hid_bravura_monitor.log"
- },
- "level": "Error",
- "logger": "pamlws.exe",
- "offset": 218
- },
- "message": "LWS [HID-TEST] foundcomputer record not found",
- "process": {
- "pid": 44408,
- "thread": {
- "id": 52004
- }
- },
- "tags": [
- "preserve_original_event"
- ],
- "user": {
- "id": ""
- }
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/agent/stream/winlog.yml.hbs b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/agent/stream/winlog.yml.hbs
deleted file mode 100755
index f3f26f16ee..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-name: Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational
-condition: ${host.platform} == 'windows'
-{{#if event_id}}
-event_id: {{event_id}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ee6d39de04..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,399 +0,0 @@ ---- -description: Pipeline for Hitachi ID Suite events -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - - convert: - field: event.code - type: string - ignore_missing: true - - - rename: - field: message - target_field: event.original - ignore_missing: true - - - grok: - field: event.original - patterns: - - >- - %{DATA:winlog.event_data.Message}\|%{GREEDYDATA:kvpairs} - - - kv: - field: kvpairs - field_split: '\|' - value_split: '=' - target_field: winlog.event_data - ignore_missing: false - ignore_failure: false - - - remove: - field: kvpairs - ignore_missing: true - ignore_failure: true - - - split: - field: winlog.event_data.ClientIPs - separator: "," - preserve_trailing: true - ignore_missing: true - - - split: - field: winlog.event_data.FailedTargets - separator: "," - preserve_trailing: true - ignore_missing: true - - - script: - lang: painless - ignore_failure: false - tag: Decode symbolic id table - description: Decode symbolic id table - params: - "1": "AUTH_CHAIN_FAILURE" - "2": "AUTH_CHAIN_SUCCESS" - "3": "USER_LOGIN_LOCKOUT" - "4": "DB_COMMIT_SUSPEND" - "5": "DB_COMMIT_RESUME" - "6": "DB_REPLICATION_CONN_FAILURE" - "7": "DB_REPLICATION_CONN_RESTORED" - "8": "DB_REPLICATION_TRANS_FAILURE" - "9": "DB_QUEUE_INSERT_FAILURE" - "10": "DB_FAILED_PROC_RECORDED" - "11": "PAMSA_ORCHESTRATION_START_FAILURE" - "12": "PAMSA_ORCHESTRATION_END_FAILURE" - "13": "UPDATE_RESOURCE_FAILURE" - "14": "GSET_CHECKIN_FAILURE" - "15": "GSET_CHECKIN_PARTIAL" - "16": "GSET_CHECKIN_SUCCESS" - "17": "GSET_CHECKOUT_SUCCESS" - "18": "GSET_CHECKOUT_FAILURE" - "19": "GSET_CHECKOUT_PARTIAL" - "20": "PWD_CHECKOUT_SUCCESS" - "21": "PWD_CHECKOUT_FAILURE" - "22": "PWD_CHECKIN_SUCCESS" - "23": "PWD_CHECKIN_FAILURE" - "24": "WSTN_VIEW_PASSWORD_SUCCESS" - "25": "WSTN_VIEW_PASSWORD_FAILURE" - "26": "WSTN_VIEW_PASSWORD_HIS_SUCCESS" - "27": "WSTN_VIEW_PASSWORD_HIS_FAILURE" - "28": "ADMIN_ENABLE_ADMIN" - "29": "ADMIN_ENABLE_USER" - "30": 
"ADMIN_DISABLE_ADMIN" - "31": "ADMIN_DISABLE_USER" - "32": "ADMIN_UNLOCK_ADMIN" - "33": "ADMIN_UNLOCK_USER" - "34": "SMON_SESSION_START" - "35": "SMON_SESSION_END" - "36": "SMON_ADMIN_SESS_TERM_REQ" - "37": "PSUPDATE_START" - "38": "PSUPDATE_FINISH" - "39": "IDAPI_LOGIN_SUCCESS" - "40": "IDAPI_LOGIN_FAILURE" - "41": "MAQ_CHECKIN_FAILURE" - "42": "MAQ_CHECKIN_SUCCESS" - "43": "MAQ_CHECKOUT_FAILURE" - "44": "MAQ_CHECKOUT_SUCCESS" - "45": "TARGET_DEPLOYMENT_FAILURE" - "46": "TARGET_DEPLOYMENT_SUCCESS" - "47": "OPERATION_IMPORT_TARGET" - "48": "WSTN_ADD_WSTN_SUCCESS" - "49": "WSTN_ADD_WSTN_FAILURE" - "50": "IDWFM_EVENT_ABORT" - "51": "IDWFM_EVENT_FAILURE" - "52": "USER_QA_ADD_SUCCESS" - "53": "USER_QA_ADD_FAILURE" - "54": "USER_QA_UPDATE_SUCCESS" - "55": "USER_QA_UPDATE_FAILURE" - "56": "USER_QA_DELETE_SUCCESS" - "57": "ADMIN_QA_ADD_SUCCESS" - "58": "ADMIN_QA_ADD_FAILURE" - "59": "ADMIN_QA_UPDATE_SUCCESS" - "60": "ADMIN_QA_UPDATE_FAILURE" - "61": "ADMIN_QA_DELETE_SUCCESS" - "62": "USER_PW_RESET_START" - "63": "USER_PW_RESET_SUCCESS" - "64": "USER_PW_RESET_FAILURE" - "65": "ADMIN_PW_RESET_START" - "66": "ADMIN_PW_RESET_SUCCESS" - "67": "ADMIN_PW_RESET_FAILURE" - "68": "USER_ACCT_UNLOCK_START" - "69": "USER_ACCT_UNLOCK_SUCCESS" - "70": "USER_ACCT_UNLOCK_FAILURE" - "71": "ADMIN_ACCT_UNLOCK_START" - "72": "ADMIN_ACCT_UNLOCK_SUCCESS" - "73": "ADMIN_ACCT_UNLOCK_FAILURE" - "74": "DB_REPLICATION_WATERMARK_WARN" - "75": "USER_ALIAS_ALREADY_CLAIMED" - "76": "ADMIN_ALIAS_ALREADY_CLAIMED" - "77": "CONNECTOR_TIMEOUT" - "78": "FILE_REPLICATION_FAILURE" - "79": "IDPM_GROUP_SUCCESS" - "80": "IDPM_GROUP_FAILURE" - "81": "WF_REQUEST_BATCH_APPROVED" - "82": "WF_REQUEST_BATCH_REJECTED" - "83": "WF_REQUEST_BATCH_CANCELED" - "84": "WF_REQUEST_BATCH_REVOKED" - "85": "WF_REQUEST_BATCH_PROCESSED" - "86": "DID_REGISTER_SUCCESS" - "87": "DID_REGISTER_FAILURE" - "88": "DID_UPDATE_SUCCESS" - "89": "DID_SEND_SUCCESS" - "90": "USER_IDENTIFY_SUCCESS" - "91": "USER_IDENTIFY_FAILURE" - "92": 
"USER_LOGIN_SUCCESS" - "93": "USER_LOGIN_FAILURE" - "94": "FEDIDP_IDENTIFY_SUCCESS" - "95": "FEDIDP_IDENTIFY_FAILURE" - "96": "FEDIDP_AUTH_SUCCESS" - "97": "FEDIDP_AUTH_FAILURE" - "98": "DB_STORED_PROC_FAILURE" - "99": "ADMIN_CRED_FAILURE" - "100": "ADMIN_CRED_SUCCESS" - "101": "FEDIDP_SSO_SESSION_CREATE" - "102": "FEDIDP_SSO_SESSION_DESTROY" - "103": "PAM_CHECKOUT_SUCCESS" - "104": "PAM_CHECKOUT_PARTIAL" - "105": "PAM_CHECKOUT_FAILURE" - "106": "PAM_CHECKIN_SUCCESS" - "107": "PAM_CHECKIN_PARTIAL" - "108": "PAM_CHECKIN_FAILURE" - "109": "PAM_CHECKOUT_EXPIRY" - "110": "PAM_CHECKOUT_LIMIT_REACHED" - "111": "PAM_CHECKOUT_OPERATION_SUCCESS" - "112": "PAM_CHECKOUT_OPERATION_FAILURE" - "113": "PAM_CHECKIN_OPERATION_SUCCESS" - "114": "PAM_CHECKIN_OPERATION_FAILURE" - "115": "FEDSP_SAMLAUTH_ASR_FAILURE" - "116": "FEDSP_SAMLAUTH_ASR_SUCCESS" - "117": "FEDSP_SAMLAUTH_ISSUED" - "118": "DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD" - "119": "USER_HDD_RECOVERY_SUCCESS" - "120": "USER_HDD_RECOVERY_FAILURE" - "121": "USER_MOBILE_DEVICE_REGISTRATION" - source: |- - if (ctx?.winlog?.event_id == null) { - return; - } - def t = params.get(ctx.winlog.event_id); - if (t == null) { - return; - } - ctx.winlog.put("symbolic_id", t) - - - script: - lang: painless - ignore_failure: false - tag: Decode description table - description: Decode description table - params: - "1": "User failed to authenticate" - "2": "User successfully authenticated" - "3": "User lockout triggered" - "4": "Database commits suspended, replication queue full" - "5": "Database commits resuming" - "6": "Connectivity to replica database lost" - "7": "Connectivity to replica database restored" - "8": "Failed to replicate database transaction" - "9": "Failed to insert data into database replication queue" - "10": "ed to run stored procedure on replica server" - "11": "Subscriber orchestration failed to start" - "12": "Subscriber orchestration completed with failures" - "13": "Failed to update subscriber password" - "14": 
"Failed to check-in managed group set" - "15": "Failed to fully check-in managed group set, some memberships were not revoked" - "16": "Managed group set successfully checked in" - "17": "Managed group set successfully checked out" - "18": "Failed to check out managed group set" - "19": "Managed group set partially checked out, some memberships were not granted" - "20": "Managed account password successfully checked out" - "21": "Failed to check-out managed account password" - "22": "Managed account password successfully checked in" - "23": "Failed to check-in managed account password" - "24": "Managed account password viewed" - "25": "Failed to view managed account password" - "26": "Historical managed account password viewed" - "27": "Failed to view historical managed account password" - "28": "Administrative profile enabled" - "29": "User profile enabled" - "30": "Administrative profile disabled" - "31": "User profile disabled" - "32": "Administrative profile unlocked" - "33": "User profile unlocked" - "34": "Privileged access session recording started" - "35": "Privileged access session recording ended" - "36": "Privileged access session termination requested by administrator" - "37": "Nightly discovery process started" - "38": "Nightly discovery process finished" - "39": "API login succeeded" - "40": "API login failure" - "41": "Failed to check in system and account query based access" - "42": "Succeeded in checking in system and account query based access" - "43": "Failed to check out system and account query based access" - "44": "Succeeded in checking out system and account query based access" - "45": "Target deployment finished with a failure." - "46": "Successfully finished target deployment." - "47": "Successfully imported a single target." - "48": "Successfully finished target deployment." - "49": "Target deployment finished with a failure." - "50": "Workflow manager aborted event processing." - "51": "Workflow manager failed to process event." 
- "52": "Security question successfully added." - "53": "Failed to add security question." - "54": "Security question successfully updated." - "55": "Failed to update security question." - "56": "Security question successfully deleted." - "57": "Security question successfully added." - "58": "Failed to add security question." - "59": "Security question successfully updated." - "60": "Failed to update security question." - "61": "Security question successfully deleted." - "62": "Self-service password reset started." - "63": "Self-service password reset successful." - "64": "Self-service password reset failed." - "65": "Help-desk assisted password reset started." - "66": "Help-desk assisted password reset successful." - "67": "Help-desk assisted password reset failed." - "68": "Self-service account unlock started." - "69": "Self-service account unlock successful." - "70": "Self-service account unlock failed." - "71": "Help-desk assisted account unlock started." - "72": "Help-desk assisted account unlock successful." - "73": "Help-desk assisted password reset failed." - "74": "Database replication watermark hit." - "75": "User attempted to claim alias that is already claimed." - "76": "Admin attempted to assign alias that is already claimed." - "77": "Connector timed out while performing operation." - "78": "Error occured during file replication to remote nodes." - "79": "All passwords successfully synchronized." - "80": "One or more passwords failed to be synchronized." - "81": "Workflow request has been approved." - "82": "Workflow request has been rejected." - "83": "Workflow request has been canceled." - "84": "Workflow request has been revoked." - "85": "Workflow request has been processed." - "86": "Successfully registered Digital ID." - "87": "Failed to register Digital ID." - "88": "Successfully updated Digital ID." - "89": "Digital ID successfully downloaded." - "90": "User successfully identified" - "91": "Failed to identify user." 
- "92": "User successfully logged in." - "93": "User failed to log in." - "94": "Federated authn request successfully parsed." - "95": "Federated authn request failed to be parsed." - "96": "Federated assertion successfully generated." - "97": "Federated assertion failed to be generated." - "98": "Failed to execute stored procedure." - "99": "Target creation failure: Could not establish credentials." - "100": "Target creation successful: Credentials set successfully." - "101": "New federated SSO session created." - "102": "Federated SSO session terminated." - "103": "Generic access check-out successful." - "104": "Generic access check-out partially successful." - "105": "Generic access check-out failed." - "106": "Generic access check-in successful." - "107": "Generic access check-in partially successful." - "108": "Generic access check-in failed." - "109": "Generic access check-out expired." - "110": "Generic access check-out cannot be performed because it would exceed the check-out limit of one of its targets." - "111": "An operation run as part of a generic access check-out succeeded." - "112": "An operation run as part of a generic access check-out failed." - "113": "An operation run as part of a generic access check-in succeeded." - "114": "An operation run as part of a generic access check-in failed." - "115": "Failed to validate a SAML assertion." - "116": "Successfully validated a SAML assertion." - "117": "Issued SAML AuthNRequest." - "118": "Database replication queue delay exceeded configured threshold." - "119": "Self-service encrypted drive recovery successful." - "120": "Self-service encrypted drive recovery failure." - "121": "Self-service mobile device registration." 
- source: |- - if (ctx?.winlog?.event_id == null) { - return; - } - def t = params.get(ctx.winlog.event_id); - if (t == null) { - return; - } - if (ctx?.winlog?.event_data == null ) { - Map map = new HashMap(); - ctx.winlog.put("event_data", map); - } - ctx.winlog.event_data.put("Description", t) - - - convert: - field: winlog.record_id - type: string - ignore_missing: true - - - convert: - field: winlog.event_id - type: string - ignore_missing: true - - - convert: - field: winlog.event_data.DelayThreshold - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.QueueDelay - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.QueueSize - type: long - ignore_missing: true - - - convert: - field: winlog.event_data.Runtime - type: long - ignore_missing: true - - - set: - field: ecs.version - value: '1.12.0' - - - set: - field: log.level - copy_from: winlog.level - ignore_empty_value: true - ignore_failure: true - if: ctx?.winlog?.level != "" - - - date: - field: winlog.time_created - formats: - - ISO8601 - ignore_failure: true - if: ctx?.winlog?.time_created != null - - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - - remove: - field: [ - "winlog.event_data.Value1", - "winlog.event_data.Value2", - "winlog.event_data.Value3", - "winlog.event_data.Value4", - "winlog.event_data.Value5", - "winlog.event_data.Value6", - "winlog.event_data.Value7", - "winlog.event_data.Value8", - "winlog.event_data.Value9" - ] - ignore_missing: true - -on_failure: - - set: - field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" 
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/agent.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/base-fields.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/base-fields.yml deleted file mode 100755 index ecf4acb535..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/base-fields.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. - value: logs -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: hid_bravura_monitor -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: hid_bravura_monitor.winlog -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/beats.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/beats.yml deleted file mode 100755 index 3c48f1f224..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/beats.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/ecs.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/ecs.yml deleted file mode 100755 index 0ef137f4ea..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/ecs.yml +++ /dev/null 
@@ -1,223 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - name: event.module - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. 
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword -- description: Source domain. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/fields.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/fields.yml deleted file mode 100755 index c2676bab52..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/fields.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: winlog.symbolic_id - type: keyword - description: Symbolic event id -- name: message - type: keyword - description: initial raw message diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/winlog.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/winlog.yml deleted file mode 100755 index 9d6d57c747..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/fields/winlog.yml +++ /dev/null 
@@ -1,344 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: computerObject - type: group - description: > - computer Object data - - fields: - - name: domain - type: keyword - - name: id - type: keyword - - name: name - type: keyword - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
- - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. - - fields: - - name: Account - type: keyword - description: An object on a target system that establishes a user’s identity on that target system. - - name: Action - type: keyword - - name: ActionId - type: keyword - - name: Arguments - type: keyword - - name: AuthChain - type: keyword - description: Authentication chains offer a flexible authentication infrastructure, allowing you to customize the end-user authentication experience. An authentication chain contains authentication methods offered by available authentication modules. - - name: AuthUser - type: keyword - description: Authentication user. - - name: BatchSig - type: keyword - description: Request batch ID. - - name: Binding - type: keyword - - name: CanceledBy - type: keyword - description: The user who canceled the request. - - name: ChangedBy - type: keyword - description: The user who made the change. - - name: Checkout - type: keyword - - name: ClientIPs - type: ip - - name: DelayThreshold - type: long - - name: Description - type: keyword - - name: EffectiveUser - type: keyword - - name: ErrorCode - type: keyword - - name: Event - type: keyword - - name: EventID - type: keyword - - name: FailedTargets - type: keyword - - name: GroupSet - type: keyword - - name: Hostname - type: keyword - - name: Identity - type: keyword - description: Identify users. - - name: Initiator - type: keyword - - name: Instance - type: keyword - - name: Issuer - type: keyword - - name: Language - type: keyword - description: Language used. - - name: LoginURL - type: keyword - description: User login URL. - - name: LogonDomain - type: keyword - - name: LogonSystem - type: keyword - - name: LogonUser - type: keyword - - name: MAQ - type: keyword - description: Account set access. 
- - name: Message - type: keyword - - name: MessageType - type: keyword - - name: Method - type: keyword - - name: Module - type: keyword - - name: Node - type: keyword - - name: Operation - type: keyword - - name: Orchestration - type: keyword - description: Subscriber orchestration. - - name: OSLogin - type: keyword - - name: OTPLogin - type: keyword - description: API login. - - name: Owner - type: keyword - - name: Platform - type: keyword - - name: Policy - type: keyword - - name: Port - type: keyword - - name: Procedure - type: keyword - - name: Profile - type: keyword - - name: QSetID - type: keyword - description: Question set ID. - - name: QSetType - type: keyword - description: Question set type. - - name: QueueDelay - type: long - description: Database replication queue delay. - - name: QueueSize - type: long - description: Database replication queue size. - - name: QueueType - type: keyword - description: Database replication queue type. - - name: Reason - type: keyword - - name: Recipient - type: keyword - description: Recipient of the request. - - name: Replica - type: keyword - description: Replica database or server. - - name: Requester - type: keyword - - name: RequestID - type: keyword - - name: Result - type: keyword - - name: RevokedBy - type: keyword - description: Workflow request has been revoked by. - - name: Runtime - type: long - - name: SessionID - type: keyword - - name: Skin - type: keyword - description: Skin for Bravura Security Fabric instance. - - name: Source - type: keyword - - name: SPFolder - type: keyword - description: Service provider folder. - - name: StoredProc - type: keyword - description: Stored procedure. - - name: System - type: keyword - - name: Target - type: keyword - - name: TargetName - type: keyword - - name: TermintedBy - type: keyword - description: Request terminated by. 
- - name: Type - type: keyword - - name: URI - type: keyword - description: The HTTP(S) address of the SOAP API of the Bravura Security Fabric server. - - name: WaterMark - type: keyword - description: Database replication watermark. - - name: Workstation - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: level - type: keyword - required: false - description: > - The event severity. Levels are Critical, Error, Warning and Information, Verbose - - - name: outcome - type: keyword - required: false - description: > - Success or Failure of the event. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: time_created - type: keyword - required: false - description: > - Time event was created - - - name: trustAttribute - type: keyword - required: false - - name: trustDirection - type: keyword - required: false - - name: trustType - type: keyword - required: false - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - description: > - Identifier of the user associated with this event. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/manifest.yml b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/manifest.yml deleted file mode 100755 index 9600e70d24..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -type: logs -title: Hitachi ID Security Fabric logs -streams: - - input: winlog - template_path: winlog.yml.hbs - title: Hitachi ID Operational - description: 'Collect Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational channel logs' - vars: - - name: event_id - type: text - title: Event ID - multi: false - required: false - show_user: false - description: >- - A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs. - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - name: tags - type: text - title: Tags - multi: true - show_user: false diff --git a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/sample_event.json b/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/sample_event.json deleted file mode 100755 index 18ae9247b1..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/data_stream/winlog/sample_event.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "@timestamp": "2021-10-29T14:05:50.739Z", - "cloud": { - "provider": "aws", - "instance": { - "id": "i-043997b05c5fa45ee" - }, - "machine": { - "type": "t3a.xlarge" - }, - "region": "us-east-1", - "availability_zone": "us-east-1a", - "account": { - "id": "753231555564" - }, - "image": { - "id": "ami-0e6ddc753bf04d004" - } - }, - "log": { - "level": "information" - }, - "message": "User successfully logged in.|Profile=JOHND|Language=|Skin=", - "winlog": { - "record_id": 1548167, - "api": "wineventlog", - "opcode": "Info", - "provider_guid": "{5a744344-18a9-480d-8a3a-0560ac58b841}", - "channel": "Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational", - "activity_id": "{4ffdfadd-63f2-41b2-9a4f-13534a729c54}", - "user": { - "identifier": "S-1-5-21-1512184445-966971527-3399726218-1035", - "name": "psadmin", - "domain": "DOMAIN1", - "type": "User" - }, - "event_data": { - "Module": "psf.exe", - "Profile": "JOHND", - "Instance": "pmim" - }, - "event_id": 92, - "computer_name": "hitachi1.corp", - "provider_name": "Hitachi-Hitachi ID Systems-Hitachi ID Suite", - "task": "", - "process": { - "pid": 6368, - "thread": { - "id": 9064 - } - } - }, - "event": { - "kind": "event", - "code": 92, - "provider": "Hitachi-Hitachi ID Systems-Hitachi ID Suite", - "created": "2021-10-29T14:05:52.111Z" - }, - "host": { - "name": "hitachi1.corp", - "architecture": "x86_64", - "os": { - "family": "windows", - "name": "Windows Server 2019 Datacenter", - "kernel": "10.0.17763.1999 (WinBuild.160101.0800)", - "build": "17763.1999", - "platform": "windows", - "version": "10.0" - }, - "id": "a9d2b7f5-6d62-46b3-8fbe-35a7e83d1dc8", - "ip": [ - "0.0.0.0" - ], - "mac": [ - "0a:a5:af:ad:d3:ab" - ], - "hostname": "node1" - }, - "agent": { - "version": "8.0.0", - "hostname": "node1", - "ephemeral_id": "d061bfcf-e51b-4586-9ace-3d5b15f86e37", - "id": "aa12ad42-61bc-466c-8887-1a15d4646fc7", - "name": "node1", - "type": "filebeat" - }, - "ecs": { - "version": "1.12.0" - } -} \ No 
newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/docs/README.md b/packages/hid_bravura_monitor/1.0.3/docs/README.md
deleted file mode 100755
index e23374a7f0..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/docs/README.md
+++ /dev/null
@@ -1,728 +0,0 @@ -# Hitachi ID Bravura Monitor Integration - -The Hitachi ID Bravura Monitor integration fetches and parses logs from a [Bravura Security Fabric](https://docs.hitachi-id.net/#/index/10/11) instance. - -When you run the integration, it performs the following tasks automatically: - -* Sets the default paths to the log files (you can override the -defaults) - -* Makes sure each multiline log event gets sent as a single event - -* Uses ingest pipelines to parse and process the log lines, shaping the data into a structure suitable -for visualizing in Kibana - -* Deploys dashboards for visualizing the log data - -## Compatibility - -The Hitachi ID Bravura Monitor integration was tested with logs from `Bravura Security Fabric 12.3.0` running on Windows Server 2016. - -The integration was also tested with Bravura Security Fabric/IDM Suite 11.x, 12.x series. - -This integration is not available for Linux or Mac. - -The integration is by default configured to read logs files stored in the `default` instance log directory. -However it can be configured for any file path. See the following example. 
- -```yaml -- id: b5e895ed-0726-4fa3-870c-464379d1c27b - name: hid_bravura_monitor-1 - revision: 1 - type: filestream - use_output: default - meta: - package: - name: hid_bravura_monitor - version: 1.0.0 - data_stream: - namespace: default - streams: - - id: >- - filestream-hid_bravura_monitor.log-b5e895ed-0726-4fa3-870c-464379d1c27b - data_stream: - dataset: hid_bravura_monitor.log - type: logs - paths: - - 'C:/Program Files/Hitachi ID/IDM Suite/Logs/default*/idmsuite*.log' - prospector.scanner.exclude_files: - - .gz$ - line_terminator: carriage_return_line_feed - tags: null - processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.instancename: default - hid_bravura_monitor.node: 0.0.0.0 - hid_bravura_monitor.environment: PRODUCTION - hid_bravura_monitor.instancetype: Privilege-Identity-Password - event.timezone: UTC - parsers: - - multiline: - type: pattern - pattern: '^[[:cntrl:]]' - negate: true - match: after -``` - -*`hid_bravura_monitor.instancename`* - -The name of the Bravura Security Fabric instance. The default is `default`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.instancename: default - ... -``` - -*`hid_bravura_monitor.node`* - -The address of the instance node. If the default `0.0.0.0` is left, the value is filled with `host.name`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.node: 127.0.0.1 - ... -``` - -*`event.timezone`* - -The timezone for the given instance server. The default is `UTC`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - event.timezone: Canada/Mountain - ... -``` - -*`hid_bravura_monitor.environment`* - -The environment of the Bravura Security Fabric instance; choices are DEVELOPMENT, TESTING, PRODUCTION. The default is `PRODUCTION`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.environment: DEVELOPMENT - ... 
-``` - -*`hid_bravura_monitor.instancetype`* - -The type of Bravura Security Fabric instance installed; choices are any combinations of Privilege, Identity or Password. The default is `Privilege-Identity-Password`. For example: - -```yaml -processors: - - add_fields: - target: '' - fields: - hid_bravura_monitor.instancetype: Identity - ... -``` - -*`paths`* - -An array of glob-based paths that specify where to look for the log files. All -patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) -are also supported here. - -For example, you can use wildcards to fetch all files -from a predefined level of subdirectories: `/path/to/log/*/*.log`. This -fetches all `.log` files from the subfolders of `/path/to/log`. It does not -fetch log files from the `/path/to/log` folder itself. If this setting is left -empty, the integration will choose log paths based on your operating system. - -## Logs - -### log - -The `log` dataset collects the Hitachi ID Bravura Security Fabric application logs. 
- -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-01-16T00:35:25.258Z", - "agent": { - "ephemeral_id": "00124c53-af5e-4d5f-818c-ff189690109e", - "hostname": "docker-fleet-agent", - "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.0" - }, - "data_stream": { - "dataset": "hid_bravura_monitor.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "1.12.0" - }, - "elastic_agent": { - "id": "9bcd741c-af93-434c-ad55-1ec23d08ab89", - "snapshot": true, - "version": "7.16.0" - }, - "event": { - "agent_id_status": "verified", - "dataset": "hid_bravura_monitor.log", - "ingested": "2021-10-29T18:19:35Z", - "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found", - "timezone": "UTC" - }, - "hid_bravura_monitor": { - "environment": "PRODUCTION", - "instancename": "default", - "instancetype": "Privilege-Identity-Password", - "node": "docker-fleet-agent" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "3bfbf225479aac5f850ea38f5d9d8a02", - "ip": [ - "192.168.192.7" - ], - "mac": [ - "02:42:c0:a8:c0:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.10.16.3-microsoft-standard-WSL2", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "input": { - "type": "filestream" - }, - "log": { - "file": { - "path": "/tmp/service_logs/hid_bravura_monitor.log" - }, - "level": "Error", - "logger": "pamlws.exe", - "offset": 218 - }, - "message": "LWS [HID-TEST] foundcomputer record not found", - "process": { - "pid": 44408, - "thread": { - "id": 52004 - } - }, - "tags": [ - "preserve_original_event" - ], - "user": { - "id": "" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | 
Event timestamp. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.domain | Client domain. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | Destination domain. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
| long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. 
| match_only_text | -| hid_bravura_monitor.environment | Instance environment | keyword | -| hid_bravura_monitor.instancename | Instance name | keyword | -| hid_bravura_monitor.instancetype | Instance type | keyword | -| hid_bravura_monitor.node | Node | keyword | -| hid_bravura_monitor.perf.address | Server address | wildcard | -| hid_bravura_monitor.perf.adminid | Administrator ID | keyword | -| hid_bravura_monitor.perf.caller | Application caller | keyword | -| hid_bravura_monitor.perf.dbcommand | Database command | keyword | -| hid_bravura_monitor.perf.destination | Destination URL | wildcard | -| hid_bravura_monitor.perf.duration | Performance duration | long | -| hid_bravura_monitor.perf.event | Event | keyword | -| hid_bravura_monitor.perf.exe | Executable | keyword | -| hid_bravura_monitor.perf.file | Source file | keyword | -| hid_bravura_monitor.perf.function | Performance function | keyword | -| hid_bravura_monitor.perf.kernel | Kernel Time | long | -| hid_bravura_monitor.perf.kind | Performance type (ie. PerfExe, PerfAjax, PerfFileRep, etc.) | keyword | -| hid_bravura_monitor.perf.line | Line number | long | -| hid_bravura_monitor.perf.message | Performance message | wildcard | -| hid_bravura_monitor.perf.message.keyword | Multi-field of `hid_bravura_monitor.perf.message`. 
| keyword | -| hid_bravura_monitor.perf.operation | Operation | keyword | -| hid_bravura_monitor.perf.receivequeue | Receive queue | keyword | -| hid_bravura_monitor.perf.records | Database records | long | -| hid_bravura_monitor.perf.result | Result | long | -| hid_bravura_monitor.perf.sessionid | Session ID | keyword | -| hid_bravura_monitor.perf.sysid | System ID | keyword | -| hid_bravura_monitor.perf.table | Database table | keyword | -| hid_bravura_monitor.perf.targetid | Target ID | keyword | -| hid_bravura_monitor.perf.transid | Transaction ID | keyword | -| hid_bravura_monitor.perf.type | IDWFM type | keyword | -| hid_bravura_monitor.perf.user | User time | long | -| hid_bravura_monitor.request.id | Request ID | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type. | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | -| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | -| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. 
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. 
| keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| process.thread.id | Thread ID. | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.domain | Server domain. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | Source domain. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. 
| keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.port | Port of the source. | long |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request. | keyword |
-| user.email | User email address. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-### winlog
-
-The `winglog` dataset collects the Hitachi ID Bravura Security Fabric event logs.
-
-An example event for `winlog` looks as following:
-
-```json
-{
- "@timestamp": "2021-10-29T14:05:50.739Z",
- "cloud": {
- "provider": "aws",
- "instance": {
- "id": "i-043997b05c5fa45ee"
- },
- "machine": {
- "type": "t3a.xlarge"
- },
- "region": "us-east-1",
- "availability_zone": "us-east-1a",
- "account": {
- "id": "753231555564"
- },
- "image": {
- "id": "ami-0e6ddc753bf04d004"
- }
- },
- "log": {
- "level": "information"
- },
- "message": "User successfully logged in.|Profile=JOHND|Language=|Skin=",
- "winlog": {
- "record_id": 1548167,
- "api": "wineventlog",
- "opcode": "Info",
- "provider_guid": "{5a744344-18a9-480d-8a3a-0560ac58b841}",
- "channel": "Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational",
- "activity_id": "{4ffdfadd-63f2-41b2-9a4f-13534a729c54}",
- "user": {
- "identifier": "S-1-5-21-1512184445-966971527-3399726218-1035",
- "name": "psadmin",
- "domain": "DOMAIN1",
- "type": "User"
- },
- "event_data": {
- "Module": "psf.exe",
- "Profile": "JOHND",
- "Instance": "pmim"
- },
- "event_id": 92,
- "computer_name": "hitachi1.corp",
- "provider_name": "Hitachi-Hitachi ID Systems-Hitachi ID Suite",
- "task": "",
- "process": {
- "pid": 6368,
- "thread": {
- "id": 9064
- }
- }
- },
- "event": {
- "kind": "event",
- "code": 92,
- "provider": "Hitachi-Hitachi ID Systems-Hitachi ID Suite",
- "created": "2021-10-29T14:05:52.111Z"
- },
- "host": {
- "name": "hitachi1.corp",
- "architecture": "x86_64",
- "os": {
- "family": "windows",
- "name": "Windows Server 2019 Datacenter",
- "kernel": "10.0.17763.1999 (WinBuild.160101.0800)",
- "build": "17763.1999",
- "platform": "windows",
- "version": "10.0"
- },
- "id": "a9d2b7f5-6d62-46b3-8fbe-35a7e83d1dc8",
- "ip": [
- "0.0.0.0"
- ],
- "mac": [
- "0a:a5:af:ad:d3:ab"
- ],
- "hostname": "node1"
- },
- "agent": {
- "version": "8.0.0",
- "hostname": "node1",
- "ephemeral_id": "d061bfcf-e51b-4586-9ace-3d5b15f86e37",
- "id": "aa12ad42-61bc-466c-8887-1a15d4646fc7",
- "name": "node1",
- "type": "filebeat"
- },
- "ecs": {
- "version": "1.12.0"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset. | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| group.id | Unique identifier for the group on the system/platform. | keyword |
-| group.name | Name of the group. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| message | initial raw message | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| source.domain | Source domain. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
-| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
-| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
-| winlog.computerObject.domain | | keyword |
-| winlog.computerObject.id | | keyword |
-| winlog.computerObject.name | | keyword |
-| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword |
-| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
-| winlog.event_data.Account | An object on a target system that establishes a user’s identity on that target system. | keyword |
-| winlog.event_data.Action | | keyword |
-| winlog.event_data.ActionId | | keyword |
-| winlog.event_data.Arguments | | keyword |
-| winlog.event_data.AuthChain | Authentication chains offer a flexible authentication infrastructure, allowing you to customize the end-user authentication experience. An authentication chain contains authentication methods offered by available authentication modules. | keyword |
-| winlog.event_data.AuthUser | Authentication user. | keyword |
-| winlog.event_data.BatchSig | Request batch ID. | keyword |
-| winlog.event_data.Binding | | keyword |
-| winlog.event_data.CanceledBy | The user who canceled the request. | keyword |
-| winlog.event_data.ChangedBy | The user who made the change. | keyword |
-| winlog.event_data.Checkout | | keyword |
-| winlog.event_data.ClientIPs | | ip |
-| winlog.event_data.DelayThreshold | | long |
-| winlog.event_data.Description | | keyword |
-| winlog.event_data.EffectiveUser | | keyword |
-| winlog.event_data.ErrorCode | | keyword |
-| winlog.event_data.Event | | keyword |
-| winlog.event_data.EventID | | keyword |
-| winlog.event_data.FailedTargets | | keyword |
-| winlog.event_data.GroupSet | | keyword |
-| winlog.event_data.Hostname | | keyword |
-| winlog.event_data.Identity | Identify users. | keyword |
-| winlog.event_data.Initiator | | keyword |
-| winlog.event_data.Instance | | keyword |
-| winlog.event_data.Issuer | | keyword |
-| winlog.event_data.Language | Language used. | keyword |
-| winlog.event_data.LoginURL | User login URL. | keyword |
-| winlog.event_data.LogonDomain | | keyword |
-| winlog.event_data.LogonSystem | | keyword |
-| winlog.event_data.LogonUser | | keyword |
-| winlog.event_data.MAQ | Account set access. | keyword |
-| winlog.event_data.Message | | keyword |
-| winlog.event_data.MessageType | | keyword |
-| winlog.event_data.Method | | keyword |
-| winlog.event_data.Module | | keyword |
-| winlog.event_data.Node | | keyword |
-| winlog.event_data.OSLogin | | keyword |
-| winlog.event_data.OTPLogin | API login. | keyword |
-| winlog.event_data.Operation | | keyword |
-| winlog.event_data.Orchestration | Subscriber orchestration. | keyword |
-| winlog.event_data.Owner | | keyword |
-| winlog.event_data.Platform | | keyword |
-| winlog.event_data.Policy | | keyword |
-| winlog.event_data.Port | | keyword |
-| winlog.event_data.Procedure | | keyword |
-| winlog.event_data.Profile | | keyword |
-| winlog.event_data.QSetID | Question set ID. | keyword |
-| winlog.event_data.QSetType | Question set type. | keyword |
-| winlog.event_data.QueueDelay | Database replication queue delay. | long |
-| winlog.event_data.QueueSize | Database replication queue size. | long |
-| winlog.event_data.QueueType | Database replication queue type. | keyword |
-| winlog.event_data.Reason | | keyword |
-| winlog.event_data.Recipient | Recipient of the request. | keyword |
-| winlog.event_data.Replica | Replica database or server. | keyword |
-| winlog.event_data.RequestID | | keyword |
-| winlog.event_data.Requester | | keyword |
-| winlog.event_data.Result | | keyword |
-| winlog.event_data.RevokedBy | Workflow request has been revoked by. | keyword |
-| winlog.event_data.Runtime | | long |
-| winlog.event_data.SPFolder | Service provider folder. | keyword |
-| winlog.event_data.SessionID | | keyword |
-| winlog.event_data.Skin | Skin for Bravura Security Fabric instance. | keyword |
-| winlog.event_data.Source | | keyword |
-| winlog.event_data.StoredProc | Stored procedure. | keyword |
-| winlog.event_data.System | | keyword |
-| winlog.event_data.Target | | keyword |
-| winlog.event_data.TargetName | | keyword |
-| winlog.event_data.TermintedBy | Request terminated by. | keyword |
-| winlog.event_data.Type | | keyword |
-| winlog.event_data.URI | The HTTP(S) address of the SOAP API of the Bravura Security Fabric server. | keyword |
-| winlog.event_data.WaterMark | Database replication watermark. | keyword |
-| winlog.event_data.Workstation | | keyword |
-| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
-| winlog.keywords | The keywords are used to classify an event. | keyword |
-| winlog.level | The event severity. Levels are Critical, Error, Warning and Information, Verbose | keyword |
-| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
-| winlog.outcome | Success or Failure of the event. | keyword |
-| winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
-| winlog.process.thread.id | | long |
-| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
-| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
-| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
-| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword |
-| winlog.symbolic_id | Symbolic event id | keyword |
-| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
-| winlog.time_created | Time event was created | keyword |
-| winlog.trustAttribute | | keyword |
-| winlog.trustDirection | | keyword |
-| winlog.trustType | | keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | Identifier of the user associated with this event. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
diff --git a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-admin.png b/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-admin.png
deleted file mode 100755
index f4596df81e..0000000000
Binary files a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-admin.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-connectors.png b/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-connectors.png
deleted file mode 100755
index ccdc4d043a..0000000000
Binary files a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-connectors.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-db-replication.png b/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-db-replication.png
deleted file mode 100755
index 46507bebc3..0000000000
Binary files a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-db-replication.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-log-issues.png b/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-log-issues.png
deleted file mode 100755
index c69ee309e5..0000000000
Binary files a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-log-issues.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-overview.png b/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-overview.png
deleted file mode 100755
index c56709bf9b..0000000000
Binary files a/packages/hid_bravura_monitor/1.0.3/img/kibana-hid_bravura_monitor-overview.png and /dev/null differ
diff --git a/packages/hid_bravura_monitor/1.0.3/img/logo_hid_bravura_monitor.svg b/packages/hid_bravura_monitor/1.0.3/img/logo_hid_bravura_monitor.svg
deleted file mode 100755
index d5f6071f00..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/img/logo_hid_bravura_monitor.svg
+++ /dev/null
@@ -1,21 +0,0 @@
- - - - - - -
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index dc0de076a5..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16ceee80-adfc-4ecd-99f4-3f3160dce1f4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"16ceee80-adfc-4ecd-99f4-3f3160dce1f4\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"b64ac48c-d9e4-4dfa-9ddd-05117c054c44\",\"w\":16,\"x\":0,\"y\":15},\"panelIndex\":\"b64ac48c-d9e4-4dfa-9ddd-05117c054c44\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"8b200051-1ac1-4008-b031-ba62127cb7b4\",\"w\":16,\"x\":16,\"y\":15},\"panelIndex\":\"8b200051-1ac1-4008-b031-ba62127cb7b4\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"9cd7264a-0271-4e4a-9fe7-67f7fc60d349\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"9cd7264a-0271-4e4a-9fe7-67f7fc60d349\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Log issues - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0665f160-f956-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21",
- "name": "panel_3",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index e6d8ca2d40..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"6a0834a4-8c2b-4484-9f5e-c55faf0deac6\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"6a0834a4-8c2b-4484-9f5e-c55faf0deac6\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"3b23d41e-170f-4423-8ba8-2971e9b68782\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"3b23d41e-170f-4423-8ba8-2971e9b68782\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]",
- "timeRestore": false,
- "title": "[Bravura Monitor] Administrative - Disabled Profiles",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-0db75ff0-f9f4-11eb-a1ab-1964dffd1499",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215",
- "name": "panel_1",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index edfde69098..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6d898178-6f51-4199-ae7e-44bd35e60bc8\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"6d898178-6f51-4199-ae7e-44bd35e60bc8\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"47c424ec-b1cc-4ab1-abfc-e9d0382a79ee\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"47c424ec-b1cc-4ab1-abfc-e9d0382a79ee\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"70c9467e-31cb-4617-beab-2e7012046222\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"70c9467e-31cb-4617-beab-2e7012046222\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Discovery", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1a431f90-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json deleted file mode 100755 index 3442fffb55..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"a3abfe8b-3ddd-492a-b081-2e3a3d76e84f\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"a3abfe8b-3ddd-492a-b081-2e3a3d76e84f\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"31e162b4-565d-4dce-90f1-e0a43ed54a70\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"31e162b4-565d-4dce-90f1-e0a43ed54a70\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"21a44db8-a29a-4a18-b63e-ca0da9606909\",\"w\":10,\"x\":0,\"y\":21},\"panelIndex\":\"21a44db8-a29a-4a18-b63e-ca0da9606909\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"efaeb9a6-ef0b-4f77-b397-1c8577f38cbf\",\"w\":38,\"x\":10,\"y\":21},\"panelIndex\":\"efaeb9a6-ef0b-4f77-b397-1c8577f38cbf\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"1494c062-2f24-4571-8e69-793a894392d7\",\"w\":24,\"x\":0,\"y\":42},\"panelIndex\":\"1494c062-2f24-4571-8e69-793a894392d7\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"5fb347ad-ad70-4cfb-8023-f61468be8a07\",\"w\":24,\"x\":24,\"y\":42},\"panelIndex\":\"5fb347ad-ad70-4cfb-8023-f61468be8a07\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Windows Event Analysis - Problems", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-23a89d20-fa07-11eb-96cd-db0fb11a40f3", 
- "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index b491b8e1fc..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"27066e19-96ff-46db-989c-2ed0650bfb32\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"27066e19-96ff-46db-989c-2ed0650bfb32\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9a662dac-12e2-44ce-ad7d-eaca9ec5b478\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"9a662dac-12e2-44ce-ad7d-eaca9ec5b478\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"51a5c05f-6a26-4138-9f95-f4c6b01c4d78\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"51a5c05f-6a26-4138-9f95-f4c6b01c4d78\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Discovery - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-28db2060-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index dc4a543829..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"292870cf-80ba-4071-ac33-6ddc10eef5ee\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"292870cf-80ba-4071-ac33-6ddc10eef5ee\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"c81e1947-6ef2-4f8f-8497-c6defed48569\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"c81e1947-6ef2-4f8f-8497-c6defed48569\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Unlocked Profiles", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3f403100-f9f4-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index a543c8bad3..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"aed09807-f936-4881-960d-30039d3fb5cd\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"aed09807-f936-4881-960d-30039d3fb5cd\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"fa9c7f19-26bc-489f-ad23-1774eaf8dcc6\",\"w\":16,\"x\":0,\"y\":14},\"panelIndex\":\"fa9c7f19-26bc-489f-ad23-1774eaf8dcc6\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"ded4c445-2a0a-448c-9318-38b166d11d73\",\"w\":16,\"x\":16,\"y\":14},\"panelIndex\":\"ded4c445-2a0a-448c-9318-38b166d11d73\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"a58e223b-2453-4dcd-9de5-8a6101d9964d\",\"w\":16,\"x\":32,\"y\":14},\"panelIndex\":\"a58e223b-2453-4dcd-9de5-8a6101d9964d\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"4909f0f5-c8df-40f8-bc49-df24cb056b8c\",\"w\":48,\"x\":0,\"y\":34},\"panelIndex\":\"4909f0f5-c8df-40f8-bc49-df24cb056b8c\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Issues", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-49fa7e40-f9fc-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 0140835288..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"63969223-a0de-4d10-aa3a-5a7de19681c2\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"63969223-a0de-4d10-aa3a-5a7de19681c2\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"37dcff04-67ca-46e6-bea3-b6be4a08bce8\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"37dcff04-67ca-46e6-bea3-b6be4a08bce8\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"250f87a6-96dc-417f-a704-ee29e9669992\",\"w\":48,\"x\":0,\"y\":25},\"panelIndex\":\"250f87a6-96dc-417f-a704-ee29e9669992\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Search", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4bf327b0-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 668f8ebc02..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"annotations\":[],\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"24e4b310-069e-11ec-8d63-433b7d9c06cf\"}],\"bar_color_rules\":[{\"id\":\"015e0b70-069f-11ec-8d63-433b7d9c06cf\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.kind: PerfExe AND NOT (hid_bravura_monitor.perf.exe: *plugin*)\"},\"gauge_color_rules\":[{\"id\":\"040388f0-069f-11ec-8d63-433b7d9c06cf\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_bars\":80,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"hid_bravura_monitor.perf.duration\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_exclude\":\"\",\"terms_field\":\"hid_bravura_monitor.perf.exe\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Executable Average 
Duration\",\"type\":\"metrics\",\"uiState\":{}},\"type\":\"visualization\"},\"gridData\":{\"h\":17,\"i\":\"d09c2c16-f29a-48e2-bb74-471b6de1fc03\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"d09c2c16-f29a-48e2-bb74-471b6de1fc03\",\"type\":\"visualization\",\"version\":\"7.15.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"198257f3-2b86-41f1-83cf-2090465b56a8\",\"w\":48,\"x\":0,\"y\":17},\"panelIndex\":\"198257f3-2b86-41f1-83cf-2090465b56a8\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Processes - Executables", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4ee19fa0-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index dd04c65524..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2852a22c-425f-45b2-b953-6b0f3d214447\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"2852a22c-425f-45b2-b953-6b0f3d214447\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"9e84cdcf-b3f1-44b5-bdc4-67bb7cb7b7ac\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"9e84cdcf-b3f1-44b5-bdc4-67bb7cb7b7ac\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c3a20836-de82-44e2-a23c-38ac861cc7df\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"c3a20836-de82-44e2-a23c-38ac861cc7df\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aa105229-2ee8-417b-a85b-ab83300357ee\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"aa105229-2ee8-417b-a85b-ab83300357ee\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Workflow - Summary (Logs)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-52cf42a0-fa04-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index c48e8c460b..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"647b541e-ba69-4580-8b5c-82b99e9141db\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"647b541e-ba69-4580-8b5c-82b99e9141db\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3d4e7a89-9376-40e8-a110-aea6fad8704d\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"3d4e7a89-9376-40e8-a110-aea6fad8704d\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"c530e489-474a-4a2a-8498-860233140305\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"c530e489-474a-4a2a-8498-860233140305\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-578cb360-f9f3-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 02a9b3f565..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.kind: PerfExe AND hid_bravura_monitor.perf.exe: *plugin*\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_bars\":70,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"hid_bravura_monitor.perf.duration\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"hid_bravura_monitor.perf.exe\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"tooltip_mode\":\"show_all\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}},\"type\":\"visualization\"},\"gridData\":{\"h\":17,\"i\":\"9f0e186d-5e7d-495b-968b-65a909a63c78\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9f0e186d-5e7d-495b-968b-65a909a63c78\",\"title\":\"Plugin Average 
Duration\",\"type\":\"visualization\",\"version\":\"7.15.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"f71897e4-f55e-4fb5-93e1-8825546d3116\",\"w\":48,\"x\":0,\"y\":17},\"panelIndex\":\"f71897e4-f55e-4fb5-93e1-8825546d3116\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Processes - Plugins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ebde770-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index e3f3fa0368..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"11dfd31e-217a-468c-b9a4-1d171916550b\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11dfd31e-217a-468c-b9a4-1d171916550b\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"ecfdce59-b9f9-4b92-bf44-fc2b0b30940e\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"ecfdce59-b9f9-4b92-bf44-fc2b0b30940e\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"8e87968f-419b-416a-88b4-69575d6ca6c8\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"8e87968f-419b-416a-88b4-69575d6ca6c8\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"d8250cb1-181e-4c67-8a07-2b5adaa631e1\",\"w\":12,\"x\":0,\"y\":17},\"panelIndex\":\"d8250cb1-181e-4c67-8a07-2b5adaa631e1\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"10e16f9a-7072-491a-a67f-3b37e4d2d6fe\",\"w\":9,\"x\":12,\"y\":17},\"panelIndex\":\"10e16f9a-7072-491a-a67f-3b37e4d2d6fe\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"4e305609-b4cd-47c1-b927-9bbb1905f879\",\"w\":9,\"x\":21,\"y\":17},\"panelIndex\":\"4e305609-b4cd-47c1-b927-9bbb1905f879\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"50d3505b-77d3-4128-a8f2-dd42c7e33ac0\",\"w\":18,\"x\":30,\"y\":17},\"panelIndex\":\"50d3505b-77d3-4128-a8f2-dd42c7e33ac0\",\"panelRefName\":\"pane
l_6\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5added44-f55b-4d64-bac0-af8514792e8c\",\"w\":48,\"x\":0,\"y\":36},\"panelIndex\":\"5added44-f55b-4d64-bac0-af8514792e8c\",\"panelRefName\":\"panel_7\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connector Return Code", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-7c5c1ef0-fa03-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "panel_7", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 64441e3537..0000000000 
--- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"bbd62230-da7b-4a8d-8048-164a39c870a6\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"bbd62230-da7b-4a8d-8048-164a39c870a6\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"006c196d-830d-4713-bf84-1bf393366bdc\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"006c196d-830d-4713-bf84-1bf393366bdc\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Dataset - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8187dcb0-fa04-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json deleted file mode 100755 index 6c461459fa..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b525b8b8-13fc-4a51-82b0-233acc227625\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"b525b8b8-13fc-4a51-82b0-233acc227625\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16f346a5-a0bf-421a-ba88-c678b4fffb2a\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"16f346a5-a0bf-421a-ba88-c678b4fffb2a\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c23d8833-8154-4aa8-af8e-44dccd8cc199\",\"w\":16,\"x\":0,\"y\":15},\"panelIndex\":\"c23d8833-8154-4aa8-af8e-44dccd8cc199\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"085c710d-1038-4a6a-be6f-21039079b15b\",\"w\":16,\"x\":16,\"y\":15},\"panelIndex\":\"085c710d-1038-4a6a-be6f-21039079b15b\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"33ae3b0f-db67-48f5-abb8-192c029c5d98\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"33ae3b0f-db67-48f5-abb8-192c029c5d98\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a70a3621-2a8e-48ed-8870-201731c7e08a\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"a70a3621-2a8e-48ed-8870-201731c7e08a\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Replication (Windows Event)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-91029280-0520-11ec-853c-2bf1ec8ddeef", 
- "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef", - "name": "panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index d28ef16730..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"486bc4b4-3c64-46f8-a319-01204f38c3be\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"486bc4b4-3c64-46f8-a319-01204f38c3be\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"b5abbb3d-eb82-45a8-a972-13b692b11c16\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"b5abbb3d-eb82-45a8-a972-13b692b11c16\",\"panelRefName\":\"panel_1\",\"title\":\"Users: Pages: Node Usage\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"f1b6be80-c65b-4d88-861a-e8a66275bd62\",\"w\":10,\"x\":0,\"y\":10},\"panelIndex\":\"f1b6be80-c65b-4d88-861a-e8a66275bd62\",\"panelRefName\":\"panel_2\",\"title\":\"Users: Pages: User Logins\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"09961de3-ede6-4ecf-a45a-ebe3040366f0\",\"w\":38,\"x\":10,\"y\":10},\"panelIndex\":\"09961de3-ede6-4ecf-a45a-ebe3040366f0\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"144da17a-d86d-49a2-9dfa-db606fb73c54\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"144da17a-d86d-49a2-9dfa-db606fb73c54\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Pages", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a8739000-f9fd-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243", - "name": "panel_4", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 656bd39b30..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"5d50c25d-870c-4aa5-a1f9-5c79904db3d1\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"5d50c25d-870c-4aa5-a1f9-5c79904db3d1\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"11298d56-d098-45e3-b23a-6992c24c5652\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"11298d56-d098-45e3-b23a-6992c24c5652\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Administrative - Password Resets", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a9ea8420-f9f3-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json deleted file mode 100755 index 9e7e6d4034..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84ac5874-8913-4514-8d51-f2b3cd522a49\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"84ac5874-8913-4514-8d51-f2b3cd522a49\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":30,\"i\":\"9f39a308-2152-471a-911f-5bb8e316262e\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"9f39a308-2152-471a-911f-5bb8e316262e\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93f64f12-ac6d-4462-96c2-53d0c477a0ca\",\"w\":11,\"x\":0,\"y\":15},\"panelIndex\":\"93f64f12-ac6d-4462-96c2-53d0c477a0ca\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"87039932-a528-4dba-875e-bed137149330\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"87039932-a528-4dba-875e-bed137149330\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Workflow - Summary (Windows Event)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b0fd1f50-06a2-11ec-a72d-e52b79e13120", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 02dd9de7a8..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9ccdc869-ebc2-4871-a11a-8d594aff7ccd\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"9ccdc869-ebc2-4871-a11a-8d594aff7ccd\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"b68e2e9c-13fa-4a90-baa2-40caefe3cb38\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"b68e2e9c-13fa-4a90-baa2-40caefe3cb38\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connector Performance", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b66f3780-fa03-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 4bf412d86b..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f5d8eb70-30ce-4899-9905-2aa35954d01d\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f5d8eb70-30ce-4899-9905-2aa35954d01d\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a5499566-62cb-421c-8276-7a9398643a06\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"a5499566-62cb-421c-8276-7a9398643a06\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5fc759c3-9678-4b3c-b0d5-dcfad77adfe8\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"5fc759c3-9678-4b3c-b0d5-dcfad77adfe8\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84970d7a-efbd-451d-9619-25381510ab94\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"84970d7a-efbd-451d-9619-25381510ab94\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Replication (Logs)", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b9bc5190-fa01-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 7315087291..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"f71be298-074a-43c0-a3fe-1035fd98a8a7\",\"w\":6,\"x\":0,\"y\":0},\"panelIndex\":\"f71be298-074a-43c0-a3fe-1035fd98a8a7\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"b80b0e2a-b786-48ec-88a5-bc8104ddbd42\",\"w\":42,\"x\":6,\"y\":0},\"panelIndex\":\"b80b0e2a-b786-48ec-88a5-bc8104ddbd42\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"60432682-b874-48c8-9b8b-3bbf4e650385\",\"w\":12,\"x\":0,\"y\":13},\"panelIndex\":\"60432682-b874-48c8-9b8b-3bbf4e650385\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"2af36389-5601-4930-b3ec-b44c671c56ff\",\"w\":13,\"x\":12,\"y\":13},\"panelIndex\":\"2af36389-5601-4930-b3ec-b44c671c56ff\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"ed2e421f-36f7-4501-9e4e-34ddae454f07\",\"w\":23,\"x\":25,\"y\":13},\"panelIndex\":\"ed2e421f-36f7-4501-9e4e-34ddae454f07\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"7dd049bb-de23-4838-9bec-3d66ef9c07bc\",\"w\":48,\"x\":0,\"y\":31},\"panelIndex\":\"7dd049bb-de23-4838-9bec-3d66ef9c07bc\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - API", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c5417bd0-f9fc-11eb-a1ab-1964dffd1499", - "migrationVersion": { - 
"dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_5", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json deleted file mode 100755 index c5ba0bc63a..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"5d934c5f-f909-4f75-a036-ac6253f5f974\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"5d934c5f-f909-4f75-a036-ac6253f5f974\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"7d27410b-537a-4c95-a1d8-8a64f363b90c\",\"w\":39,\"x\":9,\"y\":0},\"panelIndex\":\"7d27410b-537a-4c95-a1d8-8a64f363b90c\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"27bdc4ea-7adc-4dee-9526-402fb6ec6d8b\",\"w\":30,\"x\":0,\"y\":18},\"panelIndex\":\"27bdc4ea-7adc-4dee-9526-402fb6ec6d8b\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"4c4f5228-f158-4ccc-afa5-e90d73bca46d\",\"w\":18,\"x\":30,\"y\":18},\"panelIndex\":\"4c4f5228-f158-4ccc-afa5-e90d73bca46d\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Windows Event Analysis - Logins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-cc6c9cf0-fa06-11eb-96cd-db0fb11a40f3", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 0b45fe2cd7..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"b8ac330d-572e-459e-9266-bd44fc9ac283\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"b8ac330d-572e-459e-9266-bd44fc9ac283\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"3316ec90-b61b-4f5a-9c43-02e7bda7604f\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"3316ec90-b61b-4f5a-9c43-02e7bda7604f\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d17be4f0-f9fa-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index ec02c160af..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"a8b8efc3-5a4e-470b-9229-7ad661fb5012\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"a8b8efc3-5a4e-470b-9229-7ad661fb5012\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"aea7ed7d-82b6-4939-975e-fd4deb845e39\",\"w\":8,\"x\":0,\"y\":13},\"panelIndex\":\"aea7ed7d-82b6-4939-975e-fd4deb845e39\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"def5b420-7c49-4363-a30f-7c0c6c13929d\",\"w\":8,\"x\":8,\"y\":13},\"panelIndex\":\"def5b420-7c49-4363-a30f-7c0c6c13929d\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"f3e25e5c-0f66-4eb3-916e-8243184f2b0d\",\"w\":8,\"x\":16,\"y\":13},\"panelIndex\":\"f3e25e5c-0f66-4eb3-916e-8243184f2b0d\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"c04915c9-e5d6-4c1f-815a-efc1c0b35c7d\",\"w\":8,\"x\":24,\"y\":13},\"panelIndex\":\"c04915c9-e5d6-4c1f-815a-efc1c0b35c7d\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"b7966004-1c02-4fa5-a8ce-5a3362adfb5a\",\"w\":16,\"x\":32,\"y\":13},\"panelIndex\":\"b7966004-1c02-4fa5-a8ce-5a3362adfb5a\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1efe3f34-de43-4ffb-992d-8b21cbb771a0\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"1efe3f34-de43-4ffb-992d-8b21cbb771a0\",\"panelRefName\":\"panel_6\",
\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"81a7ce31-d928-48c7-9b8d-acd00a43d08e\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"81a7ce31-d928-48c7-9b8d-acd00a43d08e\",\"panelRefName\":\"panel_7\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Integrations - Connectors", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d3a33820-fa02-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289", - "name": "panel_7", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 678b3b629f..0000000000 
--- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"5d1eb62a-f7dd-4f14-8961-96a768f70c07\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5d1eb62a-f7dd-4f14-8961-96a768f70c07\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"013b41ba-55b7-4ed3-9c9e-5c3984651cd8\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"013b41ba-55b7-4ed3-9c9e-5c3984651cd8\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"d68fe28e-8def-4ea8-b848-ef2b97430924\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"d68fe28e-8def-4ea8-b848-ef2b97430924\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"63b07db7-cd19-4cb8-839d-e7801ef7c5f8\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"63b07db7-cd19-4cb8-839d-e7801ef7c5f8\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Users - Authentication", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d59177c0-f9fb-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215", - "name": "panel_2", - "type": "visualization" - }, - { - "id": 
"hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 3a21872d84..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"ef0f2d41-363f-4573-b92a-9ecb0af8b1fd\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"ef0f2d41-363f-4573-b92a-9ecb0af8b1fd\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"bb8e09a0-aadf-48a8-a5a9-af581d3b42d1\",\"w\":37,\"x\":11,\"y\":0},\"panelIndex\":\"bb8e09a0-aadf-48a8-a5a9-af581d3b42d1\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "[Bravura Monitor] Database - Summary", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db22d850-fa00-11eb-a1ab-1964dffd1499", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa", - "name": "panel_1", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json deleted file mode 100755 index 5d1e91e916..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499.json +++ /dev/null 
@@ -1,45 +0,0 @@
-{
- "attributes": {
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"7fcb881a-1fac-40f3-8344-abc9d970bea0\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"7fcb881a-1fac-40f3-8344-abc9d970bea0\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"41db8b4e-a061-4e68-a8dc-4fe557771bdc\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"41db8b4e-a061-4e68-a8dc-4fe557771bdc\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"67513776-5611-456a-bafd-42938542c90a\",\"w\":48,\"x\":0,\"y\":18},\"panelIndex\":\"67513776-5611-456a-bafd-42938542c90a\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"25a4e2bd-b92e-445c-bec4-15ca828c88a8\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"25a4e2bd-b92e-445c-bec4-15ca828c88a8\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]",
- "timeRestore": false,
- "title": "[Bravura Monitor] Database - Stored Procedure Performance",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-e9fa5320-fa01-11eb-a1ab-1964dffd1499",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": 
"hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289",
- "name": "panel_3",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json b/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json
deleted file mode 100755
index 44afdf5fe9..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/dashboard/hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499.json
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- "attributes": {
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"05d010e5-934c-4b70-ad98-d3b3a191b9e2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"05d010e5-934c-4b70-ad98-d3b3a191b9e2\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"8ffb10cd-0ea2-4036-8003-8c65e128a201\",\"w\":11,\"x\":0,\"y\":14},\"panelIndex\":\"8ffb10cd-0ea2-4036-8003-8c65e128a201\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"674a1c30-76cd-429f-a9e6-941aef3e982d\",\"w\":37,\"x\":11,\"y\":14},\"panelIndex\":\"674a1c30-76cd-429f-a9e6-941aef3e982d\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a75010c7-9c3b-44c2-bf63-676e9aebd54e\",\"w\":48,\"x\":0,\"y\":33},\"panelIndex\":\"a75010c7-9c3b-44c2-bf63-676e9aebd54e\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0\"}]",
- "timeRestore": false,
- "title": "[Bravura Monitor] API - Summary",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-f8112090-fa03-11eb-a1ab-1964dffd1499",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": 
"hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289",
- "name": "panel_3",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index 14951ba72f..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"hid_bravura_monitor.perf.function : *Search*\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Search Stored Procedures", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json deleted file mode 100755 index a97c94b1ee..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Hitachi ID Windows Event Logs", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index cab36ac889..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"error\",\"warning\",\"critical\"],\"type\":\"phrases\",\"value\":\"error, warning, critical\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"error\"}},{\"match_phrase\":{\"log.level\":\"warning\"}},{\"match_phrase\":{\"log.level\":\"critical\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Windows Event Log Problems", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json deleted file mode 100755 index d315f3429e..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo
.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk
_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"host.architecture\",\"ho
st.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.level\",\"log.logger\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"message\",\"network.application\"
,\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.co
de_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"registry.data.byt
es\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"s
ource.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\
"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.domain\",\"user.email\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.roles\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\
"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"winlog.activity_id\",\"winlog.api\",\"winlog.channel\",\"winlog.computer_name\",\"winlog.event_data.Address\",\"winlog.event_data.AdvancedOptions\",\"winlog.event_data.AlgorithmName\",\"winlog.event_data.AppId\",\"winlog.event_data.AuthenticationPackageName\",\"winlog.event_data.Binary\",\"winlog.event_data.BitlockerUserInputTime\",\"winlog.event_data.BootAppStatus\",\"winlog.event_data.BootMenuPolicy\",\"winlog.event_data.BootMode\",\"winlog.event_data.BootType\",\"winlog.event_data.BugcheckCode\",\"winlog.event_data.BugcheckParameter1\",\"winlog.event_data.BugcheckParameter2\",\"winlog.event_data.BugcheckParameter3\",\"winlog.event_data.BugcheckParameter4\",\"winlog.event_data.BuildVersion\",\"winlog.event_data.CallerProcessId\",\"winlog.event_data.CallerProcessName\",\"winlog.event_data.Checkpoint\",\"winlog.event_data.Company\",\"winlog.event_data.Config\",\"winlog.event_data.ConfigAccessPolicy\",\"winlog.event_data.ConfigurationReader\",\"winlog.event_data.ConnectedStandbyInProgress\",\"winlog.event_data.CorruptionActionState\",\"winlog.event_data.CreationUtcTime\",\"winlog.event_data.CsEntryScenarioInstanceId\",\"winlog.event_data.Default SD 
String:\",\"winlog.event_data.Description\",\"winlog.event_data.Detail\",\"winlog.event_data.DeviceName\",\"winlog.event_data.DeviceNameLength\",\"winlog.event_data.DeviceTime\",\"winlog.event_data.DeviceVersionMajor\",\"winlog.event_data.DeviceVersionMinor\",\"winlog.event_data.DirtyPages\",\"winlog.event_data.DisableIntegrityChecks\",\"winlog.event_data.DriveName\",\"winlog.event_data.DriverName\",\"winlog.event_data.DriverNameLength\",\"winlog.event_data.DwordVal\",\"winlog.event_data.ElevatedToken\",\"winlog.event_data.EnableDisableReason\",\"winlog.event_data.EntryCount\",\"winlog.event_data.ErrorCode\",\"winlog.event_data.ExtraInfo\",\"winlog.event_data.ExtraInfoLength\",\"winlog.event_data.ExtraInfoString\",\"winlog.event_data.FailureName\",\"winlog.event_data.FailureNameLength\",\"winlog.event_data.FileVersion\",\"winlog.event_data.FilterID\",\"winlog.event_data.FinalStatus\",\"winlog.event_data.FlightSigning\",\"winlog.event_data.Group\",\"winlog.event_data.HiveName\",\"winlog.event_data.HiveNameLength\",\"winlog.event_data.HypervisorDebug\",\"winlog.event_data.HypervisorLaunchType\",\"winlog.event_data.HypervisorLoadOptions\",\"winlog.event_data.IdleImplementation\",\"winlog.event_data.IdleStateCount\",\"winlog.event_data.ImpersonationLevel\",\"winlog.event_data.IntegrityLevel\",\"winlog.event_data.Interface\",\"winlog.event_data.IpAddress\",\"winlog.event_data.IpPort\",\"winlog.event_data.IsTestConfig\",\"winlog.event_data.KernelDebug\",\"winlog.event_data.KeyFilePath\",\"winlog.event_data.KeyLength\",\"winlog.event_data.KeyName\",\"winlog.event_data.KeyType\",\"winlog.event_data.KeysUpdated\",\"winlog.event_data.LastBootGood\",\"winlog.event_data.LastShutdownGood\",\"winlog.event_data.ListenerAdapterProtocol\",\"winlog.event_data.LmPackageName\",\"winlog.event_data.LoadOptions\",\"winlog.event_data.LogonGuid\",\"winlog.event_data.LogonId\",\"winlog.event_data.LogonProcessName\",\"winlog.event_data.LogonType\",\"winlog.event_data.MajorVersion\",\"winlog.e
vent_data.MandatoryLabel\",\"winlog.event_data.MaximumPerformancePercent\",\"winlog.event_data.MemberName\",\"winlog.event_data.MemberSid\",\"winlog.event_data.MinimumPerformancePercent\",\"winlog.event_data.MinimumThrottlePercent\",\"winlog.event_data.MinorVersion\",\"winlog.event_data.NewProcessId\",\"winlog.event_data.NewProcessName\",\"winlog.event_data.NewSchemeGuid\",\"winlog.event_data.NewSize\",\"winlog.event_data.NewTime\",\"winlog.event_data.NominalFrequency\",\"winlog.event_data.Number\",\"winlog.event_data.OldSchemeGuid\",\"winlog.event_data.OldTime\",\"winlog.event_data.Operation\",\"winlog.event_data.OriginalFileName\",\"winlog.event_data.OriginalSize\",\"winlog.event_data.PackageName\",\"winlog.event_data.Path\",\"winlog.event_data.PerformanceImplementation\",\"winlog.event_data.PowerButtonTimestamp\",\"winlog.event_data.PreviousCreationUtcTime\",\"winlog.event_data.PreviousTime\",\"winlog.event_data.PrivilegeList\",\"winlog.event_data.ProcessId\",\"winlog.event_data.ProcessName\",\"winlog.event_data.ProcessPath\",\"winlog.event_data.ProcessPid\",\"winlog.event_data.Product\",\"winlog.event_data.ProtocolType\",\"winlog.event_data.ProviderName\",\"winlog.event_data.PuaCount\",\"winlog.event_data.PuaPolicyId\",\"winlog.event_data.QfeVersion\",\"winlog.event_data.Reason\",\"winlog.event_data.RemoteEventLogging\",\"winlog.event_data.RestrictedAdminMode\",\"winlog.event_data.ReturnCode\",\"winlog.event_data.RunningMode\",\"winlog.event_data.SchemaVersion\",\"winlog.event_data.ScriptBlockText\",\"winlog.event_data.ServiceName\",\"winlog.event_data.ServiceVersion\",\"winlog.event_data.ShutdownActionType\",\"winlog.event_data.ShutdownEventCode\",\"winlog.event_data.ShutdownReason\",\"winlog.event_data.Signature\",\"winlog.event_data.SignatureStatus\",\"winlog.event_data.Signed\",\"winlog.event_data.SleepInProgress\",\"winlog.event_data.StartTime\",\"winlog.event_data.State\",\"winlog.event_data.Status\",\"winlog.event_data.StopTime\",\"winlog.event_data.Subje
ctDomainName\",\"winlog.event_data.SubjectLogonId\",\"winlog.event_data.SubjectUserName\",\"winlog.event_data.SubjectUserSid\",\"winlog.event_data.SystemSleepTransitionsToOn\",\"winlog.event_data.TSId\",\"winlog.event_data.TargetDomainName\",\"winlog.event_data.TargetInfo\",\"winlog.event_data.TargetLinkedLogonId\",\"winlog.event_data.TargetLogonGuid\",\"winlog.event_data.TargetLogonId\",\"winlog.event_data.TargetOutboundDomainName\",\"winlog.event_data.TargetOutboundUserName\",\"winlog.event_data.TargetServerName\",\"winlog.event_data.TargetSid\",\"winlog.event_data.TargetUserName\",\"winlog.event_data.TargetUserSid\",\"winlog.event_data.TerminalSessionId\",\"winlog.event_data.TestSigning\",\"winlog.event_data.TimeSource\",\"winlog.event_data.TokenElevationType\",\"winlog.event_data.TransmittedServices\",\"winlog.event_data.UserSid\",\"winlog.event_data.Version\",\"winlog.event_data.VirtualAccount\",\"winlog.event_data.VsmLaunchType\",\"winlog.event_data.VsmPolicy\",\"winlog.event_data.Workstation\",\"winlog.event_data.param1\",\"winlog.event_data.param10\",\"winlog.event_data.param11\",\"winlog.event_data.param12\",\"winlog.event_data.param2\",\"winlog.event_data.param3\",\"winlog.event_data.param4\",\"winlog.event_data.param5\",\"winlog.event_data.param6\",\"winlog.event_data.param7\",\"winlog.event_data.param8\",\"winlog.event_data.param9\",\"winlog.event_data.serviceGuid\",\"winlog.event_data.updateGuid\",\"winlog.event_data.updateRevisionNumber\",\"winlog.event_data.updateTitle\",\"winlog.event_id\",\"winlog.keywords\",\"winlog.logon.failure.status\",\"winlog.logon.id\",\"winlog.logon.type\",\"winlog.opcode\",\"winlog.process.pid\",\"winlog.process.thread.id\",\"winlog.provider_guid\",\"winlog.provider_name\",\"winlog.record_id\",\"winlog.related_activity_id\",\"winlog.task\",\"winlog.user.domain\",\"winlog.user.identifier\",\"winlog.user.name\",\"winlog.user.type\",\"winlog.user_data.Reason\",\"winlog.user_data.binaryData\",\"winlog.user_data.binaryDataSize\"
,\"winlog.user_data.param1\",\"winlog.user_data.param2\",\"winlog.user_data.xml_name\",\"winlog.version\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":[\"logged-in\",\"logged-in-special\"],\"type\":\"phrases\",\"value\":\"logged-in, logged-in-special\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.action\":\"logged-in\"}},{\"match_phrase\":{\"event.action\":\"logged-in-special\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Windows Event Log Logins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json deleted file mode 100755 index 434c4272a2..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfReplication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfReplication\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Database: Replication: Search", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 50b65c5ba3..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [ - "message", - "host.name", - "log.level", - "log.logger" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"Warning\",\"Error\"],\"type\":\"phrases\",\"value\":\"Warning, Error\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"Warning\"}},{\"match_phrase\":{\"log.level\":\"Error\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "IDM Suite Errors and Warnings", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index d8a9246524..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"log.logger: plugin_*\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfExe - Plugins", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ae380d7a7e..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":[\"iddiscover.exe\",\"pamlws.exe\"],\"type\":\"phrases\",\"value\":\"iddiscover.exe, pamlws.exe\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.logger\":\"iddiscover.exe\"}},{\"match_phrase\":{\"log.logger\":\"pamlws.exe\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Discovery Stored Procedures",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json
deleted file mode 100755
index 4f92395e4e..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "attributes": {
- "columns": [],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfExe", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b67cb2881a..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Dataset", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json deleted file mode 100755 index 21f0920379..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"81\",\"82\",\"83\",\"84\",\"85\"],\"type\":\"phrases\",\"value\":\"81, 82, 83, 84, 85\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"81\"}},{\"match_phrase\":{\"event.code\":\"82\"}},{\"match_phrase\":{\"event.code\":\"83\"}},{\"match_phrase\":{\"event.code\":\"84\"}},{\"match_phrase\":{\"event.code\":\"85\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Hitachi ID Windows Event Logs - Workflow", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": 
"search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 78345eb6c9..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Connector Return Code",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json
deleted file mode 100755
index c617f5e303..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":true,\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"hid_bravura_monitor.perf.transid\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Users: Pages: Search",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index b8bd09d7f6..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "attributes": {
- "columns": [
- "host.name",
- "hid_bravura_monitor.perf.duration",
- "hid_bravura_monitor.perf.caller",
- "log.logger"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instanc
e.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registere
d_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logg
er\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_a
fter\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.des
tination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.gro
up.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.or
iginal\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_
table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress
.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signatur
e.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha
256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles
\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organiz
ational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"ur
l.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_provin
ce\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfSproc\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfSproc\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfSproc", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 777347bc45..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "hid_bravura_monitor.perf.duration", - "log.logger", - "hid_bravura_monitor.perf.user", - "hid_bravura_monitor.perf.kernel", - "process.pid", - "process.thread.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zon
e\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.que
stion.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source
\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_uni
t\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bra
vura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"hos
t.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line
\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_tabl
e\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress
.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.
code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action
\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"sour
ce.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x
509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.acc
ess.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x50
9.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"NOT log.logger: plugin_*\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfExe - Executables", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 08411d94b0..0000000000 
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "log.logger", - "input.type", - "hid_bravura_monitor.perf.function", - "host.name", - "@timestamp", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud
.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.r
egistered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slow
log.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x5
09.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.
perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.
user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",
\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slow
log.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer
.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_
signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certifi
cate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.us
er.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject
.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domai
n\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_o
r_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfIDAPI\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfIDAPI\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfIDAPI", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json deleted file mode 100755 index 1933bda0f2..0000000000 
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef.json
+++ /dev/null
@@ -1,44 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"8\",\"9\",\"10\",\"6\",\"78\"],\"type\":\"phrases\",\"value\":\"8, 9, 10, 6, 78\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"8\"}},{\"match_phrase\":{\"event.code\":\"9\"}},{\"match_phrase\":{\"event.code\":\"10\"}},{\"match_phrase\":{\"event.code\":\"6\"}},{\"match_phrase\":{\"event.code\":\"78\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Hitachi ID Windows Event Logs - Replication", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a787d10-0521-11ec-853c-2bf1ec8ddeef", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - 
], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index baafc6c4e5..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":[\"ajaxsvc.exe\",\"psf.exe\",\"psa.exe\"],\"type\":\"phrases\",\"value\":\"ajaxsvc.exe, psf.exe, psa.exe\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.logger\":\"ajaxsvc.exe\"}},{\"match_phrase\":{\"log.logger\":\"psf.exe\"}},{\"match_phrase\":{\"log.logger\":\"psa.exe\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.level\",\"negate\":false,\"params\":[\"Error\",\"Warning\"],\"type\":\"phrases\",\"value\":\"Error, Warning\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"log.level\":\"Error\"}},{\"match_phrase\":{\"log.level\":\"Warning\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"user.id\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"user.id\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "User Issue Logs", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 7d2a1af5bf..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfAjax\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfAjax\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfAjax", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json deleted file mode 100755 index 1dcfec3f81..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Database Events", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-be8c8b60-874f-11eb-a5be-4d72a1654030", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index f0c5cffd71..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region
\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_
ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\"
,\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509
.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.per
f.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",
\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priori
ty\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",
\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"obse
rver.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_
line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"s
anta.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity
_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\"
,\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.pa
ssword\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.pu
blic_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "PerfConnector",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-bfc7f7c0-1473-11eb-bb7b-bb041e8cf289",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index c6b4369c88..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "attributes": {
- "columns": [
- "host.name",
- "hid_bravura_monitor.request.id",
- "log.logger",
- "hid_bravura_monitor.perf.duration",
- "process.pid",
- "process.thread.id"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\
",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\",\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.q
uestion.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.sl
owlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.slowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issue
r.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curve\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbc
ommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\"
,\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"host.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.
name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"log.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.t
mp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.log.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer
.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subjec
t_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificat
e.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.disk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"sour
ce.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organizat
ion\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\"
,\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organization
al_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_curve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfIDWFM\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfIDWFM\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfIDWFM", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json deleted file mode 100755 index 122f899b44..0000000000 
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- "attributes": {
- "columns": [
- "message"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Hitachi-Hitachi ID Systems-Hitachi ID Suite\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"28\",\"29\",\"30\",\"31\",\"32\",\"33\",\"52\",\"53\",\"54\",\"55\",\"56\",\"57\",\"58\",\"59\",\"60\",\"61\",\"62\",\"63\",\"64\",\"65\",\"66\",\"67\",\"68\",\"69\",\"70\",\"71\",\"72\",\"73\",\"121\"],\"type\":\"phrases\",\"value\":\"28, 29, 30, 31, 32, 33, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 
121\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"28\"}},{\"match_phrase\":{\"event.code\":\"29\"}},{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}},{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}},{\"match_phrase\":{\"event.code\":\"52\"}},{\"match_phrase\":{\"event.code\":\"53\"}},{\"match_phrase\":{\"event.code\":\"54\"}},{\"match_phrase\":{\"event.code\":\"55\"}},{\"match_phrase\":{\"event.code\":\"56\"}},{\"match_phrase\":{\"event.code\":\"57\"}},{\"match_phrase\":{\"event.code\":\"58\"}},{\"match_phrase\":{\"event.code\":\"59\"}},{\"match_phrase\":{\"event.code\":\"60\"}},{\"match_phrase\":{\"event.code\":\"61\"}},{\"match_phrase\":{\"event.code\":\"62\"}},{\"match_phrase\":{\"event.code\":\"63\"}},{\"match_phrase\":{\"event.code\":\"64\"}},{\"match_phrase\":{\"event.code\":\"65\"}},{\"match_phrase\":{\"event.code\":\"66\"}},{\"match_phrase\":{\"event.code\":\"67\"}},{\"match_phrase\":{\"event.code\":\"68\"}},{\"match_phrase\":{\"event.code\":\"69\"}},{\"match_phrase\":{\"event.code\":\"70\"}},{\"match_phrase\":{\"event.code\":\"71\"}},{\"match_phrase\":{\"event.code\":\"72\"}},{\"match_phrase\":{\"event.code\":\"73\"}},{\"match_phrase\":{\"event.code\":\"121\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [],
- "title": "Hitachi ID Windows Event Logs - Administrative",
- "version": 1
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": 
"index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index b7502c0511..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/search/hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"fieldsFromSource\":[\"@timestamp\",\"_id\",\"_index\",\"_score\",\"_source\",\"_type\",\"agent.build.original\",\"agent.ephemeral_id\",\"agent.hostname\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"apache.access.ssl.cipher\",\"apache.access.ssl.protocol\",\"apache.error.integration\",\"as.number\",\"as.organization.name\",\"as.organization.name.text\",\"auditd.log.a0\",\"auditd.log.addr\",\"auditd.log.item\",\"auditd.log.items\",\"auditd.log.laddr\",\"auditd.log.lport\",\"auditd.log.new_auid\",\"auditd.log.new_ses\",\"auditd.log.old_auid\",\"auditd.log.old_ses\",\"auditd.log.rport\",\"auditd.log.sequence\",\"auditd.log.tty\",\"azure.consumer_group\",\"azure.enqueued_time\",\"azure.eventhub\",\"azure.offset\",\"azure.partition_id\",\"azure.sequence_number\",\"client.address\",\"client.as.number\",\"client.as.organization.name\",\"client.as.organization.name.text\",\"client.bytes\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.location\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.ip\",\"client.mac\",\"client.nat.ip\",\"client.nat.port\",\"client.packets\",\"client.port\",\"client.registered_domain\",\"client.subdomain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.full_name.text\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"client.user.name.text\",\"client.user.roles\",\"cloud.account.id\",\"cloud.account.name\",\"cloud.availability_zone\",\"cloud.image.id\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.project.id\",\"cloud.project.name\",\"cloud.provider\"
,\"cloud.region\",\"code_signature.exists\",\"code_signature.status\",\"code_signature.subject_name\",\"code_signature.trusted\",\"code_signature.valid\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.number\",\"destination.as.organization.name\",\"destination.as.organization.name.text\",\"destination.bytes\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.location\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.ip\",\"destination.mac\",\"destination.nat.ip\",\"destination.nat.port\",\"destination.packets\",\"destination.port\",\"destination.registered_domain\",\"destination.subdomain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.full_name.text\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"destination.user.name.text\",\"destination.user.roles\",\"dll.code_signature.exists\",\"dll.code_signature.status\",\"dll.code_signature.subject_name\",\"dll.code_signature.trusted\",\"dll.code_signature.valid\",\"dll.hash.md5\",\"dll.hash.sha1\",\"dll.hash.sha256\",\"dll.hash.sha512\",\"dll.name\",\"dll.path\",\"dll.pe.architecture\",\"dll.pe.company\",\"dll.pe.description\",\"dll.pe.file_version\",\"dll.pe.imphash\",\"dll.pe.original_file_name\",\"dll.pe.product\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.ttl\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",
\"dns.resolved_ip\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"elasticsearch.audit.action\",\"elasticsearch.audit.event_type\",\"elasticsearch.audit.indices\",\"elasticsearch.audit.layer\",\"elasticsearch.audit.message\",\"elasticsearch.audit.origin.type\",\"elasticsearch.audit.realm\",\"elasticsearch.audit.request.id\",\"elasticsearch.audit.request.name\",\"elasticsearch.audit.url.params\",\"elasticsearch.audit.user.realm\",\"elasticsearch.audit.user.roles\",\"elasticsearch.cluster.name\",\"elasticsearch.cluster.uuid\",\"elasticsearch.component\",\"elasticsearch.gc.heap.size_kb\",\"elasticsearch.gc.heap.used_kb\",\"elasticsearch.gc.jvm_runtime_sec\",\"elasticsearch.gc.old_gen.size_kb\",\"elasticsearch.gc.old_gen.used_kb\",\"elasticsearch.gc.phase.class_unload_time_sec\",\"elasticsearch.gc.phase.cpu_time.real_sec\",\"elasticsearch.gc.phase.cpu_time.sys_sec\",\"elasticsearch.gc.phase.cpu_time.user_sec\",\"elasticsearch.gc.phase.duration_sec\",\"elasticsearch.gc.phase.name\",\"elasticsearch.gc.phase.parallel_rescan_time_sec\",\"elasticsearch.gc.phase.scrub_string_table_time_sec\",\"elasticsearch.gc.phase.scrub_symbol_table_time_sec\",\"elasticsearch.gc.phase.weak_refs_processing_time_sec\",\"elasticsearch.gc.stopping_threads_time_sec\",\"elasticsearch.gc.tags\",\"elasticsearch.gc.threads_total_stop_time_sec\",\"elasticsearch.gc.young_gen.size_kb\",\"elasticsearch.gc.young_gen.used_kb\",\"elasticsearch.index.id\",\"elasticsearch.index.name\",\"elasticsearch.node.id\",\"elasticsearch.node.name\",\"elasticsearch.server.gc.collection_duration.ms\",\"elasticsearch.server.gc.observation_duration.ms\",\"elasticsearch.server.gc.overhead_seq\",\"elasticsearch.server.gc.young.one\",\"elasticsearch.server.gc.young.two\",\"elasticsearch.server.stacktrace\",\"elasticsearch.shard.id\",\"elasticsearch.slowlog.extra_source\",\"elasticsearch.slowlog.id\",\"elasticsearch.slowlog.logger\",\"elasticsearch.slowlog.routing\",\"elasticsearch.slowlog.search_type\",\"elasticsearch.s
lowlog.source\",\"elasticsearch.slowlog.source_query\",\"elasticsearch.slowlog.stats\",\"elasticsearch.slowlog.took\",\"elasticsearch.slowlog.total_hits\",\"elasticsearch.slowlog.total_shards\",\"elasticsearch.slowlog.type\",\"elasticsearch.slowlog.types\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.stack_trace.text\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.created\",\"data_stream.dataset\",\"event.duration\",\"event.end\",\"event.hash\",\"event.id\",\"event.ingested\",\"event.kind\",\"event.integration\",\"event.original\",\"event.outcome\",\"event.provider\",\"event.reason\",\"event.reference\",\"event.risk_score\",\"event.risk_score_norm\",\"event.sequence\",\"event.severity\",\"event.start\",\"event.timezone\",\"event.type\",\"event.url\",\"file.accessed\",\"file.attributes\",\"file.code_signature.exists\",\"file.code_signature.status\",\"file.code_signature.subject_name\",\"file.code_signature.trusted\",\"file.code_signature.valid\",\"file.created\",\"file.ctime\",\"file.device\",\"file.directory\",\"file.drive_letter\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mime_type\",\"file.mode\",\"file.mtime\",\"file.name\",\"file.owner\",\"file.path\",\"file.path.text\",\"file.pe.architecture\",\"file.pe.company\",\"file.pe.description\",\"file.pe.file_version\",\"file.pe.imphash\",\"file.pe.original_file_name\",\"file.pe.product\",\"file.size\",\"file.target_path\",\"file.target_path.text\",\"file.type\",\"file.uid\",\"file.x509.alternative_names\",\"file.x509.issuer.common_name\",\"file.x509.issuer.country\",\"file.x509.issuer.distinguished_name\",\"file.x509.issuer.locality\",\"file.x509.issuer.organization\",\"file.x509.issuer.organizational_unit\",\"file.x509.issuer.state_or_province\",\"file.x509.not_after\",\"file.x509.not_before\",\"file.x509.public_key_algorithm\",\"file.x509.public_key_curv
e\",\"file.x509.public_key_exponent\",\"file.x509.public_key_size\",\"file.x509.serial_number\",\"file.x509.signature_algorithm\",\"file.x509.subject.common_name\",\"file.x509.subject.country\",\"file.x509.subject.distinguished_name\",\"file.x509.subject.locality\",\"file.x509.subject.organization\",\"file.x509.subject.organizational_unit\",\"file.x509.subject.state_or_province\",\"file.x509.version_number\",\"fileset.name\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.location\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"haproxy.backend_name\",\"haproxy.backend_queue\",\"haproxy.bind_name\",\"haproxy.bytes_read\",\"haproxy.connection_wait_time_ms\",\"haproxy.connections.active\",\"haproxy.connections.backend\",\"haproxy.connections.frontend\",\"haproxy.connections.retries\",\"haproxy.connections.server\",\"haproxy.error_message\",\"haproxy.frontend_name\",\"haproxy.http.request.captured_cookie\",\"haproxy.http.request.captured_headers\",\"haproxy.http.request.raw_request_line\",\"haproxy.http.request.time_wait_ms\",\"haproxy.http.request.time_wait_without_data_ms\",\"haproxy.http.response.captured_cookie\",\"haproxy.http.response.captured_headers\",\"haproxy.mode\",\"haproxy.server_name\",\"haproxy.server_queue\",\"haproxy.source\",\"haproxy.tcp.connection_waiting_time_ms\",\"haproxy.termination_state\",\"haproxy.time_backend_connect\",\"haproxy.time_queue\",\"haproxy.total_waiting_time_ms\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"hid_bravura_monitor.instancename\",\"hid_bravura_monitor.node\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.address\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.adminid\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.dbcommand\",\"hid_bravura_monitor.perf.destination\",\"hid_bravura_monitor.perf.duration\",\"hid_bravura_monitor.perf.event\",\"hid_brav
ura_monitor.perf.event\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.exe\",\"hid_bravura_monitor.perf.file\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.function\",\"hid_bravura_monitor.perf.kernel\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.kind\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.message\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.operation\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.receivequeue\",\"hid_bravura_monitor.perf.records\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.result\",\"hid_bravura_monitor.perf.rule\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sessionid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.sysid\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.table\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.targetid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.transid\",\"hid_bravura_monitor.perf.type\",\"hid_bravura_monitor.perf.user\",\"hid_bravura_monitor.request.id\",\"hid_bravura_monitor.request.id\",\"host.architecture\",\"host.containerized\",\"host.domain\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.location\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.ip\",\"host.mac\",\"host.name\",\"host.os.build\",\"host.os.codename\",\"host.os.family\",\"host.os.full\",\"host.os.full.text\",\"host.os.kernel\",\"host.os.name\",\"host.os.name.text\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"host.uptime\",\"host.user.domain\",\"host.user.email\",\"host.user.full_name\",\"host.user.full_name.text\",\"host.user.group.domain\",\"host.user.group.id\",\"host.user.group.name\",\"host.user.hash\",\"host.user.id\",\"host.user.name\",\"host.user.name.text\",\"hos
t.user.roles\",\"http.request.body.bytes\",\"http.request.body.content\",\"http.request.body.content.text\",\"http.request.bytes\",\"http.request.method\",\"http.request.mime_type\",\"http.request.referrer\",\"http.response.body.bytes\",\"http.response.body.content\",\"http.response.body.content.text\",\"http.response.bytes\",\"http.response.mime_type\",\"http.response.status_code\",\"http.version\",\"icinga.debug.facility\",\"icinga.main.facility\",\"icinga.startup.facility\",\"icmp.code\",\"icmp.type\",\"igmp.type\",\"iis.access.cookie\",\"iis.access.server_name\",\"iis.access.site_name\",\"iis.access.sub_status\",\"iis.access.win32_status\",\"iis.error.queue_name\",\"iis.error.reason_phrase\",\"input.type\",\"interface.alias\",\"interface.id\",\"interface.name\",\"jolokia.agent.id\",\"jolokia.agent.version\",\"jolokia.secured\",\"jolokia.server.product\",\"jolokia.server.vendor\",\"jolokia.server.version\",\"jolokia.url\",\"kafka.block_timestamp\",\"kafka.key\",\"kafka.log.class\",\"kafka.log.component\",\"kafka.log.thread\",\"kafka.log.trace.class\",\"kafka.log.trace.message\",\"kafka.offset\",\"kafka.partition\",\"kafka.topic\",\"kibana.add_to_spaces\",\"kibana.authentication_provider\",\"kibana.authentication_realm\",\"kibana.authentication_type\",\"kibana.delete_from_spaces\",\"kibana.log.state\",\"kibana.log.tags\",\"kibana.lookup_realm\",\"kibana.saved_object.id\",\"kibana.saved_object.type\",\"kibana.session_id\",\"kibana.space_id\",\"kubernetes.container.image\",\"kubernetes.container.name\",\"kubernetes.deployment.name\",\"kubernetes.namespace\",\"kubernetes.node.hostname\",\"kubernetes.node.name\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.replicaset.name\",\"kubernetes.statefulset.name\",\"log.file.path\",\"log.flags\",\"log.level\",\"log.logger\",\"log.offset\",\"log.origin.file.line\",\"log.origin.file.name\",\"log.origin.function\",\"log.original\",\"log.source.address\",\"log.syslog.facility.code\",\"log.syslog.facility.name\",\"lo
g.syslog.priority\",\"log.syslog.severity.code\",\"log.syslog.severity.name\",\"logstash.log.integration\",\"logstash.log.pipeline_id\",\"logstash.log.thread\",\"logstash.log.thread.text\",\"logstash.slowlog.event\",\"logstash.slowlog.event.text\",\"logstash.slowlog.integration\",\"logstash.slowlog.plugin_name\",\"logstash.slowlog.plugin_params\",\"logstash.slowlog.plugin_params.text\",\"logstash.slowlog.plugin_type\",\"logstash.slowlog.thread\",\"logstash.slowlog.thread.text\",\"logstash.slowlog.took_in_millis\",\"message\",\"mongodb.log.component\",\"mongodb.log.context\",\"mysql.slowlog.bytes_received\",\"mysql.slowlog.bytes_sent\",\"mysql.slowlog.current_user\",\"mysql.slowlog.filesort\",\"mysql.slowlog.filesort_on_disk\",\"mysql.slowlog.full_join\",\"mysql.slowlog.full_scan\",\"mysql.slowlog.innodb.io_r_bytes\",\"mysql.slowlog.innodb.io_r_ops\",\"mysql.slowlog.innodb.io_r_wait.sec\",\"mysql.slowlog.innodb.pages_distinct\",\"mysql.slowlog.innodb.queue_wait.sec\",\"mysql.slowlog.innodb.rec_lock_wait.sec\",\"mysql.slowlog.innodb.trx_id\",\"mysql.slowlog.killed\",\"mysql.slowlog.last_errno\",\"mysql.slowlog.lock_time.sec\",\"mysql.slowlog.log_slow_rate_limit\",\"mysql.slowlog.log_slow_rate_type\",\"mysql.slowlog.merge_passes\",\"mysql.slowlog.priority_queue\",\"mysql.slowlog.query\",\"mysql.slowlog.query_cache_hit\",\"mysql.slowlog.read_first\",\"mysql.slowlog.read_key\",\"mysql.slowlog.read_last\",\"mysql.slowlog.read_next\",\"mysql.slowlog.read_prev\",\"mysql.slowlog.read_rnd\",\"mysql.slowlog.read_rnd_next\",\"mysql.slowlog.rows_affected\",\"mysql.slowlog.rows_examined\",\"mysql.slowlog.rows_sent\",\"mysql.slowlog.schema\",\"mysql.slowlog.sort_merge_passes\",\"mysql.slowlog.sort_range_count\",\"mysql.slowlog.sort_rows\",\"mysql.slowlog.sort_scan_count\",\"mysql.slowlog.tmp_disk_tables\",\"mysql.slowlog.tmp_table\",\"mysql.slowlog.tmp_table_on_disk\",\"mysql.slowlog.tmp_table_sizes\",\"mysql.slowlog.tmp_tables\",\"mysql.thread_id\",\"nats.log.client.id\",\"nats.l
og.msg.bytes\",\"nats.log.msg.error.message\",\"nats.log.msg.max_messages\",\"nats.log.msg.queue_group\",\"nats.log.msg.reply_to\",\"nats.log.msg.sid\",\"nats.log.msg.subject\",\"nats.log.msg.type\",\"network.application\",\"network.bytes\",\"network.community_id\",\"network.direction\",\"network.forwarded_ip\",\"network.iana_number\",\"network.inner.vlan.id\",\"network.inner.vlan.name\",\"network.name\",\"network.packets\",\"network.protocol\",\"network.transport\",\"network.type\",\"network.vlan.id\",\"network.vlan.name\",\"nginx.error.connection_id\",\"nginx.ingress_controller.http.request.id\",\"nginx.ingress_controller.http.request.length\",\"nginx.ingress_controller.http.request.time\",\"nginx.ingress_controller.upstream.alternative_name\",\"nginx.ingress_controller.upstream.ip\",\"nginx.ingress_controller.upstream.name\",\"nginx.ingress_controller.upstream.port\",\"nginx.ingress_controller.upstream.response.length\",\"nginx.ingress_controller.upstream.response.length_list\",\"nginx.ingress_controller.upstream.response.status_code\",\"nginx.ingress_controller.upstream.response.status_code_list\",\"nginx.ingress_controller.upstream.response.time\",\"nginx.ingress_controller.upstream.response.time_list\",\"nginx.ingress_controller.upstream_address_list\",\"observer.egress.interface.alias\",\"observer.egress.interface.id\",\"observer.egress.interface.name\",\"observer.egress.vlan.id\",\"observer.egress.vlan.name\",\"observer.egress.zone\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.location\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.ingress.interface.alias\",\"observer.ingress.interface.id\",\"observer.ingress.interface.name\",\"observer.ingress.vlan.id\",\"observer.ingress.vlan.name\",\"observer.ingress.zone\",\"observer.ip\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.o
s.full\",\"observer.os.full.text\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.name.text\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"organization.name.text\",\"os.family\",\"os.full\",\"os.full.text\",\"os.kernel\",\"os.name\",\"os.name.text\",\"os.platform\",\"os.version\",\"osquery.result.action\",\"osquery.result.calendar_time\",\"osquery.result.host_identifier\",\"osquery.result.name\",\"osquery.result.unix_time\",\"package.architecture\",\"package.build_version\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.installed\",\"package.license\",\"package.name\",\"package.path\",\"package.reference\",\"package.size\",\"package.type\",\"package.version\",\"pe.architecture\",\"pe.company\",\"pe.description\",\"pe.file_version\",\"pe.imphash\",\"pe.original_file_name\",\"pe.product\",\"postgresql.log.core_id\",\"postgresql.log.database\",\"postgresql.log.error.code\",\"postgresql.log.query\",\"postgresql.log.query_name\",\"postgresql.log.query_step\",\"postgresql.log.timestamp\",\"process.args\",\"process.args_count\",\"process.code_signature.exists\",\"process.code_signature.status\",\"process.code_signature.subject_name\",\"process.code_signature.trusted\",\"process.code_signature.valid\",\"process.command_line\",\"process.command_line.text\",\"process.entity_id\",\"process.executable\",\"process.executable.text\",\"process.exit_code\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.name.text\",\"process.parent.args\",\"process.parent.args_count\",\"process.parent.code_signature.exists\",\"process.parent.code_signature.status\",\"process.parent.code_signature.subject_name\",\"process.parent.code_signature.trusted\",\"process.parent.code_signature.valid\",\"process.parent.command_line\",\"process.
parent.command_line.text\",\"process.parent.entity_id\",\"process.parent.executable\",\"process.parent.executable.text\",\"process.parent.exit_code\",\"process.parent.hash.md5\",\"process.parent.hash.sha1\",\"process.parent.hash.sha256\",\"process.parent.hash.sha512\",\"process.parent.name\",\"process.parent.name.text\",\"process.parent.pe.architecture\",\"process.parent.pe.company\",\"process.parent.pe.description\",\"process.parent.pe.file_version\",\"process.parent.pe.imphash\",\"process.parent.pe.original_file_name\",\"process.parent.pe.product\",\"process.parent.pgid\",\"process.parent.pid\",\"process.parent.ppid\",\"process.parent.start\",\"process.parent.thread.id\",\"process.parent.thread.name\",\"process.parent.title\",\"process.parent.title.text\",\"process.parent.uptime\",\"process.parent.working_directory\",\"process.parent.working_directory.text\",\"process.pe.architecture\",\"process.pe.company\",\"process.pe.description\",\"process.pe.file_version\",\"process.pe.imphash\",\"process.pe.original_file_name\",\"process.pe.product\",\"process.pgid\",\"process.pid\",\"process.ppid\",\"process.program\",\"process.start\",\"process.thread.id\",\"process.thread.name\",\"process.title\",\"process.title.text\",\"process.uptime\",\"process.working_directory\",\"process.working_directory.text\",\"redis.log.role\",\"redis.slowlog.args\",\"redis.slowlog.cmd\",\"redis.slowlog.duration.us\",\"redis.slowlog.id\",\"redis.slowlog.key\",\"registry.data.bytes\",\"registry.data.strings\",\"registry.data.type\",\"registry.hive\",\"registry.key\",\"registry.path\",\"registry.value\",\"related.hash\",\"related.hosts\",\"related.ip\",\"related.user\",\"rule.author\",\"rule.category\",\"rule.description\",\"rule.id\",\"rule.license\",\"rule.name\",\"rule.reference\",\"rule.ruleset\",\"rule.uuid\",\"rule.version\",\"santa.action\",\"santa.certificate.common_name\",\"santa.certificate.sha256\",\"santa.decision\",\"santa.disk.bsdname\",\"santa.disk.bus\",\"santa.disk.fs\",\"santa.d
isk.model\",\"santa.disk.mount\",\"santa.disk.serial\",\"santa.disk.volume\",\"santa.mode\",\"santa.reason\",\"server.address\",\"server.as.number\",\"server.as.organization.name\",\"server.as.organization.name.text\",\"server.bytes\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.location\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.ip\",\"server.mac\",\"server.nat.ip\",\"server.nat.port\",\"server.packets\",\"server.port\",\"server.registered_domain\",\"server.subdomain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.full_name.text\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"server.user.name.text\",\"server.user.roles\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.number\",\"source.as.organization.name\",\"source.as.organization.name.text\",\"source.bytes\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.location\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.ip\",\"source.mac\",\"source.nat.ip\",\"source.nat.port\",\"source.packets\",\"source.port\",\"source.registered_domain\",\"source.subdomain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.full_name.text\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"source.user.name.text\",\"source.user.roles\",\"span.id\",\"stream\",\"syslog.facility\",\"syslog.facility_label\",\"syslog.priority\",\"
syslog.severity_label\",\"system.auth.ssh.dropped_ip\",\"system.auth.ssh.event\",\"system.auth.ssh.method\",\"system.auth.ssh.signature\",\"system.auth.sudo.command\",\"system.auth.sudo.error\",\"system.auth.sudo.pwd\",\"system.auth.sudo.tty\",\"system.auth.sudo.user\",\"system.auth.useradd.home\",\"system.auth.useradd.shell\",\"tags\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.name.text\",\"threat.technique.reference\",\"threat.technique.subtechnique.id\",\"threat.technique.subtechnique.name\",\"threat.technique.subtechnique.name.text\",\"threat.technique.subtechnique.reference\",\"timeseries.instance\",\"tls.cipher\",\"tls.client.certificate\",\"tls.client.certificate_chain\",\"tls.client.hash.md5\",\"tls.client.hash.sha1\",\"tls.client.hash.sha256\",\"tls.client.issuer\",\"tls.client.ja3\",\"tls.client.not_after\",\"tls.client.not_before\",\"tls.client.server_name\",\"tls.client.subject\",\"tls.client.supported_ciphers\",\"tls.client.x509.alternative_names\",\"tls.client.x509.issuer.common_name\",\"tls.client.x509.issuer.country\",\"tls.client.x509.issuer.distinguished_name\",\"tls.client.x509.issuer.locality\",\"tls.client.x509.issuer.organization\",\"tls.client.x509.issuer.organizational_unit\",\"tls.client.x509.issuer.state_or_province\",\"tls.client.x509.not_after\",\"tls.client.x509.not_before\",\"tls.client.x509.public_key_algorithm\",\"tls.client.x509.public_key_curve\",\"tls.client.x509.public_key_exponent\",\"tls.client.x509.public_key_size\",\"tls.client.x509.serial_number\",\"tls.client.x509.signature_algorithm\",\"tls.client.x509.subject.common_name\",\"tls.client.x509.subject.country\",\"tls.client.x509.subject.distinguished_name\",\"tls.client.x509.subject.locality\",\"tls.client.x509.subject.organization\",\"tls.client.x509.subject.organizational_unit\",\"tls.client.x509.subject.state_or_province\",\"tls.client.x509.version_number\
",\"tls.curve\",\"tls.established\",\"tls.next_protocol\",\"tls.resumed\",\"tls.server.certificate\",\"tls.server.certificate_chain\",\"tls.server.hash.md5\",\"tls.server.hash.sha1\",\"tls.server.hash.sha256\",\"tls.server.issuer\",\"tls.server.ja3s\",\"tls.server.not_after\",\"tls.server.not_before\",\"tls.server.subject\",\"tls.server.x509.alternative_names\",\"tls.server.x509.issuer.common_name\",\"tls.server.x509.issuer.country\",\"tls.server.x509.issuer.distinguished_name\",\"tls.server.x509.issuer.locality\",\"tls.server.x509.issuer.organization\",\"tls.server.x509.issuer.organizational_unit\",\"tls.server.x509.issuer.state_or_province\",\"tls.server.x509.not_after\",\"tls.server.x509.not_before\",\"tls.server.x509.public_key_algorithm\",\"tls.server.x509.public_key_curve\",\"tls.server.x509.public_key_exponent\",\"tls.server.x509.public_key_size\",\"tls.server.x509.serial_number\",\"tls.server.x509.signature_algorithm\",\"tls.server.x509.subject.common_name\",\"tls.server.x509.subject.country\",\"tls.server.x509.subject.distinguished_name\",\"tls.server.x509.subject.locality\",\"tls.server.x509.subject.organization\",\"tls.server.x509.subject.organizational_unit\",\"tls.server.x509.subject.state_or_province\",\"tls.server.x509.version_number\",\"tls.version\",\"tls.version_protocol\",\"trace.id\",\"traefik.access.backend_url\",\"traefik.access.frontend_name\",\"traefik.access.geoip.city_name\",\"traefik.access.geoip.continent_name\",\"traefik.access.geoip.country_iso_code\",\"traefik.access.geoip.location\",\"traefik.access.geoip.region_iso_code\",\"traefik.access.geoip.region_name\",\"traefik.access.request_count\",\"traefik.access.user_agent.device\",\"traefik.access.user_agent.name\",\"traefik.access.user_agent.original\",\"traefik.access.user_agent.os\",\"traefik.access.user_agent.os_name\",\"traefik.access.user_identifier\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.full.text\",\"url.original\",\"url.original.
text\",\"url.password\",\"url.path\",\"url.port\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.subdomain\",\"url.top_level_domain\",\"url.username\",\"user.audit.group.id\",\"user.audit.group.name\",\"user.audit.id\",\"user.audit.name\",\"user.domain\",\"user.effective.group.id\",\"user.effective.group.name\",\"user.effective.id\",\"user.effective.name\",\"user.email\",\"user.filesystem.group.id\",\"user.filesystem.group.name\",\"user.filesystem.id\",\"user.filesystem.name\",\"user.full_name\",\"user.full_name.text\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user.name.text\",\"user.owner.group.id\",\"user.owner.group.name\",\"user.owner.id\",\"user.owner.name\",\"user.roles\",\"user.saved.group.id\",\"user.saved.group.name\",\"user.saved.id\",\"user.saved.name\",\"user.terminal\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original\",\"user_agent.original.text\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.full.text\",\"user_agent.os.full_name\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.name.text\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"vlan.id\",\"vlan.name\",\"vulnerability.category\",\"vulnerability.classification\",\"vulnerability.description\",\"vulnerability.description.text\",\"vulnerability.enumeration\",\"vulnerability.id\",\"vulnerability.reference\",\"vulnerability.report_id\",\"vulnerability.scanner.vendor\",\"vulnerability.score.base\",\"vulnerability.score.environmental\",\"vulnerability.score.temporal\",\"vulnerability.score.version\",\"vulnerability.severity\",\"x509.alternative_names\",\"x509.issuer.common_name\",\"x509.issuer.country\",\"x509.issuer.distinguished_name\",\"x509.issuer.locality\",\"x509.issuer.organization\",\"x509.issuer.organizational_unit\",\"x509.issuer.state_or_province\",\"x509.not_after\",\"x509.not_before\",\"x509.public_key_algorithm\",\"x509.public_key_cu
rve\",\"x509.public_key_exponent\",\"x509.public_key_size\",\"x509.serial_number\",\"x509.signature_algorithm\",\"x509.subject.common_name\",\"x509.subject.country\",\"x509.subject.distinguished_name\",\"x509.subject.locality\",\"x509.subject.organization\",\"x509.subject.organizational_unit\",\"x509.subject.state_or_province\",\"x509.version_number\"],\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfPsupdate\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfPsupdate\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "PerfPsupdate", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "search": "7.9.3" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 0df883fdb2..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Transaction is NULL\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":true,\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"hid_bravura_monitor.perf.transid\"},\"meta\":{\"alias\":\"Transaction exists\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Pages: UI Transactions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"UI Transaction\",\"field\":\"hid_bravura_monitor.perf.transid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Executable\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Average 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Pages: UI Transactions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-00cbeab0-1a28-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-77cbe8b0-de89-11eb-a272-2d62b237e243", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 70be8c7e8f..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operations Per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Operations Per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-00dc0a80-1adc-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ffa350420f..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100}
,\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Users: API: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-05cb9390-1a22-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 10a036dbb9..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operation List", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operation\",\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Operation List\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-06fb9d30-1a24-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at 
end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json deleted file mode 100755 index afb95c51b9..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Function Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Function Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0799ca70-2b66-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json deleted file mode 100755 index 9727c2554d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Administrative Summary Table", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Integration\",\"field\":\"winlog.event_data.Module\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Administrative Summary Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-07f86e00-d835-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 709de00be4..0000000000 
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operations", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Workflow: Operations\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0cb6caa0-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index bff36e3274..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operation Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,
\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Workflow: Operation Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0cf3f020-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0d747cf0-3edb-11eb-9549-63f6cd998f21.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0d747cf0-3edb-11eb-9549-63f6cd998f21.json deleted file mode 100755 index 05daf2d3b4..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0d747cf0-3edb-11eb-9549-63f6cd998f21.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Executables: Duration over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-6w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Max\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Min\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"3\",\"label\":\"Average\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Max\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\"
:2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"5\",\"label\":\"Min\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Executables: Duration over time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0d747cf0-3edb-11eb-9549-63f6cd998f21", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-4215e410-2f42-11eb-b6a1-bdb7d768b585", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0e2a09c0-1a1a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0e2a09c0-1a1a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 4d84236586..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-0e2a09c0-1a1a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Issues: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"What kinds of issues are your users encountering?\",\"openLinksInNewTab\":false},\"title\":\"Users: Issues: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-0e2a09c0-1a1a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index d65570252d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":true,\"params\":{\"query\":\"85\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"85\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Requesters", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Requester\",\"field\":\"winlog.event_data.Requester\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Requesters\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1211f840-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 379e10846d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"hid_bravura_monitor.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"hid_bravura_monitor.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Summary: Node Usage", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count of unique User ID\",\"field\":\"user.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio
\":0,\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count of unique User ID\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count of unique User ID\"},\"type\":\"value\"}]},\"title\":\"Users: Summary: Node Usage\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1269fd70-1956-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 2e3839a607..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Stored Procedure Runtime Statistics", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Stored Procedure Runtime Statistics\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1498e300-1482-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - 
], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 6a73900e1d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Plugin: Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Plugin\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Plugin: Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1a2adb70-2f44-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-39072a50-2f42-11eb-b6a1-bdb7d768b585", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e32c74fc4f..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Dataset: Log Type Counts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Log Type\",\"field\":\"hid_bravura_monitor.perf.kind\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Dataset: Log Type Counts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1b439670-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json deleted file mode 100755 index fbf41a8bc4..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Return Code", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Result\",\"field\":\"hid_bravura_monitor.perf.result\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Return Code\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-1ddd3300-1a25-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6258eeea60..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Nodes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Nodes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-20a85000-1a1c-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 8aa0d744cc..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"1\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"1\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":
100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-211feda0-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b90f37bce3..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Provider Distribution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis
\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Problem Provider Distribution\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-23133620-238b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-236240f0-146b-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-236240f0-146b-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 662d031fb2..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-236240f0-146b-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Bravura Log Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100
},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Bravura Log Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-236240f0-146b-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 3d69b5f3dd..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Log issues histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#BF1B00\",\"Warning\":\"#E5AC0E\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"l
abels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"IDM Suite: Log issues histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-24823410-1464-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index b6c265aa5d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"8\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"8\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Transaction Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"sho
w\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Transaction Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2722d7e0-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-29e2b730-1a28-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-29e2b730-1a28-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7ab138ef5d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-29e2b730-1a28-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"# Users\\n\\nIn IDM Suite, a user is a person who is using the product. They have an id and they log into the product with that ID. \\n\\nThe user dashboard is designed to inform people about what users are experiencing.\\n\\n* What pages are they visiting?\\n* What actions are they undertaking?\\n* What is the performance they are experiencing?\\n* What kind of issues are they encountering?\",\"openLinksInNewTab\":false},\"title\":\"Users: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-29e2b730-1a28-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 18ab353128..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Login Attempts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posi
tion\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Login Attempts\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2a088ae0-243d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json deleted file mode 100755 index 178c39c293..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"32\",\"33\"],\"type\":\"phrases\",\"value\":\"32, 33\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Unlocked Profiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Profile\",\"field\":\"winlog.event_data.Profile\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Unlocked Profiles\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-2ffbfc20-d83d-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json deleted file mode 100755 index 1477920457..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Administrative Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100
},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Administrative Summary\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-33258a00-d398-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 99eccfe59c..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Load by queue", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Queue\",\"field\":\"hid_bravura_monitor.perf.receivequeue\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Replication: Load by queue\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-341531e0-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index da63f8966b..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Host Usage", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Host Usage\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-37fb60d0-1481-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json deleted file mode 100755 index a078bbc6f6..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Calls per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Calls per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3bd92210-1a25-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index 50921b0ee7..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":true,\"params\":{\"query\":\"85\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"85\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Recipients", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Recipient\",\"field\":\"winlog.event_data.Recipient\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Recipients\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-3ec54c70-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json deleted file mode 100755 index d1c2372322..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Logins", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Logins\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-42dc53c0-243e-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 4bb8713e15..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Events", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event ID\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Source\",\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Event Log\",\"field\":\"winlog.channel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":20,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Problem Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-489a4f50-2453-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - 
"type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index bab3fb6adb..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Operation count", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operation\",\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Operation count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4b0765d0-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index cdcd472e01..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Bravura: Selector: Return Code", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"hid_bravura_monitor.perf.result\",\"id\":\"1606164462534\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Return Code\",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":10,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Bravura: Selector: Return Code\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-4bfcdae0-2dcd-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 82bba8ecdd..0000000000 
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Pages: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Transactions represent a UI page the user sees.\\n\\nWhat pages are people calling and what performance are they experiencing?\",\"openLinksInNewTab\":false},\"title\":\"Users: Pages: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-552d3e80-1a26-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 87ec7841f2..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Search: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Search engines need to return quickly since users are waiting on their results. There is a direct correlation between search time and user experience.\\n\\nAs a general rule, Search stored procedures should take less than a second to run on average. \\n\\nSearch stored procedure performance is impacted by elements such as:\\n\\n* Data size. Larger data consumes more CPU, Ram, Disk I/O on the database server. \\n* Policies such as acls, filtering, etc. \\n* Indexes. Sometimes they fragment degrading overall performance. \\n* Table/Index Locking with other database actions.\\n\\nStrategies for improving database search performance include:\\n\\n* Rebuild fragmented database indexes.\\n* Evaluate if more RAM/CPU\\n\\nWhen these don't work, Developers will need database execution plans to review options.\",\"openLinksInNewTab\":false},\"title\":\"Database: Search: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-59482290-25da-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index 7ead2be0b3..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "Failed to insert data into database replication queue", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"9\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"9\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Queue Insert Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"
labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Queue Insert Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-5b5237e0-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-603317f0-2f5c-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-603317f0-2f5c-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index 1f7361b9af..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-603317f0-2f5c-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Log Files Processed", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File Path\",\"field\":\"log.file.path\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Log Files Processed\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-603317f0-2f5c-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 8ddd8dffec..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Discovery: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Discovery stored procedures are involved with loading data from integrations ( Connectors and LWS ) into the product database to learn about changes in the environment we are managing Identities and Access in. \\n\\nSome general rules of thumbs:\\n\\n* LWS stored procdures need to be quick. None should take a second.\\n* Iddiscover.exe stored procedures can run for much longer. Minutes to hours in large environments to process large changes in bulk. \\n\\nStrategies for improving the performance of these stored procedures include:\\n\\n* Rebuild fragmented database indexes\\n* Review if database is low on RAM, CPU, or I/O bandwidth.\\n\\nIf you continue to encounter problems developers will require database execution plans to review the operation of these procedures. \",\"openLinksInNewTab\":false},\"title\":\"Database: Discovery: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-64035e60-25db-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7db6a1b1ac..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Operation Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"hid_bravura_monitor.perf.operation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"
drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Connector: Operation Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-64514c50-1a1f-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ecd3fe7dfe..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "API: Calls per node historgram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxi
s-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"API: Calls per node historgram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-659dad40-25b6-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 858cd4ce71..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":59,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Problem Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-66c884f0-2382-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e39391cfb7..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Affected users", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Users\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Affected users\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-670cf140-1a1c-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-68d1fdc0-1ab4-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-68d1fdc0-1ab4-11eb-abcf-effcd51852fa.json deleted file mode 100755 index eb8d0d1f0e..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-68d1fdc0-1ab4-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Target ID", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target ID\",\"field\":\"hid_bravura_monitor.perf.targetid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Target ID\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-68d1fdc0-1ab4-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of 
file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json deleted file mode 100755 index b7bfd7f4a3..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "81 - Approved\n82 - Denied\n83 - Cancelled\n84 - Revoked\n85 - Processed", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow Request Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"typ
e\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Workflow Request Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ac75200-d90a-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-53be5e10-d909-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 4925675408..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"2\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"2\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Success", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":1
00},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Success\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-6ad826b0-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json deleted file mode 100755 index f9952b85fb..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"39\",\"40\"],\"type\":\"phrases\",\"value\":\"39, 40\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"39\"}},{\"match_phrase\":{\"event.code\":\"40\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDAPI Login Attempts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\
"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"IDAPI Login Attempts\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-70a8f8e0-d392-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 0326ec1e77..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Instance\",\"field\":\"agent.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-76cb60d0-1463-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6edd1a8f96..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"psupdate.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"psupdate.exe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Discovery Runtimes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Sum of Duration 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2021-01-11T07:00:00.000Z\",\"to\":\"2021-01-18T07:00:00.000Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of Duration (ms)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Sum of Duration (ms)\"},\"type\":\"value\"}]},\"title\":\"Discovery Runtimes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-77701bc0-25bb-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 0259683b0d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Workflow: Operations per Node", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Workflow: Operations per Node\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-77f6f520-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-d1f2d8c0-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index a0e5fcd50a..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "Failed to run stored procedure on replication database.", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"10\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"10\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Stored Procedure Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\
"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Stored Procedure Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-80efbc20-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json deleted file mode 100755 index ed57c27d0a..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Discovery Events", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event\",\"field\":\"hid_bravura_monitor.perf.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Discovery Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-82277da0-25d5-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-dd637750-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 562b4d6f66..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"hid_bravura_monitor.perf.exe\",\"negate\":false,\"params\":{\"query\":\"psupdate.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.exe\":\"psupdate.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Discovery Runtime Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Runtime (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Discovery 
ID\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Discovery Runtime Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-82432550-25bc-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 567c658708..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector List", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target ID\",\"field\":\"hid_bravura_monitor.perf.targetid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Address\",\"field\":\"hid_bravura_monitor.perf.address\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\
":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector List\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-85943290-1a2b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6f2874777a..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Executable Count", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Executable\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Executable Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-878feb30-1ade-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 22abdbd1a4..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "API: Function runtimes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"API: Function runtimes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-87baab60-25b8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 730b9b47b5..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Severity Counts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":40,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Database: Severity Counts\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-89e6a260-25d4-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} 
\ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 04cc20f45d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Dataset: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posi
tion\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Dataset: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8c755c30-25d7-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-465760e0-25d7-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json deleted file mode 100755 index f4e3b0a06b..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Distribution", - "uiStateJSON": "{\"vis\":{\"colors\":{\"error\":\"#EF843C\",\"warning\":\"#EAB839\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Problem Distribution\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-8ec75c50-2383-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json deleted file mode 100755 index 60028e9750..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"3\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"3\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Login Lockout", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":1
00},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Login Lockout\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9036f440-d37f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-92ed97c0-146c-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-92ed97c0-146c-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index a6e0e6dcab..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-92ed97c0-146c-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Bravura: Errors/Warnings by client", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"organization.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Bravura: Errors/Warnings by client\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-92ed97c0-146c-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 91932e1810..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: API: Users", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: API: Users\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9357e910-2b67-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-ad5f7180-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6e743b35ed..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Stored Procedures", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Replication: Stored Procedures\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-95fb9a70-25d8-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - 
"references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7007bcc7c5..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector Return Code: Legend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"Success - 0\\n\\nUnknown Error - 1\\n\\nCannot Connect - 3\\n\\nInvalid Server - 5\\n\\nAccess Denied - 11\\n\\nVerify Failed - 14\",\"openLinksInNewTab\":false},\"title\":\"Connector Return Code: Legend\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-979ecd00-1abd-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-99f321c0-1953-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-99f321c0-1953-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 44409f7426..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-99f321c0-1953-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Summary: Help", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"What are your users doing in the system?\",\"openLinksInNewTab\":false},\"title\":\"Users: Summary: Help\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-99f321c0-1953-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json deleted file mode 100755 index 67069cd556..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"78\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"78\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "File Replication Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"trunc
ate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"File Replication Errors\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a513b80-d388-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json deleted file mode 100755 index 5b0c8576c0..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"32\",\"33\"],\"type\":\"phrases\",\"value\":\"32, 33\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"32\"}},{\"match_phrase\":{\"event.code\":\"33\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unlocked Profile Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\
"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Unlocked Profile Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-9a75fb00-d83d-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 72dcb208bf..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Problem Distribution", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"winlog.user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"User Problem Distribution\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a29a1cc0-238a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json deleted file mode 100755 index a2be43fb06..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Replication: Total over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total 
(ms)\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (ms)\"},\"type\":\"value\"}]},\"title\":\"Database: Replication: Total over time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a8002430-25d7-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2e254220-df55-11eb-9b6e-d57491399e2a", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index fc468116cc..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by level", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Level\",\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by level\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-a950c4e0-1464-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 58cd9378d3..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"winlog.event_id\",\"negate\":false,\"params\":[\"4740\",\"4728\",\"4732\",\"4756\",\"4735\",\"4624\",\"4625\",\"4648\"],\"type\":\"phrases\",\"value\":\"4740, 4728, 4732, 4756, 4735, 4624, 4625, 4648\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"winlog.event_id\":\"4740\"}},{\"match_phrase\":{\"winlog.event_id\":\"4728\"}},{\"match_phrase\":{\"winlog.event_id\":\"4732\"}},{\"match_phrase\":{\"winlog.event_id\":\"4756\"}},{\"match_phrase\":{\"winlog.event_id\":\"4735\"}},{\"match_phrase\":{\"winlog.event_id\":\"4624\"}},{\"match_phrase\":{\"winlog.event_id\":\"4625\"}},{\"match_phrase\":{\"winlog.event_id\":\"4648\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Login Activity", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event ID\",\"field\":\"winlog.event_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event 
Category\",\"field\":\"event.category\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Login Activity\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-aabca810-2456-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json deleted file mode 100755 index ccc4f18a5a..0000000000 
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "62 - Self-service password reset\n65 - Help-desk assisted password reset", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"62\",\"65\"],\"type\":\"phrases\",\"value\":\"62, 65\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"62\"}},{\"match_phrase\":{\"event.code\":\"65\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Password Resets Started", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Code\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Password Resets Started\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b8f9a5c0-d83f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json
deleted file mode 100755
index 6833d91789..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Stored Procedure Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":
0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Database: Stored Procedure Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-b9fb36b0-1480-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-83eacd90-1473-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-bc74ef30-19e4-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-bc74ef30-19e4-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7f3f8fa807..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-bc74ef30-19e4-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,28 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Index content",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"_index\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Index content\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-bc74ef30-19e4-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index 0fe0c3af4e..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,43 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfExe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfExe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"psf.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"psf.exe\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"hid_bravura_monitor.perf.transid\",\"negate\":false,\"params\":{\"query\":\"C_AUTHCHAIN_LOGIN\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.transid\":\"C_AUTHCHAIN_LOGIN\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Users: Summary: User Logins", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User 
Name\",\"field\":\"user.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Summary: User Logins\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-bde40aa0-1957-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 97d263851a..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,22 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Users: API: Help",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"Ajax is a REST like API used by the UI.\\n\\nWhat actions are people calling and what performance are they experiencing?\",\"openLinksInNewTab\":false},\"title\":\"Users: API: Help\",\"type\":\"markdown\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-be6560d0-1a21-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index 301a791343..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "API: Calls per node",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"API: Calls per node\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-c0e79490-25b6-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-991d9760-1473-11eb-bb7b-bb041e8cf289",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json
deleted file mode 100755
index d848a393fe..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"30\",\"31\"],\"type\":\"phrases\",\"value\":\"30, 31\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Top 10 Disabled Profiles",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Profile\",\"field\":\"winlog.event_data.Profile\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Disabled Profiles\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-c318d000-d83d-11eb-9e70-edcbba448215",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json
deleted file mode 100755
index f58e4943dd..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"30\",\"31\"],\"type\":\"phrases\",\"value\":\"30, 31\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"30\"}},{\"match_phrase\":{\"event.code\":\"31\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Disabled Profiles Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,
\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Disabled Profiles Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-c85815c0-d83e-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json deleted file mode 100755 index cefcd08264..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Provider Login Distribution",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\"}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Provider\",\"field\":\"winlog.provider_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Outcome\",\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Provider Login Distribution\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-cc0f81c0-243f-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-1a724dd0-2395-11eb-abcf-effcd51852fa",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index ad665e2928..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "Connector Return Code: Node counts",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Node counts\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.15.0",
- "id": "hid_bravura_monitor-cf6ea950-1ade-11eb-abcf-effcd51852fa",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json
deleted file mode 100755
index c994df3988..0000000000
--- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa.json
+++ /dev/null
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Discovery procedures", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Discovery procedures\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d3897a80-25db-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-3aa4b370-25db-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 4fe4d640eb..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Error Messages", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message\",\"field\":\"hid_bravura_monitor.perf.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Error Messages\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d5dcbf40-1a28-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end 
of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json deleted file mode 100755 index e379b37f89..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"log.logger\",\"negate\":false,\"params\":{\"query\":\"iddb.exe\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"log.logger\":\"iddb.exe\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Database: Log Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":
\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Database: Log Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d5fae950-25d3-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json deleted file mode 100755 index e0b25e4cfb..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "IDM Suite: Errors/Warnings by process", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"IDM Suite: Errors/Warnings by process\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d66fb2a0-3ed6-11eb-9549-63f6cd998f21", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-2ec4a850-1463-11eb-bb7b-bb041e8cf289", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 00ab38e3b7..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"trun
cate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Connector Return Code: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d7dc3680-1add-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d8732760-6570-11eb-a5cd-9dd6854cb107.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d8732760-6570-11eb-a5cd-9dd6854cb107.json deleted file mode 100755 index 51d3a7c118..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-d8732760-6570-11eb-a5cd-9dd6854cb107.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Bravura Log Activity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"trunca
te\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Bravura Log Activity\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-d8732760-6570-11eb-a5cd-9dd6854cb107", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json deleted file mode 100755 index b9ff373e67..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Processes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Users: Issues: Processes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db3f9af0-1a1b-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 6a17858df5..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Targets", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Targets\",\"field\":\"hid_bravura_monitor.perf.targetid\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Connector\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Targets\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-db898d80-1a21-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], 
- "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index a3d17ef983..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Problem Heat Map", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"log.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Problem Heat Map\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-dbc305e0-245a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-1616ab00-22c8-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-e517ea30-1ab3-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-e517ea30-1ab3-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 83394baf6d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-e517ea30-1ab3-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Process Count", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Process Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-e517ea30-1ab3-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 80ed8dc196..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"hid_bravura_monitor.perf.kind\",\"negate\":false,\"params\":{\"query\":\"PerfConnector\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"hid_bravura_monitor.perf.kind\":\"PerfConnector\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Connector: Target Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target ID\",\"field\":\"hid_bravura_monitor.perf.targetid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Max (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total 
(ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector: Target Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-ec082d90-1aaf-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 44d1ab6b92..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Database: Search performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Function\",\"field\":\"hid_bravura_monitor.perf.function\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Database: Search performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-ef5b4da0-2b6d-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-046c7b20-2b6d-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 8cbf6b5d89..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Connector Return Code: Messages", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message\",\"field\":\"hid_bravura_monitor.perf.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Connector Return Code: Messages\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f596ebf0-1adf-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-55100560-1add-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f5fc2210-146b-11eb-bb7b-bb041e8cf289.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f5fc2210-146b-11eb-bb7b-bb041e8cf289.json deleted file mode 100755 index 391bc0c40d..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f5fc2210-146b-11eb-bb7b-bb041e8cf289.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Bravura Performance", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"hid_bravura_monitor.perf.kind\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":
true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Bravura Performance\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f5fc2210-146b-11eb-bb7b-bb041e8cf289", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json deleted file mode 100755 index eacd663506..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Executables: Performance", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process\",\"field\":\"log.logger\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100000},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Average (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Minimum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Maximum (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Total (ms)\",\"field\":\"hid_bravura_monitor.perf.duration\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Executables: Performance\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-f9ed0ec0-2eab-11eb-b6a1-bdb7d768b585", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": 
"hid_bravura_monitor-95032a30-2eab-11eb-b6a1-bdb7d768b585", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json deleted file mode 100755 index 0638184891..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"6\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"6\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Replication Database Connection Failures", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show
\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Replication Database Connection Failures\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-fddce510-d387-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-089d63f0-d37c-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json deleted file mode 100755 index 7a6059ca37..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Users: Issues: Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Node\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":10
0},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Users: Issues: Histogram\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "hid_bravura_monitor-fe363790-1a1a-11eb-abcf-effcd51852fa", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "hid_bravura_monitor-9e4165d0-1a1a-11eb-abcf-effcd51852fa", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json b/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json deleted file mode 100755 index c251939956..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/kibana/visualization/hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "attributes": { - "description": "63 - Self-service password reset successful.\n64 - Self-service password reset failed.\n66 - Help-desk assisted password reset successful.\n67 - Help-desk assisted password reset failed.", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"63\",\"64\",\"66\",\"67\"],\"type\":\"phrases\",\"value\":\"63, 64, 66, 67\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"63\"}},{\"match_phrase\":{\"event.code\":\"64\"}},{\"match_phrase\":{\"event.code\":\"66\"}},{\"match_phrase\":{\"event.code\":\"67\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Password Resets Trend", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-1y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Password Resets Trend\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.15.0", - 
"id": "hid_bravura_monitor-fe779080-d83f-11eb-9e70-edcbba448215", - "migrationVersion": { - "visualization": "7.14.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "hid_bravura_monitor-dca8bb20-d397-11eb-9e70-edcbba448215", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/hid_bravura_monitor/1.0.3/manifest.yml b/packages/hid_bravura_monitor/1.0.3/manifest.yml deleted file mode 100755 index d9abe868be..0000000000 --- a/packages/hid_bravura_monitor/1.0.3/manifest.yml +++ /dev/null 
@@ -1,51 +0,0 @@
-name: hid_bravura_monitor
-title: Hitachi ID Bravura Monitor
-version: 1.0.3
-categories: ["security"]
-release: ga
-description: Collect logs from Hitachi ID Security Fabric with Elastic Agent.
-type: integration
-icons:
- - src: /img/logo_hid_bravura_monitor.svg
- title: logo Hitachi ID Bravura Monitor
- size: 50x50
- type: image/svg+xml
-conditions:
- kibana:
- version: ^7.16.0 || ^8.0.0
-screenshots:
- - src: /img/kibana-hid_bravura_monitor-overview.png
- title: Kibana Hitachi ID Bravura Monitor overview
- size: 1907x971
- type: image/png
- - src: /img/kibana-hid_bravura_monitor-log-issues.png
- title: Kibana Hitachi ID Bravura Monitor dashboard example 1
- size: 1902x972
- type: image/png
- - src: /img/kibana-hid_bravura_monitor-db-replication.png
- title: Kibana Hitachi ID Bravura Monitor dashboard example 2
- size: 1903x969
- type: image/png
- - src: /img/kibana-hid_bravura_monitor-connectors.png
- title: Kibana Hitachi ID Bravura Monitor dashboard example 3
- size: 1896x971
- type: image/png
- - src: /img/kibana-hid_bravura_monitor-admin.png
- title: Kibana Hitachi ID Bravura Monitor dashboard example 4
- size: 1904x971
- type: image/png
-owner:
- github: elastic/security-external-integrations
-format_version: 1.0.0
-license: basic
-policy_templates:
- - name: hid_bravura_monitor
- title: Hitachi ID Bravura Monitor logs
- description: Collect logs from Hitachi ID Bravura Monitor instances
- inputs:
- - type: filestream
- title: 'Collect Hitachi ID Bravura Monitor application logs (input: filestream)'
- description: 'Collecting application logs from Hitachi ID Bravura Monitor instances (input: filestream)'
- - type: winlog
- title: 'Collect Hitachi ID Bravura Monitor event logs (input: winlog)'
- description: 'Collecting Windows Event logs from Hitachi ID Suite channel (input: winlog)'
diff --git a/packages/httpjson/1.2.3/changelog.yml b/packages/httpjson/1.2.3/changelog.yml
deleted file mode 100755
index 3dc1d9689e..0000000000
--- a/packages/httpjson/1.2.3/changelog.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-- version: "1.2.3"
- changes:
- - description: Fixes oauth2 config rendering
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3518
-- version: "1.2.2"
- changes:
- - description: Fixes rendering issue for custom oauth2 scopes
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3295
-- version: "1.2.1"
- changes:
- - description: Adds missing `delegated_account` option for Google Oauth2
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3256
-- version: "1.2.0"
- changes:
- - description: Update ECS to 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.1.1"
- changes:
- - description: Fixes typo in config template
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2883
-- version: "1.1.0"
- changes:
- - description: Fixes issues with certain configuration fields not working
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2815
-- version: "1.0.0"
- changes:
- - description: Initial Implementation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2154
diff --git a/packages/httpjson/1.2.3/data_stream/generic/agent/stream/httpjson.yml.hbs b/packages/httpjson/1.2.3/data_stream/generic/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 9d45186622..0000000000
--- a/packages/httpjson/1.2.3/data_stream/generic/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,151 +0,0 @@
-config_version: 2
-data_stream:
- dataset: {{data_stream.dataset}}
-interval: {{request_interval}}
-
-{{#if username}}
-auth.basic.user: {{username}}
-{{/if}}
-{{#if password}}
-auth.basic.password: {{password}}
-{{/if}}
-
-{{#if pipeline}}
-pipeline: {{pipeline}}
-{{/if}}
-
-{{#unless username}}
-{{#unless password}}
-{{#if oauth_id}}
-auth.oauth2.client.id: {{oauth_id}}
-{{/if}}
-{{#if oauth_secret}}
-auth.oauth2.client.secret: {{oauth_secret}}
-{{/if}}
-{{#if oauth_token_url}}
-auth.oauth2.token_url: {{oauth_token_url}}
-{{/if}}
-{{#if oauth_provider}}
-auth.oauth2.provider: {{oauth_provider}}
-{{/if}}
-{{#if oauth_scopes}}
-auth.oauth2.scopes:
-{{#each oauth_scopes as |scope i|}}
- - {{scope}}
-{{/each}}
-{{/if}}
-{{#if oauth_google_credentials_file}}
-auth.oauth2.google.credentials_file: {{oauth_google_credentials_file}}
-{{/if}}
-{{#if oauth_google_credentials_json}}
-auth.oauth2.google.credentials_json: '{{oauth_google_credentials_json}}'
-{{/if}}
-{{#if oauth_google_jwt_file}}
-auth.oauth2.google.jwt_file: {{oauth_google_jwt_file}}
-{{/if}}
-{{#if oauth_google_delegated_account}}
-auth.oauth2.google.delegated_account: {{oauth_google_delegated_account}}
-{{/if}}
-{{#if oauth_azure_tenant_id}}
-auth.oauth2.azure.tenant_id: {{oauth_azure_tenant_id}}
-{{/if}}
-{{#if oauth_azure_resource}}
-auth.oauth2.azure.resource: {{oauth_azure_resource}}
-{{/if}}
-{{#if oauth_endpoint_params}}
-auth.oauth2.endpoint_params:
- {{oauth_endpoint_params}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-
-request.url: {{request_url}}
-request.method: {{request_method}}
-{{#if request_body}}
-request.body:
- {{request_body}}
-{{/if}}
-{{#if request_transforms}}
-request.transforms:
- {{request_transforms}}
-{{/if}}
-{{#if request_ssl}}
-request.ssl:
- {{request_ssl}}
-{{/if}}
-{{#if request_encode_as}}
-request.encode_as: {{request_encode_as}}
-{{/if}}
-{{#if request_timeout}}
-request.timeout: {{request_timeout}}
-{{/if}}
-{{#if request_proxy_url}}
-request.proxy_url: {{request_proxy_url}}
-{{/if}}
-{{#if request_retry_max_attempts}}
-request.retry.max_attempts: {{request_retry_max_attempts}}
-{{/if}}
-{{#if request_retry_wait_min}}
-request.retry.wait_min: {{request_retry_wait_min}}
-{{/if}}
-{{#if request_retry_wait_max}}
-request.retry.wait_max: {{request_retry_wait_max}}
-{{/if}}
-{{#if request_redirect_forward_headers}}
-request.redirect.forward_headers: {{request_redirect_forward_headers}}
-{{/if}}
-{{#if request_redirect_headers_ban_list}}
-request.redirect.headers_ban_list:
-{{#each request_redirect_headers_ban_list as |item i|}}
- - {{item}}
-{{/each}}
-{{/if}}
-{{#if request_redirect_max_redirects}}
-request.redirect.max_redirects: {{request_redirect_max_redirects}}
-{{/if}}
-{{#if request_rate_limit_limit}}
-request.rate_limit.limit: {{request_rate_limit_limit}}
-{{/if}}
-{{#if request_rate_limit_reset}}
-request.rate_limit.reset: {{request_rate_limit_reset}}
-{{/if}}
-{{#if request_rate_limit_remaining}}
-request.rate_limit.remaining: {{request_rate_limit_remaining}}
-{{/if}}
-
-{{#if response_transforms}}
-response.transforms:
- {{response_transforms}}
-{{/if}}
-{{#if response_split}}
-response.split:
- {{response_split}}
-{{/if}}
-{{#if response_pagination}}
-response.pagination: {{response_pagination}}
-{{/if}}
-{{#if response_decode_as}}
-response.decode_as: {{response_decode_as}}
-{{/if}}
-{{#if response_request_body_on_pagination}}
-response.request_body_on_pagination: {{response_request_body_on_pagination}}
-{{/if}}
-
-{{#if cursor}}
-cursor:
- {{cursor}}
-{{/if}}
-
-{{#if tags}}
-tags:
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/httpjson/1.2.3/data_stream/generic/fields/base-fields.yml b/packages/httpjson/1.2.3/data_stream/generic/fields/base-fields.yml
deleted file mode 100755
index d8277624ff..0000000000
--- a/packages/httpjson/1.2.3/data_stream/generic/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: httpjson
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: httpjson.generic
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/httpjson/1.2.3/data_stream/generic/fields/beats.yml b/packages/httpjson/1.2.3/data_stream/generic/fields/beats.yml
deleted file mode 100755
index ede6958855..0000000000
--- a/packages/httpjson/1.2.3/data_stream/generic/fields/beats.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
-- name: tags
- type: keyword
- description: User defined tags
diff --git a/packages/httpjson/1.2.3/data_stream/generic/fields/ecs.yml b/packages/httpjson/1.2.3/data_stream/generic/fields/ecs.yml
deleted file mode 100755
index 87e386ebf3..0000000000
--- a/packages/httpjson/1.2.3/data_stream/generic/fields/ecs.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
diff --git a/packages/httpjson/1.2.3/data_stream/generic/manifest.yml b/packages/httpjson/1.2.3/data_stream/generic/manifest.yml
deleted file mode 100755
index c4a6699d38..0000000000
--- a/packages/httpjson/1.2.3/data_stream/generic/manifest.yml
+++ /dev/null
@@ -1,340 +0,0 @@
-title: Custom HTTPJSON Input
-type: logs
-streams:
- - input: httpjson
- description: Collect custom data from REST API's
- template_path: httpjson.yml.hbs
- title: Custom HTTPJSON Input
- vars:
- - name: data_stream.dataset
- type: text
- title: Dataset name
- description: |
- Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
- default: httpjson.generic
- required: true
- show_user: true
- - name: pipeline
- type: text
- title: Ingest Pipeline
- description: |
- The Ingest Node pipeline ID to be used by the integration.
- required: false
- show_user: true
- - name: request_url
- type: text
- title: Request URL
- description: i.e. scheme://host:port/path
- show_user: true
- required: true
- default: https://server.example.com:8089/api
- - name: request_interval
- type: text
- title: Request Interval
- description: How often the API is polled, supports seconds, minutes and hours.
- show_user: true
- required: true
- default: 1m
- - name: request_method
- type: text
- title: Request HTTP Method
- description: Supports either GET or POST
- show_user: true
- required: true
- default: GET
- - name: username
- type: text
- title: Basic Auth Username
- show_user: true
- required: false
- description: The username to be used with Basic Auth headers
- - name: password
- type: password
- title: Basic Auth Password
- show_user: true
- required: false
- description: The password to be used with Basic Auth headers
- - name: oauth_id
- type: text
- title: Oauth2 Client ID
- description: Client ID used for Oauth2 authentication
- show_user: true
- required: false
- - name: oauth_secret
- type: password
- title: Oauth2 Client Secret
- description: Client secret used for Oauth2 authentication
- show_user: true
- required: false
- - name: oauth_token_url
- type: text
- title: Oauth2 Token URL
- description: The URL endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no oauth_custom variable is set or provider is not specified in oauth_custom variable.
- show_user: true
- required: false
- - name: request_body
- type: yaml
- title: Request Body
- description: An optional HTTP body if the request method is POST. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_body)
- show_user: true
- multi: false
- required: false
- default: |
- #query:
- # bool:
- # filter:
- # term:
- # type: authentication
- - name: request_transforms
- type: yaml
- title: Request Transforms
- description: Optional transformations to perform on the request before it is sent. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#request-transforms).
- show_user: true
- multi: false
- required: false
- default: |
- #- set:
- # target: body.from
- # value: '[[now (parseDuration "-1h")]]'
- #- set:
- # target: url.params.limit
- # value: 10
- - name: response_transforms
- type: yaml
- title: Response Transforms
- description: Optional transformations to perform on the response before it is sent to Elasticsearch. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-transforms).
- show_user: true
- multi: false
- required: false
- default: |
- #- delete:
- # target: body.very_confidential
- - name: response_split
- type: yaml
- title: Response Split
- description: Optional transformations to perform on the response to split the response into separate documents before it is sent to Elasticsearch. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-split).
- show_user: true
- multi: false
- required: false
- default: |
- #target: body.data
- #keep_parent: true
- - name: response_pagination
- type: yaml
- title: Response Pagination
- description: Optional settings if pagination is required to retrieve all results. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-pagination).
- show_user: true
- multi: false
- required: false
- default: |
- #- set:
- # target: url.value
- # value: http://localhost:9200/_search/scroll
- #- set:
- # target: url.params.scroll_id
- # value: '[[.last_response.body._scroll_id]]'
- - name: cursor
- type: yaml
- title: Custom request cursor
- description: |
- A cursor is used to keep state between each API request, and can be set to for example the value of something in the response body.
- More information can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#cursor).
- show_user: true
- multi: false
- required: false
- default: |
- #last_requested_at:
- # value: '[[now]]'
- - name: request_ssl
- type: yaml
- title: Request SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc, more examples found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config)
- multi: false
- required: false
- show_user: false
- default: |
- #verification_mode: none
- - name: request_encode_as
- type: text
- title: Request Encode As
- description: ContentType used for encoding the request body. If set it will force the encoding in the specified format regardless of the Content-Type header value.
- show_user: false
- multi: false
- required: false
- - name: request_timeout
- type: text
- title: Request Timeout
- description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. Default is "30"s.
- show_user: false
- multi: false
- required: false
- - name: request_proxy_url
- type: text
- title: Request Proxy
- description: This specifies proxy configuration in the form of `http[s]://:@:`.
- show_user: false
- multi: false
- required: false
- - name: request_retry_max_attempts
- type: text
- title: Request Retry Max Attempts
- description: The maximum number of retries for the HTTP client. Default is "5".
- show_user: false
- multi: false
- required: false
- - name: request_retry_wait_min
- type: text
- title: Request Retry Wait Min
- description: The minimum time to wait before a retry is attempted. Default is "1s".
- show_user: false
- multi: false
- required: false
- - name: request_retry_wait_max
- type: text
- title: Request Retry Wait Max
- description: The maximum time to wait before a retry is attempted. Default is "60s".
- show_user: false - multi: false - required: false - - name: request_redirect_forward_headers - type: bool - title: Request Redirect Forward Headers - description: When set to true request headers are forwarded in case of a redirect. Default is "false". - show_user: false - multi: false - required: false - - name: request_redirect_headers_ban_list - type: text - title: Request Redirect Headers Ban List - description: When Redirect Forward Headers is set to true, all headers except the ones defined in this list will be forwarded. All headers are forwarded by default. - show_user: false - multi: true - required: false - - name: request_redirect_max_redirects - type: text - title: Request Redirect Max Redirects - description: The maximum number of redirects to follow for a request. Default is "10". - show_user: false - multi: false - required: false - - name: request_rate_limit_limit - type: text - title: Request Rate Limit - description: The value of the response that specifies the total limit. It is defined with a Go template value. - show_user: false - multi: false - required: false - - name: request_rate_limit_reset - type: text - title: Request Rate Limit Reset - description: The value of the response that specifies the epoch time when the rate limit will reset. It is defined with a Go template value. - show_user: false - multi: false - required: false - - name: request_rate_limit_remaining - type: text - title: Request Rate Limit Remaining - description: The value of the response that specifies the remaining quota of the rate limit. It is defined with a Go template value. - show_user: false - multi: false - required: false - - name: oauth_provider - type: text - title: Oauth2 Provider - description: Used to configure supported oauth2 providers. Each supported provider will require specific settings. It is not set by default. Supported providers are "azure" and "google". 
- show_user: false - multi: false - required: false - - name: oauth_scopes - type: text - title: Oauth2 Scopes - description: A list of scopes that will be requested during the oauth2 flow. It is optional for all providers. - show_user: false - multi: true - required: false - - name: oauth_google_credentials_file - type: text - title: Oauth2 Google Credentials File - description: The full path to the credentials file for Google. - show_user: false - multi: false - required: false - - name: oauth_google_credentials_json - type: text - title: Oauth2 Google Credentials JSON - description: Your Google credentials information as raw JSON. - show_user: false - multi: false - required: false - - name: oauth_google_jwt_file - type: text - title: Oauth2 Google JWT File - description: Full path to the JWT Account Key file for Google. - show_user: false - multi: false - required: false - - name: oauth_google_delegated_account - type: text - title: Oauth2 Google Delegated account - description: Email of the delegated account used to create the credentials (usually an admin). - show_user: false - multi: false - required: false - - name: oauth_azure_tenant_id - type: text - title: Oauth2 Azure Tenant ID - description: Optional setting used for authentication when using Azure provider. Since it is used in the process to generate the token_url, it can’t be used in combination with it. - show_user: false - multi: false - required: false - - name: oauth_azure_resource - type: text - title: Oauth2 Azure Resource - description: Optional setting for the accessed WebAPI resource when using azure provider. - show_user: false - multi: false - required: false - - name: oauth_endpoint_params - type: yaml - title: Oauth2 Endpoint Params - description: Set of values that will be sent on each request to the token_url. Each param key can have multiple values. Can be set for all providers except google. 
- show_user: false - multi: false - required: false - default: | - #Param1: - # - ValueA - # - ValueB - #Param2: - # - Value - - name: response_decode_as - type: text - title: Response decode settings - description: | - ContentType used for decoding the response body. Supported values: application/json, application/x-ndjson. By default it will use what is in the response Content-Type header. - show_user: false - required: false - - name: response_request_body_on_pagination - type: bool - title: Include request body on Pagination - description: | - If set to true, the values in request.body are sent with pagination requests. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/httpjson/1.2.3/data_stream/generic/sample_event.json b/packages/httpjson/1.2.3/data_stream/generic/sample_event.json deleted file mode 100755 index 97f5b56929..0000000000 --- a/packages/httpjson/1.2.3/data_stream/generic/sample_event.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "@timestamp": "2022-03-10T12:47:55.098Z", - "agent": { - "ephemeral_id": "03c96875-43cc-4abc-b998-99527ff31de3", - "id": "0ddbfef9-4d38-400d-8404-d2df456bddc0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "httpjson.generic", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0ddbfef9-4d38-400d-8404-d2df456bddc0", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-03-10T12:47:55.098Z", - "dataset": "httpjson.generic", - "ingested": "2022-03-10T12:47:56Z" - }, - "input": { - "type": "httpjson" - }, - "message": "{\"message\":\"success\",\"page\":2}", - "tags": [ - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/httpjson/1.2.3/docs/README.md b/packages/httpjson/1.2.3/docs/README.md deleted file mode 100755 index f575d64220..0000000000 --- a/packages/httpjson/1.2.3/docs/README.md +++ /dev/null 
@@ -1,20 +0,0 @@ -# Custom HTTPJSON input integration - -The custom HTTPJSON input integration is used to ingest data from custom RESTful API's that do not currently have an existing integration. - -The input itself supports sending both GET and POST requests, transform requests and responses during runtime, paginate and keep a running state on information from the last collected events. - -## Configuration - -The extensive documentation for the input are currently available [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html). - -The most commonly used configuration options are available on the main integration page, while more advanced and customizable options currently resides under the "Advanced options" part of the integration settings page. - -Configuration is split into three main categories, Request, Response, and Cursor. - -The request part of the configuration handles points like which URL endpoint to communicate with, the request body, specific transformations that have to happen before a request is sent out and some custom options like request proxy, timeout and similar options. - -The response part of the configuration handles options like transformation, rate limiting, pagination, and splitting the response into different documents before it is sent to Elasticsearch. - -The cursor part of the configuration is used when there is a need to keep state between each of the API requests, for example if a timestamp is returned in the response, that should be used as a filter in the next request after that, the cursor is a place where this is stored. - diff --git a/packages/httpjson/1.2.3/manifest.yml b/packages/httpjson/1.2.3/manifest.yml deleted file mode 100755 index 3696038e20..0000000000 --- a/packages/httpjson/1.2.3/manifest.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -format_version: 1.0.0 -name: httpjson -title: Custom HTTPJSON Input -description: Collect custom data from REST API's with Elastic Agent. -type: integration -version: 1.2.3 -release: ga -conditions: - kibana.version: "^7.16.0 || ^8.0.0" -license: basic -categories: - - custom -policy_templates: - - name: generic - title: Custom HTTPJSON Input - description: Collect custom data from REST API's - inputs: - - type: httpjson - title: Collect custom data from REST API's - description: Collect custom data from REST API's -owner: - github: elastic/security-external-integrations diff --git a/packages/juniper_junos/0.2.1/changelog.yml b/packages/juniper_junos/0.2.1/changelog.yml deleted file mode 100755 index 4d0e0d3edc..0000000000 --- a/packages/juniper_junos/0.2.1/changelog.yml +++ /dev/null @@ -1,31 +0,0 @@ -# newer versions go on top -- version: "0.2.1" - changes: - - description: Added link to Jupiter Junos documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3133 -- version: "0.2.0" - changes: - - description: Update to ECS 8.2.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2779 -- version: "0.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.0" - changes: - - description: Update to ECS 8.0.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2589 -- version: "0.0.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.0.1" - changes: - - description: Initial release of new package split from oroginal Juniper package - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/2069 
diff --git a/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/stream.yml.hbs b/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/stream.yml.hbs deleted file mode 100755 index 6f91e74ff3..0000000000 --- a/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,12572 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -prospector.scanner.exclude_files: ['\.gz$'] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Junos" - type: "Routers" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
-
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field:
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip,
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field:
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
-
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field:
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field:
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{p0}"); - - var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var dup9 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup10 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], - }); - - var dup11 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup12 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup13 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" ["), - field("p0"), - ], - }); - - var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var dup19 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - 
field("messageid"), - constant("["), - field("pid"), - constant("]: "), - field("p0"), - ], - }); - - var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); - - var dup21 = setc("eventcategory","1605000000"); - - var dup22 = setf("msg","$MSG"); - - var dup23 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup24 = setf("hostname","hhost"); - - var dup25 = setc("event_description","AUDIT"); - - var dup26 = setc("event_description","CRON command"); - - var dup27 = setc("eventcategory","1801030000"); - - var dup28 = setc("eventcategory","1801020000"); - - var dup29 = setc("eventcategory","1605010000"); - - var dup30 = setc("eventcategory","1603000000"); - - var dup31 = setc("event_description","Process mode"); - - var dup32 = setc("event_description","NTP Server Unreachable"); - - var dup33 = setc("eventcategory","1401060000"); - - var dup34 = setc("ec_theme","Authentication"); - - var dup35 = setc("ec_subject","User"); - - var dup36 = setc("ec_activity","Logon"); - - var dup37 = setc("ec_outcome","Success"); - - var dup38 = setc("event_description","rpd proceeding"); - - var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var dup42 = setc("eventcategory","1701010000"); - - var dup43 = setc("ec_outcome","Failure"); - - var dup44 = setc("eventcategory","1401030000"); - - var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var dup46 = setc("eventcategory","1803000000"); - - var dup47 = setc("event_type","VPN"); - - var dup48 = setc("eventcategory","1605020000"); - - var dup49 = setc("eventcategory","1602020000"); - - var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var 
dup51 = setc("eventcategory","1603020000"); - - var dup52 = date_time({ - dest: "event_time", - args: ["hfld32"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup53 = setc("ec_subject","NetworkComm"); - - var dup54 = setc("ec_activity","Create"); - - var dup55 = setc("ec_activity","Stop"); - - var dup56 = setc("event_description","Trap state change"); - - var dup57 = setc("event_description","peer NLRI mismatch"); - - var dup58 = setc("eventcategory","1605030000"); - - var dup59 = setc("eventcategory","1603010000"); - - var dup60 = setc("eventcategory","1606000000"); - - var dup61 = setf("hostname","hhostname"); - - var dup62 = date_time({ - dest: "event_time", - args: ["hfld6"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup63 = setc("eventcategory","1401050200"); - - var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); - - var dup65 = setc("event_description","unable to run in the background as a daemon"); - - var dup66 = setc("event_description","Another copy of this program is running"); - - var dup67 = setc("event_description","Unable to lock PID file"); - - var dup68 = setc("event_description","Unable to update process PID file"); - - var dup69 = setc("eventcategory","1301000000"); - - var dup70 = setc("event_description","Command stopped"); - - var dup71 = setc("event_description","Unable to create pipes for command"); - - var dup72 = setc("event_description","Command exited"); - - var dup73 = setc("eventcategory","1603050000"); - - var dup74 = setc("eventcategory","1801010000"); - - var dup75 = setc("event_description","Login failure"); - - var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var dup78 = setc("event_description","Unable to open file"); - - var dup79 = 
setc("event_description","SNMP index assigned changed"); - - var dup80 = setc("eventcategory","1302000000"); - - var dup81 = setc("eventcategory","1001020300"); - - var dup82 = setc("event_description","PFE FW SYSLOG_IP"); - - var dup83 = setc("event_description","process_mode"); - - var dup84 = setc("event_description","Logical interface collision"); - - var dup85 = setc("event_description","excessive runtime time during action of module"); - - var dup86 = setc("event_description","Reinitializing"); - - var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var dup93 = setc("eventcategory","1803010000"); - - var dup94 = setc("ec_activity","Deny"); - - var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); - - var dup97 = setc("event_description","session denied"); - - var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); - - var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var dup104 = setc("dclass_counter1_string","No.of packets from client"); - - var dup105 = setc("event_description","SNMPD AUTH FAILURE"); - - var dup106 = setc("event_description","send send-type (index1) failure"); - - var dup107 = setc("event_description","SNMP trap error"); - - var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); - - var dup109 = setc("event_description","SNMP TRAP LINK UP"); - - var dup110 = setc("event_description","Login Failure"); - - var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var 
dup113 = setc("eventcategory","1701020000"); - - var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); - - var dup116 = setc("event_description","User set command"); - - var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var dup120 = setc("event_description","User set groups to secret"); - - var dup121 = setc("event_description","UI CMDLINE READ LINE"); - - var dup122 = setc("event_description","User commit"); - - var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var dup125 = setc("eventcategory","1401070000"); - - var dup126 = setc("ec_activity","Logoff"); - - var dup127 = setc("event_description","Successful login"); - - var dup128 = setf("hostname","hostip"); - - var dup129 = setc("event_description","TACACS+ failure"); - - var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var dup133 = setc("eventcategory","1003010000"); - - var dup134 = setc("eventcategory","1901000000"); - - var dup135 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var dup137 = linear_select([ - dup40, - dup41, - ]); - - var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var dup145 = linear_select([ - dup76, - dup77, - ]); - - var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var dup150 = linear_select([ - dup88, - dup89, - ]); - - var dup151 = linear_select([ - dup90, - dup45, - ]); - - var dup152 = linear_select([ - dup95, - dup96, - ]); - - var dup153 = linear_select([ - dup101, - dup91, - ]); - - var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - 
dup52, - ])); - - var dup156 = linear_select([ - dup118, - dup119, - ]); - - var dup157 = linear_select([ - dup123, - dup124, - ]); - - var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": restart "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" message repeated "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("("), - field("hfld1"), - constant("): "), - field("p0"), - ], - }), - ])); - - var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); - - var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
- - var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); - - var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); - - var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); - - var select1 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - part1, - part2, - part3, - part4, - part5, - dup8, - ]); - - var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ - dup9, - ])); - - var all1 = all_match({ - processors: [ - dup1, - select1, - part6, - ], - on_success: processor_chain([ - setc("header_id","0004"), - ]), - }); - - var select2 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - ]); - - var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ - dup10, - ])); - - var all2 = all_match({ - processors: [ - dup1, - select2, - part7, - ], - on_success: processor_chain([ - setc("header_id","0005"), - ]), - }); - - var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0007"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant("["), - field("hpid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - 
constant(" IFP trace> "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0010"), - dup11, - ])); - - var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0029"), - dup12, - ])); - - var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0015"), - dup12, - ])); - - var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0011"), - dup11, - ])); - - var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0027"), - dup9, - ])); - - var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0012"), - dup9, - ])); - - var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ - setc("header_id","0013"), - dup13, - ])); - - var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var all3 = all_match({ - processors: [ - hdr14, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.a"), - ]), - }); - - var all4 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.b"), - ]), - }); - - var all5 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - 
setc("header_id","0026"), - ]), - }); - - var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0014"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0016"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(": "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0017"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0018"), - dup19, - ])); - - var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0028"), - dup19, - ])); - - var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0019"), - dup9, - ])); - - var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0020"), - dup19, - ])); - - var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ - 
setc("header_id","0021"), - dup9, - ])); - - var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0022"), - dup9, - ])); - - var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0023"), - dup19, - ])); - - var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0024"), - dup9, - ])); - - var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0031"), - dup10, - ])); - - var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0032"), - dup19, - ])); - - var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0033"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ - setc("header_id","3336"), - ])); - - var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ - setc("header_id","3339"), - ])); - - var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","3337"), - ])); - - var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","3341"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","3338"), - ])); - - var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hhost"), - constant(" node"), - field("hfld1"), - constant(".fpc"), - field("p0"), - ], - }), - ])); - - var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); - - var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); - - var select3 = linear_select([ - part8, - part9, - ]); - - var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); - - var all6 = all_match({ - processors: [ - hdr35, - select3, - part10, - ], - on_success: processor_chain([ - setc("header_id","3340"), - setc("messageid","node"), - ]), - }); - - var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); - - var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); - - var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); - - var select4 = linear_select([ - hdr36, - hdr37, - hdr38, - ]); - - var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); - - var all7 = all_match({ - processors: [ - select4, - part11, - ], - on_success: processor_chain([ - setc("header_id","9997"), - dup20, - ]), - }); - - var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ - setc("header_id","9995"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld3"), - constant("]:"), - field("p0"), - ], - }), - ])); - - var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ - setc("header_id","9994"), - setc("messageid","qsfp"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld1"), - constant(" qsfp "), - field("p0"), - ], - }), - ])); - - var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ - setc("header_id","9999"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_type"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ - setc("header_id","9998"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("process"), - constant(": "), - field("p0"), - ], - }), - ])); - - var select5 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - all2, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - all3, - all4, - all5, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - hdr28, - hdr29, - hdr30, - hdr31, - hdr32, - hdr33, - hdr34, - all6, - all7, - hdr39, - hdr40, - hdr41, - hdr42, - ]); - - var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","sshd exit status"), - dup23, - ])); - - var msg1 = msg("/usr/sbin/sshd", part12); - - var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","telnetd exit status"), - dup23, - ])); - - var msg2 = msg("/usr/libexec/telnetd", part13); - - var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Alarm Set or Cleared"), - dup23, - ])); - - var msg3 = msg("alarmd", part14); - - var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ - dup21, - dup22, - setc("event_description","Node detected UP"), - dup23, - ])); - - var msg4 = msg("bigd", part15); - - var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ - dup21, - dup22, - setc("event_description","Monitor template id"), - dup23, - ])); - - var msg5 = msg("bigd:01", part16); - - var select6 = linear_select([ - msg4, - msg5, - ]); - - var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Loading configuration file"), - dup23, - ])); - - var msg6 = msg("bigpipe", part17); - - var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","Begin config install operation"), - dup23, - ])); - - var msg7 = msg("bigpipe:01", part18); - - var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Audit"), - dup23, - ])); - - var msg8 = msg("bigpipe:02", part19); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - ]); - - var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ - dup21, - dup22, - setc("event_description","portal shutdown"), - dup23, - ])); - - var msg9 = msg("bigstart", part20); - - var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","cga address genration"), - dup23, - ])); - - var msg10 = msg("cgatool", part21); - - var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg11 = msg("chassisd:01", part22); - - var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg12 = msg("checkd", part23); - - var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ - dup21, - dup22, - setc("event_description","checkd exiting"), - dup23, - ])); - - var msg13 = msg("checkd:01", part24); - - var select8 = linear_select([ - msg12, - msg13, - ]); - - var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","link protection for interface"), - dup23, - ])); - - var msg14 = msg("cosd", part25); - - var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ - dup21, - 
dup22, - setc("event_description","License expiration warning"), - dup23, - ])); - - var msg15 = msg("craftd", part26); - - var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); - - var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); - - var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); - - var select9 = linear_select([ - part28, - part29, - ]); - - var all8 = all_match({ - processors: [ - part27, - select9, - ], - on_success: processor_chain([ - dup21, - dup22, - dup26, - dup23, - ]), - }); - - var msg16 = msg("CRON", all8); - - var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); - - var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); - - var select10 = linear_select([ - part30, - part31, - ]); - - var all9 = all_match({ - processors: [ - select10, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg17 = msg("Cmerror", all9); - - var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ - dup21, - dup22, - setc("event_description","cron RELOAD"), - dup23, - ])); - - var msg18 = msg("cron", part32); - - var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg19 = msg("CROND", part33); - - var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ - dup27, - dup22, - dup23, - dup24, - ])); - - var msg20 = msg("CROND:02", part34); - - var select11 = linear_select([ - msg19, - msg20, - ]); - - var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ - dup28, - dup22, - dup23, - dup24, - ])); - - var msg21 = msg("crond:01", part35); - - var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Setting ignored"), - dup23, - ])); - - var msg22 = msg("dcd", part36); - - var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); - - var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); - - var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); - - var select12 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); - - var all10 = all_match({ - processors: [ - part37, - select12, - part40, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","EVENT"), - dup23, - ]), - }); - - var msg23 = msg("EVENT", all10); - - var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ - setc("eventcategory","1802000000"), - dup22, - setc("event_description","ftpd connection"), - dup23, - ])); - - var msg24 = msg("ftpd", part41); - - var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ - dup29, - dup23, - dup22, - ])); - - var msg25 = msg("ha_rto_stats_handler", part42); - - var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ - dup21, - dup22, - setc("event_description","LDAP Connection not bound correctly"), - dup23, - ])); - - var msg26 = msg("hostinit", part43); - - var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug - Added entry"), - dup23, - ])); - - var msg27 = msg("ifinfo", part44); - - var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug Initializing spu"), - dup23, - ])); - - var msg28 = msg("ifinfo:01", part45); - - var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug delete from list"), - dup23, - ])); - - var msg29 = msg("ifinfo:02", part46); - - var select13 = linear_select([ - msg27, - msg28, - msg29, - ]); - - var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ - dup21, - dup22, - setc("event_description","IFL anydown change event"), - dup23, - ])); - - var msg30 = msg("ifp_ifl_anydown_change_event", part47); - - var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ - dup21, - dup22, - setc("event_description","ifp ifl config_event"), - dup23, - ])); - - var msg31 = msg("ifp_ifl_config_event", part48); - - var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ - dup21, - dup22, - setc("event_description","ifp_ifl_ext_chg"), - dup23, - ])); - - var msg32 = 
msg("ifp_ifl_ext_chg", part49); - - var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","connection exceeded count limit"), - dup23, - ])); - - var msg33 = msg("inetd", part50); - - var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","exited"), - dup23, - ])); - - var msg34 = msg("inetd:01", part51); - - var select14 = linear_select([ - msg33, - msg34, - ]); - - var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg35 = msg("init:04", part52); - - var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg36 = msg("init", part53); - - var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","failure target for routing set"), - dup23, - ])); - - var msg37 = msg("init:01", part54); - - var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ - dup21, - dup22, - setc("event_description","ntp started"), - dup23, - ])); - - var msg38 = msg("init:02", part55); - - var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","product mask and model info"), - dup23, - ])); - - var msg39 = msg("init:03", part56); - - var select15 
= linear_select([ - msg35, - msg36, - msg37, - msg38, - msg39, - ]); - - var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","IPC message exceeds MTU"), - dup23, - ])); - - var msg40 = msg("ipc_msg_write", part57); - - var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ - dup28, - dup22, - setc("event_description","listener connection established"), - dup23, - ])); - - var msg41 = msg("connection_established", part58); - - var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); - - var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); - - var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); - - var select16 = linear_select([ - part60, - part61, - ]); - - var all11 = all_match({ - processors: [ - part59, - select16, - ], - on_success: processor_chain([ - dup27, - dup22, - setc("event_description","connection dropped"), - dup23, - ]), - }); - - var msg42 = msg("connection_dropped", all11); - - var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Asserting SONET alarm(s)"), - dup23, - ])); - - var msg43 = msg("kernel", part62); - - var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","interface down"), - dup23, 
- ])); - - var msg44 = msg("kernel:01", part63); - - var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","loopback suspected om interface"), - dup23, - ])); - - var msg45 = msg("kernel:02", part64); - - var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","soreceive error"), - dup23, - ])); - - var msg46 = msg("kernel:03", part65); - - var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pfe_peer_alloc state 4"), - dup23, - ])); - - var msg47 = msg("kernel:04", part66); - - var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg48 = msg("kernel:05", part67); - - var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg49 = msg("kernel:06", part68); - - var select17 = linear_select([ - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - ]); - - var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful user login"), - dup23, - ])); - - var msg50 = msg("successful_login", part69); - - var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ - 
dup33, - dup34, - dup35, - dup36, - dup22, - setc("event_description","user login attempt"), - dup23, - ])); - - var msg51 = msg("login_attempt", part70); - - var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup33, - dup34, - dup37, - dup22, - setc("event_description","PAM module return from login"), - dup23, - ])); - - var msg52 = msg("login", part71); - - var select18 = linear_select([ - msg50, - msg51, - msg52, - ]); - - var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","processing lsys root-logical-system"), - dup23, - ])); - - var msg53 = msg("lsys_ssam_handler", part72); - - var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Removing mif from group"), - dup23, - ])); - - var msg54 = msg("mcsn", part73); - - var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ - dup30, - dup22, - setc("event_description","Firewall rows could not be redirected on device"), - dup23, - ])); - - var msg55 = msg("mrvl_dfw_log_effuse_status", part74); - - var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ - dup30, - dup22, - setc("event_description","mfilter already exists for add"), - dup23, - ])); - - var msg56 = msg("MRVL-L2", part75); - - var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ - dup21, - dup22, - 
setc("event_description","processing profile SP-root"), - dup23, - ])); - - var msg57 = msg("profile_ssam_handler", part76); - - var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get resource bucket"), - dup23, - ])); - - var msg58 = msg("pst_nat_binding_set_profile", part77); - - var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","reinitializing done"), - dup23, - ])); - - var msg59 = msg("task_reconfigure", part78); - - var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); - - var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); - - var select19 = linear_select([ - part79, - part80, - ]); - - var all12 = all_match({ - processors: [ - select19, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - dup24, - ]), - }); - - var msg60 = msg("tnetd", all12); - - var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ - dup21, - dup22, - setc("event_description","Session manager active"), - dup23, - ])); - - var msg61 = msg("PFEMAN", part81); - - var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not send message to service"), - dup23, - ])); - - var msg62 = msg("mgd", part82); - - var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Resolve request came for an address matching on 
Wrong nh"), - dup23, - ])); - - var msg63 = msg("Resolve", part83); - - var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","service exited with status"), - dup23, - ])); - - var msg64 = msg("respawn", part84); - - var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ - dup30, - dup22, - setc("event_description","system does not have 3-DNS or Link Controller enabled"), - dup23, - ])); - - var msg65 = msg("root", part85); - - var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Received data for interface"), - dup23, - ])); - - var msg66 = msg("rpd", part86); - - var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","RSVP neighbor up on interface "), - dup23, - ])); - - var msg67 = msg("rpd:01", part87); - - var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ - dup21, - dup22, - setc("event_description","reseting pending active connection"), - dup23, - ])); - - var msg68 = msg("rpd:02", part88); - - var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg69 = msg("rpd_proceeding", part89); - - var select20 = linear_select([ - msg66, - msg67, - msg68, - msg69, - ]); - - var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","user issuing command as root"), - dup23, - ])); - - var msg70 = msg("rshd", part90); - - var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ - dup21, - dup22, - setc("event_description","sfd waiting on accept"), - dup23, - ])); - - var msg71 = msg("sfd", part91); - - var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Accepted password"), - dup23, - ])); - - var msg72 = msg("sshd", part92); - - var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Received disconnect"), - dup23, - ])); - - var msg73 = msg("sshd:02", part93); - - var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ - dup30, - dup22, - setc("result","no identification string"), - setc("event_description","Did not receive identification string from peer"), - dup23, - ])); - - var msg74 = msg("sshd:03", part94); - - var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not write ident string"), - dup23, - ])); - - var msg75 = msg("sshd:04", part95); 
- - var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ - dup21, - dup22, - setc("event_description","subsystem request for netconf"), - dup23, - ])); - - var msg76 = msg("sshd:05", part96); - - var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); - - var all13 = all_match({ - processors: [ - dup39, - dup137, - part97, - ], - on_success: processor_chain([ - dup29, - dup22, - setc("event_description","send message stats"), - dup23, - ]), - }); - - var msg77 = msg("sshd:06", all13); - - var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); - - var all14 = all_match({ - processors: [ - dup39, - dup137, - part98, - ], - on_success: processor_chain([ - dup42, - setc("ec_theme","Configuration"), - setc("ec_activity","Modify"), - dup37, - dup22, - setc("event_description","Added radius server"), - dup23, - ]), - }); - - var msg78 = msg("sshd:07", all14); - - var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ - setc("eventcategory","1301020000"), - dup34, - dup43, - dup22, - setc("event_description","authentication error"), - dup23, - ])); - - var msg79 = msg("sshd:08", part99); - - var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ - dup30, - dup22, - setc("event_description","unrecognized attribute in policy"), - dup23, - ])); - - var msg80 = msg("sshd:09", part100); - - var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM module return from sshd"), - dup23, - ])); - - 
var msg81 = msg("sshd:10", part101); - - var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM authentication chain return"), - dup23, - ])); - - var msg82 = msg("sshd:11", part102); - - var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get client address"), - dup23, - ])); - - var msg83 = msg("sshd:12", part103); - - var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ - dup30, - dup22, - setc("event_description","auth server unresponsive"), - dup23, - ])); - - var msg84 = msg("sshd:13", part104); - - var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ - dup30, - dup22, - setc("event_description","No valid RADIUS responses received"), - dup23, - ])); - - var msg85 = msg("sshd:14", part105); - - var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ - dup21, - dup22, - setc("event_description","Moving to next server"), - dup23, - ])); - - var msg86 = msg("sshd:15", part106); - - var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","Login failed for user"), - dup23, - ])); - - var msg87 = msg("sshd:16", part107); - - var select21 = linear_select([ - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - ]); - - var part108 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); - - var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); - - var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); - - var select22 = linear_select([ - part109, - part110, - dup45, - ]); - - var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); - - var all15 = all_match({ - processors: [ - part108, - select22, - part111, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","authentication failure"), - dup23, - ]), - }); - - var msg88 = msg("Failed:05", all15); - - var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); - - var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); - - var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); - - var select23 = linear_select([ - part113, - part114, - ]); - - var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); - - var all16 = all_match({ - processors: [ - part112, - select23, - part115, - ], - on_success: processor_chain([ - dup46, - dup47, - dup23, - dup22, - ]), - }); - - var msg89 = msg("Failed", all16); - - var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ - dup46, - dup23, - dup22, - ])); - - var msg90 = msg("Failed:01", part116); - - var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); - - var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); - - var select24 = linear_select([ - part117, - part118, - ]); - - var all17 = all_match({ - processors: [ - select24, - ], - 
on_success: processor_chain([ - dup46, - dup23, - dup22, - setf("hostname","hfld1"), - ]), - }); - - var msg91 = msg("Failed:02", all17); - - var select25 = linear_select([ - msg88, - msg89, - msg90, - msg91, - ]); - - var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ - dup21, - dup22, - setc("event_description","syslog daemon restart"), - dup23, - ])); - - var msg92 = msg("syslogd", part119); - - var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg93 = msg("ucd-snmp", part120); - - var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","Received TERM or STOP signal"), - dup23, - ])); - - var msg94 = msg("ucd-snmp:01", part121); - - var select26 = linear_select([ - msg93, - msg94, - ]); - - var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ - dup27, - dup22, - setc("event_description","failed to connect to the server"), - dup23, - ])); - - var msg95 = msg("usp_ipc_client_reconnect", part122); - - var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Trace client disconnected"), - dup23, - ])); - - var msg96 = msg("usp_trace_ipc_disconnect", part123); - - var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ - dup30, - dup22, - setc("event_description","USP trace client cannot reconnect to server"), - dup23, - ])); - - var msg97 = msg("usp_trace_ipc_reconnect", part124); - - var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","flow_print_session_summary_output received"), - dup23, - ])); - - var msg98 = msg("uspinfo", part125); - - var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","Version build date"), - dup23, - ])); - - var msg99 = msg("Version", part126); - - var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","frequency initialized from file"), - dup23, - ])); - - var msg100 = msg("xntpd", part127); - - var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","nptd version build"), - dup23, - ])); - - var msg101 = msg("xntpd:01", part128); - - var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","kernel time sync enabled"), - dup23, - ])); - - var msg102 = msg("xntpd:02", part129); - - var part130 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg103 = msg("xntpd:03", part130); - - var select27 = linear_select([ - msg100, - msg101, - msg102, - msg103, - ]); - - var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ - dup21, - dup22, - setc("event_description","last message repeated"), - dup23, - ])); - - var msg104 = msg("last", part131); - - var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup24, - ])); - - var msg105 = msg("last:01", part132); - - var select28 = linear_select([ - msg104, - msg105, - ]); - - var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ - dup30, - dup22, - setc("event_description","cannot write ucode mask reg"), - dup23, - ])); - - var msg106 = msg("BCHIP", part133); - - var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ - dup21, - dup22, - setc("event_description","Slot on-line"), - dup23, - ])); - - var msg107 = msg("CM", part134); - - var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Received FC Q map"), - dup23, - ])); - - var msg108 = msg("COS", part135); - - var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","ifd error"), - dup23, - ])); - - var msg109 = msg("COSFPC", part136); - - var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ - dup21, - 
dup22, - setc("event_description","delete class to ifl link"), - dup23, - ])); - - var msg110 = msg("COSMAN", part137); - - var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","Keepalive timeout"), - dup23, - ])); - - var msg111 = msg("RDP", part138); - - var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ - dup30, - dup22, - setc("event_description","Initial time of day set"), - dup23, - ])); - - var msg112 = msg("SNTPD", part139); - - var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ - dup21, - dup22, - setc("event_description","Slot serial number"), - dup23, - ])); - - var msg113 = msg("SSB", part140); - - var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error"), - dup23, - ])); - - var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); - - var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to open file"), - dup23, - ])); - - var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); - - var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ - dup49, - dup22, - setc("event_description","File size mismatch"), - dup23, - ])); - - var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part143); - - var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Invalid statistics record"), - dup23, - ])); - - var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); - - var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Class usage statistics error for interface"), - dup23, - ])); - - var msg118 = msg("ACCT_CU_RTSLIB_error", part145); - - var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); - - var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); - - var select29 = linear_select([ - part146, - part147, - ]); - - var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); - - var all18 = all_match({ - processors: [ - dup50, - select29, - part148, - ], - on_success: processor_chain([ - dup49, - dup22, - setc("event_description","error trying to get hostname"), - dup23, - ]), - }); - - var msg119 = msg("ACCT_GETHOSTNAME_error", all18); - - var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ - dup51, - dup22, - setc("event_description","Memory allocation failure"), - dup23, - ])); - - var msg120 = msg("ACCT_MALLOC_FAILURE", part149); - - var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ - dup30, - 
dup22, - setc("event_description","Accounting profile counter not defined in firewall"), - dup23, - ])); - - var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); - - var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","ACCT_XFER_FAILED"), - dup23, - ])); - - var msg122 = msg("ACCT_XFER_FAILED", part151); - - var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","POPEN FAIL invoking command command to transfer file"), - dup23, - ])); - - var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); - - var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ - dup28, - dup22, - dup52, - ])); - - var msg124 = msg("APPQOS_LOG_EVENT", part153); - - var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("result","AppTrack session created"), - dup23, - ])); - - var msg125 = msg("APPTRACK_SESSION_CREATE", part154); - - var part155 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); - - var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup23, - ])); - - var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); - - var select30 = linear_select([ - msg126, - msg127, - ]); - - var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup22, - dup52, - ])); - - var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); - - var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup22, - dup23, - ])); - - var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); - - var select31 = linear_select([ - msg128, - msg129, - ]); - - var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); - - var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); - - var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp connect error"), - dup23, - ])); - - var msg132 = msg("bgp_connect_start", part159); - - var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp peer state change"), - dup23, - ])); - - var msg133 = msg("bgp_event", part160); - - var part161 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection attempt from unconfigured neighbor"), - dup23, - ])); - - var msg134 = msg("bgp_listen_accept", part161); - - var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp reset"), - dup23, - ])); - - var msg135 = msg("bgp_listen_reset", part162); - - var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","peer next hop local"), - dup23, - ])); - - var msg136 = msg("bgp_nexthop_sanity", part163); - - var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","code RED error NOTIFICATION sent"), - dup23, - ])); - - var msg137 = msg("bgp_process_caps", part164); - - var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg138 = msg("bgp_process_caps:01", part165); - - var select32 = linear_select([ - msg137, - msg138, - ]); - - var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ - dup30, - dup22, - setc("event_description","connection 
collision"), - setc("result","dropping connection to peer"), - dup23, - ])); - - var msg139 = msg("bgp_pp_recv", part166); - - var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ - dup30, - dup22, - setc("event_description","peer received unexpected EOF"), - dup23, - ])); - - var msg140 = msg("bgp_pp_recv:01", part167); - - var select33 = linear_select([ - msg139, - msg140, - ]); - - var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp send blocked error"), - dup23, - ])); - - var msg141 = msg("bgp_send", part168); - - var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp timeout NOTIFICATION sent"), - dup23, - ])); - - var msg142 = msg("bgp_traffic_timeout", part169); - - var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot argument error"), - dup23, - ])); - - var msg143 = msg("BOOTPD_ARG_ERR", part170); - - var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot unexpected Id value"), - dup23, - ])); - - var msg144 = msg("BOOTPD_BAD_ID", part171); - - var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Invalid boot string"), - dup23, - ])); - - var msg145 = msg("BOOTPD_BOOTSTRING", part172); - - var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration file error"), - dup23, - ])); - - var msg146 = msg("BOOTPD_CONFIG_ERR", part173); - - var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open configuration file"), - dup23, - ])); - - var msg147 = msg("BOOTPD_CONF_OPEN", part174); - - var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - Duplicate revision"), - dup23, - ])); - - var msg148 = msg("BOOTPD_DUP_REV", part175); - - var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - duplicate slot"), - dup23, - ])); - - var msg149 = msg("BOOTPD_DUP_SLOT", part176); - - var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected ID for model"), - dup23, - ])); - - var msg150 = msg("BOOTPD_MODEL_CHK", part177); - - var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ - dup30, - dup22, - 
setc("event_description","Unsupported model"), - dup23, - ])); - - var msg151 = msg("BOOTPD_MODEL_ERR", part178); - - var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ - dup21, - dup22, - setc("event_description","New configuration installed"), - dup23, - ])); - - var msg152 = msg("BOOTPD_NEW_CONF", part179); - - var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","No boot string found"), - dup23, - ])); - - var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); - - var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No configuration file found"), - dup23, - ])); - - var msg154 = msg("BOOTPD_NO_CONFIG", part181); - - var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ - dup30, - dup22, - setc("event_description","parse errors on SIGHUP"), - dup23, - ])); - - var msg155 = msg("BOOTPD_PARSE_ERR", part182); - - var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Reparsing configuration file"), - dup23, - ])); - - var msg156 = msg("BOOTPD_REPARSE", part183); - - var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","select error"), - dup23, - ])); - - var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); - - var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ - dup30, - dup22, - setc("event_description","timeout unreasonable"), - dup23, - ])); - - var msg158 = msg("BOOTPD_TIMEOUT", part185); - - var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","boot version built"), - dup23, - ])); - - var msg159 = msg("BOOTPD_VERSION", part186); - - var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ - dup58, - dup22, - setc("event_description","CHASSISD release built"), - dup23, - ])); - - var msg160 = msg("CHASSISD", part187); - - var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD Unknown option"), - dup23, - ])); - - var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); - - var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers are now running at normal speed"), - dup23, - ])); - - var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); - - var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers being set to full speed"), - dup23, - ])); - - var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); - - var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","reading midplane ID EEPROM"), - dup23, - ])); - - var msg164 = msg("CHASSISD_CB_READ", part191); - - var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK ERROR"), - dup23, - ])); - - var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); - - var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK SF ERROR"), - dup23, - ])); - - var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); - - var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Cannot set no-concatenated mode for FPC"), - dup23, - ])); - - var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); - - var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG File Problem"), - dup23, - ])); - - var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); - - var part196 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD CONFIG WARNING"), - dup23, - ])); - - var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); - - var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd already running"), - dup23, - ])); - - var msg170 = msg("CHASSISD_EXISTS", part197); - - var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ - dup21, - dup22, - setc("event_description","Killing existing chassisd and exiting"), - dup23, - ])); - - var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); - - var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","file open error"), - dup23, - ])); - - var msg172 = msg("CHASSISD_FILE_OPEN", part199); - - var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD file statistics error"), - dup23, - ])); - - var msg173 = msg("CHASSISD_FILE_STAT", part200); - - var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD received restart EVENT"), - dup23, - ])); - - var msg174 = 
msg("CHASSISD_FRU_EVENT", part201); - - var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD restart WRITE_ERROR"), - dup23, - ])); - - var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); - - var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD FRU STEP ERROR"), - dup23, - ])); - - var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); - - var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error from gettimeofday"), - dup23, - ])); - - var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); - - var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ - dup21, - dup22, - setc("event_description","reading host temperature sensor"), - dup23, - ])); - - var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); - - var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","detaching all pseudo devices"), - dup23, - ])); - - var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); - - var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH FPC"), - dup23, - ])); - - var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); - - var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PIC"), - dup23, - ])); - - var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); - - var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), - dup23, - ])); - - var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); - - var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), - dup23, - ])); - - var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); - - var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","rtslib_ifdm_get_by_index failed"), - dup23, - ])); - - var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); - - var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Message Queue full"), - dup23, - ])); - - var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); - - var part213 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Received unexpected message"), - dup23, - ])); - - var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); - - var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection pipe"), - dup23, - ])); - - var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); - - var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection arguments"), - dup23, - ])); - - var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); - - var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd MAC address allocation error"), - dup23, - ])); - - var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); - - var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ - dup21, - dup22, - setc("event_description","Using default MAC address base"), - dup23, - ])); - - var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); - - var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ - dup30, - dup22, - 
setc("event_description","management bus failed sanity test"), - dup23, - ])); - - var msg191 = msg("CHASSISD_MBUS_ERROR", part218); - - var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ - dup21, - dup22, - setc("event_description","Using new configuration"), - dup23, - ])); - - var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); - - var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD PARSE ERROR"), - dup23, - ])); - - var msg193 = msg("CHASSISD_PARSE_ERROR", part220); - - var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Parsing configuration file"), - dup23, - ])); - - var msg194 = msg("CHASSISD_PARSE_INIT", part221); - - var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open PID file"), - dup23, - ])); - - var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); - - var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Pipe error"), - dup23, - ])); - - var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); - - var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ - dup59, - dup22, - 
setc("event_description","device not powering up"), - dup23, - ])); - - var msg197 = msg("CHASSISD_POWER_CHECK", part224); - - var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ - dup21, - dup22, - setc("event_description","Successful reconnect on soft restart"), - dup23, - ])); - - var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); - - var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ - dup21, - dup22, - setc("event_description","Release mastership notification"), - dup23, - ])); - - var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); - - var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","re_init Invalid RE slot"), - dup23, - ])); - - var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); - - var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine mount point for root directory"), - dup23, - ])); - - var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); - - var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","ifmsg sequence gap"), - dup23, - ])); - - var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); - - var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - setc("eventcategory","1603040000"), - dup22, - setc("event_description","Version mismatch"), - dup23, - ])); - - var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); - - var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Serial ID read error"), - dup23, - ])); - - var msg204 = msg("CHASSISD_SERIAL_ID", part231); - - var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","fpga download not complete"), - dup23, - ])); - - var msg205 = msg("CHASSISD_SMB_ERROR", part232); - - var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ - dup58, - dup22, - setc("event_description","SNMP Trap6 generated"), - dup23, - ])); - - var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); - - var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP Trap7 generated"), - dup23, - ])); - - var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); - - var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap - FRU power on"), - dup23, - ])); - - var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); - - var part236 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ - dup60, - dup22, - setc("event_description","Received SIGTERM request"), - dup23, - ])); - - var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); - - var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","Taking PIC offline"), - dup23, - ])); - - var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); - - var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","UNEXPECTED EXIT"), - dup23, - ])); - - var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); - - var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ - dup59, - dup22, - setc("event_description","Model number unsupported with this version of chassisd"), - dup23, - ])); - - var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); - - var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - dup59, - dup22, - setc("event_description","Chassisd Version mismatch"), - dup23, - ])); - - var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); - - var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ - dup59, - dup22, - 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), - dup61, - dup62, - ])); - - var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); - - var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","process RESTART mode"), - dup23, - ])); - - var msg215 = msg("clean_process", part242); - - var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ - dup21, - dup22, - setc("event_description","Chassis Linklocal to MAC"), - dup23, - ])); - - var msg216 = msg("CM_JAVA", part243); - - var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","DCD must be run as root"), - dup23, - ])); - - var msg217 = msg("DCD_AS_ROOT", part244); - - var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ - dup30, - dup22, - setc("event_description","Filter library initialization failed"), - dup23, - ])); - - var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); - - var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); - - var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration file"), - dup23, - ])); - - var msg220 = msg("DCD_PARSE_EMERGENCY", part246); - - var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing filter index file"), - dup23, - ])); - - var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); - - var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration overlay"), - dup23, - ])); - - var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); - - var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ - dup30, - dup22, - setc("event_description","unhandled state was encountered during interface parsing"), - dup23, - ])); - - var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); - - var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing policer indexfile"), - dup23, - ])); - - var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); - - var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to pull file"), - dup23, - ])); - - var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); - - var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DFWD ARGUMENT 
ERROR"), - dup23, - ])); - - var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); - - var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); - - var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors encountered while parsing filter index file"), - dup23, - ])); - - var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); - - var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ - dup30, - dup22, - setc("event_description","encountered unhandled state while parsing interface"), - dup23, - ])); - - var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); - - var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); - - var msg231 = msg("ECCD_DUPLICATE", dup141); - - var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD LOOP EXIT FAILURE"), - dup23, - ])); - - var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); - - var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","ECCD Must be run as root"), - dup23, - ])); - - var msg233 = msg("ECCD_NOT_ROOT", part256); - - var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD PCI FILE OPEN FAILED"), - dup23, - ])); - - var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); - - var 
part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI read failure"), - dup23, - ])); - - var msg235 = msg("ECCD_PCI_READ_FAILED", part258); - - var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI write failure"), - dup23, - ])); - - var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); - - var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); - - var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); - - var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD TRACE FILE OPEN FAILURE"), - dup23, - ])); - - var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); - - var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","ECCD Usage"), - dup23, - ])); - - var msg240 = msg("ECCD_usage", part261); - - var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ - dup21, - dup22, - setc("event_description","User viewed security audit log with arguments"), - dup23, - ])); - - var msg241 = msg("EVENTD_AUDIT_SHOW", part262); - - var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); - - var part264 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to change owner of file"), - dup23, - ])); - - var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); - - var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD CONFIG ERROR"), - dup23, - ])); - - var msg244 = msg("FSAD_CONFIG_ERROR", part265); - - var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection timed out to client"), - dup23, - ])); - - var msg245 = msg("FSAD_CONNTIMEDOUT", part266); - - var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD_FAILED"), - dup23, - ])); - - var msg246 = msg("FSAD_FAILED", part267); - - var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ - dup30, - dup22, - setc("event_description","Fetch to server to get file timed out"), - dup23, - ])); - - var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); - - var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","fn failed for file"), - dup23, - ])); - - var msg248 = 
msg("FSAD_FILE_FAILED", part269); - - var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to remove file"), - dup23, - ])); - - var msg249 = msg("FSAD_FILE_REMOVE", part270); - - var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to rename file"), - dup23, - ])); - - var msg250 = msg("FSAD_FILE_RENAME", part271); - - var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","stat failed for file"), - dup23, - ])); - - var msg251 = msg("FSAD_FILE_STAT", part272); - - var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to sync file"), - dup23, - ])); - - var msg252 = msg("FSAD_FILE_SYNC", part273); - - var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ - dup30, - dup22, - setc("event_description","Upper limit reached in fsad"), - dup23, - ])); - - var msg253 = msg("FSAD_MAXCONN", part274); - - var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ - dup51, - dup22, - setc("event_description","FSAD MEMORYALLOC FAILED"), - dup23, - ])); - - var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part275); - - var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","FSAD must be run as root"), - dup23, - ])); - - var msg255 = msg("FSAD_NOT_ROOT", part276); - - var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","invalid directory"), - dup23, - ])); - - var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); - - var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","File path cannot be a directory"), - dup23, - ])); - - var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); - - var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","Not a regular file"), - dup23, - ])); - - var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); - - var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ - dup30, - dup22, - setc("event_description","fsad received error message from client"), - dup23, - ])); - - var msg259 = msg("FSAD_RECVERROR", part280); - - var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","FSAD TERMINATED CONNECTION"), - dup23, - ])); - - 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); - - var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Received terminating signal"), - dup23, - ])); - - var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); - - var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Open operation on trace file failed"), - dup23, - ])); - - var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); - - var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Incorrect FSAD usage"), - dup23, - ])); - - var msg263 = msg("FSAD_USAGE", part284); - - var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP FAILED"), - dup23, - ])); - - var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); - - var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP SEND FAILED"), - dup23, - ])); - - var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); - - var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown trap request type"), - dup23, - ])); - - var msg266 = 
msg("GGSN_TRAP_SEND", part287); - - var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ - dup69, - dup34, - setc("ec_subject","Service"), - dup43, - dup22, - setc("event_description","Authorization failed"), - dup23, - ])); - - var msg267 = msg("JADE_AUTH_ERROR", part288); - - var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE EXEC ERROR"), - dup23, - ])); - - var msg268 = msg("JADE_EXEC_ERROR", part289); - - var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ - dup30, - dup22, - setc("event_description","Local user does not exist"), - dup23, - ])); - - var msg269 = msg("JADE_NO_LOCAL_USER", part290); - - var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE PAM error"), - dup23, - ])); - - var msg270 = msg("JADE_PAM_ERROR", part291); - - var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to get local username from PAM"), - dup23, - ])); - - var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); - - var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ - dup30, - dup22, - setc("event_description","arp info overwritten"), - dup23, - ])); - - var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part293); - - var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ - dup30, - dup22, - setc("event_description","security association has been established"), - dup23, - ])); - - var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); - - var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ - dup21, - dup22, - setc("event_description","Task Reinitialized"), - dup61, - dup23, - ])); - - var msg274 = msg("L2CPD_TASK_REINIT", part295); - - var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ - dup21, - dup22, - dup70, - dup23, - ])); - - var msg275 = msg("LIBJNX_EXEC_EXITED", part296); - - var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed for command"), - dup23, - ])); - - var msg276 = msg("LIBJNX_EXEC_FAILED", part297); - - var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); - - var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Command received signal"), - dup23, - ])); - - var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); - - var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ - dup21, - dup22, - dup72, - dup23, - ])); - - var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); - - var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ - dup73, - dup22, - setc("event_description","copy_file_to_transfer_dir failed to copy"), - dup23, - ])); - - var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); - - var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to lower privilege level"), - dup23, - ])); - - var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); - - var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to raise privilege level"), - dup23, - ])); - - var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); - - var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","rcp failed"), - dup23, - ])); - - var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); - - var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","ROTATE COMPRESS EXEC FAILED"), - dup23, - ])); - - var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); - - var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Client connection error"), - dup23, - ])); - - var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); - - var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Outbound request failed for command"), - dup23, - ])); - - var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); - - var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ - dup27, - dup22, - setc("event_description","Connection closed while receiving from client"), - dup23, - ])); - - var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); - - var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to bind socket"), - dup23, - ])); - - var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); - - var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to attach socket to management routing instance"), - dup23, - ])); - - var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); - - var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LICENSE EXPIRED"), - 
dup23, - ])); - - var msg290 = msg("LICENSE_EXPIRED", part310); - - var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ - dup21, - dup22, - setc("event_description","License key has expired"), - dup23, - ])); - - var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); - - var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","License key expiration soon"), - dup23, - ])); - - var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); - - var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ - dup30, - dup22, - setc("event_description","client aborted login"), - dup23, - ])); - - var msg293 = msg("LOGIN_ABORTED", part313); - - var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - dup23, - ])); - - var msg294 = msg("LOGIN_FAILED", part314); - - var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Incorrect password for user"), - dup23, - ])); - - var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); - - var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - 
setc("result","Failed to set context for user"), - dup23, - ])); - - var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); - - var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Failed to set login ID for user"), - dup23, - ])); - - var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); - - var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Unable to resolve hostname"), - dup23, - ])); - - var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); - - var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); - - var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); - - var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); - - var select34 = linear_select([ - part321, - dup45, - ]); - - var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); - - var all19 = all_match({ - processors: [ - dup39, - dup137, - part319, - dup145, - part320, - select34, - part322, - ], - on_success: processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Successful Login"), - dup23, - ]), - }); - - var msg299 = msg("LOGIN_INFORMATION", all19); - - var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","No entry in local password 
file for user"), - dup23, - ])); - - var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); - - var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Invalid username"), - dup23, - ])); - - var msg301 = msg("LOGIN_MALFORMED_USER", part324); - - var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); - - var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); - - var select35 = linear_select([ - part325, - part326, - ]); - - var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); - - var all20 = all_match({ - processors: [ - dup50, - select35, - part327, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","PAM authentication error for user"), - dup23, - ]), - }); - - var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); - - var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","PAM authentication failure"), - setc("result","Failure while authenticating user"), - dup23, - ])); - - var msg303 = msg("LOGIN_PAM_ERROR", part328); - - var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Too many retries while authenticating user"), - dup23, - ])); - - var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); - - 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","User authenticated but has no local login ID"), - dup23, - ])); - - var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); - - var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ - setc("eventcategory","1303000000"), - dup34, - dup43, - dup22, - setc("event_description","Failed to end PAM session"), - dup23, - ])); - - var msg306 = msg("LOGIN_PAM_STOP", part331); - - var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Attempt to authenticate unknown user"), - dup23, - ])); - - var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); - - var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Forcing change of expired password for user"), - dup23, - ])); - - var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); - - var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Login of user refused"), - dup23, - ])); - - var msg309 = msg("LOGIN_REFUSED", part334); - - var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful login as root"), - setc("result","User logged in as root"), - dup23, - ])); - - var msg310 = msg("LOGIN_ROOT", part335); - - var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ - dup44, - dup34, - dup36, - dup43, - dup22, - dup75, - setc("result","Login attempt timed out"), - dup23, - ])); - - var msg311 = msg("LOGIN_TIMED_OUT", part336); - - var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D ATM ERROR"), - dup23, - ])); - - var msg312 = msg("MIB2D_ATM_ERROR", part337); - - var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG CHECK FAILED"), - dup23, - ])); - - var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); - - var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); - - var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); - - var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); - - var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","mib2d initialization 
failure"), - dup23, - ])); - - var msg317 = msg("MIB2D_INIT_FAILURE", part340); - - var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D KVM FAILURE"), - dup23, - ])); - - var msg318 = msg("MIB2D_KVM_FAILURE", part341); - - var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D RTSLIB READ FAILURE"), - dup23, - ])); - - var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); - - var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ - dup30, - dup22, - setc("event_description","RTSLIB sequence mismatch"), - dup23, - ])); - - var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); - - var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D SYSCTL FAILURE"), - dup23, - ])); - - var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); - - var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ - dup30, - dup22, - setc("event_description","trap_request_header failed"), - dup23, - ])); - - var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); - - var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D 
TRAP SEND FAILURE"), - dup23, - ])); - - var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); - - var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","user sighupped"), - dup23, - ])); - - var msg324 = msg("Multiuser", part347); - - var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate authentication handle"), - dup23, - ])); - - var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); - - var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ - dup80, - dup34, - dup43, - dup22, - setc("event_description","authentication already in progress"), - dup23, - ])); - - var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); - - var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to obtain hostname for outgoing CHAP message"), - dup23, - ])); - - var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); - - var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), - dup23, - ])); - - var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); - - var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID OPCODE"), - dup23, - ])); - - var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); - - var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine value for username in outgoing CHAP packet"), - dup23, - ])); - - var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); - - var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP MESSAGE UNEXPECTED"), - dup23, - ])); - - var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); - - var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ - dup81, - dup22, - setc("event_description","CHAP REPLAY ATTACK DETECTED"), - dup23, - ])); - - var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); - - var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine last modified time of JUNOS configuration database"), - dup23, - ])); - - var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); - - var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); - - var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate database object"), - dup23, - ])); - - var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); - - var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DB TABLE CREATE FAILURE"), - dup23, - ])); - - var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); - - var msg337 = msg("NASD_DUPLICATE", dup141); - - var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB CREATE FAILURE"), - dup23, - ])); - - var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); - - var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB EXIT FAILURE"), - dup23, - ])); - - var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); - - var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate LOCAL module handle"), - dup23, - ])); - - var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); - - var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - 
setc("event_description","NASD must be run as root"), - dup23, - ])); - - var msg341 = msg("NASD_NOT_ROOT", part362); - - var msg342 = msg("NASD_PID_FILE_LOCK", dup142); - - var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); - - var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","POST CONFIGURE EVENT FAILED"), - dup23, - ])); - - var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); - - var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PPP READ FAILURE"), - dup23, - ])); - - var msg345 = msg("NASD_PPP_READ_FAILURE", part364); - - var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send message"), - dup23, - ])); - - var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); - - var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send all of message"), - dup23, - ])); - - var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); - - var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ - dup30, - dup22, - setc("event_description","Unrecognized authentication protocol"), - dup23, - ])); - - var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); - - var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS password allocation failure"), - dup23, - ])); - - var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); - - var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CONFIG FAILED"), - dup23, - ])); - - var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); - - var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate RADIUS module handle"), - dup23, - ])); - - var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); - - var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CREATE REQUEST FAILED"), - dup23, - ])); - - var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); - - var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), - dup23, - ])); - - var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); - - var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown response from RADIUS server"), - 
dup23, - ])); - - var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); - - var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS OPEN FAILED"), - dup23, - ])); - - var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); - - var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SELECT FAILED"), - dup23, - ])); - - var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); - - var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SET TIMER FAILED"), - dup23, - ])); - - var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); - - var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACE FILE OPEN FAILED"), - dup23, - ])); - - var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); - - var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","NASD Usage"), - dup23, - ])); - - var msg359 = msg("NASD_usage", part378); - - var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg360 = msg("NOTICE", part379); - - var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg361 = msg("PFE_FW_SYSLOG_IP", part380); - - var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); - - var select36 = linear_select([ - msg361, - msg362, - ]); - - var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup22, - setc("event_description","Next-hop resolution requests throttled"), - dup23, - ])); - - var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); - - var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST COMPLETED"), - dup23, - ])); - - var msg364 = msg("PING_TEST_COMPLETED", part383); - - var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST FAILED"), - dup23, - ])); - - var msg365 = msg("PING_TEST_FAILED", part384); - - var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); - - var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); - - var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); - - var select37 = linear_select([ - 
part386, - part387, - ]); - - var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); - - var all21 = all_match({ - processors: [ - dup39, - dup137, - part385, - select37, - part388, - ], - on_success: processor_chain([ - dup21, - dup22, - dup83, - dup23, - ]), - }); - - var msg366 = msg("process_mode", all21); - - var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup83, - dup23, - ])); - - var msg367 = msg("process_mode:01", part389); - - var select38 = linear_select([ - msg366, - msg367, - ]); - - var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","process exit with status"), - dup23, - ])); - - var msg368 = msg("PWC_EXIT", part390); - - var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ - dup21, - dup22, - setc("event_description","Process released child from state"), - dup23, - ])); - - var msg369 = msg("PWC_HOLD_RELEASE", part391); - - var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","invalid runs argument"), - dup23, - ])); - - var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); - - var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","INVALID TIMEOUT 
ARGUMENT"), - dup23, - ])); - - var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); - - var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process received terminating signal"), - dup23, - ])); - - var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); - - var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ - dup30, - dup22, - setc("event_description","pwc is sending kill event to child"), - dup23, - ])); - - var msg373 = msg("PWC_KILL_EVENT", part395); - - var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to kill process"), - dup23, - ])); - - var msg374 = msg("PWC_KILL_FAILED", part396); - - var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","kevent failed"), - dup23, - ])); - - var msg375 = msg("PWC_KQUEUE_ERROR", part397); - - var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create kqueue"), - dup23, - ])); - - var msg376 = msg("PWC_KQUEUE_INIT", part398); - - var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to register 
kqueue filter"), - dup23, - ])); - - var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); - - var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file has bad format"), - dup23, - ])); - - var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); - - var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file error"), - dup23, - ])); - - var msg379 = msg("PWC_LOCKFILE_ERROR", part401); - - var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not found"), - dup23, - ])); - - var msg380 = msg("PWC_LOCKFILE_MISSING", part402); - - var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not locked"), - dup23, - ])); - - var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); - - var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ - dup30, - dup22, - setc("event_description","No process specified for PWC"), - dup23, - ])); - - var msg382 = msg("PWC_NO_PROCESS", part404); - - var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process exited with status"), - 
dup23, - ])); - - var msg383 = msg("PWC_PROCESS_EXIT", part405); - - var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process forcing hold down of child until signalled"), - dup23, - ])); - - var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); - - var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child until signalled"), - dup23, - ])); - - var msg385 = msg("PWC_PROCESS_HOLD", part407); - - var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Process not holding down child"), - dup23, - ])); - - var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); - - var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create child process with pidpopen"), - dup23, - ])); - - var msg387 = msg("PWC_PROCESS_OPEN", part409); - - var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child"), - dup23, - ])); - - var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); - - var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Child process timed out"), - dup23, - ])); - - var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); - - var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","signal failure"), - dup23, - ])); - - var msg390 = msg("PWC_SIGNAL_INIT", part412); - - var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to connect socket to service"), - dup23, - ])); - - var msg391 = msg("PWC_SOCKET_CONNECT", part413); - - var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create socket"), - dup23, - ])); - - var msg392 = msg("PWC_SOCKET_CREATE", part414); - - var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to set socket option"), - dup23, - ])); - - var msg393 = msg("PWC_SOCKET_OPTION", part415); - - var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Write to stdout failed"), - dup23, - ])); - - var msg394 = msg("PWC_STDOUT_WRITE", part416); - - var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - 
dup21, - dup22, - setc("event_description","PWC SYSTEM CALL"), - dup23, - ])); - - var msg395 = msg("PWC_SYSTEM_CALL", part417); - - var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown kill option"), - dup23, - ])); - - var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); - - var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ - dup30, - dup22, - setc("event_description","Multicast address not allowed"), - dup23, - ])); - - var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); - - var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD ADDRESS SOURCE INVALID"), - dup23, - ])); - - var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); - - var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to convert numeric address to string"), - dup23, - ])); - - var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); - - var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","rmop_util_set_address status message invalid"), - dup23, - ])); - - var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); - - var msg401 = msg("RMOPD_DUPLICATE", dup141); - - var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ - dup30, - dup22, - setc("event_description","Only IPv4 source address is supported"), - dup23, - ])); - - var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); - - var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ - dup30, - dup22, - setc("event_description","No route to host"), - dup23, - ])); - - var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); - - var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NOT ACTIVE"), - dup23, - ])); - - var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); - - var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NO INFO"), - dup23, - ])); - - var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); - - var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD IFNAME NOT ACTIVE"), - dup23, - ])); - - var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); - - var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFNAME NO INFO"), - dup23, - ])); - - var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); - - var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","RMOPD Must be run as root"), - dup23, - ])); - - var msg408 = msg("RMOPD_NOT_ROOT", part429); - - var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No information for routing instance"), - dup23, - ])); - - var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); - - var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACEROUTE ERROR"), - dup23, - ])); - - var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); - - var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","RMOPD usage"), - dup23, - ])); - - var msg411 = msg("RMOPD_usage", part432); - - var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD ABORT"), - dup23, - ])); - - var msg412 = msg("RPD_ABORT", part433); - - var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD exiting with active tasks"), - dup23, - ])); - - var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); - - var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Assertion failed"), - dup23, - ])); - - var msg414 = msg("RPD_ASSERT", part435); - - var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Soft assertion failed"), - dup23, - ])); - - var msg415 = msg("RPD_ASSERT_SOFT", part436); - - var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD EXIT"), - dup23, - ])); - - var msg416 = msg("RPD_EXIT", part437); - - var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); - - var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); - - var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS lost adjacency"), - dup23, - ])); - - var msg419 = msg("RPD_ISIS_ADJDOWN", part438); - - var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","IS-IS new adjacency"), - dup23, - ])); - - var msg420 = msg("RPD_ISIS_ADJUP", part439); - - var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS new adjacency 
without an address"), - dup23, - ])); - - var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); - - var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS LSP checksum error on iterface"), - dup23, - ])); - - var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); - - var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS database overload"), - dup23, - ])); - - var msg423 = msg("RPD_ISIS_OVERLOAD", part442); - - var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","message with unsupported address family received"), - dup23, - ])); - - var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); - - var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ - dup30, - dup22, - setc("event_description","RPD KRT CCC IFL MODIFY"), - dup23, - ])); - - var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); - - var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","received deleted routing table from kernel"), - dup23, - ])); - - var msg426 = msg("RPD_KRT_DELETED_RTT", part445); - - var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifa generation mismatch"), - dup23, - ])); - - var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); - - var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","CHANGE for ifd failed"), - dup23, - ])); - - var msg428 = msg("RPD_KRT_IFDCHANGE", part447); - - var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET SERVICE failure on interface"), - dup23, - ])); - - var msg429 = msg("RPD_KRT_IFDEST_GET", part448); - - var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET index for ifd interface failed"), - dup23, - ])); - - var msg430 = msg("RPD_KRT_IFDGET", part449); - - var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifd generation mismatch"), - dup23, - ])); - - var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); - - var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE INVALID"), - dup23, 
- ])); - - var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); - - var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), - dup23, - ])); - - var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); - - var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifl generation mismatch"), - dup23, - ])); - - var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); - - var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","lost interface for route"), - dup23, - ])); - - var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); - - var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","number of next hops exceeded the maximum"), - dup23, - ])); - - var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); - - var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","No device for interface"), - dup23, - ])); - - var msg437 = msg("RPD_KRT_NOIFD", part456); - - var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","received routing table message for unknown table"), - dup23, - ])); - - var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); - - var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket version mismatch"), - dup23, - ])); - - var msg439 = msg("RPD_KRT_VERSION", part458); - - var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type not supported by kernel"), - dup23, - ])); - - var msg440 = msg("RPD_KRT_VERSIONNONE", part459); - - var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type version is older than expected"), - dup23, - ])); - - var msg441 = msg("RPD_KRT_VERSIONOLD", part460); - - var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Duplicate session ID detected"), - dup23, - ])); - - var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); - - var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP interface now unblocked"), - dup23, - ])); - - var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); - - var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - setc("eventcategory","1603030000"), - dup22, - setc("event_description","LDP neighbor down"), - dup23, - ])); - - var msg444 = msg("RPD_LDP_NBRDOWN", part463); - - var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP neighbor up"), - dup23, - ])); - - var msg445 = msg("RPD_LDP_NBRUP", part464); - - var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LDP session down"), - dup23, - ])); - - var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); - - var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ - dup21, - dup22, - setc("event_description","LDP session up"), - dup23, - ])); - - var msg447 = msg("RPD_LDP_SESSIONUP", part466); - - var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain a lock"), - dup23, - ])); - - var msg448 = msg("RPD_LOCK_FLOCKED", part467); - - var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain service lock"), - dup23, - ])); - - var msg449 = msg("RPD_LOCK_LOCKED", part468); - - var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP CHANGE"), - dup23, - ])); - - var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); - - var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MPLS LSP DOWN"), - dup23, - ])); - - var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); - - var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP SWITCH"), - dup23, - ])); - - var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); - - var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP UP"), - dup23, - ])); - - var msg453 = msg("RPD_MPLS_LSP_UP", part472); - - var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MSDP PEER DOWN"), - dup23, - ])); - - var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); - - var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","MSDP PEER UP"), - dup23, - ])); - - var 
msg455 = msg("RPD_MSDP_PEER_UP", part474); - - var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","OSPF neighbor down"), - dup23, - ])); - - var msg456 = msg("RPD_OSPF_NBRDOWN", part475); - - var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","OSPF neighbor up"), - dup23, - ])); - - var msg457 = msg("RPD_OSPF_NBRUP", part476); - - var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ - dup51, - dup22, - setc("event_description","OS MEMHIGH"), - dup23, - ])); - - var msg458 = msg("RPD_OS_MEMHIGH", part477); - - var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","PIM neighbor down"), - setc("result","timeout"), - dup23, - ])); - - var msg459 = msg("RPD_PIM_NBRDOWN", part478); - - var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","PIM neighbor up"), - dup23, - ])); - - var msg460 = msg("RPD_PIM_NBRUP", part479); - - var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Bad checksum for router 
solicitation"), - dup23, - ])); - - var msg461 = msg("RPD_RDISC_CKSUM", part480); - - var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Ignoring interface"), - dup23, - ])); - - var msg462 = msg("RPD_RDISC_NOMULTI", part481); - - var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to locate interface for router"), - dup23, - ])); - - var msg463 = msg("RPD_RDISC_NORECVIF", part482); - - var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Expected multicast for router solicitation"), - dup23, - ])); - - var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); - - var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Nonzero ICMP code for router solicitation"), - dup23, - ])); - - var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); - - var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Insufficient length for router solicitation"), - dup23, - ])); - - var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); - 
- var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ - dup30, - dup22, - setc("event_description","RIP update with invalid authentication"), - dup23, - ])); - - var msg467 = msg("RPD_RIP_AUTH", part486); - - var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - unable to get broadcast address"), - dup23, - ])); - - var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); - - var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - Unable to join multicast group"), - dup23, - ])); - - var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); - - var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","RIP interface up"), - dup23, - ])); - - var msg470 = msg("RPD_RT_IFUP", part489); - - var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); - - var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ - dup30, - dup22, - setc("event_description","excessive runtime after action of module"), - dup23, - ])); - - var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); - - var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); - - var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ - dup30, - dup22, - setc("event_description","task extended runtime"), - dup23, - ])); - - var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); - - var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ - dup30, - dup22, - setc("event_description","termination signal received for service"), - dup23, - ])); - - var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); - - var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","version built"), - dup23, - ])); - - var msg476 = msg("RPD_START", part493); - - var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","system command"), - dup23, - ])); - - var msg477 = msg("RPD_SYSTEM", part494); - - var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ - dup21, - dup22, - setc("event_description","Commencing routing updates"), - dup23, - ])); - - var msg478 = msg("RPD_TASK_BEGIN", part495); - - var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task killed by signal"), - dup23, - ])); - - var msg479 = msg("RPD_TASK_CHILDKILLED", part496); - - var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task stopped by signal"), - dup23, - ])); - - var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); - - var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork task"), - dup23, - ])); - - var msg481 = msg("RPD_TASK_FORK", part498); - - var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD TASK GETWD"), - dup23, - ])); - - var msg482 = msg("RPD_TASK_GETWD", part499); - - var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ - dup30, - dup22, - setc("event_description","Reinitialization not possible"), - dup23, - ])); - - var msg483 = msg("RPD_TASK_NOREINIT", part500); - - var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to close and remove task"), - dup23, - ])); - - var msg484 = msg("RPD_TASK_PIDCLOSED", part501); - - var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD TASK PIDFLOCK"), - dup23, - ])); - - var msg485 = msg("RPD_TASK_PIDFLOCK", part502); - - var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to write"), - dup23, - ])); - - var msg486 = msg("RPD_TASK_PIDWRITE", part503); - - var msg487 = msg("RPD_TASK_REINIT", dup149); - - var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","ignoring task signal"), - dup23, - ])); - - var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); - - var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","COS IPC op failed"), - dup23, - ])); - - var msg489 = msg("RT_COS", part505); - - var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); - - var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); - - var select39 = linear_select([ - part508, - dup91, - ]); - - var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); - - var select40 = linear_select([ - 
part510, - dup45, - ]); - - var all22 = all_match({ - processors: [ - dup87, - dup150, - part506, - dup151, - part507, - select39, - part509, - select40, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); - - var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); - - var select41 = linear_select([ - part511, - dup45, - ]); - - var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); - - var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); - - var select42 = linear_select([ - part513, - dup45, - ]); - - var all23 = all_match({ - processors: [ - dup87, - select41, - part512, - select42, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); - - var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); - - var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); - - var select43 = linear_select([ - part514, - part515, - ]); - - var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); - - var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); - - var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); - - var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); - - var select44 = linear_select([ - part517, - part518, - part519, - ]); - - var all24 = all_match({ - processors: [ - select43, - part516, - select44, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("event_description","session created"), - dup23, - ]), - }); - - var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); - - var select45 = linear_select([ - msg490, - msg491, - msg492, - ]); - - var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); - - var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); - - var select46 = 
linear_select([ - part521, - part522, - dup45, - ]); - - var all25 = all_match({ - processors: [ - dup87, - dup150, - part520, - select46, - dup92, - ], - on_success: processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ]), - }); - - var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); - - var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ])); - - var msg494 = msg("RT_FLOW_SESSION_DENY", part523); - - var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); - - var all26 = all_match({ - processors: [ - dup152, - part524, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); - - var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); - - var all27 = all_match({ - processors: [ - dup152, - part525, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); - - var select47 = linear_select([ - msg493, - msg494, - msg495, - msg496, - ]); - - var select48 = linear_select([ - dup103, - dup45, - ]); - - var all28 = all_match({ - processors: [ - dup98, - dup150, - dup99, - dup151, - dup100, - dup153, - dup102, - select48, - dup92, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - ]), - }); - - var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); - - var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); - - var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); - - var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); - - var select49 = linear_select([ - part527, - part528, - ]); - - var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); - - var all29 = all_match({ - processors: [ - select49, - part529, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup22, - setc("event_description","session closed"), - dup23, - ]), - }); - - var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); - - var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); - - var select50 = linear_select([ - dup103, - part530, - dup45, - ]); - - var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); - - var all30 = all_match({ - processors: [ - dup98, - dup150, - 
dup99, - dup151, - dup100, - dup153, - dup102, - select50, - part531, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - dup61, - ]), - }); - - var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); - - var select51 = linear_select([ - msg497, - msg498, - msg499, - msg500, - ]); - - var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","Fragmented traffic"), - dup23, - ])); - - var msg501 = msg("RT_SCREEN_IP", part532); - - var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg502 = msg("RT_SCREEN_IP:01", part533); - - var select52 = linear_select([ - msg501, - msg502, - ]); - - var msg503 = msg("RT_SCREEN_TCP", dup154); - - var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); - - var msg505 = msg("RT_SCREEN_UDP", dup154); - - var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","attempt to connect to interface failed"), - dup23, - 
])); - - var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); - - var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ - dup27, - dup22, - setc("event_description","unexpected termination of connection"), - dup23, - ])); - - var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); - - var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client interface connection failure"), - dup23, - ])); - - var msg508 = msg("SERVICED_CLIENT_ERROR", part537); - - var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","remote command execution failed"), - dup23, - ])); - - var msg509 = msg("SERVICED_COMMAND_FAILED", part538); - - var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client commit configuration failed"), - dup23, - ])); - - var msg510 = msg("SERVICED_COMMIT_FAILED", part539); - - var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration process failed"), - dup23, - ])); - - var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); - - var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONFIG ERROR"), - dup23, - ])); - - var msg512 = msg("SERVICED_CONFIG_ERROR", part541); - - var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service failed to read path"), - dup23, - ])); - - var msg513 = msg("SERVICED_CONFIG_FILE", part542); - - var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONNECTION ERROR"), - dup23, - ])); - - var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); - - var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","GGSN services disabled"), - dup23, - ])); - - var msg515 = msg("SERVICED_DISABLED_GGSN", part544); - - var msg516 = msg("SERVICED_DUPLICATE", dup141); - - var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","event function failed"), - dup23, - ])); - - var msg517 = msg("SERVICED_EVENT_FAILED", part545); - - var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service initialization failed"), - dup23, - ])); - - var msg518 = msg("SERVICED_INIT_FAILED", part546); - - var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","memory allocation failure"), - dup23, - ])); - - var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); - - var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","NETWORK FAILURE"), - dup23, - ])); - - var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); - - var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","SERVICED must be run as root"), - dup23, - ])); - - var msg521 = msg("SERVICED_NOT_ROOT", part549); - - var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); - - var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); - - var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","routing socket sequence error"), - dup23, - ])); - - var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); - - var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","set up of signal name handler failed"), - dup23, - ])); - - var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); - - var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed with error"), - dup23, - ])); - - var msg526 = msg("SERVICED_SOCKET_CREATE", part552); - - var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket function failed"), - dup23, - ])); - - var msg527 = msg("SERVICED_SOCKET_IO", part553); - - var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to set socket option"), - dup23, - ])); - - var msg528 = msg("SERVICED_SOCKET_OPTION", part554); - - var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","STDLIB FAILURE"), - dup23, - ])); - - var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); - - var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Incorrect service usage"), - dup23, - ])); - - var msg530 = msg("SERVICED_USAGE", part556); - - var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","object has unexpected value"), - dup23, - ])); - - var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); - - var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); - - var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); - - var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); - - var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ - dup21, - dup22, - setc("event_description","AgentX subagent connected"), - dup61, - dup23, - ])); - - var msg535 = msg("SNMP_NS_LOG_INFO", part558); - - var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ - dup21, - dup22, - setc("event_description","ns_subagent registering rows"), - dup61, - dup23, - ])); - - var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); - - var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ACCESS GROUP ERROR"), - dup23, - ])); - - var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); - - var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community to unknown community name"), - dup23, - ])); - - var msg538 = msg("SNMPD_AUTH_FAILURE", part561); - - var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","failed input interface authorization to unknown"), - dup23, - 
])); - - var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); - - var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community "), - dup23, - ])); - - var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); - - var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ - dup30, - dup22, - dup105, - dup61, - dup62, - ])); - - var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); - - var select53 = linear_select([ - msg538, - msg539, - msg540, - msg541, - ]); - - var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP request exceeded community privileges"), - dup23, - ])); - - var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); - - var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ - dup48, - dup22, - setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), - setc("result","request not allowed"), - dup23, - ])); - - var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); - - var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unauthorized SNMP PDU type"), - 
dup23, - ])); - - var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); - - var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ - dup30, - dup22, - setc("event_description","Configuration database has errors"), - dup23, - ])); - - var msg545 = msg("SNMPD_CONFIG_ERROR", part568); - - var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD CONTEXT ERROR"), - dup23, - ])); - - var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); - - var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ENGINE FILE FAILURE"), - dup23, - ])); - - var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); - - var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ - dup30, - dup22, - setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), - dup23, - ])); - - var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); - - var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD FILE FAILURE"), - dup23, - ])); - - var msg549 = msg("SNMPD_FILE_FAILURE", part572); - - var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD GROUP ERROR"), - dup23, - ])); - - var msg550 = msg("SNMPD_GROUP_ERROR", part573); - - var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","snmpd initialization failure"), - dup23, - ])); - - var msg551 = msg("SNMPD_INIT_FAILED", part574); - - var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LIBJUNIPER FAILURE"), - dup23, - ])); - - var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); - - var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LOOPBACK ADDR ERROR"), - dup23, - ])); - - var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); - - var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ - dup30, - dup22, - setc("event_description","duplicate memory free"), - dup23, - ])); - - var msg554 = msg("SNMPD_MEMORY_FREED", part577); - - var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","radix_add failed"), - dup23, - ])); - - var msg555 = msg("SNMPD_RADIX_FAILURE", part578); - - var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD RECEIVE FAILURE"), - dup23, - ])); - - var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); - - var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMONFILE FAILURE"), - dup23, - ])); - - var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); - - var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ - dup30, - dup22, - setc("event_description","Null cookie"), - dup23, - ])); - - var msg558 = msg("SNMPD_RMON_COOKIE", part581); - - var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","RMON EVENTLOG"), - dup23, - ])); - - var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); - - var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Received io error"), - dup23, - ])); - - var msg560 = msg("SNMPD_RMON_IOERROR", part583); - - var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","internal Get request error"), - dup23, - ])); - - var msg561 = msg("SNMPD_RMON_MIBERROR", part584); - - var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ - 
dup30, - dup22, - setc("event_description","sequence mismatch"), - dup23, - ])); - - var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); - - var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg563 = msg("SNMPD_SEND_FAILURE", part586); - - var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); - - var select54 = linear_select([ - msg563, - msg564, - ]); - - var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD SOCKET FAILURE"), - dup23, - ])); - - var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); - - var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ - dup30, - dup22, - setc("event_description","No buffers available for subagent"), - dup23, - ])); - - var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); - - var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Send to subagent failed"), - dup23, - ])); - - var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); - - var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","system function failed"), - dup23, - ])); - - var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); - - var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ - dup21, - dup22, - setc("event_description","cleared all throttled traps"), - dup23, - ])); - - var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); - - var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap: cold start"), - dup23, - ])); - - var msg570 = msg("SNMPD_TRAP_COLD_START", part593); - - var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); - - var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); - - var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP INVALID DATA"), - dup23, - ])); - - var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); - - var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ - 
dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR"), - dup23, - ])); - - var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); - - var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ - dup21, - dup22, - setc("event_description","Adding trap to queue"), - dup23, - ])); - - var msg575 = msg("SNMPD_TRAP_QUEUED", part598); - - var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ - dup21, - dup22, - setc("event_description","traps queued - sent successfully"), - dup23, - ])); - - var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); - - var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), - dup23, - ])); - - var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); - - var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP maximum queue size exceeded"), - dup23, - ])); - - var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); - - var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ - dup21, - dup22, - 
setc("event_description","SNMP traps throttled"), - dup23, - ])); - - var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); - - var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ - dup30, - dup22, - setc("event_description","unknown SNMP trap type requested"), - dup23, - ])); - - var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); - - var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), - dup23, - ])); - - var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); - - var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR - invalid version signature"), - dup23, - ])); - - var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); - - var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMPD TRAP WARM START"), - dup23, - ])); - - var msg583 = msg("SNMPD_TRAP_WARM_START", part606); - - var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD USER ERROR"), - dup23, - ])); - - var msg584 = msg("SNMPD_USER_ERROR", part607); - - var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP deleting view"), - dup23, - ])); - - var msg585 = msg("SNMPD_VIEW_DELETE", part608); - - var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","installing default SNMP view"), - dup23, - ])); - - var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); - - var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","oid parsing failed for SNMP view"), - dup23, - ])); - - var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); - - var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP_GET_ERROR 1"), - dup23, - ])); - - var msg588 = msg("SNMP_GET_ERROR1", part611); - - var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 2"), - dup23, - ])); - - var msg589 = msg("SNMP_GET_ERROR2", part612); - - var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 
3"), - dup23, - ])); - - var msg590 = msg("SNMP_GET_ERROR3", part613); - - var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 4"), - dup23, - ])); - - var msg591 = msg("SNMP_GET_ERROR4", part614); - - var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP RTSLIB FAILURE"), - dup23, - ])); - - var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); - - var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup30, - dup22, - dup108, - dup23, - ])); - - var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); - - var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ - dup30, - dup22, - dup108, - dup61, - dup62, - ])); - - var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); - - var select55 = linear_select([ - msg593, - msg594, - ]); - - var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup21, - dup22, - dup109, - dup23, - ])); - - var msg595 = msg("SNMP_TRAP_LINK_UP", part618); - - var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ - dup21, - dup22, - dup109, - dup61, - dup62, - ])); - - var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); - - var select56 = linear_select([ - msg595, - msg596, - ]); - - var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING PROBE FAILED"), - dup23, - ])); - - var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); - - var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP PING TEST COMPLETED"), - dup23, - ])); - - var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); - - var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING TEST FAILED"), - dup23, - ])); - - var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); - - var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), - dup23, - ])); - - var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); - - var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), - dup23, - ])); - - var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); - - var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), - dup23, - ])); - - var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); - - var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup23, - ])); - - var msg603 = msg("SSHD_LOGIN_FAILED", part626); - - var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup61, - dup52, - setf("process","hfld33"), - ])); - - var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); - - var select57 = linear_select([ - msg603, - msg604, - ]); - - var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","task connect failure"), - dup23, - ])); - - var msg605 = msg("task_connect", part628); - - var msg606 = msg("TASK_TASK_REINIT", dup149); - - var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ - dup30, - dup22, 
- setc("event_description","Unexpected address family"), - dup23, - ])); - - var msg607 = msg("TFTPD_AF_ERR", part629); - - var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD BIND ERROR"), - dup23, - ])); - - var msg608 = msg("TFTPD_BIND_ERR", part630); - - var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CONNECT ERROR"), - dup23, - ])); - - var msg609 = msg("TFTPD_CONNECT_ERR", part631); - - var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD CONNECT INFO"), - dup23, - ])); - - var msg610 = msg("TFTPD_CONNECT_INFO", part632); - - var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CREATE ERROR"), - dup23, - ])); - - var msg611 = msg("TFTPD_CREATE_ERR", part633); - - var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FIO ERR"), - dup23, - ])); - - var msg612 = msg("TFTPD_FIO_ERR", part634); - - var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FORK ERROR"), - dup23, - ])); - - var msg613 = msg("TFTPD_FORK_ERR", part635); - - var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD NAK ERROR"), - dup23, - ])); - - var msg614 = msg("TFTPD_NAK_ERR", part636); - - var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg615 = msg("TFTPD_OPEN_ERR", part637); - - var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD RECVCOMPLETE INFO"), - dup23, - ])); - - var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); - - var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECVFROM ERROR"), - dup23, - ])); - - var msg617 = msg("TFTPD_RECVFROM_ERR", part639); - - var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECV ERROR"), - dup23, - ])); - - var msg618 = msg("TFTPD_RECV_ERR", part640); - - var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD SENDCOMPLETE INFO"), - dup23, - ])); - - var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); - - var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SEND ERROR"), - dup23, - ])); - - var msg620 = msg("TFTPD_SEND_ERR", part642); - - var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SOCKET ERROR"), - dup23, - ])); - - var msg621 = msg("TFTPD_SOCKET_ERR", part643); - - var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD STATFS ERROR"), - dup23, - ])); - - var msg622 = msg("TFTPD_STATFS_ERR", part644); - - var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","adding neighbor to interface"), - dup23, - ])); - - var msg623 = msg("TNP", part645); - - var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ - dup21, - dup22, - setc("event_description","tracing to file"), - dup23, - call({ - dest: "nwparser.filename", - fn: RMQ, - args: [ - field("fld33"), - ], - }), - ])); - - var msg624 = msg("trace_on", part646); - - var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","trace rotating file"), - dup23, - ])); - - var msg625 = msg("trace_rotate", part647); - - var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","transfered file"), - dup23, - ])); - - var msg626 = msg("transfer-file", 
part648); - - var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","ttloop - peer died"), - dup23, - ])); - - var msg627 = msg("ttloop", part649); - - var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated user"), - dup23, - ])); - - var msg628 = msg("UI_AUTH_EVENT", part650); - - var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ - dup30, - dup22, - setc("event_description","Received invalid authentication challenge for user response"), - dup23, - ])); - - var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); - - var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch boot time"), - dup23, - ])); - - var msg630 = msg("UI_BOOTTIME_FAILED", part652); - - var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ - dup30, - dup22, - setc("event_description","user path unknown"), - dup23, - ])); - - var msg631 = msg("UI_CFG_AUDIT_NEW", part653); - - var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ - dup42, - dup22, - 
setc("event_description"," user Inserted Security Policies in config"), - dup23, - ])); - - var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); - - var select58 = linear_select([ - msg631, - msg632, - ]); - - var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ - dup21, - dup22, - setc("event_description","User deleted file"), - setc("action","delete"), - dup23, - ])); - - var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); - - var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","User rollback file"), - dup23, - ])); - - var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); - - var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); - - var select59 = linear_select([ - part657, - dup112, - ]); - - var all31 = all_match({ - processors: [ - dup111, - select59, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","User set"), - dup23, - ]), - }); - - var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); - - var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ - dup21, - dup22, - setc("event_description","User config replace"), - setc("action","replace"), - dup23, - ])); - - var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); - - var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ - setc("eventcategory","1701070000"), - dup22, - setc("event_description","User deactivating group(s)"), - setc("action","deactivate"), - 
dup23, - ])); - - var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); - - var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ - dup113, - dup22, - setc("event_description","User updates config file"), - setc("action","update"), - dup23, - ])); - - var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); - - var select60 = linear_select([ - msg633, - msg634, - msg635, - msg636, - msg637, - msg638, - ]); - - var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); - - var select61 = linear_select([ - part661, - dup114, - ]); - - var all32 = all_match({ - processors: [ - dup111, - select61, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); - - var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); - - var select62 = linear_select([ - part662, - dup114, - ]); - - var all33 = all_match({ - processors: [ - dup111, - select62, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); - - var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ - dup21, - dup22, - setc("event_description","User replace config application(s)"), - dup23, - ])); - - var msg641 = msg("UI_CFG_AUDIT_SET", part663); - - var select63 = linear_select([ - msg639, - msg640, - msg641, - ]); - - var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); - - var all34 = all_match({ - processors: [ - dup117, - dup156, - part664, - ], - on_success: 
processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); - - var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); - - var all35 = all_match({ - processors: [ - dup117, - dup156, - part665, - ], - on_success: processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); - - var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ - dup21, - dup22, - setc("event_description","UI CFG AUDIT SET SECRET"), - dup23, - ])); - - var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); - - var select64 = linear_select([ - msg642, - msg643, - msg644, - ]); - - var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ - dup30, - dup22, - setc("event_description","Too many arguments for child process"), - dup23, - ])); - - var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); - - var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to switch to local user"), - dup23, - ])); - - var msg646 = msg("UI_CHILD_CHANGE_USER", part668); - - var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed"), - dup23, - ])); - - var msg647 = msg("UI_CHILD_EXEC", part669); - - var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Child exited"), - dup23, - ])); - - var msg648 = msg("UI_CHILD_EXITED", part670); - - var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to append to log"), - dup23, - ])); - - var msg649 = msg("UI_CHILD_FOPEN", part671); - - var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create pipe for command"), - dup23, - ])); - - var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); - - var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ - dup21, - dup22, - dup61, - setc("event_description","Child received signal"), - dup23, - ])); - - var msg651 = msg("UI_CHILD_SIGNALED", part673); - - var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ - dup21, - dup22, - setc("event_description","Child stopped"), - dup23, - ])); - - var msg652 = msg("UI_CHILD_STOPPED", part674); - - var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ - dup21, - dup22, - setc("event_description","Starting child"), - dup23, - ])); - - var msg653 = msg("UI_CHILD_START", part675); - - var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Cleanup child"), - dup23, - ])); - - var msg654 = msg("UI_CHILD_STATUS", part676); - - var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","waitpid failed"), - dup23, - ])); - - var msg655 = msg("UI_CHILD_WAITPID", part677); - - var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Idle timeout for user exceeded"), - dup23, - ])); - - var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); - - var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg657 = msg("UI_CMDLINE_READ_LINE", part679); - - var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Command execution failed"), - dup23, - ])); - - var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); - - var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork command"), - dup23, - ])); - - var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); - - var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); - - var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup70, - dup23, - ])); - - var msg661 = msg("UI_CMDSET_STOPPED", part682); - - var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup72, - dup23, - ])); - - var msg662 = msg("UI_CMDSET_WEXITED", part683); - - var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Invalid regexp command"), - dup23, - ])); - - var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); - - var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); - - var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); - - var select65 = linear_select([ - part685, - part686, - ]); - - var all36 = all_match({ - processors: [ - dup117, - select65, - ], - on_success: processor_chain([ - dup21, - dup22, - dup122, - dup23, - ]), - }); - - var msg664 = msg("UI_COMMIT", all36); - - var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ - dup21, - dup22, - dup122, - dup23, - ])); - - var msg665 = msg("UI_COMMIT_AT", part687); - - var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ - dup21, - dup22, - setc("event_description","User commit successful"), - dup23, - ])); - - var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); - - var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","User commit failed"), - dup23, - ])); - - var msg667 = msg("UI_COMMIT_AT_FAILED", part689); - - var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to compress file"), - dup23, - ])); - - var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); - - var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","UI COMMIT CONFIRMED"), - dup23, - ])); - - var msg669 = msg("UI_COMMIT_CONFIRMED", part691); - - var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); - - var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); - - var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); - - var select66 = linear_select([ - part693, - part694, - ]); - - var all37 = all_match({ - processors: [ - part692, - select66, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT must be confirmed within # minutes"), - dup23, - ]), - }); - - var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); - - var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); - - var all38 = all_match({ - processors: [ - dup50, - dup145, - part695, - ], - on_success: processor_chain([ - dup21, - 
dup22, - setc("event_description","user performed commit confirm"), - dup23, - ]), - }); - - var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); - - var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Skipped empty object"), - dup23, - ])); - - var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); - - var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","COMMIT NOT CONFIRMED"), - dup23, - ])); - - var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); - - var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); - - var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); - - var select67 = linear_select([ - part698, - part699, - ]); - - var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); - - var all39 = all_match({ - processors: [ - dup50, - select67, - part700, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","Commit operation in progress"), - dup23, - ]), - }); - - var msg674 = msg("UI_COMMIT_PROGRESS", all39); - - var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT QUIT"), - dup23, - ])); - - var msg675 = msg("UI_COMMIT_QUIT", part701); - - var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rollback failed"), - dup23, - ])); - - var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); - - var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT SYNC"), - dup23, - ])); - - var msg677 = msg("UI_COMMIT_SYNC", part703); - - var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","All logins to local configuration database were terminated"), - dup23, - ])); - - var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); - - var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); - - var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); - - var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); - - var select68 = linear_select([ - part706, - part707, - ]); - - var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); - - var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); - - var select69 = linear_select([ - part709, - dup112, - ]); - - var all40 = all_match({ - processors: [ - part705, - select68, - part708, - select69, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","CONFIGURATION ERROR"), - dup23, - ]), - }); - - var msg679 = msg("UI_CONFIGURATION_ERROR", all40); - - var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); - - var all41 = all_match({ - processors: [ - dup50, - dup157, - part710, - ], - on_success: processor_chain([ - dup30, - dup22, - 
setc("event_description","socket connection accept failed"), - dup23, - ]), - }); - - var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); - - var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create session child"), - dup23, - ])); - - var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); - - var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DAEMON SELECT FAILED"), - dup23, - ])); - - var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); - - var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); - - var all42 = all_match({ - processors: [ - dup50, - dup157, - part713, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed"), - dup23, - ]), - }); - - var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); - - var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to reaccess database file"), - dup23, - ])); - - var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); - - var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ - dup30, - dup22, - setc("event_description","Database is out of data"), - dup23, - ])); - - var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); - - var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to extend database file"), - dup23, - ])); - - var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); - - var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","User entering configuration mode"), - dup23, - ])); - - var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); - - var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User exiting configuration mode"), - dup23, - ])); - - var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); - - var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header extent mismatch"), - dup23, - ])); - - var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); - - var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header major version number mismatch"), - dup23, - ])); - - var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); - - var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header minor version number mismatch"), - dup23, - ])); - - var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); - - var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Database header sequence numbers mismatch"), - dup23, - ])); - - var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); - - var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header size mismatch"), - dup23, - ])); - - var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); - - var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Database open failed"), - dup23, - ])); - - var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); - - var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ - dup30, - dup22, - setc("event_description","DBASE REBUILD FAILED"), - dup23, - ])); - - var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); - - var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rebuild of the database failed"), - dup23, - ])); - - var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); - - var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); - - var select70 = linear_select([ - dup76, - part727, - ]); - - var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); - - var all43 = all_match({ - processors: [ - dup50, - select70, - part728, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","DBASE REBUILD STARTED"), - dup23, - ]), - }); - - var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); - - var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ - dup21, - dup22, - setc("event_description","user attempting database re-creation"), - dup23, - ])); - - var msg698 = msg("UI_DBASE_RECREATE", part729); - - var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Reopen of the database failed"), - dup23, - ])); - - var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); - - var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ - dup30, - dup22, - setc("event_description","Users have the same UID"), - dup23, - ])); - - var msg700 = msg("UI_DUPLICATE_UID", part731); - - var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ - setc("eventcategory","1401050100"), - dup22, - setc("event_description","User used JUNOScript client to run command"), - dup23, - ])); - - var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); - - var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JUNOScript error"), - dup23, - ])); - - var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); - - var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","User command"), - dup23, - ])); - - var msg703 = msg("UI_LOAD_EVENT", part734); - - var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ - setc("eventcategory","1701040000"), - dup22, - setc("event_description","Loading default config from file"), - dup23, - ])); - - var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); - - var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup128, - dup23, - ])); - - var msg705 = msg("UI_LOGIN_EVENT:01", part736); - - var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup23, - ])); - - var msg706 = msg("UI_LOGIN_EVENT", part737); - - var select71 = linear_select([ - msg705, - 
msg706, - ]); - - var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User logout"), - dup23, - ])); - - var msg707 = msg("UI_LOGOUT_EVENT", part738); - - var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","Lost connection to daemon"), - dup23, - ])); - - var msg708 = msg("UI_LOST_CONN", part739); - - var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ - dup21, - dup22, - setc("event_description","MASTERSHIP EVENT"), - dup23, - ])); - - var msg709 = msg("UI_MASTERSHIP_EVENT", part740); - - var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Terminating operation"), - dup23, - ])); - - var msg710 = msg("UI_MGD_TERMINATE", part741); - - var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ - dup29, - dup22, - setc("event_description","User used NETCONF client to run command"), - dup23, - ])); - - var msg711 = msg("UI_NETCONF_CMD", part742); - - var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","read failed for peer"), - dup23, - ])); - - var msg712 = msg("UI_READ_FAILED", part743); - - var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ - dup30, - dup22, - setc("event_description","Timeout on read of peer"), - dup23, - ])); - - var msg713 = msg("UI_READ_TIMEOUT", part744); - - var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ - dup60, - dup22, - setc("event_description","System reboot or halt"), - dup23, - ])); - - var msg714 = msg("UI_REBOOT_EVENT", part745); - - var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ - dup29, - dup22, - setc("event_description","user restarting daemon"), - dup23, - ])); - - var msg715 = msg("UI_RESTART_EVENT", part746); - - var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema is out of date"), - dup23, - ])); - - var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); - - var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema major version mismatch"), - dup23, - ])); - - var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); - - var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema minor version mismatch"), - dup23, - ])); - - var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); - 
- var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Schema header sequence numbers mismatch"), - dup23, - ])); - - var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); - - var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ - dup30, - dup22, - setc("event_description","Schema sequence number mismatch"), - dup23, - ])); - - var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); - - var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Configuration synchronization with remote Routing Engine"), - dup23, - ])); - - var msg721 = msg("UI_SYNC_OTHER_RE", part752); - - var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg722 = msg("UI_TACPLUS_ERROR", part753); - - var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch system version"), - dup23, - ])); - - var msg723 = msg("UI_VERSION_FAILED", part754); - - var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ - dup21, - dup22, - setc("event_description","Re-establishing connection to peer"), - dup23, - ])); - - var msg724 = 
msg("UI_WRITE_RECONNECT", part755); - - var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Interface new master for User"), - dup23, - ])); - - var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); - - var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ - dup69, - dup34, - dup35, - dup43, - dup22, - setc("event_description","Unable to authenticate client"), - dup23, - ])); - - var msg726 = msg("WEB_AUTH_FAIL", part757); - - var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated client"), - dup23, - ])); - - var msg727 = msg("WEB_AUTH_SUCCESS", part758); - - var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ - setc("eventcategory","1001030300"), - dup22, - setc("event_description","web request from unauthorized interface"), - dup23, - ])); - - var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); - - var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Unable to read from client"), - dup23, - ])); - - var msg729 = msg("WEB_READ", part760); - - var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ - setc("eventcategory","1204020100"), - dup22, - setc("event_description","failed to check web request"), - dup23, - ])); - - var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); - - var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ - dup74, - dup53, - dup43, - dup22, - dup52, - ])); - - var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); - - var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ - dup29, - dup22, - setc("event_description","Bridge Address"), - dup23, - ])); - - var msg732 = msg("eswd", part763); - - var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ - dup29, - dup22, - setc("event_description","ESWD STP State Change Info"), - dup23, - ])); - - var msg733 = msg("eswd:01", part764); - - var select72 = linear_select([ - msg732, - msg733, - ]); - - var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ - dup29, - dup22, - dup26, - dup23, - ])); - - var msg734 = msg("/usr/sbin/cron", part765); - - var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","Link status change event"), - dup23, - ])); - - var msg735 = msg("chassism:02", part766); - - var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","ifd process flaps"), - 
dup23, - ])); - - var msg736 = msg("chassism:01", part767); - - var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","IFCM "), - dup23, - ])); - - var msg737 = msg("chassism", part768); - - var select73 = linear_select([ - msg735, - msg736, - msg737, - ]); - - var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); - - var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); - - var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); - - var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); - - var select74 = linear_select([ - msg738, - msg739, - msg740, - msg741, - ]); - - var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); - - var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); - - var select75 = linear_select([ - msg742, - msg743, - ]); - - var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); - - var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ - dup46, - dup47, - dup23, - ])); - - var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); - - var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - 
dup128, - ])); - - var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); - - var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); - - var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); - - var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg749 = msg("LACPD_TIMEOUT", part778); - - var msg750 = msg("cli", dup159); - - var msg751 = msg("pfed", dup159); - - var msg752 = msg("idpinfo", dup159); - - var msg753 = msg("kmd", dup159); - - var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg754 = msg("node:01", part779); - - var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg755 = msg("node:02", part780); - - var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg756 = msg("node:03", part781); - - var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg757 = msg("node:04", part782); - - var select76 = linear_select([ - dup131, - dup132, - ]); - - var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); - - var select77 = linear_select([ - dup132, - dup131, - ]); - - var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); - - var all44 = all_match({ - processors: [ - dup130, - select76, - part783, - select77, - part784, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg758 = msg("node:05", all44); - - var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); - - var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); - - var select78 = linear_select([ - part785, - part786, - ]); - - var all45 = all_match({ - processors: [ - dup130, - select78, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg759 = msg("node:06", all45); - - var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg760 = msg("node:07", part787); - - var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg761 = msg("node:08", part788); - - var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg762 = msg("node:09", part789); - - var select79 = linear_select([ - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - ]); - - var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg763 = msg("(FPC:01", part790); - - var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg764 = msg("(FPC:02", part791); - - var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); - - var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); - - var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); - - var select80 = linear_select([ - part793, - part794, - ]); - - var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); - - var all46 = all_match({ - processors: [ - part792, - select80, - part795, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - dup24, - ]), - }); - - var msg765 = msg("(FPC:03", all46); - - var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg766 = msg("(FPC:04", part796); - - var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg767 = msg("(FPC:05", part797); - - var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg768 = msg("(FPC", part798); - - var select81 = linear_select([ - msg763, - msg764, - msg765, - msg766, 
- msg767, - msg768, - ]); - - var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ - dup48, - dup23, - dup22, - dup24, - ])); - - var msg769 = msg("tnp.bootpd", part799); - - var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ - dup48, - dup52, - dup22, - dup61, - ])); - - var msg770 = msg("AAMW_ACTION_LOG", part800); - - var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - dup61, - ])); - - var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); - - var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - ])); - - var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); - - var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); - - var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg774 = msg("RT_SCREEN_ICMP", part804); - - var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ - dup46, - dup52, - dup22, - dup61, - ])); - - var msg775 = msg("SECINTEL_ACTION_LOG", part805); - - var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); - - var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); - - var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); - - var select82 = linear_select([ - part807, - part808, - ]); - - var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); - - var all47 = all_match({ - processors: [ - part806, - select82, - part809, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - ]), - }); - - var msg776 = msg("qsfp", all47); - - var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); - - var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","LOGOUT"), - dup23, - ])); - - var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); - - var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); - - var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); - - var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); - - var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); - - var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); - - var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); - - var select83 = linear_select([ - part816, - part817, - ]); - - var all48 = all_match({ - processors: [ - part815, - select83, - ], - on_success: processor_chain([ - dup21, - dup22, - dup38, - dup23, - ]), - }); - - var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); - - var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); - - var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failed "), - dup24, - ])); - - var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); - - var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failure recovered"), - dup24, - ])); - - var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); - - var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - dup24, - ])); - - var msg786 = msg("JUNOSROUTER_GENERIC", part821); - - var select84 = linear_select([ - msg777, - msg778, - msg779, - msg780, - msg781, - msg782, - msg783, - msg784, - msg785, - msg786, - ]); - - var chain1 = processor_chain([ - select5, - msgid_select({ - "(FPC": select81, - "/usr/libexec/telnetd": msg2, - "/usr/sbin/cron": msg734, - "/usr/sbin/sshd": msg1, - "AAMWD_NETWORK_CONNECT_FAILED": msg745, - "AAMW_ACTION_LOG": msg770, - "AAMW_HOST_INFECTED_EVENT_LOG": msg771, - "AAMW_MALWARE_EVENT_LOG": msg772, - "ACCT_ACCOUNTING_FERROR": msg114, - "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, - "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, - "ACCT_BAD_RECORD_FORMAT": msg117, - "ACCT_CU_RTSLIB_error": msg118, - "ACCT_GETHOSTNAME_error": msg119, - "ACCT_MALLOC_FAILURE": msg120, - "ACCT_UNDEFINED_COUNTER_NAME": msg121, - "ACCT_XFER_FAILED": msg122, - "ACCT_XFER_POPEN_FAIL": msg123, - "APPQOS_LOG_EVENT": msg124, - "APPTRACK_SESSION_CLOSE": select30, - "APPTRACK_SESSION_CREATE": msg125, - "APPTRACK_SESSION_VOL_UPDATE": select31, - "BCHIP": msg106, - "BFDD_TRAP_STATE_DOWN": msg130, - "BFDD_TRAP_STATE_UP": msg131, - "BOOTPD_ARG_ERR": msg143, - "BOOTPD_BAD_ID": msg144, - "BOOTPD_BOOTSTRING": msg145, - "BOOTPD_CONFIG_ERR": msg146, - "BOOTPD_CONF_OPEN": msg147, - "BOOTPD_DUP_REV": msg148, - "BOOTPD_DUP_SLOT": msg149, - "BOOTPD_MODEL_CHK": msg150, - "BOOTPD_MODEL_ERR": msg151, - "BOOTPD_NEW_CONF": msg152, - "BOOTPD_NO_BOOTSTRING": msg153, - "BOOTPD_NO_CONFIG": msg154, - "BOOTPD_PARSE_ERR": msg155, - 
"BOOTPD_REPARSE": msg156, - "BOOTPD_SELECT_ERR": msg157, - "BOOTPD_TIMEOUT": msg158, - "BOOTPD_VERSION": msg159, - "CHASSISD": msg160, - "CHASSISD_ARGUMENT_ERROR": msg161, - "CHASSISD_BLOWERS_SPEED": msg162, - "CHASSISD_BLOWERS_SPEED_FULL": msg163, - "CHASSISD_CB_READ": msg164, - "CHASSISD_COMMAND_ACK_ERROR": msg165, - "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, - "CHASSISD_CONCAT_MODE_ERROR": msg167, - "CHASSISD_CONFIG_INIT_ERROR": msg168, - "CHASSISD_CONFIG_WARNING": msg169, - "CHASSISD_EXISTS": msg170, - "CHASSISD_EXISTS_TERM_OTHER": msg171, - "CHASSISD_FILE_OPEN": msg172, - "CHASSISD_FILE_STAT": msg173, - "CHASSISD_FRU_EVENT": msg174, - "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, - "CHASSISD_FRU_STEP_ERROR": msg176, - "CHASSISD_GETTIMEOFDAY": msg177, - "CHASSISD_HIGH_TEMP_CONDITION": msg214, - "CHASSISD_HOST_TEMP_READ": msg178, - "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, - "CHASSISD_IFDEV_DETACH_FPC": msg180, - "CHASSISD_IFDEV_DETACH_PIC": msg181, - "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, - "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, - "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, - "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, - "CHASSISD_IPC_UNEXPECTED_RECV": msg186, - "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, - "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, - "CHASSISD_MAC_ADDRESS_ERROR": msg189, - "CHASSISD_MAC_DEFAULT": msg190, - "CHASSISD_MBUS_ERROR": msg191, - "CHASSISD_PARSE_COMPLETE": msg192, - "CHASSISD_PARSE_ERROR": msg193, - "CHASSISD_PARSE_INIT": msg194, - "CHASSISD_PIDFILE_OPEN": msg195, - "CHASSISD_PIPE_WRITE_ERROR": msg196, - "CHASSISD_POWER_CHECK": msg197, - "CHASSISD_RECONNECT_SUCCESSFUL": msg198, - "CHASSISD_RELEASE_MASTERSHIP": msg199, - "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, - "CHASSISD_ROOT_MOUNT_ERROR": msg201, - "CHASSISD_RTS_SEQ_ERROR": msg202, - "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, - "CHASSISD_SERIAL_ID": msg204, - "CHASSISD_SMB_ERROR": msg205, - "CHASSISD_SNMP_TRAP10": msg208, - "CHASSISD_SNMP_TRAP6": msg206, - "CHASSISD_SNMP_TRAP7": 
msg207, - "CHASSISD_TERM_SIGNAL": msg209, - "CHASSISD_TRACE_PIC_OFFLINE": msg210, - "CHASSISD_UNEXPECTED_EXIT": msg211, - "CHASSISD_UNSUPPORTED_MODEL": msg212, - "CHASSISD_VERSION_MISMATCH": msg213, - "CM": msg107, - "CM_JAVA": msg216, - "COS": msg108, - "COSFPC": msg109, - "COSMAN": msg110, - "CRON": msg16, - "CROND": select11, - "Cmerror": msg17, - "DCD_AS_ROOT": msg217, - "DCD_FILTER_LIB_ERROR": msg218, - "DCD_MALLOC_FAILED_INIT": msg219, - "DCD_PARSE_EMERGENCY": msg220, - "DCD_PARSE_FILTER_EMERGENCY": msg221, - "DCD_PARSE_MINI_EMERGENCY": msg222, - "DCD_PARSE_STATE_EMERGENCY": msg223, - "DCD_POLICER_PARSE_EMERGENCY": msg224, - "DCD_PULL_LOG_FAILURE": msg225, - "DFWD_ARGUMENT_ERROR": msg226, - "DFWD_MALLOC_FAILED_INIT": msg227, - "DFWD_PARSE_FILTER_EMERGENCY": msg228, - "DFWD_PARSE_STATE_EMERGENCY": msg229, - "ECCD_DAEMONIZE_FAILED": msg230, - "ECCD_DUPLICATE": msg231, - "ECCD_LOOP_EXIT_FAILURE": msg232, - "ECCD_NOT_ROOT": msg233, - "ECCD_PCI_FILE_OPEN_FAILED": msg234, - "ECCD_PCI_READ_FAILED": msg235, - "ECCD_PCI_WRITE_FAILED": msg236, - "ECCD_PID_FILE_LOCK": msg237, - "ECCD_PID_FILE_UPDATE": msg238, - "ECCD_TRACE_FILE_OPEN_FAILED": msg239, - "ECCD_usage": msg240, - "EVENT": msg23, - "EVENTD_AUDIT_SHOW": msg241, - "FLOW_REASSEMBLE_FAIL": msg731, - "FLOW_REASSEMBLE_SUCCEED": msg242, - "FSAD_CHANGE_FILE_OWNER": msg243, - "FSAD_CONFIG_ERROR": msg244, - "FSAD_CONNTIMEDOUT": msg245, - "FSAD_FAILED": msg246, - "FSAD_FETCHTIMEDOUT": msg247, - "FSAD_FILE_FAILED": msg248, - "FSAD_FILE_REMOVE": msg249, - "FSAD_FILE_RENAME": msg250, - "FSAD_FILE_STAT": msg251, - "FSAD_FILE_SYNC": msg252, - "FSAD_MAXCONN": msg253, - "FSAD_MEMORYALLOC_FAILED": msg254, - "FSAD_NOT_ROOT": msg255, - "FSAD_PARENT_DIRECTORY": msg256, - "FSAD_PATH_IS_DIRECTORY": msg257, - "FSAD_PATH_IS_SPECIAL": msg258, - "FSAD_RECVERROR": msg259, - "FSAD_TERMINATED_CONNECTION": msg260, - "FSAD_TERMINATING_SIGNAL": msg261, - "FSAD_TRACEOPEN_FAILED": msg262, - "FSAD_USAGE": msg263, - "Failed": select25, - 
"GGSN_ALARM_TRAP_FAILED": msg264, - "GGSN_ALARM_TRAP_SEND": msg265, - "GGSN_TRAP_SEND": msg266, - "IDP_ATTACK_LOG_EVENT": msg773, - "JADE_AUTH_ERROR": msg267, - "JADE_EXEC_ERROR": msg268, - "JADE_NO_LOCAL_USER": msg269, - "JADE_PAM_ERROR": msg270, - "JADE_PAM_NO_LOCAL_USER": msg271, - "JSRPD_HA_CONTROL_LINK_UP": msg748, - "JUNOSROUTER_GENERIC": select84, - "KERN_ARP_ADDR_CHANGE": msg272, - "KMD_PM_SA_ESTABLISHED": msg273, - "L2CPD_TASK_REINIT": msg274, - "LACPD_TIMEOUT": msg749, - "LIBJNX_EXEC_EXITED": msg275, - "LIBJNX_EXEC_FAILED": msg276, - "LIBJNX_EXEC_PIPE": msg277, - "LIBJNX_EXEC_SIGNALED": msg278, - "LIBJNX_EXEC_WEXIT": msg279, - "LIBJNX_FILE_COPY_FAILED": msg280, - "LIBJNX_PRIV_LOWER_FAILED": msg281, - "LIBJNX_PRIV_RAISE_FAILED": msg282, - "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, - "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, - "LIBSERVICED_CLIENT_CONNECTION": msg285, - "LIBSERVICED_OUTBOUND_REQUEST": msg286, - "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, - "LIBSERVICED_SOCKET_BIND": msg288, - "LIBSERVICED_SOCKET_PRIVATIZE": msg289, - "LICENSE_EXPIRED": msg290, - "LICENSE_EXPIRED_KEY_DELETED": msg291, - "LICENSE_NEARING_EXPIRY": msg292, - "LOGIN_ABORTED": msg293, - "LOGIN_FAILED": msg294, - "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, - "LOGIN_FAILED_SET_CONTEXT": msg296, - "LOGIN_FAILED_SET_LOGIN": msg297, - "LOGIN_HOSTNAME_UNRESOLVED": msg298, - "LOGIN_INFORMATION": msg299, - "LOGIN_INVALID_LOCAL_USER": msg300, - "LOGIN_MALFORMED_USER": msg301, - "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, - "LOGIN_PAM_ERROR": msg303, - "LOGIN_PAM_MAX_RETRIES": msg304, - "LOGIN_PAM_NONLOCAL_USER": msg305, - "LOGIN_PAM_STOP": msg306, - "LOGIN_PAM_USER_UNKNOWN": msg307, - "LOGIN_PASSWORD_EXPIRED": msg308, - "LOGIN_REFUSED": msg309, - "LOGIN_ROOT": msg310, - "LOGIN_TIMED_OUT": msg311, - "MIB2D_ATM_ERROR": msg312, - "MIB2D_CONFIG_CHECK_FAILED": msg313, - "MIB2D_FILE_OPEN_FAILURE": msg314, - "MIB2D_IFD_IFINDEX_FAILURE": msg315, - "MIB2D_IFL_IFINDEX_FAILURE": msg316, - 
"MIB2D_INIT_FAILURE": msg317, - "MIB2D_KVM_FAILURE": msg318, - "MIB2D_RTSLIB_READ_FAILURE": msg319, - "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, - "MIB2D_SYSCTL_FAILURE": msg321, - "MIB2D_TRAP_HEADER_FAILURE": msg322, - "MIB2D_TRAP_SEND_FAILURE": msg323, - "MRVL-L2": msg56, - "Multiuser": msg324, - "NASD_AUTHENTICATION_CREATE_FAILED": msg325, - "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, - "NASD_CHAP_GETHOSTNAME_FAILED": msg327, - "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, - "NASD_CHAP_INVALID_OPCODE": msg329, - "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, - "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, - "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, - "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, - "NASD_DAEMONIZE_FAILED": msg334, - "NASD_DB_ALLOC_FAILURE": msg335, - "NASD_DB_TABLE_CREATE_FAILURE": msg336, - "NASD_DUPLICATE": msg337, - "NASD_EVLIB_CREATE_FAILURE": msg338, - "NASD_EVLIB_EXIT_FAILURE": msg339, - "NASD_LOCAL_CREATE_FAILED": msg340, - "NASD_NOT_ROOT": msg341, - "NASD_PID_FILE_LOCK": msg342, - "NASD_PID_FILE_UPDATE": msg343, - "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, - "NASD_PPP_READ_FAILURE": msg345, - "NASD_PPP_SEND_FAILURE": msg346, - "NASD_PPP_SEND_PARTIAL": msg347, - "NASD_PPP_UNRECOGNIZED": msg348, - "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, - "NASD_RADIUS_CONFIG_FAILED": msg350, - "NASD_RADIUS_CREATE_FAILED": msg351, - "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, - "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, - "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, - "NASD_RADIUS_OPEN_FAILED": msg355, - "NASD_RADIUS_SELECT_FAILED": msg356, - "NASD_RADIUS_SET_TIMER_FAILED": msg357, - "NASD_TRACE_FILE_OPEN_FAILED": msg358, - "NASD_usage": msg359, - "NOTICE": msg360, - "PFEMAN": msg61, - "PFE_FW_SYSLOG_IP": select36, - "PFE_NH_RESOLVE_THROTTLED": msg363, - "PING_TEST_COMPLETED": msg364, - "PING_TEST_FAILED": msg365, - "PKID_UNABLE_TO_GET_CRL": msg746, - "PWC_EXIT": msg368, - "PWC_HOLD_RELEASE": msg369, - "PWC_INVALID_RUNS_ARGUMENT": msg370, - 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, - "PWC_KILLED_BY_SIGNAL": msg372, - "PWC_KILL_EVENT": msg373, - "PWC_KILL_FAILED": msg374, - "PWC_KQUEUE_ERROR": msg375, - "PWC_KQUEUE_INIT": msg376, - "PWC_KQUEUE_REGISTER_FILTER": msg377, - "PWC_LOCKFILE_BAD_FORMAT": msg378, - "PWC_LOCKFILE_ERROR": msg379, - "PWC_LOCKFILE_MISSING": msg380, - "PWC_LOCKFILE_NOT_LOCKED": msg381, - "PWC_NO_PROCESS": msg382, - "PWC_PROCESS_EXIT": msg383, - "PWC_PROCESS_FORCED_HOLD": msg384, - "PWC_PROCESS_HOLD": msg385, - "PWC_PROCESS_HOLD_SKIPPED": msg386, - "PWC_PROCESS_OPEN": msg387, - "PWC_PROCESS_TIMED_HOLD": msg388, - "PWC_PROCESS_TIMEOUT": msg389, - "PWC_SIGNAL_INIT": msg390, - "PWC_SOCKET_CONNECT": msg391, - "PWC_SOCKET_CREATE": msg392, - "PWC_SOCKET_OPTION": msg393, - "PWC_STDOUT_WRITE": msg394, - "PWC_SYSTEM_CALL": msg395, - "PWC_UNKNOWN_KILL_OPTION": msg396, - "RDP": msg111, - "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, - "RMOPD_ADDRESS_SOURCE_INVALID": msg398, - "RMOPD_ADDRESS_STRING_FAILURE": msg399, - "RMOPD_ADDRESS_TARGET_INVALID": msg400, - "RMOPD_DUPLICATE": msg401, - "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, - "RMOPD_ICMP_SENDMSG_FAILURE": msg403, - "RMOPD_IFINDEX_NOT_ACTIVE": msg404, - "RMOPD_IFINDEX_NO_INFO": msg405, - "RMOPD_IFNAME_NOT_ACTIVE": msg406, - "RMOPD_IFNAME_NO_INFO": msg407, - "RMOPD_NOT_ROOT": msg408, - "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, - "RMOPD_TRACEROUTE_ERROR": msg410, - "RMOPD_usage": msg411, - "RPD_ABORT": msg412, - "RPD_ACTIVE_TERMINATE": msg413, - "RPD_ASSERT": msg414, - "RPD_ASSERT_SOFT": msg415, - "RPD_EXIT": msg416, - "RPD_IFL_INDEXCOLLISION": msg417, - "RPD_IFL_NAMECOLLISION": msg418, - "RPD_ISIS_ADJDOWN": msg419, - "RPD_ISIS_ADJUP": msg420, - "RPD_ISIS_ADJUPNOIP": msg421, - "RPD_ISIS_LSPCKSUM": msg422, - "RPD_ISIS_OVERLOAD": msg423, - "RPD_KRT_AFUNSUPRT": msg424, - "RPD_KRT_CCC_IFL_MODIFY": msg425, - "RPD_KRT_DELETED_RTT": msg426, - "RPD_KRT_IFA_GENERATION": msg427, - "RPD_KRT_IFDCHANGE": msg428, - "RPD_KRT_IFDEST_GET": msg429, - 
"RPD_KRT_IFDGET": msg430, - "RPD_KRT_IFD_GENERATION": msg431, - "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, - "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, - "RPD_KRT_IFL_GENERATION": msg434, - "RPD_KRT_KERNEL_BAD_ROUTE": msg435, - "RPD_KRT_NEXTHOP_OVERFLOW": msg436, - "RPD_KRT_NOIFD": msg437, - "RPD_KRT_UNKNOWN_RTT": msg438, - "RPD_KRT_VERSION": msg439, - "RPD_KRT_VERSIONNONE": msg440, - "RPD_KRT_VERSIONOLD": msg441, - "RPD_LDP_INTF_BLOCKED": msg442, - "RPD_LDP_INTF_UNBLOCKED": msg443, - "RPD_LDP_NBRDOWN": msg444, - "RPD_LDP_NBRUP": msg445, - "RPD_LDP_SESSIONDOWN": msg446, - "RPD_LDP_SESSIONUP": msg447, - "RPD_LOCK_FLOCKED": msg448, - "RPD_LOCK_LOCKED": msg449, - "RPD_MPLS_LSP_CHANGE": msg450, - "RPD_MPLS_LSP_DOWN": msg451, - "RPD_MPLS_LSP_SWITCH": msg452, - "RPD_MPLS_LSP_UP": msg453, - "RPD_MSDP_PEER_DOWN": msg454, - "RPD_MSDP_PEER_UP": msg455, - "RPD_OSPF_NBRDOWN": msg456, - "RPD_OSPF_NBRUP": msg457, - "RPD_OS_MEMHIGH": msg458, - "RPD_PIM_NBRDOWN": msg459, - "RPD_PIM_NBRUP": msg460, - "RPD_RDISC_CKSUM": msg461, - "RPD_RDISC_NOMULTI": msg462, - "RPD_RDISC_NORECVIF": msg463, - "RPD_RDISC_SOLICITADDR": msg464, - "RPD_RDISC_SOLICITICMP": msg465, - "RPD_RDISC_SOLICITLEN": msg466, - "RPD_RIP_AUTH": msg467, - "RPD_RIP_JOIN_BROADCAST": msg468, - "RPD_RIP_JOIN_MULTICAST": msg469, - "RPD_RT_IFUP": msg470, - "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, - "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, - "RPD_SCHED_MODULE_LONGRUNTIME": msg473, - "RPD_SCHED_TASK_LONGRUNTIME": msg474, - "RPD_SIGNAL_TERMINATE": msg475, - "RPD_START": msg476, - "RPD_SYSTEM": msg477, - "RPD_TASK_BEGIN": msg478, - "RPD_TASK_CHILDKILLED": msg479, - "RPD_TASK_CHILDSTOPPED": msg480, - "RPD_TASK_FORK": msg481, - "RPD_TASK_GETWD": msg482, - "RPD_TASK_NOREINIT": msg483, - "RPD_TASK_PIDCLOSED": msg484, - "RPD_TASK_PIDFLOCK": msg485, - "RPD_TASK_PIDWRITE": msg486, - "RPD_TASK_REINIT": msg487, - "RPD_TASK_SIGNALIGNORE": msg488, - "RT_COS": msg489, - "RT_FLOW_SESSION_CLOSE": select51, - 
"RT_FLOW_SESSION_CREATE": select45, - "RT_FLOW_SESSION_DENY": select47, - "RT_SCREEN_ICMP": msg774, - "RT_SCREEN_IP": select52, - "RT_SCREEN_SESSION_LIMIT": msg504, - "RT_SCREEN_TCP": msg503, - "RT_SCREEN_UDP": msg505, - "Resolve": msg63, - "SECINTEL_ACTION_LOG": msg775, - "SECINTEL_ERROR_OTHERS": msg747, - "SECINTEL_NETWORK_CONNECT_FAILED": msg744, - "SERVICED_CLIENT_CONNECT": msg506, - "SERVICED_CLIENT_DISCONNECTED": msg507, - "SERVICED_CLIENT_ERROR": msg508, - "SERVICED_COMMAND_FAILED": msg509, - "SERVICED_COMMIT_FAILED": msg510, - "SERVICED_CONFIGURATION_FAILED": msg511, - "SERVICED_CONFIG_ERROR": msg512, - "SERVICED_CONFIG_FILE": msg513, - "SERVICED_CONNECTION_ERROR": msg514, - "SERVICED_DISABLED_GGSN": msg515, - "SERVICED_DUPLICATE": msg516, - "SERVICED_EVENT_FAILED": msg517, - "SERVICED_INIT_FAILED": msg518, - "SERVICED_MALLOC_FAILURE": msg519, - "SERVICED_NETWORK_FAILURE": msg520, - "SERVICED_NOT_ROOT": msg521, - "SERVICED_PID_FILE_LOCK": msg522, - "SERVICED_PID_FILE_UPDATE": msg523, - "SERVICED_RTSOCK_SEQUENCE": msg524, - "SERVICED_SIGNAL_HANDLER": msg525, - "SERVICED_SOCKET_CREATE": msg526, - "SERVICED_SOCKET_IO": msg527, - "SERVICED_SOCKET_OPTION": msg528, - "SERVICED_STDLIB_FAILURE": msg529, - "SERVICED_USAGE": msg530, - "SERVICED_WORK_INCONSISTENCY": msg531, - "SNMPD_ACCESS_GROUP_ERROR": msg537, - "SNMPD_AUTH_FAILURE": select53, - "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, - "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, - "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, - "SNMPD_CONFIG_ERROR": msg545, - "SNMPD_CONTEXT_ERROR": msg546, - "SNMPD_ENGINE_FILE_FAILURE": msg547, - "SNMPD_ENGINE_PROCESS_ERROR": msg548, - "SNMPD_FILE_FAILURE": msg549, - "SNMPD_GROUP_ERROR": msg550, - "SNMPD_INIT_FAILED": msg551, - "SNMPD_LIBJUNIPER_FAILURE": msg552, - "SNMPD_LOOPBACK_ADDR_ERROR": msg553, - "SNMPD_MEMORY_FREED": msg554, - "SNMPD_RADIX_FAILURE": msg555, - "SNMPD_RECEIVE_FAILURE": msg556, - "SNMPD_RMONFILE_FAILURE": msg557, - "SNMPD_RMON_COOKIE": msg558, - "SNMPD_RMON_EVENTLOG": 
msg559, - "SNMPD_RMON_IOERROR": msg560, - "SNMPD_RMON_MIBERROR": msg561, - "SNMPD_RTSLIB_ASYNC_EVENT": msg562, - "SNMPD_SEND_FAILURE": select54, - "SNMPD_SOCKET_FAILURE": msg565, - "SNMPD_SUBAGENT_NO_BUFFERS": msg566, - "SNMPD_SUBAGENT_SEND_FAILED": msg567, - "SNMPD_SYSLIB_FAILURE": msg568, - "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, - "SNMPD_TRAP_COLD_START": msg570, - "SNMPD_TRAP_GEN_FAILURE": msg571, - "SNMPD_TRAP_GEN_FAILURE2": msg572, - "SNMPD_TRAP_INVALID_DATA": msg573, - "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, - "SNMPD_TRAP_QUEUED": msg575, - "SNMPD_TRAP_QUEUE_DRAINED": msg576, - "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, - "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, - "SNMPD_TRAP_THROTTLED": msg579, - "SNMPD_TRAP_TYPE_ERROR": msg580, - "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, - "SNMPD_TRAP_VERSION_ERROR": msg582, - "SNMPD_TRAP_WARM_START": msg583, - "SNMPD_USER_ERROR": msg584, - "SNMPD_VIEW_DELETE": msg585, - "SNMPD_VIEW_INSTALL_DEFAULT": msg586, - "SNMPD_VIEW_OID_PARSE": msg587, - "SNMP_GET_ERROR1": msg588, - "SNMP_GET_ERROR2": msg589, - "SNMP_GET_ERROR3": msg590, - "SNMP_GET_ERROR4": msg591, - "SNMP_NS_LOG_INFO": msg535, - "SNMP_RTSLIB_FAILURE": msg592, - "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, - "SNMP_TRAP_LINK_DOWN": select55, - "SNMP_TRAP_LINK_UP": select56, - "SNMP_TRAP_PING_PROBE_FAILED": msg597, - "SNMP_TRAP_PING_TEST_COMPLETED": msg598, - "SNMP_TRAP_PING_TEST_FAILED": msg599, - "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, - "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, - "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, - "SNTPD": msg112, - "SSB": msg113, - "SSHD_LOGIN_FAILED": select57, - "SSL_PROXY_SESSION_IGNORE": msg534, - "SSL_PROXY_SSL_SESSION_ALLOW": msg532, - "SSL_PROXY_SSL_SESSION_DROP": msg533, - "TASK_TASK_REINIT": msg606, - "TFTPD_AF_ERR": msg607, - "TFTPD_BIND_ERR": msg608, - "TFTPD_CONNECT_ERR": msg609, - "TFTPD_CONNECT_INFO": msg610, - "TFTPD_CREATE_ERR": msg611, - "TFTPD_FIO_ERR": msg612, - "TFTPD_FORK_ERR": msg613, - "TFTPD_NAK_ERR": msg614, - 
"TFTPD_OPEN_ERR": msg615, - "TFTPD_RECVCOMPLETE_INFO": msg616, - "TFTPD_RECVFROM_ERR": msg617, - "TFTPD_RECV_ERR": msg618, - "TFTPD_SENDCOMPLETE_INFO": msg619, - "TFTPD_SEND_ERR": msg620, - "TFTPD_SOCKET_ERR": msg621, - "TFTPD_STATFS_ERR": msg622, - "TNP": msg623, - "UI_AUTH_EVENT": msg628, - "UI_AUTH_INVALID_CHALLENGE": msg629, - "UI_BOOTTIME_FAILED": msg630, - "UI_CFG_AUDIT_NEW": select58, - "UI_CFG_AUDIT_OTHER": select60, - "UI_CFG_AUDIT_SET": select63, - "UI_CFG_AUDIT_SET_SECRET": select64, - "UI_CHILD_ARGS_EXCEEDED": msg645, - "UI_CHILD_CHANGE_USER": msg646, - "UI_CHILD_EXEC": msg647, - "UI_CHILD_EXITED": msg648, - "UI_CHILD_FOPEN": msg649, - "UI_CHILD_PIPE_FAILED": msg650, - "UI_CHILD_SIGNALED": msg651, - "UI_CHILD_START": msg653, - "UI_CHILD_STATUS": msg654, - "UI_CHILD_STOPPED": msg652, - "UI_CHILD_WAITPID": msg655, - "UI_CLI_IDLE_TIMEOUT": msg656, - "UI_CMDLINE_READ_LINE": msg657, - "UI_CMDSET_EXEC_FAILED": msg658, - "UI_CMDSET_FORK_FAILED": msg659, - "UI_CMDSET_PIPE_FAILED": msg660, - "UI_CMDSET_STOPPED": msg661, - "UI_CMDSET_WEXITED": msg662, - "UI_CMD_AUTH_REGEX_INVALID": msg663, - "UI_COMMIT": msg664, - "UI_COMMIT_AT": msg665, - "UI_COMMIT_AT_COMPLETED": msg666, - "UI_COMMIT_AT_FAILED": msg667, - "UI_COMMIT_COMPRESS_FAILED": msg668, - "UI_COMMIT_CONFIRMED": msg669, - "UI_COMMIT_CONFIRMED_REMINDER": msg670, - "UI_COMMIT_CONFIRMED_TIMED": msg671, - "UI_COMMIT_EMPTY_CONTAINER": msg672, - "UI_COMMIT_NOT_CONFIRMED": msg673, - "UI_COMMIT_PROGRESS": msg674, - "UI_COMMIT_QUIT": msg675, - "UI_COMMIT_ROLLBACK_FAILED": msg676, - "UI_COMMIT_SYNC": msg677, - "UI_COMMIT_SYNC_FORCE": msg678, - "UI_CONFIGURATION_ERROR": msg679, - "UI_DAEMON_ACCEPT_FAILED": msg680, - "UI_DAEMON_FORK_FAILED": msg681, - "UI_DAEMON_SELECT_FAILED": msg682, - "UI_DAEMON_SOCKET_FAILED": msg683, - "UI_DBASE_ACCESS_FAILED": msg684, - "UI_DBASE_CHECKOUT_FAILED": msg685, - "UI_DBASE_EXTEND_FAILED": msg686, - "UI_DBASE_LOGIN_EVENT": msg687, - "UI_DBASE_LOGOUT_EVENT": msg688, - 
"UI_DBASE_MISMATCH_EXTENT": msg689, - "UI_DBASE_MISMATCH_MAJOR": msg690, - "UI_DBASE_MISMATCH_MINOR": msg691, - "UI_DBASE_MISMATCH_SEQUENCE": msg692, - "UI_DBASE_MISMATCH_SIZE": msg693, - "UI_DBASE_OPEN_FAILED": msg694, - "UI_DBASE_REBUILD_FAILED": msg695, - "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, - "UI_DBASE_REBUILD_STARTED": msg697, - "UI_DBASE_RECREATE": msg698, - "UI_DBASE_REOPEN_FAILED": msg699, - "UI_DUPLICATE_UID": msg700, - "UI_JUNOSCRIPT_CMD": msg701, - "UI_JUNOSCRIPT_ERROR": msg702, - "UI_LOAD_EVENT": msg703, - "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, - "UI_LOGIN_EVENT": select71, - "UI_LOGOUT_EVENT": msg707, - "UI_LOST_CONN": msg708, - "UI_MASTERSHIP_EVENT": msg709, - "UI_MGD_TERMINATE": msg710, - "UI_NETCONF_CMD": msg711, - "UI_READ_FAILED": msg712, - "UI_READ_TIMEOUT": msg713, - "UI_REBOOT_EVENT": msg714, - "UI_RESTART_EVENT": msg715, - "UI_SCHEMA_CHECKOUT_FAILED": msg716, - "UI_SCHEMA_MISMATCH_MAJOR": msg717, - "UI_SCHEMA_MISMATCH_MINOR": msg718, - "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, - "UI_SCHEMA_SEQUENCE_ERROR": msg720, - "UI_SYNC_OTHER_RE": msg721, - "UI_TACPLUS_ERROR": msg722, - "UI_VERSION_FAILED": msg723, - "UI_WRITE_RECONNECT": msg724, - "VRRPD_NEWMASTER_TRAP": msg725, - "Version": msg99, - "WEBFILTER_REQUEST_NOT_CHECKED": msg730, - "WEBFILTER_URL_BLOCKED": select75, - "WEBFILTER_URL_PERMITTED": select74, - "WEB_AUTH_FAIL": msg726, - "WEB_AUTH_SUCCESS": msg727, - "WEB_INTERFACE_UNAUTH": msg728, - "WEB_READ": msg729, - "alarmd": msg3, - "bgp_connect_start": msg132, - "bgp_event": msg133, - "bgp_listen_accept": msg134, - "bgp_listen_reset": msg135, - "bgp_nexthop_sanity": msg136, - "bgp_pp_recv": select33, - "bgp_process_caps": select32, - "bgp_send": msg141, - "bgp_traffic_timeout": msg142, - "bigd": select6, - "bigpipe": select7, - "bigstart": msg9, - "cgatool": msg10, - "chassisd": msg11, - "chassism": select73, - "checkd": select8, - "clean_process": msg215, - "cli": msg750, - "cosd": msg14, - "craftd": msg15, - "cron": msg18, - 
"crond": msg21, - "dcd": msg22, - "eswd": select72, - "ftpd": msg24, - "ha_rto_stats_handler": msg25, - "hostinit": msg26, - "idpinfo": msg752, - "ifinfo": select13, - "ifp_ifl_anydown_change_event": msg30, - "ifp_ifl_config_event": msg31, - "ifp_ifl_ext_chg": msg32, - "inetd": select14, - "init": select15, - "ipc_msg_write": msg40, - "kernel": select17, - "kmd": msg753, - "last": select28, - "login": select18, - "lsys_ssam_handler": msg53, - "mcsn": msg54, - "mgd": msg62, - "mrvl_dfw_log_effuse_status": msg55, - "node": select79, - "pfed": msg751, - "process_mode": select38, - "profile_ssam_handler": msg57, - "pst_nat_binding_set_profile": msg58, - "qsfp": msg776, - "respawn": msg64, - "root": msg65, - "rpd": select20, - "rshd": msg70, - "sfd": msg71, - "sshd": select21, - "syslogd": msg92, - "task_connect": msg605, - "task_reconfigure": msg59, - "tnetd": msg60, - "tnp.bootpd": msg769, - "trace_on": msg624, - "trace_rotate": msg625, - "transfer-file": msg626, - "ttloop": msg627, - "ucd-snmp": select26, - "usp_ipc_client_reconnect": msg95, - "usp_trace_ipc_disconnect": msg96, - "usp_trace_ipc_reconnect": msg97, - "uspinfo": msg98, - "xntpd": select27, - }), - ]); - - var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); - - var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); - - var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); - - var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var select85 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var select86 = linear_select([ - dup40, - dup41, - ]); - - var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var select87 = linear_select([ - dup76, - dup77, - ]); - - var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var select88 = linear_select([ - dup88, - dup89, - ]); - - var select89 = linear_select([ - dup90, - dup45, - ]); - - var select90 = linear_select([ - dup95, - dup96, - ]); - - var 
select91 = linear_select([ - dup101, - dup91, - ]); - - var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - dup52, - ])); - - var select92 = linear_select([ - dup118, - dup119, - ]); - - var select93 = linear_select([ - dup123, - dup124, - ]); - - var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([
- dup48,
- dup47,
- dup23,
- dup22,
- ]));
-
-- community_id:
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 1d71b4b9f8..0000000000
--- a/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,12569 +0,0 @@ -tcp: -host: "{{tcp_host}}:{{tcp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Junos" - type: "Routers" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5],
- "dec": [11, 4],
- };
-
- // var dC = undefined;
- var dR = dateMonthName(true);
- var dB = dateMonthName(false);
- var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
- var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
- var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
- var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
- var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
- var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
- var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
- var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
- var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
- var dP = parseAMPM; // AM|PM
- var dQ = parseAMPM; // A.M.|P.M
- var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
- var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
- var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
- var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
- var dZ = parseHMS;
- var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
-
- // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
- // Only works if this modifier appears after the hour has been read from logs
- // which is always the case in the 300 devices.
- function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
- }
-
- function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
- }
-
- function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
- }
-
- function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
- }
-
- function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length? pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ? idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field:
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{p0}"); - - var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var dup9 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup10 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], - }); - - var dup11 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup12 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup13 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" ["), - field("p0"), - ], - }); - - var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var dup19 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - 
field("messageid"), - constant("["), - field("pid"), - constant("]: "), - field("p0"), - ], - }); - - var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); - - var dup21 = setc("eventcategory","1605000000"); - - var dup22 = setf("msg","$MSG"); - - var dup23 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup24 = setf("hostname","hhost"); - - var dup25 = setc("event_description","AUDIT"); - - var dup26 = setc("event_description","CRON command"); - - var dup27 = setc("eventcategory","1801030000"); - - var dup28 = setc("eventcategory","1801020000"); - - var dup29 = setc("eventcategory","1605010000"); - - var dup30 = setc("eventcategory","1603000000"); - - var dup31 = setc("event_description","Process mode"); - - var dup32 = setc("event_description","NTP Server Unreachable"); - - var dup33 = setc("eventcategory","1401060000"); - - var dup34 = setc("ec_theme","Authentication"); - - var dup35 = setc("ec_subject","User"); - - var dup36 = setc("ec_activity","Logon"); - - var dup37 = setc("ec_outcome","Success"); - - var dup38 = setc("event_description","rpd proceeding"); - - var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var dup42 = setc("eventcategory","1701010000"); - - var dup43 = setc("ec_outcome","Failure"); - - var dup44 = setc("eventcategory","1401030000"); - - var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var dup46 = setc("eventcategory","1803000000"); - - var dup47 = setc("event_type","VPN"); - - var dup48 = setc("eventcategory","1605020000"); - - var dup49 = setc("eventcategory","1602020000"); - - var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var 
dup51 = setc("eventcategory","1603020000"); - - var dup52 = date_time({ - dest: "event_time", - args: ["hfld32"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup53 = setc("ec_subject","NetworkComm"); - - var dup54 = setc("ec_activity","Create"); - - var dup55 = setc("ec_activity","Stop"); - - var dup56 = setc("event_description","Trap state change"); - - var dup57 = setc("event_description","peer NLRI mismatch"); - - var dup58 = setc("eventcategory","1605030000"); - - var dup59 = setc("eventcategory","1603010000"); - - var dup60 = setc("eventcategory","1606000000"); - - var dup61 = setf("hostname","hhostname"); - - var dup62 = date_time({ - dest: "event_time", - args: ["hfld6"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup63 = setc("eventcategory","1401050200"); - - var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); - - var dup65 = setc("event_description","unable to run in the background as a daemon"); - - var dup66 = setc("event_description","Another copy of this program is running"); - - var dup67 = setc("event_description","Unable to lock PID file"); - - var dup68 = setc("event_description","Unable to update process PID file"); - - var dup69 = setc("eventcategory","1301000000"); - - var dup70 = setc("event_description","Command stopped"); - - var dup71 = setc("event_description","Unable to create pipes for command"); - - var dup72 = setc("event_description","Command exited"); - - var dup73 = setc("eventcategory","1603050000"); - - var dup74 = setc("eventcategory","1801010000"); - - var dup75 = setc("event_description","Login failure"); - - var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var dup78 = setc("event_description","Unable to open file"); - - var dup79 = 
setc("event_description","SNMP index assigned changed"); - - var dup80 = setc("eventcategory","1302000000"); - - var dup81 = setc("eventcategory","1001020300"); - - var dup82 = setc("event_description","PFE FW SYSLOG_IP"); - - var dup83 = setc("event_description","process_mode"); - - var dup84 = setc("event_description","Logical interface collision"); - - var dup85 = setc("event_description","excessive runtime time during action of module"); - - var dup86 = setc("event_description","Reinitializing"); - - var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var dup93 = setc("eventcategory","1803010000"); - - var dup94 = setc("ec_activity","Deny"); - - var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); - - var dup97 = setc("event_description","session denied"); - - var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); - - var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var dup104 = setc("dclass_counter1_string","No.of packets from client"); - - var dup105 = setc("event_description","SNMPD AUTH FAILURE"); - - var dup106 = setc("event_description","send send-type (index1) failure"); - - var dup107 = setc("event_description","SNMP trap error"); - - var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); - - var dup109 = setc("event_description","SNMP TRAP LINK UP"); - - var dup110 = setc("event_description","Login Failure"); - - var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var 
dup113 = setc("eventcategory","1701020000"); - - var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); - - var dup116 = setc("event_description","User set command"); - - var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var dup120 = setc("event_description","User set groups to secret"); - - var dup121 = setc("event_description","UI CMDLINE READ LINE"); - - var dup122 = setc("event_description","User commit"); - - var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var dup125 = setc("eventcategory","1401070000"); - - var dup126 = setc("ec_activity","Logoff"); - - var dup127 = setc("event_description","Successful login"); - - var dup128 = setf("hostname","hostip"); - - var dup129 = setc("event_description","TACACS+ failure"); - - var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var dup133 = setc("eventcategory","1003010000"); - - var dup134 = setc("eventcategory","1901000000"); - - var dup135 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var dup137 = linear_select([ - dup40, - dup41, - ]); - - var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var dup145 = linear_select([ - dup76, - dup77, - ]); - - var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var dup150 = linear_select([ - dup88, - dup89, - ]); - - var dup151 = linear_select([ - dup90, - dup45, - ]); - - var dup152 = linear_select([ - dup95, - dup96, - ]); - - var dup153 = linear_select([ - dup101, - dup91, - ]); - - var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - 
dup52, - ])); - - var dup156 = linear_select([ - dup118, - dup119, - ]); - - var dup157 = linear_select([ - dup123, - dup124, - ]); - - var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": restart "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" message repeated "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("("), - field("hfld1"), - constant("): "), - field("p0"), - ], - }), - ])); - - var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); - - var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
- - var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); - - var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); - - var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); - - var select1 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - part1, - part2, - part3, - part4, - part5, - dup8, - ]); - - var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ - dup9, - ])); - - var all1 = all_match({ - processors: [ - dup1, - select1, - part6, - ], - on_success: processor_chain([ - setc("header_id","0004"), - ]), - }); - - var select2 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - ]); - - var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ - dup10, - ])); - - var all2 = all_match({ - processors: [ - dup1, - select2, - part7, - ], - on_success: processor_chain([ - setc("header_id","0005"), - ]), - }); - - var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0007"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant("["), - field("hpid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - 
constant(" IFP trace> "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0010"), - dup11, - ])); - - var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0029"), - dup12, - ])); - - var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0015"), - dup12, - ])); - - var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0011"), - dup11, - ])); - - var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0027"), - dup9, - ])); - - var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0012"), - dup9, - ])); - - var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ - setc("header_id","0013"), - dup13, - ])); - - var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var all3 = all_match({ - processors: [ - hdr14, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.a"), - ]), - }); - - var all4 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.b"), - ]), - }); - - var all5 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - 
setc("header_id","0026"), - ]), - }); - - var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0014"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0016"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(": "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0017"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0018"), - dup19, - ])); - - var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0028"), - dup19, - ])); - - var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0019"), - dup9, - ])); - - var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0020"), - dup19, - ])); - - var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ - 
setc("header_id","0021"), - dup9, - ])); - - var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0022"), - dup9, - ])); - - var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0023"), - dup19, - ])); - - var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0024"), - dup9, - ])); - - var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0031"), - dup10, - ])); - - var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0032"), - dup19, - ])); - - var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0033"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ - setc("header_id","3336"), - ])); - - var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ - setc("header_id","3339"), - ])); - - var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","3337"), - ])); - - var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","3341"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","3338"), - ])); - - var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hhost"), - constant(" node"), - field("hfld1"), - constant(".fpc"), - field("p0"), - ], - }), - ])); - - var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); - - var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); - - var select3 = linear_select([ - part8, - part9, - ]); - - var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); - - var all6 = all_match({ - processors: [ - hdr35, - select3, - part10, - ], - on_success: processor_chain([ - setc("header_id","3340"), - setc("messageid","node"), - ]), - }); - - var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); - - var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); - - var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); - - var select4 = linear_select([ - hdr36, - hdr37, - hdr38, - ]); - - var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); - - var all7 = all_match({ - processors: [ - select4, - part11, - ], - on_success: processor_chain([ - setc("header_id","9997"), - dup20, - ]), - }); - - var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ - setc("header_id","9995"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld3"), - constant("]:"), - field("p0"), - ], - }), - ])); - - var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ - setc("header_id","9994"), - setc("messageid","qsfp"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld1"), - constant(" qsfp "), - field("p0"), - ], - }), - ])); - - var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ - setc("header_id","9999"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_type"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ - setc("header_id","9998"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("process"), - constant(": "), - field("p0"), - ], - }), - ])); - - var select5 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - all2, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - all3, - all4, - all5, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - hdr28, - hdr29, - hdr30, - hdr31, - hdr32, - hdr33, - hdr34, - all6, - all7, - hdr39, - hdr40, - hdr41, - hdr42, - ]); - - var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","sshd exit status"), - dup23, - ])); - - var msg1 = msg("/usr/sbin/sshd", part12); - - var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","telnetd exit status"), - dup23, - ])); - - var msg2 = msg("/usr/libexec/telnetd", part13); - - var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Alarm Set or Cleared"), - dup23, - ])); - - var msg3 = msg("alarmd", part14); - - var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ - dup21, - dup22, - setc("event_description","Node detected UP"), - dup23, - ])); - - var msg4 = msg("bigd", part15); - - var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ - dup21, - dup22, - setc("event_description","Monitor template id"), - dup23, - ])); - - var msg5 = msg("bigd:01", part16); - - var select6 = linear_select([ - msg4, - msg5, - ]); - - var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Loading configuration file"), - dup23, - ])); - - var msg6 = msg("bigpipe", part17); - - var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","Begin config install operation"), - dup23, - ])); - - var msg7 = msg("bigpipe:01", part18); - - var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Audit"), - dup23, - ])); - - var msg8 = msg("bigpipe:02", part19); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - ]); - - var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ - dup21, - dup22, - setc("event_description","portal shutdown"), - dup23, - ])); - - var msg9 = msg("bigstart", part20); - - var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","cga address genration"), - dup23, - ])); - - var msg10 = msg("cgatool", part21); - - var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg11 = msg("chassisd:01", part22); - - var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg12 = msg("checkd", part23); - - var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ - dup21, - dup22, - setc("event_description","checkd exiting"), - dup23, - ])); - - var msg13 = msg("checkd:01", part24); - - var select8 = linear_select([ - msg12, - msg13, - ]); - - var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","link protection for interface"), - dup23, - ])); - - var msg14 = msg("cosd", part25); - - var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ - dup21, - 
dup22, - setc("event_description","License expiration warning"), - dup23, - ])); - - var msg15 = msg("craftd", part26); - - var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); - - var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); - - var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); - - var select9 = linear_select([ - part28, - part29, - ]); - - var all8 = all_match({ - processors: [ - part27, - select9, - ], - on_success: processor_chain([ - dup21, - dup22, - dup26, - dup23, - ]), - }); - - var msg16 = msg("CRON", all8); - - var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); - - var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); - - var select10 = linear_select([ - part30, - part31, - ]); - - var all9 = all_match({ - processors: [ - select10, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg17 = msg("Cmerror", all9); - - var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ - dup21, - dup22, - setc("event_description","cron RELOAD"), - dup23, - ])); - - var msg18 = msg("cron", part32); - - var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg19 = msg("CROND", part33); - - var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ - dup27, - dup22, - dup23, - dup24, - ])); - - var msg20 = msg("CROND:02", part34); - - var select11 = linear_select([ - msg19, - msg20, - ]); - - var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ - dup28, - dup22, - dup23, - dup24, - ])); - - var msg21 = msg("crond:01", part35); - - var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Setting ignored"), - dup23, - ])); - - var msg22 = msg("dcd", part36); - - var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); - - var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); - - var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); - - var select12 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); - - var all10 = all_match({ - processors: [ - part37, - select12, - part40, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","EVENT"), - dup23, - ]), - }); - - var msg23 = msg("EVENT", all10); - - var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ - setc("eventcategory","1802000000"), - dup22, - setc("event_description","ftpd connection"), - dup23, - ])); - - var msg24 = msg("ftpd", part41); - - var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ - dup29, - dup23, - dup22, - ])); - - var msg25 = msg("ha_rto_stats_handler", part42); - - var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ - dup21, - dup22, - setc("event_description","LDAP Connection not bound correctly"), - dup23, - ])); - - var msg26 = msg("hostinit", part43); - - var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug - Added entry"), - dup23, - ])); - - var msg27 = msg("ifinfo", part44); - - var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug Initializing spu"), - dup23, - ])); - - var msg28 = msg("ifinfo:01", part45); - - var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug delete from list"), - dup23, - ])); - - var msg29 = msg("ifinfo:02", part46); - - var select13 = linear_select([ - msg27, - msg28, - msg29, - ]); - - var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ - dup21, - dup22, - setc("event_description","IFL anydown change event"), - dup23, - ])); - - var msg30 = msg("ifp_ifl_anydown_change_event", part47); - - var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ - dup21, - dup22, - setc("event_description","ifp ifl config_event"), - dup23, - ])); - - var msg31 = msg("ifp_ifl_config_event", part48); - - var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ - dup21, - dup22, - setc("event_description","ifp_ifl_ext_chg"), - dup23, - ])); - - var msg32 = 
msg("ifp_ifl_ext_chg", part49); - - var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","connection exceeded count limit"), - dup23, - ])); - - var msg33 = msg("inetd", part50); - - var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","exited"), - dup23, - ])); - - var msg34 = msg("inetd:01", part51); - - var select14 = linear_select([ - msg33, - msg34, - ]); - - var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg35 = msg("init:04", part52); - - var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg36 = msg("init", part53); - - var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","failure target for routing set"), - dup23, - ])); - - var msg37 = msg("init:01", part54); - - var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ - dup21, - dup22, - setc("event_description","ntp started"), - dup23, - ])); - - var msg38 = msg("init:02", part55); - - var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","product mask and model info"), - dup23, - ])); - - var msg39 = msg("init:03", part56); - - var select15 
= linear_select([ - msg35, - msg36, - msg37, - msg38, - msg39, - ]); - - var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","IPC message exceeds MTU"), - dup23, - ])); - - var msg40 = msg("ipc_msg_write", part57); - - var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ - dup28, - dup22, - setc("event_description","listener connection established"), - dup23, - ])); - - var msg41 = msg("connection_established", part58); - - var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); - - var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); - - var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); - - var select16 = linear_select([ - part60, - part61, - ]); - - var all11 = all_match({ - processors: [ - part59, - select16, - ], - on_success: processor_chain([ - dup27, - dup22, - setc("event_description","connection dropped"), - dup23, - ]), - }); - - var msg42 = msg("connection_dropped", all11); - - var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Asserting SONET alarm(s)"), - dup23, - ])); - - var msg43 = msg("kernel", part62); - - var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","interface down"), - dup23, 
- ])); - - var msg44 = msg("kernel:01", part63); - - var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","loopback suspected om interface"), - dup23, - ])); - - var msg45 = msg("kernel:02", part64); - - var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","soreceive error"), - dup23, - ])); - - var msg46 = msg("kernel:03", part65); - - var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pfe_peer_alloc state 4"), - dup23, - ])); - - var msg47 = msg("kernel:04", part66); - - var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg48 = msg("kernel:05", part67); - - var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg49 = msg("kernel:06", part68); - - var select17 = linear_select([ - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - ]); - - var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful user login"), - dup23, - ])); - - var msg50 = msg("successful_login", part69); - - var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ - 
dup33, - dup34, - dup35, - dup36, - dup22, - setc("event_description","user login attempt"), - dup23, - ])); - - var msg51 = msg("login_attempt", part70); - - var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup33, - dup34, - dup37, - dup22, - setc("event_description","PAM module return from login"), - dup23, - ])); - - var msg52 = msg("login", part71); - - var select18 = linear_select([ - msg50, - msg51, - msg52, - ]); - - var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","processing lsys root-logical-system"), - dup23, - ])); - - var msg53 = msg("lsys_ssam_handler", part72); - - var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Removing mif from group"), - dup23, - ])); - - var msg54 = msg("mcsn", part73); - - var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ - dup30, - dup22, - setc("event_description","Firewall rows could not be redirected on device"), - dup23, - ])); - - var msg55 = msg("mrvl_dfw_log_effuse_status", part74); - - var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ - dup30, - dup22, - setc("event_description","mfilter already exists for add"), - dup23, - ])); - - var msg56 = msg("MRVL-L2", part75); - - var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ - dup21, - dup22, - 
setc("event_description","processing profile SP-root"), - dup23, - ])); - - var msg57 = msg("profile_ssam_handler", part76); - - var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get resource bucket"), - dup23, - ])); - - var msg58 = msg("pst_nat_binding_set_profile", part77); - - var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","reinitializing done"), - dup23, - ])); - - var msg59 = msg("task_reconfigure", part78); - - var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); - - var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); - - var select19 = linear_select([ - part79, - part80, - ]); - - var all12 = all_match({ - processors: [ - select19, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - dup24, - ]), - }); - - var msg60 = msg("tnetd", all12); - - var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ - dup21, - dup22, - setc("event_description","Session manager active"), - dup23, - ])); - - var msg61 = msg("PFEMAN", part81); - - var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not send message to service"), - dup23, - ])); - - var msg62 = msg("mgd", part82); - - var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Resolve request came for an address matching on 
Wrong nh"), - dup23, - ])); - - var msg63 = msg("Resolve", part83); - - var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","service exited with status"), - dup23, - ])); - - var msg64 = msg("respawn", part84); - - var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ - dup30, - dup22, - setc("event_description","system does not have 3-DNS or Link Controller enabled"), - dup23, - ])); - - var msg65 = msg("root", part85); - - var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Received data for interface"), - dup23, - ])); - - var msg66 = msg("rpd", part86); - - var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","RSVP neighbor up on interface "), - dup23, - ])); - - var msg67 = msg("rpd:01", part87); - - var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ - dup21, - dup22, - setc("event_description","reseting pending active connection"), - dup23, - ])); - - var msg68 = msg("rpd:02", part88); - - var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg69 = msg("rpd_proceeding", part89); - - var select20 = linear_select([ - msg66, - msg67, - msg68, - msg69, - ]); - - var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","user issuing command as root"), - dup23, - ])); - - var msg70 = msg("rshd", part90); - - var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ - dup21, - dup22, - setc("event_description","sfd waiting on accept"), - dup23, - ])); - - var msg71 = msg("sfd", part91); - - var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Accepted password"), - dup23, - ])); - - var msg72 = msg("sshd", part92); - - var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Received disconnect"), - dup23, - ])); - - var msg73 = msg("sshd:02", part93); - - var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ - dup30, - dup22, - setc("result","no identification string"), - setc("event_description","Did not receive identification string from peer"), - dup23, - ])); - - var msg74 = msg("sshd:03", part94); - - var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not write ident string"), - dup23, - ])); - - var msg75 = msg("sshd:04", part95); 
- - var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ - dup21, - dup22, - setc("event_description","subsystem request for netconf"), - dup23, - ])); - - var msg76 = msg("sshd:05", part96); - - var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); - - var all13 = all_match({ - processors: [ - dup39, - dup137, - part97, - ], - on_success: processor_chain([ - dup29, - dup22, - setc("event_description","send message stats"), - dup23, - ]), - }); - - var msg77 = msg("sshd:06", all13); - - var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); - - var all14 = all_match({ - processors: [ - dup39, - dup137, - part98, - ], - on_success: processor_chain([ - dup42, - setc("ec_theme","Configuration"), - setc("ec_activity","Modify"), - dup37, - dup22, - setc("event_description","Added radius server"), - dup23, - ]), - }); - - var msg78 = msg("sshd:07", all14); - - var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ - setc("eventcategory","1301020000"), - dup34, - dup43, - dup22, - setc("event_description","authentication error"), - dup23, - ])); - - var msg79 = msg("sshd:08", part99); - - var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ - dup30, - dup22, - setc("event_description","unrecognized attribute in policy"), - dup23, - ])); - - var msg80 = msg("sshd:09", part100); - - var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM module return from sshd"), - dup23, - ])); - - 
var msg81 = msg("sshd:10", part101); - - var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM authentication chain return"), - dup23, - ])); - - var msg82 = msg("sshd:11", part102); - - var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get client address"), - dup23, - ])); - - var msg83 = msg("sshd:12", part103); - - var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ - dup30, - dup22, - setc("event_description","auth server unresponsive"), - dup23, - ])); - - var msg84 = msg("sshd:13", part104); - - var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ - dup30, - dup22, - setc("event_description","No valid RADIUS responses received"), - dup23, - ])); - - var msg85 = msg("sshd:14", part105); - - var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ - dup21, - dup22, - setc("event_description","Moving to next server"), - dup23, - ])); - - var msg86 = msg("sshd:15", part106); - - var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","Login failed for user"), - dup23, - ])); - - var msg87 = msg("sshd:16", part107); - - var select21 = linear_select([ - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - ]); - - var part108 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); - - var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); - - var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); - - var select22 = linear_select([ - part109, - part110, - dup45, - ]); - - var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); - - var all15 = all_match({ - processors: [ - part108, - select22, - part111, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","authentication failure"), - dup23, - ]), - }); - - var msg88 = msg("Failed:05", all15); - - var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); - - var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); - - var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); - - var select23 = linear_select([ - part113, - part114, - ]); - - var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); - - var all16 = all_match({ - processors: [ - part112, - select23, - part115, - ], - on_success: processor_chain([ - dup46, - dup47, - dup23, - dup22, - ]), - }); - - var msg89 = msg("Failed", all16); - - var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ - dup46, - dup23, - dup22, - ])); - - var msg90 = msg("Failed:01", part116); - - var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); - - var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); - - var select24 = linear_select([ - part117, - part118, - ]); - - var all17 = all_match({ - processors: [ - select24, - ], - 
on_success: processor_chain([ - dup46, - dup23, - dup22, - setf("hostname","hfld1"), - ]), - }); - - var msg91 = msg("Failed:02", all17); - - var select25 = linear_select([ - msg88, - msg89, - msg90, - msg91, - ]); - - var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ - dup21, - dup22, - setc("event_description","syslog daemon restart"), - dup23, - ])); - - var msg92 = msg("syslogd", part119); - - var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg93 = msg("ucd-snmp", part120); - - var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","Received TERM or STOP signal"), - dup23, - ])); - - var msg94 = msg("ucd-snmp:01", part121); - - var select26 = linear_select([ - msg93, - msg94, - ]); - - var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ - dup27, - dup22, - setc("event_description","failed to connect to the server"), - dup23, - ])); - - var msg95 = msg("usp_ipc_client_reconnect", part122); - - var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Trace client disconnected"), - dup23, - ])); - - var msg96 = msg("usp_trace_ipc_disconnect", part123); - - var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ - dup30, - dup22, - setc("event_description","USP trace client cannot reconnect to server"), - dup23, - ])); - - var msg97 = msg("usp_trace_ipc_reconnect", part124); - - var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","flow_print_session_summary_output received"), - dup23, - ])); - - var msg98 = msg("uspinfo", part125); - - var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","Version build date"), - dup23, - ])); - - var msg99 = msg("Version", part126); - - var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","frequency initialized from file"), - dup23, - ])); - - var msg100 = msg("xntpd", part127); - - var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","nptd version build"), - dup23, - ])); - - var msg101 = msg("xntpd:01", part128); - - var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","kernel time sync enabled"), - dup23, - ])); - - var msg102 = msg("xntpd:02", part129); - - var part130 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg103 = msg("xntpd:03", part130); - - var select27 = linear_select([ - msg100, - msg101, - msg102, - msg103, - ]); - - var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ - dup21, - dup22, - setc("event_description","last message repeated"), - dup23, - ])); - - var msg104 = msg("last", part131); - - var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup24, - ])); - - var msg105 = msg("last:01", part132); - - var select28 = linear_select([ - msg104, - msg105, - ]); - - var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ - dup30, - dup22, - setc("event_description","cannot write ucode mask reg"), - dup23, - ])); - - var msg106 = msg("BCHIP", part133); - - var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ - dup21, - dup22, - setc("event_description","Slot on-line"), - dup23, - ])); - - var msg107 = msg("CM", part134); - - var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Received FC Q map"), - dup23, - ])); - - var msg108 = msg("COS", part135); - - var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","ifd error"), - dup23, - ])); - - var msg109 = msg("COSFPC", part136); - - var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ - dup21, - 
dup22, - setc("event_description","delete class to ifl link"), - dup23, - ])); - - var msg110 = msg("COSMAN", part137); - - var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","Keepalive timeout"), - dup23, - ])); - - var msg111 = msg("RDP", part138); - - var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ - dup30, - dup22, - setc("event_description","Initial time of day set"), - dup23, - ])); - - var msg112 = msg("SNTPD", part139); - - var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ - dup21, - dup22, - setc("event_description","Slot serial number"), - dup23, - ])); - - var msg113 = msg("SSB", part140); - - var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error"), - dup23, - ])); - - var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); - - var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to open file"), - dup23, - ])); - - var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); - - var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ - dup49, - dup22, - setc("event_description","File size mismatch"), - dup23, - ])); - - var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part143); - - var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Invalid statistics record"), - dup23, - ])); - - var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); - - var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Class usage statistics error for interface"), - dup23, - ])); - - var msg118 = msg("ACCT_CU_RTSLIB_error", part145); - - var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); - - var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); - - var select29 = linear_select([ - part146, - part147, - ]); - - var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); - - var all18 = all_match({ - processors: [ - dup50, - select29, - part148, - ], - on_success: processor_chain([ - dup49, - dup22, - setc("event_description","error trying to get hostname"), - dup23, - ]), - }); - - var msg119 = msg("ACCT_GETHOSTNAME_error", all18); - - var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ - dup51, - dup22, - setc("event_description","Memory allocation failure"), - dup23, - ])); - - var msg120 = msg("ACCT_MALLOC_FAILURE", part149); - - var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ - dup30, - 
dup22, - setc("event_description","Accounting profile counter not defined in firewall"), - dup23, - ])); - - var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); - - var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","ACCT_XFER_FAILED"), - dup23, - ])); - - var msg122 = msg("ACCT_XFER_FAILED", part151); - - var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","POPEN FAIL invoking command command to transfer file"), - dup23, - ])); - - var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); - - var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ - dup28, - dup22, - dup52, - ])); - - var msg124 = msg("APPQOS_LOG_EVENT", part153); - - var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("result","AppTrack session created"), - dup23, - ])); - - var msg125 = msg("APPTRACK_SESSION_CREATE", part154); - - var part155 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); - - var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup23, - ])); - - var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); - - var select30 = linear_select([ - msg126, - msg127, - ]); - - var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup22, - dup52, - ])); - - var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); - - var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup22, - dup23, - ])); - - var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); - - var select31 = linear_select([ - msg128, - msg129, - ]); - - var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); - - var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); - - var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp connect error"), - dup23, - ])); - - var msg132 = msg("bgp_connect_start", part159); - - var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp peer state change"), - dup23, - ])); - - var msg133 = msg("bgp_event", part160); - - var part161 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection attempt from unconfigured neighbor"), - dup23, - ])); - - var msg134 = msg("bgp_listen_accept", part161); - - var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp reset"), - dup23, - ])); - - var msg135 = msg("bgp_listen_reset", part162); - - var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","peer next hop local"), - dup23, - ])); - - var msg136 = msg("bgp_nexthop_sanity", part163); - - var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","code RED error NOTIFICATION sent"), - dup23, - ])); - - var msg137 = msg("bgp_process_caps", part164); - - var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg138 = msg("bgp_process_caps:01", part165); - - var select32 = linear_select([ - msg137, - msg138, - ]); - - var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ - dup30, - dup22, - setc("event_description","connection 
collision"), - setc("result","dropping connection to peer"), - dup23, - ])); - - var msg139 = msg("bgp_pp_recv", part166); - - var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ - dup30, - dup22, - setc("event_description","peer received unexpected EOF"), - dup23, - ])); - - var msg140 = msg("bgp_pp_recv:01", part167); - - var select33 = linear_select([ - msg139, - msg140, - ]); - - var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp send blocked error"), - dup23, - ])); - - var msg141 = msg("bgp_send", part168); - - var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp timeout NOTIFICATION sent"), - dup23, - ])); - - var msg142 = msg("bgp_traffic_timeout", part169); - - var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot argument error"), - dup23, - ])); - - var msg143 = msg("BOOTPD_ARG_ERR", part170); - - var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot unexpected Id value"), - dup23, - ])); - - var msg144 = msg("BOOTPD_BAD_ID", part171); - - var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Invalid boot string"), - dup23, - ])); - - var msg145 = msg("BOOTPD_BOOTSTRING", part172); - - var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration file error"), - dup23, - ])); - - var msg146 = msg("BOOTPD_CONFIG_ERR", part173); - - var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open configuration file"), - dup23, - ])); - - var msg147 = msg("BOOTPD_CONF_OPEN", part174); - - var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - Duplicate revision"), - dup23, - ])); - - var msg148 = msg("BOOTPD_DUP_REV", part175); - - var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - duplicate slot"), - dup23, - ])); - - var msg149 = msg("BOOTPD_DUP_SLOT", part176); - - var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected ID for model"), - dup23, - ])); - - var msg150 = msg("BOOTPD_MODEL_CHK", part177); - - var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ - dup30, - dup22, - 
setc("event_description","Unsupported model"), - dup23, - ])); - - var msg151 = msg("BOOTPD_MODEL_ERR", part178); - - var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ - dup21, - dup22, - setc("event_description","New configuration installed"), - dup23, - ])); - - var msg152 = msg("BOOTPD_NEW_CONF", part179); - - var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","No boot string found"), - dup23, - ])); - - var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); - - var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No configuration file found"), - dup23, - ])); - - var msg154 = msg("BOOTPD_NO_CONFIG", part181); - - var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ - dup30, - dup22, - setc("event_description","parse errors on SIGHUP"), - dup23, - ])); - - var msg155 = msg("BOOTPD_PARSE_ERR", part182); - - var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Reparsing configuration file"), - dup23, - ])); - - var msg156 = msg("BOOTPD_REPARSE", part183); - - var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","select error"), - dup23, - ])); - - var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); - - var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ - dup30, - dup22, - setc("event_description","timeout unreasonable"), - dup23, - ])); - - var msg158 = msg("BOOTPD_TIMEOUT", part185); - - var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","boot version built"), - dup23, - ])); - - var msg159 = msg("BOOTPD_VERSION", part186); - - var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ - dup58, - dup22, - setc("event_description","CHASSISD release built"), - dup23, - ])); - - var msg160 = msg("CHASSISD", part187); - - var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD Unknown option"), - dup23, - ])); - - var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); - - var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers are now running at normal speed"), - dup23, - ])); - - var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); - - var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers being set to full speed"), - dup23, - ])); - - var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); - - var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","reading midplane ID EEPROM"), - dup23, - ])); - - var msg164 = msg("CHASSISD_CB_READ", part191); - - var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK ERROR"), - dup23, - ])); - - var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); - - var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD COMMAND ACK SF ERROR"), - dup23, - ])); - - var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); - - var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Cannot set no-concatenated mode for FPC"), - dup23, - ])); - - var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); - - var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG File Problem"), - dup23, - ])); - - var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); - - var part196 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD CONFIG WARNING"), - dup23, - ])); - - var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); - - var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd already running"), - dup23, - ])); - - var msg170 = msg("CHASSISD_EXISTS", part197); - - var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ - dup21, - dup22, - setc("event_description","Killing existing chassisd and exiting"), - dup23, - ])); - - var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); - - var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","file open error"), - dup23, - ])); - - var msg172 = msg("CHASSISD_FILE_OPEN", part199); - - var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD file statistics error"), - dup23, - ])); - - var msg173 = msg("CHASSISD_FILE_STAT", part200); - - var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD received restart EVENT"), - dup23, - ])); - - var msg174 = 
msg("CHASSISD_FRU_EVENT", part201); - - var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD restart WRITE_ERROR"), - dup23, - ])); - - var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); - - var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD FRU STEP ERROR"), - dup23, - ])); - - var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); - - var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error from gettimeofday"), - dup23, - ])); - - var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); - - var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ - dup21, - dup22, - setc("event_description","reading host temperature sensor"), - dup23, - ])); - - var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); - - var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","detaching all pseudo devices"), - dup23, - ])); - - var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); - - var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH FPC"), - dup23, - ])); - - var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); - - var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PIC"), - dup23, - ])); - - var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); - - var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup21, - dup22, - setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), - dup23, - ])); - - var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); - - var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), - dup23, - ])); - - var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); - - var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","rtslib_ifdm_get_by_index failed"), - dup23, - ])); - - var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); - - var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Message Queue full"), - dup23, - ])); - - var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); - - var part213 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Received unexpected message"), - dup23, - ])); - - var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); - - var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection pipe"), - dup23, - ])); - - var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); - - var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FRU has no connection arguments"), - dup23, - ])); - - var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); - - var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ - dup30, - dup22, - setc("event_description","chassisd MAC address allocation error"), - dup23, - ])); - - var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); - - var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ - dup21, - dup22, - setc("event_description","Using default MAC address base"), - dup23, - ])); - - var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); - - var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ - dup30, - dup22, - 
setc("event_description","management bus failed sanity test"), - dup23, - ])); - - var msg191 = msg("CHASSISD_MBUS_ERROR", part218); - - var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ - dup21, - dup22, - setc("event_description","Using new configuration"), - dup23, - ])); - - var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); - - var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD PARSE ERROR"), - dup23, - ])); - - var msg193 = msg("CHASSISD_PARSE_ERROR", part220); - - var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Parsing configuration file"), - dup23, - ])); - - var msg194 = msg("CHASSISD_PARSE_INIT", part221); - - var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open PID file"), - dup23, - ])); - - var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); - - var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Pipe error"), - dup23, - ])); - - var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); - - var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ - dup59, - dup22, - 
setc("event_description","device not powering up"), - dup23, - ])); - - var msg197 = msg("CHASSISD_POWER_CHECK", part224); - - var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ - dup21, - dup22, - setc("event_description","Successful reconnect on soft restart"), - dup23, - ])); - - var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); - - var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ - dup21, - dup22, - setc("event_description","Release mastership notification"), - dup23, - ])); - - var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); - - var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","re_init Invalid RE slot"), - dup23, - ])); - - var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); - - var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine mount point for root directory"), - dup23, - ])); - - var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); - - var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","ifmsg sequence gap"), - dup23, - ])); - - var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); - - var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - setc("eventcategory","1603040000"), - dup22, - setc("event_description","Version mismatch"), - dup23, - ])); - - var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); - - var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Serial ID read error"), - dup23, - ])); - - var msg204 = msg("CHASSISD_SERIAL_ID", part231); - - var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","fpga download not complete"), - dup23, - ])); - - var msg205 = msg("CHASSISD_SMB_ERROR", part232); - - var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ - dup58, - dup22, - setc("event_description","SNMP Trap6 generated"), - dup23, - ])); - - var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); - - var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP Trap7 generated"), - dup23, - ])); - - var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); - - var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap - FRU power on"), - dup23, - ])); - - var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); - - var part236 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ - dup60, - dup22, - setc("event_description","Received SIGTERM request"), - dup23, - ])); - - var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); - - var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","Taking PIC offline"), - dup23, - ])); - - var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); - - var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","UNEXPECTED EXIT"), - dup23, - ])); - - var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); - - var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ - dup59, - dup22, - setc("event_description","Model number unsupported with this version of chassisd"), - dup23, - ])); - - var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); - - var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - dup59, - dup22, - setc("event_description","Chassisd Version mismatch"), - dup23, - ])); - - var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); - - var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ - dup59, - dup22, - 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), - dup61, - dup62, - ])); - - var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); - - var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","process RESTART mode"), - dup23, - ])); - - var msg215 = msg("clean_process", part242); - - var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ - dup21, - dup22, - setc("event_description","Chassis Linklocal to MAC"), - dup23, - ])); - - var msg216 = msg("CM_JAVA", part243); - - var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","DCD must be run as root"), - dup23, - ])); - - var msg217 = msg("DCD_AS_ROOT", part244); - - var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ - dup30, - dup22, - setc("event_description","Filter library initialization failed"), - dup23, - ])); - - var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); - - var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); - - var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration file"), - dup23, - ])); - - var msg220 = msg("DCD_PARSE_EMERGENCY", part246); - - var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing filter index file"), - dup23, - ])); - - var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); - - var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing configuration overlay"), - dup23, - ])); - - var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); - - var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ - dup30, - dup22, - setc("event_description","unhandled state was encountered during interface parsing"), - dup23, - ])); - - var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); - - var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ - dup30, - dup22, - setc("event_description","errors while parsing policer indexfile"), - dup23, - ])); - - var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); - - var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to pull file"), - dup23, - ])); - - var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); - - var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DFWD ARGUMENT 
ERROR"), - dup23, - ])); - - var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); - - var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); - - var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ - dup30, - dup22, - setc("event_description","errors encountered while parsing filter index file"), - dup23, - ])); - - var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); - - var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ - dup30, - dup22, - setc("event_description","encountered unhandled state while parsing interface"), - dup23, - ])); - - var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); - - var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); - - var msg231 = msg("ECCD_DUPLICATE", dup141); - - var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD LOOP EXIT FAILURE"), - dup23, - ])); - - var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); - - var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","ECCD Must be run as root"), - dup23, - ])); - - var msg233 = msg("ECCD_NOT_ROOT", part256); - - var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD PCI FILE OPEN FAILED"), - dup23, - ])); - - var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); - - var 
part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI read failure"), - dup23, - ])); - - var msg235 = msg("ECCD_PCI_READ_FAILED", part258); - - var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PCI write failure"), - dup23, - ])); - - var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); - - var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); - - var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); - - var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ECCD TRACE FILE OPEN FAILURE"), - dup23, - ])); - - var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); - - var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","ECCD Usage"), - dup23, - ])); - - var msg240 = msg("ECCD_usage", part261); - - var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ - dup21, - dup22, - setc("event_description","User viewed security audit log with arguments"), - dup23, - ])); - - var msg241 = msg("EVENTD_AUDIT_SHOW", part262); - - var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); - - var part264 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to change owner of file"), - dup23, - ])); - - var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); - - var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD CONFIG ERROR"), - dup23, - ])); - - var msg244 = msg("FSAD_CONFIG_ERROR", part265); - - var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection timed out to client"), - dup23, - ])); - - var msg245 = msg("FSAD_CONNTIMEDOUT", part266); - - var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","FSAD_FAILED"), - dup23, - ])); - - var msg246 = msg("FSAD_FAILED", part267); - - var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ - dup30, - dup22, - setc("event_description","Fetch to server to get file timed out"), - dup23, - ])); - - var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); - - var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","fn failed for file"), - dup23, - ])); - - var msg248 = 
msg("FSAD_FILE_FAILED", part269); - - var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to remove file"), - dup23, - ])); - - var msg249 = msg("FSAD_FILE_REMOVE", part270); - - var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to rename file"), - dup23, - ])); - - var msg250 = msg("FSAD_FILE_RENAME", part271); - - var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","stat failed for file"), - dup23, - ])); - - var msg251 = msg("FSAD_FILE_STAT", part272); - - var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to sync file"), - dup23, - ])); - - var msg252 = msg("FSAD_FILE_SYNC", part273); - - var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ - dup30, - dup22, - setc("event_description","Upper limit reached in fsad"), - dup23, - ])); - - var msg253 = msg("FSAD_MAXCONN", part274); - - var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ - dup51, - dup22, - setc("event_description","FSAD MEMORYALLOC FAILED"), - dup23, - ])); - - var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part275); - - var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","FSAD must be run as root"), - dup23, - ])); - - var msg255 = msg("FSAD_NOT_ROOT", part276); - - var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","invalid directory"), - dup23, - ])); - - var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); - - var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","File path cannot be a directory"), - dup23, - ])); - - var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); - - var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ - dup30, - dup22, - setc("event_description","Not a regular file"), - dup23, - ])); - - var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); - - var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ - dup30, - dup22, - setc("event_description","fsad received error message from client"), - dup23, - ])); - - var msg259 = msg("FSAD_RECVERROR", part280); - - var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","FSAD TERMINATED CONNECTION"), - dup23, - ])); - - 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); - - var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Received terminating signal"), - dup23, - ])); - - var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); - - var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Open operation on trace file failed"), - dup23, - ])); - - var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); - - var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Incorrect FSAD usage"), - dup23, - ])); - - var msg263 = msg("FSAD_USAGE", part284); - - var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP FAILED"), - dup23, - ])); - - var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); - - var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","GGSN ALARM TRAP SEND FAILED"), - dup23, - ])); - - var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); - - var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown trap request type"), - dup23, - ])); - - var msg266 = 
msg("GGSN_TRAP_SEND", part287); - - var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ - dup69, - dup34, - setc("ec_subject","Service"), - dup43, - dup22, - setc("event_description","Authorization failed"), - dup23, - ])); - - var msg267 = msg("JADE_AUTH_ERROR", part288); - - var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE EXEC ERROR"), - dup23, - ])); - - var msg268 = msg("JADE_EXEC_ERROR", part289); - - var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ - dup30, - dup22, - setc("event_description","Local user does not exist"), - dup23, - ])); - - var msg269 = msg("JADE_NO_LOCAL_USER", part290); - - var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JADE PAM error"), - dup23, - ])); - - var msg270 = msg("JADE_PAM_ERROR", part291); - - var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to get local username from PAM"), - dup23, - ])); - - var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); - - var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ - dup30, - dup22, - setc("event_description","arp info overwritten"), - dup23, - ])); - - var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part293); - - var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ - dup30, - dup22, - setc("event_description","security association has been established"), - dup23, - ])); - - var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); - - var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ - dup21, - dup22, - setc("event_description","Task Reinitialized"), - dup61, - dup23, - ])); - - var msg274 = msg("L2CPD_TASK_REINIT", part295); - - var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ - dup21, - dup22, - dup70, - dup23, - ])); - - var msg275 = msg("LIBJNX_EXEC_EXITED", part296); - - var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed for command"), - dup23, - ])); - - var msg276 = msg("LIBJNX_EXEC_FAILED", part297); - - var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); - - var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Command received signal"), - dup23, - ])); - - var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); - - var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ - dup21, - dup22, - dup72, - dup23, - ])); - - var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); - - var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ - dup73, - dup22, - setc("event_description","copy_file_to_transfer_dir failed to copy"), - dup23, - ])); - - var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); - - var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to lower privilege level"), - dup23, - ])); - - var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); - - var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to raise privilege level"), - dup23, - ])); - - var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); - - var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","rcp failed"), - dup23, - ])); - - var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); - - var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","ROTATE COMPRESS EXEC FAILED"), - dup23, - ])); - - var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); - - var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Client connection error"), - dup23, - ])); - - var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); - - var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Outbound request failed for command"), - dup23, - ])); - - var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); - - var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ - dup27, - dup22, - setc("event_description","Connection closed while receiving from client"), - dup23, - ])); - - var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); - - var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to bind socket"), - dup23, - ])); - - var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); - - var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to attach socket to management routing instance"), - dup23, - ])); - - var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); - - var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LICENSE EXPIRED"), - 
dup23, - ])); - - var msg290 = msg("LICENSE_EXPIRED", part310); - - var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ - dup21, - dup22, - setc("event_description","License key has expired"), - dup23, - ])); - - var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); - - var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","License key expiration soon"), - dup23, - ])); - - var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); - - var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ - dup30, - dup22, - setc("event_description","client aborted login"), - dup23, - ])); - - var msg293 = msg("LOGIN_ABORTED", part313); - - var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - dup23, - ])); - - var msg294 = msg("LOGIN_FAILED", part314); - - var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Incorrect password for user"), - dup23, - ])); - - var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); - - var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - 
setc("result","Failed to set context for user"), - dup23, - ])); - - var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); - - var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Failed to set login ID for user"), - dup23, - ])); - - var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); - - var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Unable to resolve hostname"), - dup23, - ])); - - var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); - - var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); - - var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); - - var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); - - var select34 = linear_select([ - part321, - dup45, - ]); - - var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); - - var all19 = all_match({ - processors: [ - dup39, - dup137, - part319, - dup145, - part320, - select34, - part322, - ], - on_success: processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Successful Login"), - dup23, - ]), - }); - - var msg299 = msg("LOGIN_INFORMATION", all19); - - var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","No entry in local password 
file for user"), - dup23, - ])); - - var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); - - var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Invalid username"), - dup23, - ])); - - var msg301 = msg("LOGIN_MALFORMED_USER", part324); - - var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); - - var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); - - var select35 = linear_select([ - part325, - part326, - ]); - - var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); - - var all20 = all_match({ - processors: [ - dup50, - select35, - part327, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","PAM authentication error for user"), - dup23, - ]), - }); - - var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); - - var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","PAM authentication failure"), - setc("result","Failure while authenticating user"), - dup23, - ])); - - var msg303 = msg("LOGIN_PAM_ERROR", part328); - - var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Too many retries while authenticating user"), - dup23, - ])); - - var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); - - 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","User authenticated but has no local login ID"), - dup23, - ])); - - var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); - - var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ - setc("eventcategory","1303000000"), - dup34, - dup43, - dup22, - setc("event_description","Failed to end PAM session"), - dup23, - ])); - - var msg306 = msg("LOGIN_PAM_STOP", part331); - - var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Attempt to authenticate unknown user"), - dup23, - ])); - - var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); - - var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Forcing change of expired password for user"), - dup23, - ])); - - var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); - - var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Login of user refused"), - dup23, - ])); - - var msg309 = msg("LOGIN_REFUSED", part334); - - var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful login as root"), - setc("result","User logged in as root"), - dup23, - ])); - - var msg310 = msg("LOGIN_ROOT", part335); - - var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ - dup44, - dup34, - dup36, - dup43, - dup22, - dup75, - setc("result","Login attempt timed out"), - dup23, - ])); - - var msg311 = msg("LOGIN_TIMED_OUT", part336); - - var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D ATM ERROR"), - dup23, - ])); - - var msg312 = msg("MIB2D_ATM_ERROR", part337); - - var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG CHECK FAILED"), - dup23, - ])); - - var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); - - var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); - - var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); - - var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); - - var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","mib2d initialization 
failure"), - dup23, - ])); - - var msg317 = msg("MIB2D_INIT_FAILURE", part340); - - var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D KVM FAILURE"), - dup23, - ])); - - var msg318 = msg("MIB2D_KVM_FAILURE", part341); - - var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D RTSLIB READ FAILURE"), - dup23, - ])); - - var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); - - var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ - dup30, - dup22, - setc("event_description","RTSLIB sequence mismatch"), - dup23, - ])); - - var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); - - var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D SYSCTL FAILURE"), - dup23, - ])); - - var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); - - var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ - dup30, - dup22, - setc("event_description","trap_request_header failed"), - dup23, - ])); - - var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); - - var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D 
TRAP SEND FAILURE"), - dup23, - ])); - - var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); - - var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","user sighupped"), - dup23, - ])); - - var msg324 = msg("Multiuser", part347); - - var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate authentication handle"), - dup23, - ])); - - var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); - - var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ - dup80, - dup34, - dup43, - dup22, - setc("event_description","authentication already in progress"), - dup23, - ])); - - var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); - - var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to obtain hostname for outgoing CHAP message"), - dup23, - ])); - - var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); - - var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), - dup23, - ])); - - var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); - - var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID OPCODE"), - dup23, - ])); - - var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); - - var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine value for username in outgoing CHAP packet"), - dup23, - ])); - - var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); - - var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP MESSAGE UNEXPECTED"), - dup23, - ])); - - var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); - - var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ - dup81, - dup22, - setc("event_description","CHAP REPLAY ATTACK DETECTED"), - dup23, - ])); - - var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); - - var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine last modified time of JUNOS configuration database"), - dup23, - ])); - - var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); - - var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); - - var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate database object"), - dup23, - ])); - - var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); - - var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DB TABLE CREATE FAILURE"), - dup23, - ])); - - var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); - - var msg337 = msg("NASD_DUPLICATE", dup141); - - var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB CREATE FAILURE"), - dup23, - ])); - - var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); - - var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB EXIT FAILURE"), - dup23, - ])); - - var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); - - var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate LOCAL module handle"), - dup23, - ])); - - var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); - - var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - 
setc("event_description","NASD must be run as root"), - dup23, - ])); - - var msg341 = msg("NASD_NOT_ROOT", part362); - - var msg342 = msg("NASD_PID_FILE_LOCK", dup142); - - var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); - - var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","POST CONFIGURE EVENT FAILED"), - dup23, - ])); - - var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); - - var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PPP READ FAILURE"), - dup23, - ])); - - var msg345 = msg("NASD_PPP_READ_FAILURE", part364); - - var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send message"), - dup23, - ])); - - var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); - - var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send all of message"), - dup23, - ])); - - var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); - - var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ - dup30, - dup22, - setc("event_description","Unrecognized authentication protocol"), - dup23, - ])); - - var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); - - var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS password allocation failure"), - dup23, - ])); - - var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); - - var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CONFIG FAILED"), - dup23, - ])); - - var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); - - var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate RADIUS module handle"), - dup23, - ])); - - var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); - - var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CREATE REQUEST FAILED"), - dup23, - ])); - - var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); - - var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), - dup23, - ])); - - var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); - - var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown response from RADIUS server"), - 
dup23, - ])); - - var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); - - var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS OPEN FAILED"), - dup23, - ])); - - var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); - - var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SELECT FAILED"), - dup23, - ])); - - var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); - - var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SET TIMER FAILED"), - dup23, - ])); - - var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); - - var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACE FILE OPEN FAILED"), - dup23, - ])); - - var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); - - var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","NASD Usage"), - dup23, - ])); - - var msg359 = msg("NASD_usage", part378); - - var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg360 = msg("NOTICE", part379); - - var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([
- dup21,
- dup22,
- dup82,
- dup23,
- ]));
-
- var msg361 = msg("PFE_FW_SYSLOG_IP", part380);
-
- var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([
- dup21,
- dup22,
- dup82,
- dup23,
- ]));
-
- var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381);
-
- var select36 = linear_select([
- msg361,
- msg362,
- ]);
-
- var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([
- dup21,
- dup22,
- setc("event_description","Next-hop resolution requests throttled"),
- dup23,
- ]));
-
- var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382);
-
- var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([
- dup21,
- dup22,
- setc("event_description","PING TEST COMPLETED"),
- dup23,
- ]));
-
- var msg364 = msg("PING_TEST_COMPLETED", part383);
-
- var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([
- dup21,
- dup22,
- setc("event_description","PING TEST FAILED"),
- dup23,
- ]));
-
- var msg365 = msg("PING_TEST_FAILED", part384);
-
- var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}");
-
- var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}");
-
- var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}");
-
- var select37 = linear_select([
- 
part386,
- part387,
- ]);
-
- var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}");
-
- var all21 = all_match({
- processors: [
- dup39,
- dup137,
- part385,
- select37,
- part388,
- ],
- on_success: processor_chain([
- dup21,
- dup22,
- dup83,
- dup23,
- ]),
- });
-
- var msg366 = msg("process_mode", all21);
-
- var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([
- dup21,
- dup22,
- dup83,
- dup23,
- ]));
-
- var msg367 = msg("process_mode:01", part389);
-
- var select38 = linear_select([
- msg366,
- msg367,
- ]);
-
- var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","process exit with status"),
- dup23,
- ]));
-
- var msg368 = msg("PWC_EXIT", part390);
-
- var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([
- dup21,
- dup22,
- setc("event_description","Process released child from state"),
- dup23,
- ]));
-
- var msg369 = msg("PWC_HOLD_RELEASE", part391);
-
- var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([
- dup21,
- dup22,
- setc("event_description","invalid runs argument"),
- dup23,
- ]));
-
- var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392);
-
- var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","INVALID TIMEOUT 
ARGUMENT"),
- dup23,
- ]));
-
- var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393);
-
- var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([
- dup21,
- dup22,
- setc("event_description","pwc process received terminating signal"),
- dup23,
- ]));
-
- var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394);
-
- var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([
- dup30,
- dup22,
- setc("event_description","pwc is sending kill event to child"),
- dup23,
- ]));
-
- var msg373 = msg("PWC_KILL_EVENT", part395);
-
- var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to kill process"),
- dup23,
- ]));
-
- var msg374 = msg("PWC_KILL_FAILED", part396);
-
- var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","kevent failed"),
- dup23,
- ]));
-
- var msg375 = msg("PWC_KQUEUE_ERROR", part397);
-
- var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to create kqueue"),
- dup23,
- ]));
-
- var msg376 = msg("PWC_KQUEUE_INIT", part398);
-
- var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Failed to register 
kqueue filter"),
- dup23,
- ]));
-
- var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399);
-
- var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([
- dup30,
- dup22,
- setc("event_description","PID lock file has bad format"),
- dup23,
- ]));
-
- var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400);
-
- var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","PID lock file error"),
- dup23,
- ]));
-
- var msg379 = msg("PWC_LOCKFILE_ERROR", part401);
-
- var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([
- dup30,
- dup22,
- setc("event_description","PID lock file not found"),
- dup23,
- ]));
-
- var msg380 = msg("PWC_LOCKFILE_MISSING", part402);
-
- var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([
- dup30,
- dup22,
- setc("event_description","PID lock file not locked"),
- dup23,
- ]));
-
- var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403);
-
- var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([
- dup30,
- dup22,
- setc("event_description","No process specified for PWC"),
- dup23,
- ]));
-
- var msg382 = msg("PWC_NO_PROCESS", part404);
-
- var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","pwc process exited with status"),
- 
dup23,
- ]));
-
- var msg383 = msg("PWC_PROCESS_EXIT", part405);
-
- var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([
- dup21,
- dup22,
- setc("event_description","Process forcing hold down of child until signalled"),
- dup23,
- ]));
-
- var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406);
-
- var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([
- dup21,
- dup22,
- setc("event_description","Process holding down child until signalled"),
- dup23,
- ]));
-
- var msg385 = msg("PWC_PROCESS_HOLD", part407);
-
- var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Process not holding down child"),
- dup23,
- ]));
-
- var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408);
-
- var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Failed to create child process with pidpopen"),
- dup23,
- ]));
-
- var msg387 = msg("PWC_PROCESS_OPEN", part409);
-
- var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Process holding down child"),
- dup23,
- ]));
-
- var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410);
-
- var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Child process timed out"),
- dup23,
- ]));
-
- var msg389 = msg("PWC_PROCESS_TIMEOUT", part411);
-
- var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","signal failure"),
- dup23,
- ]));
-
- var msg390 = msg("PWC_SIGNAL_INIT", part412);
-
- var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to connect socket to service"),
- dup23,
- ]));
-
- var msg391 = msg("PWC_SOCKET_CONNECT", part413);
-
- var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Failed to create socket"),
- dup23,
- ]));
-
- var msg392 = msg("PWC_SOCKET_CREATE", part414);
-
- var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to set socket option"),
- dup23,
- ]));
-
- var msg393 = msg("PWC_SOCKET_OPTION", part415);
-
- var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Write to stdout failed"),
- dup23,
- ]));
-
- var msg394 = msg("PWC_STDOUT_WRITE", part416);
-
- var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([
- 
dup21,
- dup22,
- setc("event_description","PWC SYSTEM CALL"),
- dup23,
- ]));
-
- var msg395 = msg("PWC_SYSTEM_CALL", part417);
-
- var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unknown kill option"),
- dup23,
- ]));
-
- var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418);
-
- var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([
- dup30,
- dup22,
- setc("event_description","Multicast address not allowed"),
- dup23,
- ]));
-
- var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419);
-
- var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","RMOPD ADDRESS SOURCE INVALID"),
- dup23,
- ]));
-
- var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420);
-
- var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to convert numeric address to string"),
- dup23,
- ]));
-
- var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421);
-
- var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","rmop_util_set_address status message invalid"),
- dup23,
- ]));
-
- var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422);
-
- var msg401 = msg("RMOPD_DUPLICATE", dup141);
-
- var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([
- dup30,
- dup22,
- setc("event_description","Only IPv4 source address is supported"),
- dup23,
- ]));
-
- var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423);
-
- var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([
- dup30,
- dup22,
- setc("event_description","No route to host"),
- dup23,
- ]));
-
- var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424);
-
- var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([
- dup30,
- dup22,
- setc("event_description","IFINDEX NOT ACTIVE"),
- dup23,
- ]));
-
- var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425);
-
- var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","IFINDEX NO INFO"),
- dup23,
- ]));
-
- var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426);
-
- var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([
- dup30,
- dup22,
- setc("event_description","RMOPD IFNAME NOT ACTIVE"),
- dup23,
- ]));
-
- var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427);
-
- var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","IFNAME NO INFO"),
- dup23,
- ]));
-
- var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428);
-
- var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([
- dup63,
- dup22,
- setc("event_description","RMOPD Must be run as root"),
- dup23,
- ]));
-
- var msg408 = msg("RMOPD_NOT_ROOT", part429);
-
- var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","No information for routing instance"),
- dup23,
- ]));
-
- var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430);
-
- var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","TRACEROUTE ERROR"),
- dup23,
- ]));
-
- var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431);
-
- var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","RMOPD usage"),
- dup23,
- ]));
-
- var msg411 = msg("RMOPD_usage", part432);
-
- var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","RPD ABORT"),
- dup23,
- ]));
-
- var msg412 = msg("RPD_ABORT", part433);
-
- var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([
- dup30,
- dup22,
- setc("event_description","RPD exiting with active tasks"),
- dup23,
- ]));
-
- var msg413 = msg("RPD_ACTIVE_TERMINATE", part434);
-
- var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","RPD Assertion failed"),
- dup23,
- ]));
-
- var msg414 = msg("RPD_ASSERT", part435);
-
- var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","RPD Soft assertion failed"),
- dup23,
- ]));
-
- var msg415 = msg("RPD_ASSERT_SOFT", part436);
-
- var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([
- dup21,
- dup22,
- setc("event_description","RPD EXIT"),
- dup23,
- ]));
-
- var msg416 = msg("RPD_EXIT", part437);
-
- var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147);
-
- var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147);
-
- var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","IS-IS lost adjacency"),
- dup23,
- ]));
-
- var msg419 = msg("RPD_ISIS_ADJDOWN", part438);
-
- var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([
- dup21,
- dup22,
- setc("event_description","IS-IS new adjacency"),
- dup23,
- ]));
-
- var msg420 = msg("RPD_ISIS_ADJUP", part439);
-
- var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([
- dup30,
- dup22,
- setc("event_description","IS-IS new adjacency 
without an address"),
- dup23,
- ]));
-
- var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440);
-
- var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([
- dup30,
- dup22,
- setc("event_description","IS-IS LSP checksum error on iterface"),
- dup23,
- ]));
-
- var msg422 = msg("RPD_ISIS_LSPCKSUM", part441);
-
- var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([
- dup30,
- dup22,
- setc("event_description","IS-IS database overload"),
- dup23,
- ]));
-
- var msg423 = msg("RPD_ISIS_OVERLOAD", part442);
-
- var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","message with unsupported address family received"),
- dup23,
- ]));
-
- var msg424 = msg("RPD_KRT_AFUNSUPRT", part443);
-
- var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([
- dup30,
- dup22,
- setc("event_description","RPD KRT CCC IFL MODIFY"),
- dup23,
- ]));
-
- var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444);
-
- var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([
- dup30,
- dup22,
- setc("event_description","received deleted routing table from kernel"),
- dup23,
- ]));
-
- var msg426 = msg("RPD_KRT_DELETED_RTT", part445);
-
- var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","ifa generation mismatch"),
- dup23,
- ]));
-
- var msg427 = msg("RPD_KRT_IFA_GENERATION", part446);
-
- var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHANGE for ifd failed"),
- dup23,
- ]));
-
- var msg428 = msg("RPD_KRT_IFDCHANGE", part447);
-
- var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([
- dup30,
- dup22,
- setc("event_description","GET SERVICE failure on interface"),
- dup23,
- ]));
-
- var msg429 = msg("RPD_KRT_IFDEST_GET", part448);
-
- var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([
- dup30,
- dup22,
- setc("event_description","GET index for ifd interface failed"),
- dup23,
- ]));
-
- var msg430 = msg("RPD_KRT_IFDGET", part449);
-
- var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","ifd generation mismatch"),
- dup23,
- ]));
-
- var msg431 = msg("RPD_KRT_IFD_GENERATION", part450);
-
- var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","KRT IFL CELL RELAY MODE INVALID"),
- dup23, 
- ]));
-
- var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451);
-
- var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"),
- dup23,
- ]));
-
- var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452);
-
- var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","ifl generation mismatch"),
- dup23,
- ]));
-
- var msg434 = msg("RPD_KRT_IFL_GENERATION", part453);
-
- var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([
- dup30,
- dup22,
- setc("event_description","lost interface for route"),
- dup23,
- ]));
-
- var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454);
-
- var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","number of next hops exceeded the maximum"),
- dup23,
- ]));
-
- var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455);
-
- var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([
- dup30,
- dup22,
- setc("event_description","No device for interface"),
- dup23,
- ]));
-
- var msg437 = msg("RPD_KRT_NOIFD", part456);
-
- var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","received routing table message for unknown table"),
- dup23,
- ]));
-
- var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457);
-
- var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Routing socket version mismatch"),
- dup23,
- ]));
-
- var msg439 = msg("RPD_KRT_VERSION", part458);
-
- var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Routing socket message type not supported by kernel"),
- dup23,
- ]));
-
- var msg440 = msg("RPD_KRT_VERSIONNONE", part459);
-
- var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Routing socket message type version is older than expected"),
- dup23,
- ]));
-
- var msg441 = msg("RPD_KRT_VERSIONOLD", part460);
-
- var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Duplicate session ID detected"),
- dup23,
- ]));
-
- var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461);
-
- var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","LDP interface now unblocked"),
- dup23,
- ]));
-
- var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462);
-
- var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([
- setc("eventcategory","1603030000"),
- dup22,
- setc("event_description","LDP neighbor down"),
- dup23,
- ]));
-
- var msg444 = msg("RPD_LDP_NBRDOWN", part463);
-
- var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","LDP neighbor up"),
- dup23,
- ]));
-
- var msg445 = msg("RPD_LDP_NBRUP", part464);
-
- var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","LDP session down"),
- dup23,
- ]));
-
- var msg446 = msg("RPD_LDP_SESSIONDOWN", part465);
-
- var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([
- dup21,
- dup22,
- setc("event_description","LDP session up"),
- dup23,
- ]));
-
- var msg447 = msg("RPD_LDP_SESSIONUP", part466);
-
- var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to obtain a lock"),
- dup23,
- ]));
-
- var msg448 = msg("RPD_LOCK_FLOCKED", part467);
-
- var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to obtain service lock"),
- dup23,
- ]));
-
- var msg449 = msg("RPD_LOCK_LOCKED", part468);
-
- var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","MPLS LSP CHANGE"),
- dup23,
- ]));
-
- var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469);
-
- var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","MPLS LSP DOWN"),
- dup23,
- ]));
-
- var msg451 = msg("RPD_MPLS_LSP_DOWN", part470);
-
- var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","MPLS LSP SWITCH"),
- dup23,
- ]));
-
- var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471);
-
- var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","MPLS LSP UP"),
- dup23,
- ]));
-
- var msg453 = msg("RPD_MPLS_LSP_UP", part472);
-
- var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","MSDP PEER DOWN"),
- dup23,
- ]));
-
- var msg454 = msg("RPD_MSDP_PEER_DOWN", part473);
-
- var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","MSDP PEER UP"),
- dup23,
- ]));
-
- var 
msg455 = msg("RPD_MSDP_PEER_UP", part474);
-
- var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","OSPF neighbor down"),
- dup23,
- ]));
-
- var msg456 = msg("RPD_OSPF_NBRDOWN", part475);
-
- var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","OSPF neighbor up"),
- dup23,
- ]));
-
- var msg457 = msg("RPD_OSPF_NBRUP", part476);
-
- var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([
- dup51,
- dup22,
- setc("event_description","OS MEMHIGH"),
- dup23,
- ]));
-
- var msg458 = msg("RPD_OS_MEMHIGH", part477);
-
- var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([
- dup30,
- dup22,
- setc("event_description","PIM neighbor down"),
- setc("result","timeout"),
- dup23,
- ]));
-
- var msg459 = msg("RPD_PIM_NBRDOWN", part478);
-
- var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([
- dup21,
- dup22,
- setc("event_description","PIM neighbor up"),
- dup23,
- ]));
-
- var msg460 = msg("RPD_PIM_NBRUP", part479);
-
- var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Bad checksum for router 
solicitation"), - dup23, - ])); - - var msg461 = msg("RPD_RDISC_CKSUM", part480); - - var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Ignoring interface"), - dup23, - ])); - - var msg462 = msg("RPD_RDISC_NOMULTI", part481); - - var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to locate interface for router"), - dup23, - ])); - - var msg463 = msg("RPD_RDISC_NORECVIF", part482); - - var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Expected multicast for router solicitation"), - dup23, - ])); - - var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); - - var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Nonzero ICMP code for router solicitation"), - dup23, - ])); - - var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); - - var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Insufficient length for router solicitation"), - dup23, - ])); - - var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); - 
- var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ - dup30, - dup22, - setc("event_description","RIP update with invalid authentication"), - dup23, - ])); - - var msg467 = msg("RPD_RIP_AUTH", part486); - - var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - unable to get broadcast address"), - dup23, - ])); - - var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); - - var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - Unable to join multicast group"), - dup23, - ])); - - var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); - - var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","RIP interface up"), - dup23, - ])); - - var msg470 = msg("RPD_RT_IFUP", part489); - - var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); - - var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ - dup30, - dup22, - setc("event_description","excessive runtime after action of module"), - dup23, - ])); - - var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); - - var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); - - var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ - dup30, - dup22, - setc("event_description","task extended runtime"), - dup23, - ])); - - var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); - - var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ - dup30, - dup22, - setc("event_description","termination signal received for service"), - dup23, - ])); - - var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); - - var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","version built"), - dup23, - ])); - - var msg476 = msg("RPD_START", part493); - - var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","system command"), - dup23, - ])); - - var msg477 = msg("RPD_SYSTEM", part494); - - var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ - dup21, - dup22, - setc("event_description","Commencing routing updates"), - dup23, - ])); - - var msg478 = msg("RPD_TASK_BEGIN", part495); - - var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task killed by signal"), - dup23, - ])); - - var msg479 = msg("RPD_TASK_CHILDKILLED", part496); - - var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task stopped by signal"), - dup23, - ])); - - var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); - - var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork task"), - dup23, - ])); - - var msg481 = msg("RPD_TASK_FORK", part498); - - var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD TASK GETWD"), - dup23, - ])); - - var msg482 = msg("RPD_TASK_GETWD", part499); - - var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ - dup30, - dup22, - setc("event_description","Reinitialization not possible"), - dup23, - ])); - - var msg483 = msg("RPD_TASK_NOREINIT", part500); - - var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to close and remove task"), - dup23, - ])); - - var msg484 = msg("RPD_TASK_PIDCLOSED", part501); - - var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD TASK PIDFLOCK"), - dup23, - ])); - - var msg485 = msg("RPD_TASK_PIDFLOCK", part502); - - var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to write"), - dup23, - ])); - - var msg486 = msg("RPD_TASK_PIDWRITE", part503); - - var msg487 = msg("RPD_TASK_REINIT", dup149); - - var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","ignoring task signal"), - dup23, - ])); - - var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); - - var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","COS IPC op failed"), - dup23, - ])); - - var msg489 = msg("RT_COS", part505); - - var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); - - var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); - - var select39 = linear_select([ - part508, - dup91, - ]); - - var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); - - var select40 = linear_select([ - 
part510, - dup45, - ]); - - var all22 = all_match({ - processors: [ - dup87, - dup150, - part506, - dup151, - part507, - select39, - part509, - select40, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); - - var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); - - var select41 = linear_select([ - part511, - dup45, - ]); - - var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); - - var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); - - var select42 = linear_select([ - part513, - dup45, - ]); - - var all23 = all_match({ - processors: [ - dup87, - select41, - part512, - select42, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); - - var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); - - var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); - - var select43 = linear_select([ - part514, - part515, - ]); - - var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); - - var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); - - var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); - - var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); - - var select44 = linear_select([ - part517, - part518, - part519, - ]); - - var all24 = all_match({ - processors: [ - select43, - part516, - select44, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("event_description","session created"), - dup23, - ]), - }); - - var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); - - var select45 = linear_select([ - msg490, - msg491, - msg492, - ]); - - var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); - - var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); - - var select46 = 
linear_select([ - part521, - part522, - dup45, - ]); - - var all25 = all_match({ - processors: [ - dup87, - dup150, - part520, - select46, - dup92, - ], - on_success: processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ]), - }); - - var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); - - var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ])); - - var msg494 = msg("RT_FLOW_SESSION_DENY", part523); - - var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); - - var all26 = all_match({ - processors: [ - dup152, - part524, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); - - var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); - - var all27 = all_match({ - processors: [ - dup152, - part525, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); - - var select47 = linear_select([ - msg493, - msg494, - msg495, - msg496, - ]); - - var select48 = linear_select([ - dup103, - dup45, - ]); - - var all28 = all_match({ - processors: [ - dup98, - dup150, - dup99, - dup151, - dup100, - dup153, - dup102, - select48, - dup92, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - ]), - }); - - var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); - - var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); - - var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); - - var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); - - var select49 = linear_select([ - part527, - part528, - ]); - - var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); - - var all29 = all_match({ - processors: [ - select49, - part529, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup22, - setc("event_description","session closed"), - dup23, - ]), - }); - - var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); - - var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); - - var select50 = linear_select([ - dup103, - part530, - dup45, - ]); - - var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); - - var all30 = all_match({ - processors: [ - dup98, - dup150, - 
dup99, - dup151, - dup100, - dup153, - dup102, - select50, - part531, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - dup61, - ]), - }); - - var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); - - var select51 = linear_select([ - msg497, - msg498, - msg499, - msg500, - ]); - - var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","Fragmented traffic"), - dup23, - ])); - - var msg501 = msg("RT_SCREEN_IP", part532); - - var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg502 = msg("RT_SCREEN_IP:01", part533); - - var select52 = linear_select([ - msg501, - msg502, - ]); - - var msg503 = msg("RT_SCREEN_TCP", dup154); - - var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); - - var msg505 = msg("RT_SCREEN_UDP", dup154); - - var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","attempt to connect to interface failed"), - dup23, - 
])); - - var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); - - var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ - dup27, - dup22, - setc("event_description","unexpected termination of connection"), - dup23, - ])); - - var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); - - var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client interface connection failure"), - dup23, - ])); - - var msg508 = msg("SERVICED_CLIENT_ERROR", part537); - - var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","remote command execution failed"), - dup23, - ])); - - var msg509 = msg("SERVICED_COMMAND_FAILED", part538); - - var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client commit configuration failed"), - dup23, - ])); - - var msg510 = msg("SERVICED_COMMIT_FAILED", part539); - - var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration process failed"), - dup23, - ])); - - var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); - - var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONFIG ERROR"), - dup23, - ])); - - var msg512 = msg("SERVICED_CONFIG_ERROR", part541); - - var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service failed to read path"), - dup23, - ])); - - var msg513 = msg("SERVICED_CONFIG_FILE", part542); - - var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONNECTION ERROR"), - dup23, - ])); - - var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); - - var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","GGSN services disabled"), - dup23, - ])); - - var msg515 = msg("SERVICED_DISABLED_GGSN", part544); - - var msg516 = msg("SERVICED_DUPLICATE", dup141); - - var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","event function failed"), - dup23, - ])); - - var msg517 = msg("SERVICED_EVENT_FAILED", part545); - - var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service initialization failed"), - dup23, - ])); - - var msg518 = msg("SERVICED_INIT_FAILED", part546); - - var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","memory allocation failure"), - dup23, - ])); - - var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); - - var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","NETWORK FAILURE"), - dup23, - ])); - - var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); - - var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","SERVICED must be run as root"), - dup23, - ])); - - var msg521 = msg("SERVICED_NOT_ROOT", part549); - - var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); - - var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); - - var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","routing socket sequence error"), - dup23, - ])); - - var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); - - var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","set up of signal name handler failed"), - dup23, - ])); - - var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); - - var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed with error"), - dup23, - ])); - - var msg526 = msg("SERVICED_SOCKET_CREATE", part552); - - var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket function failed"), - dup23, - ])); - - var msg527 = msg("SERVICED_SOCKET_IO", part553); - - var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to set socket option"), - dup23, - ])); - - var msg528 = msg("SERVICED_SOCKET_OPTION", part554); - - var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","STDLIB FAILURE"), - dup23, - ])); - - var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); - - var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Incorrect service usage"), - dup23, - ])); - - var msg530 = msg("SERVICED_USAGE", part556); - - var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","object has unexpected value"), - dup23, - ])); - - var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); - - var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); - - var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); - - var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); - - var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ - dup21, - dup22, - setc("event_description","AgentX subagent connected"), - dup61, - dup23, - ])); - - var msg535 = msg("SNMP_NS_LOG_INFO", part558); - - var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ - dup21, - dup22, - setc("event_description","ns_subagent registering rows"), - dup61, - dup23, - ])); - - var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); - - var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ACCESS GROUP ERROR"), - dup23, - ])); - - var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); - - var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community to unknown community name"), - dup23, - ])); - - var msg538 = msg("SNMPD_AUTH_FAILURE", part561); - - var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","failed input interface authorization to unknown"), - dup23, - 
])); - - var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); - - var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community "), - dup23, - ])); - - var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); - - var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ - dup30, - dup22, - dup105, - dup61, - dup62, - ])); - - var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); - - var select53 = linear_select([ - msg538, - msg539, - msg540, - msg541, - ]); - - var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP request exceeded community privileges"), - dup23, - ])); - - var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); - - var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ - dup48, - dup22, - setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), - setc("result","request not allowed"), - dup23, - ])); - - var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); - - var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unauthorized SNMP PDU type"), - 
dup23, - ])); - - var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); - - var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ - dup30, - dup22, - setc("event_description","Configuration database has errors"), - dup23, - ])); - - var msg545 = msg("SNMPD_CONFIG_ERROR", part568); - - var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD CONTEXT ERROR"), - dup23, - ])); - - var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); - - var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ENGINE FILE FAILURE"), - dup23, - ])); - - var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); - - var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ - dup30, - dup22, - setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), - dup23, - ])); - - var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); - - var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD FILE FAILURE"), - dup23, - ])); - - var msg549 = msg("SNMPD_FILE_FAILURE", part572); - - var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD GROUP ERROR"), - dup23, - ])); - - var msg550 = msg("SNMPD_GROUP_ERROR", part573); - - var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","snmpd initialization failure"), - dup23, - ])); - - var msg551 = msg("SNMPD_INIT_FAILED", part574); - - var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LIBJUNIPER FAILURE"), - dup23, - ])); - - var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); - - var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LOOPBACK ADDR ERROR"), - dup23, - ])); - - var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); - - var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ - dup30, - dup22, - setc("event_description","duplicate memory free"), - dup23, - ])); - - var msg554 = msg("SNMPD_MEMORY_FREED", part577); - - var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","radix_add failed"), - dup23, - ])); - - var msg555 = msg("SNMPD_RADIX_FAILURE", part578); - - var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD RECEIVE FAILURE"), - dup23, - ])); - - var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); - - var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMONFILE FAILURE"), - dup23, - ])); - - var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); - - var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ - dup30, - dup22, - setc("event_description","Null cookie"), - dup23, - ])); - - var msg558 = msg("SNMPD_RMON_COOKIE", part581); - - var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","RMON EVENTLOG"), - dup23, - ])); - - var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); - - var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Received io error"), - dup23, - ])); - - var msg560 = msg("SNMPD_RMON_IOERROR", part583); - - var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","internal Get request error"), - dup23, - ])); - - var msg561 = msg("SNMPD_RMON_MIBERROR", part584); - - var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ - 
dup30, - dup22, - setc("event_description","sequence mismatch"), - dup23, - ])); - - var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); - - var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg563 = msg("SNMPD_SEND_FAILURE", part586); - - var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); - - var select54 = linear_select([ - msg563, - msg564, - ]); - - var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD SOCKET FAILURE"), - dup23, - ])); - - var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); - - var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ - dup30, - dup22, - setc("event_description","No buffers available for subagent"), - dup23, - ])); - - var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); - - var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Send to subagent failed"), - dup23, - ])); - - var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); - - var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","system function failed"), - dup23, - ])); - - var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); - - var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ - dup21, - dup22, - setc("event_description","cleared all throttled traps"), - dup23, - ])); - - var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); - - var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap: cold start"), - dup23, - ])); - - var msg570 = msg("SNMPD_TRAP_COLD_START", part593); - - var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); - - var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); - - var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP INVALID DATA"), - dup23, - ])); - - var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); - - var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ - 
dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR"), - dup23, - ])); - - var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); - - var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ - dup21, - dup22, - setc("event_description","Adding trap to queue"), - dup23, - ])); - - var msg575 = msg("SNMPD_TRAP_QUEUED", part598); - - var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ - dup21, - dup22, - setc("event_description","traps queued - sent successfully"), - dup23, - ])); - - var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); - - var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), - dup23, - ])); - - var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); - - var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP maximum queue size exceeded"), - dup23, - ])); - - var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); - - var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ - dup21, - dup22, - 
setc("event_description","SNMP traps throttled"), - dup23, - ])); - - var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); - - var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ - dup30, - dup22, - setc("event_description","unknown SNMP trap type requested"), - dup23, - ])); - - var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); - - var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), - dup23, - ])); - - var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); - - var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR - invalid version signature"), - dup23, - ])); - - var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); - - var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMPD TRAP WARM START"), - dup23, - ])); - - var msg583 = msg("SNMPD_TRAP_WARM_START", part606); - - var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD USER ERROR"), - dup23, - ])); - - var msg584 = msg("SNMPD_USER_ERROR", part607); - - var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP deleting view"), - dup23, - ])); - - var msg585 = msg("SNMPD_VIEW_DELETE", part608); - - var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","installing default SNMP view"), - dup23, - ])); - - var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); - - var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","oid parsing failed for SNMP view"), - dup23, - ])); - - var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); - - var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP_GET_ERROR 1"), - dup23, - ])); - - var msg588 = msg("SNMP_GET_ERROR1", part611); - - var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 2"), - dup23, - ])); - - var msg589 = msg("SNMP_GET_ERROR2", part612); - - var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 
3"), - dup23, - ])); - - var msg590 = msg("SNMP_GET_ERROR3", part613); - - var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 4"), - dup23, - ])); - - var msg591 = msg("SNMP_GET_ERROR4", part614); - - var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP RTSLIB FAILURE"), - dup23, - ])); - - var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); - - var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup30, - dup22, - dup108, - dup23, - ])); - - var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); - - var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ - dup30, - dup22, - dup108, - dup61, - dup62, - ])); - - var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); - - var select55 = linear_select([ - msg593, - msg594, - ]); - - var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup21, - dup22, - dup109, - dup23, - ])); - - var msg595 = msg("SNMP_TRAP_LINK_UP", part618); - - var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ - dup21, - dup22, - dup109, - dup61, - dup62, - ])); - - var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); - - var select56 = linear_select([ - msg595, - msg596, - ]); - - var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING PROBE FAILED"), - dup23, - ])); - - var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); - - var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP PING TEST COMPLETED"), - dup23, - ])); - - var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); - - var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING TEST FAILED"), - dup23, - ])); - - var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); - - var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), - dup23, - ])); - - var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); - - var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), - dup23, - ])); - - var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); - - var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), - dup23, - ])); - - var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); - - var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup23, - ])); - - var msg603 = msg("SSHD_LOGIN_FAILED", part626); - - var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup61, - dup52, - setf("process","hfld33"), - ])); - - var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); - - var select57 = linear_select([ - msg603, - msg604, - ]); - - var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","task connect failure"), - dup23, - ])); - - var msg605 = msg("task_connect", part628); - - var msg606 = msg("TASK_TASK_REINIT", dup149); - - var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ - dup30, - dup22, 
- setc("event_description","Unexpected address family"), - dup23, - ])); - - var msg607 = msg("TFTPD_AF_ERR", part629); - - var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD BIND ERROR"), - dup23, - ])); - - var msg608 = msg("TFTPD_BIND_ERR", part630); - - var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CONNECT ERROR"), - dup23, - ])); - - var msg609 = msg("TFTPD_CONNECT_ERR", part631); - - var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD CONNECT INFO"), - dup23, - ])); - - var msg610 = msg("TFTPD_CONNECT_INFO", part632); - - var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CREATE ERROR"), - dup23, - ])); - - var msg611 = msg("TFTPD_CREATE_ERR", part633); - - var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FIO ERR"), - dup23, - ])); - - var msg612 = msg("TFTPD_FIO_ERR", part634); - - var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FORK ERROR"), - dup23, - ])); - - var msg613 = msg("TFTPD_FORK_ERR", part635); - - var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD NAK ERROR"), - dup23, - ])); - - var msg614 = msg("TFTPD_NAK_ERR", part636); - - var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg615 = msg("TFTPD_OPEN_ERR", part637); - - var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD RECVCOMPLETE INFO"), - dup23, - ])); - - var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); - - var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECVFROM ERROR"), - dup23, - ])); - - var msg617 = msg("TFTPD_RECVFROM_ERR", part639); - - var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECV ERROR"), - dup23, - ])); - - var msg618 = msg("TFTPD_RECV_ERR", part640); - - var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD SENDCOMPLETE INFO"), - dup23, - ])); - - var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); - - var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SEND ERROR"), - dup23, - ])); - - var msg620 = msg("TFTPD_SEND_ERR", part642); - - var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SOCKET ERROR"), - dup23, - ])); - - var msg621 = msg("TFTPD_SOCKET_ERR", part643); - - var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD STATFS ERROR"), - dup23, - ])); - - var msg622 = msg("TFTPD_STATFS_ERR", part644); - - var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","adding neighbor to interface"), - dup23, - ])); - - var msg623 = msg("TNP", part645); - - var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ - dup21, - dup22, - setc("event_description","tracing to file"), - dup23, - call({ - dest: "nwparser.filename", - fn: RMQ, - args: [ - field("fld33"), - ], - }), - ])); - - var msg624 = msg("trace_on", part646); - - var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","trace rotating file"), - dup23, - ])); - - var msg625 = msg("trace_rotate", part647); - - var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","transfered file"), - dup23, - ])); - - var msg626 = msg("transfer-file", 
part648); - - var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","ttloop - peer died"), - dup23, - ])); - - var msg627 = msg("ttloop", part649); - - var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated user"), - dup23, - ])); - - var msg628 = msg("UI_AUTH_EVENT", part650); - - var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ - dup30, - dup22, - setc("event_description","Received invalid authentication challenge for user response"), - dup23, - ])); - - var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); - - var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch boot time"), - dup23, - ])); - - var msg630 = msg("UI_BOOTTIME_FAILED", part652); - - var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ - dup30, - dup22, - setc("event_description","user path unknown"), - dup23, - ])); - - var msg631 = msg("UI_CFG_AUDIT_NEW", part653); - - var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ - dup42, - dup22, - 
setc("event_description"," user Inserted Security Policies in config"), - dup23, - ])); - - var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); - - var select58 = linear_select([ - msg631, - msg632, - ]); - - var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ - dup21, - dup22, - setc("event_description","User deleted file"), - setc("action","delete"), - dup23, - ])); - - var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); - - var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","User rollback file"), - dup23, - ])); - - var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); - - var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); - - var select59 = linear_select([ - part657, - dup112, - ]); - - var all31 = all_match({ - processors: [ - dup111, - select59, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","User set"), - dup23, - ]), - }); - - var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); - - var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ - dup21, - dup22, - setc("event_description","User config replace"), - setc("action","replace"), - dup23, - ])); - - var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); - - var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ - setc("eventcategory","1701070000"), - dup22, - setc("event_description","User deactivating group(s)"), - setc("action","deactivate"), - 
dup23, - ])); - - var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); - - var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ - dup113, - dup22, - setc("event_description","User updates config file"), - setc("action","update"), - dup23, - ])); - - var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); - - var select60 = linear_select([ - msg633, - msg634, - msg635, - msg636, - msg637, - msg638, - ]); - - var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); - - var select61 = linear_select([ - part661, - dup114, - ]); - - var all32 = all_match({ - processors: [ - dup111, - select61, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); - - var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); - - var select62 = linear_select([ - part662, - dup114, - ]); - - var all33 = all_match({ - processors: [ - dup111, - select62, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); - - var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ - dup21, - dup22, - setc("event_description","User replace config application(s)"), - dup23, - ])); - - var msg641 = msg("UI_CFG_AUDIT_SET", part663); - - var select63 = linear_select([ - msg639, - msg640, - msg641, - ]); - - var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); - - var all34 = all_match({ - processors: [ - dup117, - dup156, - part664, - ], - on_success: 
processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); - - var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); - - var all35 = all_match({ - processors: [ - dup117, - dup156, - part665, - ], - on_success: processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); - - var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ - dup21, - dup22, - setc("event_description","UI CFG AUDIT SET SECRET"), - dup23, - ])); - - var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); - - var select64 = linear_select([ - msg642, - msg643, - msg644, - ]); - - var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ - dup30, - dup22, - setc("event_description","Too many arguments for child process"), - dup23, - ])); - - var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); - - var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to switch to local user"), - dup23, - ])); - - var msg646 = msg("UI_CHILD_CHANGE_USER", part668); - - var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed"), - dup23, - ])); - - var msg647 = msg("UI_CHILD_EXEC", part669); - - var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Child exited"), - dup23, - ])); - - var msg648 = msg("UI_CHILD_EXITED", part670); - - var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to append to log"), - dup23, - ])); - - var msg649 = msg("UI_CHILD_FOPEN", part671); - - var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create pipe for command"), - dup23, - ])); - - var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); - - var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ - dup21, - dup22, - dup61, - setc("event_description","Child received signal"), - dup23, - ])); - - var msg651 = msg("UI_CHILD_SIGNALED", part673); - - var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ - dup21, - dup22, - setc("event_description","Child stopped"), - dup23, - ])); - - var msg652 = msg("UI_CHILD_STOPPED", part674); - - var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ - dup21, - dup22, - setc("event_description","Starting child"), - dup23, - ])); - - var msg653 = msg("UI_CHILD_START", part675); - - var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Cleanup child"), - dup23, - ])); - - var msg654 = msg("UI_CHILD_STATUS", part676); - - var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","waitpid failed"), - dup23, - ])); - - var msg655 = msg("UI_CHILD_WAITPID", part677); - - var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Idle timeout for user exceeded"), - dup23, - ])); - - var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); - - var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg657 = msg("UI_CMDLINE_READ_LINE", part679); - - var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Command execution failed"), - dup23, - ])); - - var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); - - var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork command"), - dup23, - ])); - - var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); - - var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); - - var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup70, - dup23, - ])); - - var msg661 = msg("UI_CMDSET_STOPPED", part682); - - var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup72, - dup23, - ])); - - var msg662 = msg("UI_CMDSET_WEXITED", part683); - - var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Invalid regexp command"), - dup23, - ])); - - var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); - - var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); - - var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); - - var select65 = linear_select([ - part685, - part686, - ]); - - var all36 = all_match({ - processors: [ - dup117, - select65, - ], - on_success: processor_chain([ - dup21, - dup22, - dup122, - dup23, - ]), - }); - - var msg664 = msg("UI_COMMIT", all36); - - var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ - dup21, - dup22, - dup122, - dup23, - ])); - - var msg665 = msg("UI_COMMIT_AT", part687); - - var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ - dup21, - dup22, - setc("event_description","User commit successful"), - dup23, - ])); - - var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); - - var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","User commit failed"), - dup23, - ])); - - var msg667 = msg("UI_COMMIT_AT_FAILED", part689); - - var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to compress file"), - dup23, - ])); - - var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); - - var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","UI COMMIT CONFIRMED"), - dup23, - ])); - - var msg669 = msg("UI_COMMIT_CONFIRMED", part691); - - var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); - - var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); - - var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); - - var select66 = linear_select([ - part693, - part694, - ]); - - var all37 = all_match({ - processors: [ - part692, - select66, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT must be confirmed within # minutes"), - dup23, - ]), - }); - - var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); - - var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); - - var all38 = all_match({ - processors: [ - dup50, - dup145, - part695, - ], - on_success: processor_chain([ - dup21, - 
dup22, - setc("event_description","user performed commit confirm"), - dup23, - ]), - }); - - var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); - - var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Skipped empty object"), - dup23, - ])); - - var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); - - var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","COMMIT NOT CONFIRMED"), - dup23, - ])); - - var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); - - var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); - - var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); - - var select67 = linear_select([ - part698, - part699, - ]); - - var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); - - var all39 = all_match({ - processors: [ - dup50, - select67, - part700, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","Commit operation in progress"), - dup23, - ]), - }); - - var msg674 = msg("UI_COMMIT_PROGRESS", all39); - - var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT QUIT"), - dup23, - ])); - - var msg675 = msg("UI_COMMIT_QUIT", part701); - - var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rollback failed"), - dup23, - ])); - - var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); - - var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT SYNC"), - dup23, - ])); - - var msg677 = msg("UI_COMMIT_SYNC", part703); - - var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","All logins to local configuration database were terminated"), - dup23, - ])); - - var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); - - var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); - - var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); - - var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); - - var select68 = linear_select([ - part706, - part707, - ]); - - var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); - - var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); - - var select69 = linear_select([ - part709, - dup112, - ]); - - var all40 = all_match({ - processors: [ - part705, - select68, - part708, - select69, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","CONFIGURATION ERROR"), - dup23, - ]), - }); - - var msg679 = msg("UI_CONFIGURATION_ERROR", all40); - - var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); - - var all41 = all_match({ - processors: [ - dup50, - dup157, - part710, - ], - on_success: processor_chain([ - dup30, - dup22, - 
setc("event_description","socket connection accept failed"), - dup23, - ]), - }); - - var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); - - var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create session child"), - dup23, - ])); - - var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); - - var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DAEMON SELECT FAILED"), - dup23, - ])); - - var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); - - var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); - - var all42 = all_match({ - processors: [ - dup50, - dup157, - part713, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed"), - dup23, - ]), - }); - - var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); - - var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to reaccess database file"), - dup23, - ])); - - var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); - - var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ - dup30, - dup22, - setc("event_description","Database is out of data"), - dup23, - ])); - - var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); - - var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to extend database file"), - dup23, - ])); - - var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); - - var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","User entering configuration mode"), - dup23, - ])); - - var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); - - var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User exiting configuration mode"), - dup23, - ])); - - var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); - - var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header extent mismatch"), - dup23, - ])); - - var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); - - var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header major version number mismatch"), - dup23, - ])); - - var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); - - var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header minor version number mismatch"), - dup23, - ])); - - var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); - - var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Database header sequence numbers mismatch"), - dup23, - ])); - - var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); - - var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header size mismatch"), - dup23, - ])); - - var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); - - var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Database open failed"), - dup23, - ])); - - var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); - - var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ - dup30, - dup22, - setc("event_description","DBASE REBUILD FAILED"), - dup23, - ])); - - var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); - - var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rebuild of the database failed"), - dup23, - ])); - - var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); - - var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); - - var select70 = linear_select([ - dup76, - part727, - ]); - - var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); - - var all43 = all_match({ - processors: [ - dup50, - select70, - part728, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","DBASE REBUILD STARTED"), - dup23, - ]), - }); - - var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); - - var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ - dup21, - dup22, - setc("event_description","user attempting database re-creation"), - dup23, - ])); - - var msg698 = msg("UI_DBASE_RECREATE", part729); - - var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Reopen of the database failed"), - dup23, - ])); - - var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); - - var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ - dup30, - dup22, - setc("event_description","Users have the same UID"), - dup23, - ])); - - var msg700 = msg("UI_DUPLICATE_UID", part731); - - var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ - setc("eventcategory","1401050100"), - dup22, - setc("event_description","User used JUNOScript client to run command"), - dup23, - ])); - - var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); - - var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JUNOScript error"), - dup23, - ])); - - var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); - - var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","User command"), - dup23, - ])); - - var msg703 = msg("UI_LOAD_EVENT", part734); - - var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ - setc("eventcategory","1701040000"), - dup22, - setc("event_description","Loading default config from file"), - dup23, - ])); - - var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); - - var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup128, - dup23, - ])); - - var msg705 = msg("UI_LOGIN_EVENT:01", part736); - - var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup23, - ])); - - var msg706 = msg("UI_LOGIN_EVENT", part737); - - var select71 = linear_select([ - msg705, - 
msg706, - ]); - - var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User logout"), - dup23, - ])); - - var msg707 = msg("UI_LOGOUT_EVENT", part738); - - var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","Lost connection to daemon"), - dup23, - ])); - - var msg708 = msg("UI_LOST_CONN", part739); - - var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ - dup21, - dup22, - setc("event_description","MASTERSHIP EVENT"), - dup23, - ])); - - var msg709 = msg("UI_MASTERSHIP_EVENT", part740); - - var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Terminating operation"), - dup23, - ])); - - var msg710 = msg("UI_MGD_TERMINATE", part741); - - var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ - dup29, - dup22, - setc("event_description","User used NETCONF client to run command"), - dup23, - ])); - - var msg711 = msg("UI_NETCONF_CMD", part742); - - var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","read failed for peer"), - dup23, - ])); - - var msg712 = msg("UI_READ_FAILED", part743); - - var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ - dup30, - dup22, - setc("event_description","Timeout on read of peer"), - dup23, - ])); - - var msg713 = msg("UI_READ_TIMEOUT", part744); - - var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ - dup60, - dup22, - setc("event_description","System reboot or halt"), - dup23, - ])); - - var msg714 = msg("UI_REBOOT_EVENT", part745); - - var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ - dup29, - dup22, - setc("event_description","user restarting daemon"), - dup23, - ])); - - var msg715 = msg("UI_RESTART_EVENT", part746); - - var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema is out of date"), - dup23, - ])); - - var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); - - var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema major version mismatch"), - dup23, - ])); - - var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); - - var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema minor version mismatch"), - dup23, - ])); - - var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); - 
- var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Schema header sequence numbers mismatch"), - dup23, - ])); - - var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); - - var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ - dup30, - dup22, - setc("event_description","Schema sequence number mismatch"), - dup23, - ])); - - var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); - - var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Configuration synchronization with remote Routing Engine"), - dup23, - ])); - - var msg721 = msg("UI_SYNC_OTHER_RE", part752); - - var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg722 = msg("UI_TACPLUS_ERROR", part753); - - var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch system version"), - dup23, - ])); - - var msg723 = msg("UI_VERSION_FAILED", part754); - - var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ - dup21, - dup22, - setc("event_description","Re-establishing connection to peer"), - dup23, - ])); - - var msg724 = 
msg("UI_WRITE_RECONNECT", part755); - - var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Interface new master for User"), - dup23, - ])); - - var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); - - var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ - dup69, - dup34, - dup35, - dup43, - dup22, - setc("event_description","Unable to authenticate client"), - dup23, - ])); - - var msg726 = msg("WEB_AUTH_FAIL", part757); - - var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated client"), - dup23, - ])); - - var msg727 = msg("WEB_AUTH_SUCCESS", part758); - - var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ - setc("eventcategory","1001030300"), - dup22, - setc("event_description","web request from unauthorized interface"), - dup23, - ])); - - var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); - - var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Unable to read from client"), - dup23, - ])); - - var msg729 = msg("WEB_READ", part760); - - var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ - setc("eventcategory","1204020100"), - dup22, - setc("event_description","failed to check web request"), - dup23, - ])); - - var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); - - var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ - dup74, - dup53, - dup43, - dup22, - dup52, - ])); - - var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); - - var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ - dup29, - dup22, - setc("event_description","Bridge Address"), - dup23, - ])); - - var msg732 = msg("eswd", part763); - - var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ - dup29, - dup22, - setc("event_description","ESWD STP State Change Info"), - dup23, - ])); - - var msg733 = msg("eswd:01", part764); - - var select72 = linear_select([ - msg732, - msg733, - ]); - - var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ - dup29, - dup22, - dup26, - dup23, - ])); - - var msg734 = msg("/usr/sbin/cron", part765); - - var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","Link status change event"), - dup23, - ])); - - var msg735 = msg("chassism:02", part766); - - var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","ifd process flaps"), - 
dup23, - ])); - - var msg736 = msg("chassism:01", part767); - - var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","IFCM "), - dup23, - ])); - - var msg737 = msg("chassism", part768); - - var select73 = linear_select([ - msg735, - msg736, - msg737, - ]); - - var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); - - var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); - - var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); - - var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); - - var select74 = linear_select([ - msg738, - msg739, - msg740, - msg741, - ]); - - var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); - - var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); - - var select75 = linear_select([ - msg742, - msg743, - ]); - - var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); - - var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ - dup46, - dup47, - dup23, - ])); - - var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); - - var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - 
dup128, - ])); - - var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); - - var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); - - var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); - - var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg749 = msg("LACPD_TIMEOUT", part778); - - var msg750 = msg("cli", dup159); - - var msg751 = msg("pfed", dup159); - - var msg752 = msg("idpinfo", dup159); - - var msg753 = msg("kmd", dup159); - - var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg754 = msg("node:01", part779); - - var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg755 = msg("node:02", part780); - - var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg756 = msg("node:03", part781); - - var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg757 = msg("node:04", part782); - - var select76 = linear_select([ - dup131, - dup132, - ]); - - var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); - - var select77 = linear_select([ - dup132, - dup131, - ]); - - var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); - - var all44 = all_match({ - processors: [ - dup130, - select76, - part783, - select77, - part784, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg758 = msg("node:05", all44); - - var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); - - var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); - - var select78 = linear_select([ - part785, - part786, - ]); - - var all45 = all_match({ - processors: [ - dup130, - select78, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg759 = msg("node:06", all45); - - var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg760 = msg("node:07", part787); - - var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg761 = msg("node:08", part788); - - var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg762 = msg("node:09", part789); - - var select79 = linear_select([ - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - ]); - - var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg763 = msg("(FPC:01", part790); - - var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg764 = msg("(FPC:02", part791); - - var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); - - var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); - - var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); - - var select80 = linear_select([ - part793, - part794, - ]); - - var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); - - var all46 = all_match({ - processors: [ - part792, - select80, - part795, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - dup24, - ]), - }); - - var msg765 = msg("(FPC:03", all46); - - var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg766 = msg("(FPC:04", part796); - - var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg767 = msg("(FPC:05", part797); - - var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg768 = msg("(FPC", part798); - - var select81 = linear_select([ - msg763, - msg764, - msg765, - msg766, 
- msg767, - msg768, - ]); - - var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ - dup48, - dup23, - dup22, - dup24, - ])); - - var msg769 = msg("tnp.bootpd", part799); - - var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ - dup48, - dup52, - dup22, - dup61, - ])); - - var msg770 = msg("AAMW_ACTION_LOG", part800); - - var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - dup61, - ])); - - var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); - - var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - ])); - - var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); - - var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); - - var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg774 = msg("RT_SCREEN_ICMP", part804); - - var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ - dup46, - dup52, - dup22, - dup61, - ])); - - var msg775 = msg("SECINTEL_ACTION_LOG", part805); - - var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); - - var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); - - var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); - - var select82 = linear_select([ - part807, - part808, - ]); - - var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); - - var all47 = all_match({ - processors: [ - part806, - select82, - part809, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - ]), - }); - - var msg776 = msg("qsfp", all47); - - var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); - - var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","LOGOUT"), - dup23, - ])); - - var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); - - var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); - - var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); - - var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); - - var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); - - var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); - - var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); - - var select83 = linear_select([ - part816, - part817, - ]); - - var all48 = all_match({ - processors: [ - part815, - select83, - ], - on_success: processor_chain([ - dup21, - dup22, - dup38, - dup23, - ]), - }); - - var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); - - var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); - - var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failed "), - dup24, - ])); - - var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); - - var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failure recovered"), - dup24, - ])); - - var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); - - var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - dup24, - ])); - - var msg786 = msg("JUNOSROUTER_GENERIC", part821); - - var select84 = linear_select([ - msg777, - msg778, - msg779, - msg780, - msg781, - msg782, - msg783, - msg784, - msg785, - msg786, - ]); - - var chain1 = processor_chain([ - select5, - msgid_select({ - "(FPC": select81, - "/usr/libexec/telnetd": msg2, - "/usr/sbin/cron": msg734, - "/usr/sbin/sshd": msg1, - "AAMWD_NETWORK_CONNECT_FAILED": msg745, - "AAMW_ACTION_LOG": msg770, - "AAMW_HOST_INFECTED_EVENT_LOG": msg771, - "AAMW_MALWARE_EVENT_LOG": msg772, - "ACCT_ACCOUNTING_FERROR": msg114, - "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, - "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, - "ACCT_BAD_RECORD_FORMAT": msg117, - "ACCT_CU_RTSLIB_error": msg118, - "ACCT_GETHOSTNAME_error": msg119, - "ACCT_MALLOC_FAILURE": msg120, - "ACCT_UNDEFINED_COUNTER_NAME": msg121, - "ACCT_XFER_FAILED": msg122, - "ACCT_XFER_POPEN_FAIL": msg123, - "APPQOS_LOG_EVENT": msg124, - "APPTRACK_SESSION_CLOSE": select30, - "APPTRACK_SESSION_CREATE": msg125, - "APPTRACK_SESSION_VOL_UPDATE": select31, - "BCHIP": msg106, - "BFDD_TRAP_STATE_DOWN": msg130, - "BFDD_TRAP_STATE_UP": msg131, - "BOOTPD_ARG_ERR": msg143, - "BOOTPD_BAD_ID": msg144, - "BOOTPD_BOOTSTRING": msg145, - "BOOTPD_CONFIG_ERR": msg146, - "BOOTPD_CONF_OPEN": msg147, - "BOOTPD_DUP_REV": msg148, - "BOOTPD_DUP_SLOT": msg149, - "BOOTPD_MODEL_CHK": msg150, - "BOOTPD_MODEL_ERR": msg151, - "BOOTPD_NEW_CONF": msg152, - "BOOTPD_NO_BOOTSTRING": msg153, - "BOOTPD_NO_CONFIG": msg154, - "BOOTPD_PARSE_ERR": msg155, - 
"BOOTPD_REPARSE": msg156, - "BOOTPD_SELECT_ERR": msg157, - "BOOTPD_TIMEOUT": msg158, - "BOOTPD_VERSION": msg159, - "CHASSISD": msg160, - "CHASSISD_ARGUMENT_ERROR": msg161, - "CHASSISD_BLOWERS_SPEED": msg162, - "CHASSISD_BLOWERS_SPEED_FULL": msg163, - "CHASSISD_CB_READ": msg164, - "CHASSISD_COMMAND_ACK_ERROR": msg165, - "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, - "CHASSISD_CONCAT_MODE_ERROR": msg167, - "CHASSISD_CONFIG_INIT_ERROR": msg168, - "CHASSISD_CONFIG_WARNING": msg169, - "CHASSISD_EXISTS": msg170, - "CHASSISD_EXISTS_TERM_OTHER": msg171, - "CHASSISD_FILE_OPEN": msg172, - "CHASSISD_FILE_STAT": msg173, - "CHASSISD_FRU_EVENT": msg174, - "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, - "CHASSISD_FRU_STEP_ERROR": msg176, - "CHASSISD_GETTIMEOFDAY": msg177, - "CHASSISD_HIGH_TEMP_CONDITION": msg214, - "CHASSISD_HOST_TEMP_READ": msg178, - "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, - "CHASSISD_IFDEV_DETACH_FPC": msg180, - "CHASSISD_IFDEV_DETACH_PIC": msg181, - "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, - "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, - "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, - "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, - "CHASSISD_IPC_UNEXPECTED_RECV": msg186, - "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, - "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, - "CHASSISD_MAC_ADDRESS_ERROR": msg189, - "CHASSISD_MAC_DEFAULT": msg190, - "CHASSISD_MBUS_ERROR": msg191, - "CHASSISD_PARSE_COMPLETE": msg192, - "CHASSISD_PARSE_ERROR": msg193, - "CHASSISD_PARSE_INIT": msg194, - "CHASSISD_PIDFILE_OPEN": msg195, - "CHASSISD_PIPE_WRITE_ERROR": msg196, - "CHASSISD_POWER_CHECK": msg197, - "CHASSISD_RECONNECT_SUCCESSFUL": msg198, - "CHASSISD_RELEASE_MASTERSHIP": msg199, - "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, - "CHASSISD_ROOT_MOUNT_ERROR": msg201, - "CHASSISD_RTS_SEQ_ERROR": msg202, - "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, - "CHASSISD_SERIAL_ID": msg204, - "CHASSISD_SMB_ERROR": msg205, - "CHASSISD_SNMP_TRAP10": msg208, - "CHASSISD_SNMP_TRAP6": msg206, - "CHASSISD_SNMP_TRAP7": 
msg207, - "CHASSISD_TERM_SIGNAL": msg209, - "CHASSISD_TRACE_PIC_OFFLINE": msg210, - "CHASSISD_UNEXPECTED_EXIT": msg211, - "CHASSISD_UNSUPPORTED_MODEL": msg212, - "CHASSISD_VERSION_MISMATCH": msg213, - "CM": msg107, - "CM_JAVA": msg216, - "COS": msg108, - "COSFPC": msg109, - "COSMAN": msg110, - "CRON": msg16, - "CROND": select11, - "Cmerror": msg17, - "DCD_AS_ROOT": msg217, - "DCD_FILTER_LIB_ERROR": msg218, - "DCD_MALLOC_FAILED_INIT": msg219, - "DCD_PARSE_EMERGENCY": msg220, - "DCD_PARSE_FILTER_EMERGENCY": msg221, - "DCD_PARSE_MINI_EMERGENCY": msg222, - "DCD_PARSE_STATE_EMERGENCY": msg223, - "DCD_POLICER_PARSE_EMERGENCY": msg224, - "DCD_PULL_LOG_FAILURE": msg225, - "DFWD_ARGUMENT_ERROR": msg226, - "DFWD_MALLOC_FAILED_INIT": msg227, - "DFWD_PARSE_FILTER_EMERGENCY": msg228, - "DFWD_PARSE_STATE_EMERGENCY": msg229, - "ECCD_DAEMONIZE_FAILED": msg230, - "ECCD_DUPLICATE": msg231, - "ECCD_LOOP_EXIT_FAILURE": msg232, - "ECCD_NOT_ROOT": msg233, - "ECCD_PCI_FILE_OPEN_FAILED": msg234, - "ECCD_PCI_READ_FAILED": msg235, - "ECCD_PCI_WRITE_FAILED": msg236, - "ECCD_PID_FILE_LOCK": msg237, - "ECCD_PID_FILE_UPDATE": msg238, - "ECCD_TRACE_FILE_OPEN_FAILED": msg239, - "ECCD_usage": msg240, - "EVENT": msg23, - "EVENTD_AUDIT_SHOW": msg241, - "FLOW_REASSEMBLE_FAIL": msg731, - "FLOW_REASSEMBLE_SUCCEED": msg242, - "FSAD_CHANGE_FILE_OWNER": msg243, - "FSAD_CONFIG_ERROR": msg244, - "FSAD_CONNTIMEDOUT": msg245, - "FSAD_FAILED": msg246, - "FSAD_FETCHTIMEDOUT": msg247, - "FSAD_FILE_FAILED": msg248, - "FSAD_FILE_REMOVE": msg249, - "FSAD_FILE_RENAME": msg250, - "FSAD_FILE_STAT": msg251, - "FSAD_FILE_SYNC": msg252, - "FSAD_MAXCONN": msg253, - "FSAD_MEMORYALLOC_FAILED": msg254, - "FSAD_NOT_ROOT": msg255, - "FSAD_PARENT_DIRECTORY": msg256, - "FSAD_PATH_IS_DIRECTORY": msg257, - "FSAD_PATH_IS_SPECIAL": msg258, - "FSAD_RECVERROR": msg259, - "FSAD_TERMINATED_CONNECTION": msg260, - "FSAD_TERMINATING_SIGNAL": msg261, - "FSAD_TRACEOPEN_FAILED": msg262, - "FSAD_USAGE": msg263, - "Failed": select25, - 
"GGSN_ALARM_TRAP_FAILED": msg264, - "GGSN_ALARM_TRAP_SEND": msg265, - "GGSN_TRAP_SEND": msg266, - "IDP_ATTACK_LOG_EVENT": msg773, - "JADE_AUTH_ERROR": msg267, - "JADE_EXEC_ERROR": msg268, - "JADE_NO_LOCAL_USER": msg269, - "JADE_PAM_ERROR": msg270, - "JADE_PAM_NO_LOCAL_USER": msg271, - "JSRPD_HA_CONTROL_LINK_UP": msg748, - "JUNOSROUTER_GENERIC": select84, - "KERN_ARP_ADDR_CHANGE": msg272, - "KMD_PM_SA_ESTABLISHED": msg273, - "L2CPD_TASK_REINIT": msg274, - "LACPD_TIMEOUT": msg749, - "LIBJNX_EXEC_EXITED": msg275, - "LIBJNX_EXEC_FAILED": msg276, - "LIBJNX_EXEC_PIPE": msg277, - "LIBJNX_EXEC_SIGNALED": msg278, - "LIBJNX_EXEC_WEXIT": msg279, - "LIBJNX_FILE_COPY_FAILED": msg280, - "LIBJNX_PRIV_LOWER_FAILED": msg281, - "LIBJNX_PRIV_RAISE_FAILED": msg282, - "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, - "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, - "LIBSERVICED_CLIENT_CONNECTION": msg285, - "LIBSERVICED_OUTBOUND_REQUEST": msg286, - "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, - "LIBSERVICED_SOCKET_BIND": msg288, - "LIBSERVICED_SOCKET_PRIVATIZE": msg289, - "LICENSE_EXPIRED": msg290, - "LICENSE_EXPIRED_KEY_DELETED": msg291, - "LICENSE_NEARING_EXPIRY": msg292, - "LOGIN_ABORTED": msg293, - "LOGIN_FAILED": msg294, - "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, - "LOGIN_FAILED_SET_CONTEXT": msg296, - "LOGIN_FAILED_SET_LOGIN": msg297, - "LOGIN_HOSTNAME_UNRESOLVED": msg298, - "LOGIN_INFORMATION": msg299, - "LOGIN_INVALID_LOCAL_USER": msg300, - "LOGIN_MALFORMED_USER": msg301, - "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, - "LOGIN_PAM_ERROR": msg303, - "LOGIN_PAM_MAX_RETRIES": msg304, - "LOGIN_PAM_NONLOCAL_USER": msg305, - "LOGIN_PAM_STOP": msg306, - "LOGIN_PAM_USER_UNKNOWN": msg307, - "LOGIN_PASSWORD_EXPIRED": msg308, - "LOGIN_REFUSED": msg309, - "LOGIN_ROOT": msg310, - "LOGIN_TIMED_OUT": msg311, - "MIB2D_ATM_ERROR": msg312, - "MIB2D_CONFIG_CHECK_FAILED": msg313, - "MIB2D_FILE_OPEN_FAILURE": msg314, - "MIB2D_IFD_IFINDEX_FAILURE": msg315, - "MIB2D_IFL_IFINDEX_FAILURE": msg316, - 
"MIB2D_INIT_FAILURE": msg317, - "MIB2D_KVM_FAILURE": msg318, - "MIB2D_RTSLIB_READ_FAILURE": msg319, - "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, - "MIB2D_SYSCTL_FAILURE": msg321, - "MIB2D_TRAP_HEADER_FAILURE": msg322, - "MIB2D_TRAP_SEND_FAILURE": msg323, - "MRVL-L2": msg56, - "Multiuser": msg324, - "NASD_AUTHENTICATION_CREATE_FAILED": msg325, - "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, - "NASD_CHAP_GETHOSTNAME_FAILED": msg327, - "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, - "NASD_CHAP_INVALID_OPCODE": msg329, - "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, - "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, - "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, - "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, - "NASD_DAEMONIZE_FAILED": msg334, - "NASD_DB_ALLOC_FAILURE": msg335, - "NASD_DB_TABLE_CREATE_FAILURE": msg336, - "NASD_DUPLICATE": msg337, - "NASD_EVLIB_CREATE_FAILURE": msg338, - "NASD_EVLIB_EXIT_FAILURE": msg339, - "NASD_LOCAL_CREATE_FAILED": msg340, - "NASD_NOT_ROOT": msg341, - "NASD_PID_FILE_LOCK": msg342, - "NASD_PID_FILE_UPDATE": msg343, - "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, - "NASD_PPP_READ_FAILURE": msg345, - "NASD_PPP_SEND_FAILURE": msg346, - "NASD_PPP_SEND_PARTIAL": msg347, - "NASD_PPP_UNRECOGNIZED": msg348, - "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, - "NASD_RADIUS_CONFIG_FAILED": msg350, - "NASD_RADIUS_CREATE_FAILED": msg351, - "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, - "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, - "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, - "NASD_RADIUS_OPEN_FAILED": msg355, - "NASD_RADIUS_SELECT_FAILED": msg356, - "NASD_RADIUS_SET_TIMER_FAILED": msg357, - "NASD_TRACE_FILE_OPEN_FAILED": msg358, - "NASD_usage": msg359, - "NOTICE": msg360, - "PFEMAN": msg61, - "PFE_FW_SYSLOG_IP": select36, - "PFE_NH_RESOLVE_THROTTLED": msg363, - "PING_TEST_COMPLETED": msg364, - "PING_TEST_FAILED": msg365, - "PKID_UNABLE_TO_GET_CRL": msg746, - "PWC_EXIT": msg368, - "PWC_HOLD_RELEASE": msg369, - "PWC_INVALID_RUNS_ARGUMENT": msg370, - 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, - "PWC_KILLED_BY_SIGNAL": msg372, - "PWC_KILL_EVENT": msg373, - "PWC_KILL_FAILED": msg374, - "PWC_KQUEUE_ERROR": msg375, - "PWC_KQUEUE_INIT": msg376, - "PWC_KQUEUE_REGISTER_FILTER": msg377, - "PWC_LOCKFILE_BAD_FORMAT": msg378, - "PWC_LOCKFILE_ERROR": msg379, - "PWC_LOCKFILE_MISSING": msg380, - "PWC_LOCKFILE_NOT_LOCKED": msg381, - "PWC_NO_PROCESS": msg382, - "PWC_PROCESS_EXIT": msg383, - "PWC_PROCESS_FORCED_HOLD": msg384, - "PWC_PROCESS_HOLD": msg385, - "PWC_PROCESS_HOLD_SKIPPED": msg386, - "PWC_PROCESS_OPEN": msg387, - "PWC_PROCESS_TIMED_HOLD": msg388, - "PWC_PROCESS_TIMEOUT": msg389, - "PWC_SIGNAL_INIT": msg390, - "PWC_SOCKET_CONNECT": msg391, - "PWC_SOCKET_CREATE": msg392, - "PWC_SOCKET_OPTION": msg393, - "PWC_STDOUT_WRITE": msg394, - "PWC_SYSTEM_CALL": msg395, - "PWC_UNKNOWN_KILL_OPTION": msg396, - "RDP": msg111, - "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, - "RMOPD_ADDRESS_SOURCE_INVALID": msg398, - "RMOPD_ADDRESS_STRING_FAILURE": msg399, - "RMOPD_ADDRESS_TARGET_INVALID": msg400, - "RMOPD_DUPLICATE": msg401, - "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, - "RMOPD_ICMP_SENDMSG_FAILURE": msg403, - "RMOPD_IFINDEX_NOT_ACTIVE": msg404, - "RMOPD_IFINDEX_NO_INFO": msg405, - "RMOPD_IFNAME_NOT_ACTIVE": msg406, - "RMOPD_IFNAME_NO_INFO": msg407, - "RMOPD_NOT_ROOT": msg408, - "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, - "RMOPD_TRACEROUTE_ERROR": msg410, - "RMOPD_usage": msg411, - "RPD_ABORT": msg412, - "RPD_ACTIVE_TERMINATE": msg413, - "RPD_ASSERT": msg414, - "RPD_ASSERT_SOFT": msg415, - "RPD_EXIT": msg416, - "RPD_IFL_INDEXCOLLISION": msg417, - "RPD_IFL_NAMECOLLISION": msg418, - "RPD_ISIS_ADJDOWN": msg419, - "RPD_ISIS_ADJUP": msg420, - "RPD_ISIS_ADJUPNOIP": msg421, - "RPD_ISIS_LSPCKSUM": msg422, - "RPD_ISIS_OVERLOAD": msg423, - "RPD_KRT_AFUNSUPRT": msg424, - "RPD_KRT_CCC_IFL_MODIFY": msg425, - "RPD_KRT_DELETED_RTT": msg426, - "RPD_KRT_IFA_GENERATION": msg427, - "RPD_KRT_IFDCHANGE": msg428, - "RPD_KRT_IFDEST_GET": msg429, - 
"RPD_KRT_IFDGET": msg430, - "RPD_KRT_IFD_GENERATION": msg431, - "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, - "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, - "RPD_KRT_IFL_GENERATION": msg434, - "RPD_KRT_KERNEL_BAD_ROUTE": msg435, - "RPD_KRT_NEXTHOP_OVERFLOW": msg436, - "RPD_KRT_NOIFD": msg437, - "RPD_KRT_UNKNOWN_RTT": msg438, - "RPD_KRT_VERSION": msg439, - "RPD_KRT_VERSIONNONE": msg440, - "RPD_KRT_VERSIONOLD": msg441, - "RPD_LDP_INTF_BLOCKED": msg442, - "RPD_LDP_INTF_UNBLOCKED": msg443, - "RPD_LDP_NBRDOWN": msg444, - "RPD_LDP_NBRUP": msg445, - "RPD_LDP_SESSIONDOWN": msg446, - "RPD_LDP_SESSIONUP": msg447, - "RPD_LOCK_FLOCKED": msg448, - "RPD_LOCK_LOCKED": msg449, - "RPD_MPLS_LSP_CHANGE": msg450, - "RPD_MPLS_LSP_DOWN": msg451, - "RPD_MPLS_LSP_SWITCH": msg452, - "RPD_MPLS_LSP_UP": msg453, - "RPD_MSDP_PEER_DOWN": msg454, - "RPD_MSDP_PEER_UP": msg455, - "RPD_OSPF_NBRDOWN": msg456, - "RPD_OSPF_NBRUP": msg457, - "RPD_OS_MEMHIGH": msg458, - "RPD_PIM_NBRDOWN": msg459, - "RPD_PIM_NBRUP": msg460, - "RPD_RDISC_CKSUM": msg461, - "RPD_RDISC_NOMULTI": msg462, - "RPD_RDISC_NORECVIF": msg463, - "RPD_RDISC_SOLICITADDR": msg464, - "RPD_RDISC_SOLICITICMP": msg465, - "RPD_RDISC_SOLICITLEN": msg466, - "RPD_RIP_AUTH": msg467, - "RPD_RIP_JOIN_BROADCAST": msg468, - "RPD_RIP_JOIN_MULTICAST": msg469, - "RPD_RT_IFUP": msg470, - "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, - "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, - "RPD_SCHED_MODULE_LONGRUNTIME": msg473, - "RPD_SCHED_TASK_LONGRUNTIME": msg474, - "RPD_SIGNAL_TERMINATE": msg475, - "RPD_START": msg476, - "RPD_SYSTEM": msg477, - "RPD_TASK_BEGIN": msg478, - "RPD_TASK_CHILDKILLED": msg479, - "RPD_TASK_CHILDSTOPPED": msg480, - "RPD_TASK_FORK": msg481, - "RPD_TASK_GETWD": msg482, - "RPD_TASK_NOREINIT": msg483, - "RPD_TASK_PIDCLOSED": msg484, - "RPD_TASK_PIDFLOCK": msg485, - "RPD_TASK_PIDWRITE": msg486, - "RPD_TASK_REINIT": msg487, - "RPD_TASK_SIGNALIGNORE": msg488, - "RT_COS": msg489, - "RT_FLOW_SESSION_CLOSE": select51, - 
"RT_FLOW_SESSION_CREATE": select45, - "RT_FLOW_SESSION_DENY": select47, - "RT_SCREEN_ICMP": msg774, - "RT_SCREEN_IP": select52, - "RT_SCREEN_SESSION_LIMIT": msg504, - "RT_SCREEN_TCP": msg503, - "RT_SCREEN_UDP": msg505, - "Resolve": msg63, - "SECINTEL_ACTION_LOG": msg775, - "SECINTEL_ERROR_OTHERS": msg747, - "SECINTEL_NETWORK_CONNECT_FAILED": msg744, - "SERVICED_CLIENT_CONNECT": msg506, - "SERVICED_CLIENT_DISCONNECTED": msg507, - "SERVICED_CLIENT_ERROR": msg508, - "SERVICED_COMMAND_FAILED": msg509, - "SERVICED_COMMIT_FAILED": msg510, - "SERVICED_CONFIGURATION_FAILED": msg511, - "SERVICED_CONFIG_ERROR": msg512, - "SERVICED_CONFIG_FILE": msg513, - "SERVICED_CONNECTION_ERROR": msg514, - "SERVICED_DISABLED_GGSN": msg515, - "SERVICED_DUPLICATE": msg516, - "SERVICED_EVENT_FAILED": msg517, - "SERVICED_INIT_FAILED": msg518, - "SERVICED_MALLOC_FAILURE": msg519, - "SERVICED_NETWORK_FAILURE": msg520, - "SERVICED_NOT_ROOT": msg521, - "SERVICED_PID_FILE_LOCK": msg522, - "SERVICED_PID_FILE_UPDATE": msg523, - "SERVICED_RTSOCK_SEQUENCE": msg524, - "SERVICED_SIGNAL_HANDLER": msg525, - "SERVICED_SOCKET_CREATE": msg526, - "SERVICED_SOCKET_IO": msg527, - "SERVICED_SOCKET_OPTION": msg528, - "SERVICED_STDLIB_FAILURE": msg529, - "SERVICED_USAGE": msg530, - "SERVICED_WORK_INCONSISTENCY": msg531, - "SNMPD_ACCESS_GROUP_ERROR": msg537, - "SNMPD_AUTH_FAILURE": select53, - "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, - "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, - "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, - "SNMPD_CONFIG_ERROR": msg545, - "SNMPD_CONTEXT_ERROR": msg546, - "SNMPD_ENGINE_FILE_FAILURE": msg547, - "SNMPD_ENGINE_PROCESS_ERROR": msg548, - "SNMPD_FILE_FAILURE": msg549, - "SNMPD_GROUP_ERROR": msg550, - "SNMPD_INIT_FAILED": msg551, - "SNMPD_LIBJUNIPER_FAILURE": msg552, - "SNMPD_LOOPBACK_ADDR_ERROR": msg553, - "SNMPD_MEMORY_FREED": msg554, - "SNMPD_RADIX_FAILURE": msg555, - "SNMPD_RECEIVE_FAILURE": msg556, - "SNMPD_RMONFILE_FAILURE": msg557, - "SNMPD_RMON_COOKIE": msg558, - "SNMPD_RMON_EVENTLOG": 
msg559, - "SNMPD_RMON_IOERROR": msg560, - "SNMPD_RMON_MIBERROR": msg561, - "SNMPD_RTSLIB_ASYNC_EVENT": msg562, - "SNMPD_SEND_FAILURE": select54, - "SNMPD_SOCKET_FAILURE": msg565, - "SNMPD_SUBAGENT_NO_BUFFERS": msg566, - "SNMPD_SUBAGENT_SEND_FAILED": msg567, - "SNMPD_SYSLIB_FAILURE": msg568, - "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, - "SNMPD_TRAP_COLD_START": msg570, - "SNMPD_TRAP_GEN_FAILURE": msg571, - "SNMPD_TRAP_GEN_FAILURE2": msg572, - "SNMPD_TRAP_INVALID_DATA": msg573, - "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, - "SNMPD_TRAP_QUEUED": msg575, - "SNMPD_TRAP_QUEUE_DRAINED": msg576, - "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, - "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, - "SNMPD_TRAP_THROTTLED": msg579, - "SNMPD_TRAP_TYPE_ERROR": msg580, - "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, - "SNMPD_TRAP_VERSION_ERROR": msg582, - "SNMPD_TRAP_WARM_START": msg583, - "SNMPD_USER_ERROR": msg584, - "SNMPD_VIEW_DELETE": msg585, - "SNMPD_VIEW_INSTALL_DEFAULT": msg586, - "SNMPD_VIEW_OID_PARSE": msg587, - "SNMP_GET_ERROR1": msg588, - "SNMP_GET_ERROR2": msg589, - "SNMP_GET_ERROR3": msg590, - "SNMP_GET_ERROR4": msg591, - "SNMP_NS_LOG_INFO": msg535, - "SNMP_RTSLIB_FAILURE": msg592, - "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, - "SNMP_TRAP_LINK_DOWN": select55, - "SNMP_TRAP_LINK_UP": select56, - "SNMP_TRAP_PING_PROBE_FAILED": msg597, - "SNMP_TRAP_PING_TEST_COMPLETED": msg598, - "SNMP_TRAP_PING_TEST_FAILED": msg599, - "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, - "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, - "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, - "SNTPD": msg112, - "SSB": msg113, - "SSHD_LOGIN_FAILED": select57, - "SSL_PROXY_SESSION_IGNORE": msg534, - "SSL_PROXY_SSL_SESSION_ALLOW": msg532, - "SSL_PROXY_SSL_SESSION_DROP": msg533, - "TASK_TASK_REINIT": msg606, - "TFTPD_AF_ERR": msg607, - "TFTPD_BIND_ERR": msg608, - "TFTPD_CONNECT_ERR": msg609, - "TFTPD_CONNECT_INFO": msg610, - "TFTPD_CREATE_ERR": msg611, - "TFTPD_FIO_ERR": msg612, - "TFTPD_FORK_ERR": msg613, - "TFTPD_NAK_ERR": msg614, - 
"TFTPD_OPEN_ERR": msg615, - "TFTPD_RECVCOMPLETE_INFO": msg616, - "TFTPD_RECVFROM_ERR": msg617, - "TFTPD_RECV_ERR": msg618, - "TFTPD_SENDCOMPLETE_INFO": msg619, - "TFTPD_SEND_ERR": msg620, - "TFTPD_SOCKET_ERR": msg621, - "TFTPD_STATFS_ERR": msg622, - "TNP": msg623, - "UI_AUTH_EVENT": msg628, - "UI_AUTH_INVALID_CHALLENGE": msg629, - "UI_BOOTTIME_FAILED": msg630, - "UI_CFG_AUDIT_NEW": select58, - "UI_CFG_AUDIT_OTHER": select60, - "UI_CFG_AUDIT_SET": select63, - "UI_CFG_AUDIT_SET_SECRET": select64, - "UI_CHILD_ARGS_EXCEEDED": msg645, - "UI_CHILD_CHANGE_USER": msg646, - "UI_CHILD_EXEC": msg647, - "UI_CHILD_EXITED": msg648, - "UI_CHILD_FOPEN": msg649, - "UI_CHILD_PIPE_FAILED": msg650, - "UI_CHILD_SIGNALED": msg651, - "UI_CHILD_START": msg653, - "UI_CHILD_STATUS": msg654, - "UI_CHILD_STOPPED": msg652, - "UI_CHILD_WAITPID": msg655, - "UI_CLI_IDLE_TIMEOUT": msg656, - "UI_CMDLINE_READ_LINE": msg657, - "UI_CMDSET_EXEC_FAILED": msg658, - "UI_CMDSET_FORK_FAILED": msg659, - "UI_CMDSET_PIPE_FAILED": msg660, - "UI_CMDSET_STOPPED": msg661, - "UI_CMDSET_WEXITED": msg662, - "UI_CMD_AUTH_REGEX_INVALID": msg663, - "UI_COMMIT": msg664, - "UI_COMMIT_AT": msg665, - "UI_COMMIT_AT_COMPLETED": msg666, - "UI_COMMIT_AT_FAILED": msg667, - "UI_COMMIT_COMPRESS_FAILED": msg668, - "UI_COMMIT_CONFIRMED": msg669, - "UI_COMMIT_CONFIRMED_REMINDER": msg670, - "UI_COMMIT_CONFIRMED_TIMED": msg671, - "UI_COMMIT_EMPTY_CONTAINER": msg672, - "UI_COMMIT_NOT_CONFIRMED": msg673, - "UI_COMMIT_PROGRESS": msg674, - "UI_COMMIT_QUIT": msg675, - "UI_COMMIT_ROLLBACK_FAILED": msg676, - "UI_COMMIT_SYNC": msg677, - "UI_COMMIT_SYNC_FORCE": msg678, - "UI_CONFIGURATION_ERROR": msg679, - "UI_DAEMON_ACCEPT_FAILED": msg680, - "UI_DAEMON_FORK_FAILED": msg681, - "UI_DAEMON_SELECT_FAILED": msg682, - "UI_DAEMON_SOCKET_FAILED": msg683, - "UI_DBASE_ACCESS_FAILED": msg684, - "UI_DBASE_CHECKOUT_FAILED": msg685, - "UI_DBASE_EXTEND_FAILED": msg686, - "UI_DBASE_LOGIN_EVENT": msg687, - "UI_DBASE_LOGOUT_EVENT": msg688, - 
"UI_DBASE_MISMATCH_EXTENT": msg689, - "UI_DBASE_MISMATCH_MAJOR": msg690, - "UI_DBASE_MISMATCH_MINOR": msg691, - "UI_DBASE_MISMATCH_SEQUENCE": msg692, - "UI_DBASE_MISMATCH_SIZE": msg693, - "UI_DBASE_OPEN_FAILED": msg694, - "UI_DBASE_REBUILD_FAILED": msg695, - "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, - "UI_DBASE_REBUILD_STARTED": msg697, - "UI_DBASE_RECREATE": msg698, - "UI_DBASE_REOPEN_FAILED": msg699, - "UI_DUPLICATE_UID": msg700, - "UI_JUNOSCRIPT_CMD": msg701, - "UI_JUNOSCRIPT_ERROR": msg702, - "UI_LOAD_EVENT": msg703, - "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, - "UI_LOGIN_EVENT": select71, - "UI_LOGOUT_EVENT": msg707, - "UI_LOST_CONN": msg708, - "UI_MASTERSHIP_EVENT": msg709, - "UI_MGD_TERMINATE": msg710, - "UI_NETCONF_CMD": msg711, - "UI_READ_FAILED": msg712, - "UI_READ_TIMEOUT": msg713, - "UI_REBOOT_EVENT": msg714, - "UI_RESTART_EVENT": msg715, - "UI_SCHEMA_CHECKOUT_FAILED": msg716, - "UI_SCHEMA_MISMATCH_MAJOR": msg717, - "UI_SCHEMA_MISMATCH_MINOR": msg718, - "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, - "UI_SCHEMA_SEQUENCE_ERROR": msg720, - "UI_SYNC_OTHER_RE": msg721, - "UI_TACPLUS_ERROR": msg722, - "UI_VERSION_FAILED": msg723, - "UI_WRITE_RECONNECT": msg724, - "VRRPD_NEWMASTER_TRAP": msg725, - "Version": msg99, - "WEBFILTER_REQUEST_NOT_CHECKED": msg730, - "WEBFILTER_URL_BLOCKED": select75, - "WEBFILTER_URL_PERMITTED": select74, - "WEB_AUTH_FAIL": msg726, - "WEB_AUTH_SUCCESS": msg727, - "WEB_INTERFACE_UNAUTH": msg728, - "WEB_READ": msg729, - "alarmd": msg3, - "bgp_connect_start": msg132, - "bgp_event": msg133, - "bgp_listen_accept": msg134, - "bgp_listen_reset": msg135, - "bgp_nexthop_sanity": msg136, - "bgp_pp_recv": select33, - "bgp_process_caps": select32, - "bgp_send": msg141, - "bgp_traffic_timeout": msg142, - "bigd": select6, - "bigpipe": select7, - "bigstart": msg9, - "cgatool": msg10, - "chassisd": msg11, - "chassism": select73, - "checkd": select8, - "clean_process": msg215, - "cli": msg750, - "cosd": msg14, - "craftd": msg15, - "cron": msg18, - 
"crond": msg21, - "dcd": msg22, - "eswd": select72, - "ftpd": msg24, - "ha_rto_stats_handler": msg25, - "hostinit": msg26, - "idpinfo": msg752, - "ifinfo": select13, - "ifp_ifl_anydown_change_event": msg30, - "ifp_ifl_config_event": msg31, - "ifp_ifl_ext_chg": msg32, - "inetd": select14, - "init": select15, - "ipc_msg_write": msg40, - "kernel": select17, - "kmd": msg753, - "last": select28, - "login": select18, - "lsys_ssam_handler": msg53, - "mcsn": msg54, - "mgd": msg62, - "mrvl_dfw_log_effuse_status": msg55, - "node": select79, - "pfed": msg751, - "process_mode": select38, - "profile_ssam_handler": msg57, - "pst_nat_binding_set_profile": msg58, - "qsfp": msg776, - "respawn": msg64, - "root": msg65, - "rpd": select20, - "rshd": msg70, - "sfd": msg71, - "sshd": select21, - "syslogd": msg92, - "task_connect": msg605, - "task_reconfigure": msg59, - "tnetd": msg60, - "tnp.bootpd": msg769, - "trace_on": msg624, - "trace_rotate": msg625, - "transfer-file": msg626, - "ttloop": msg627, - "ucd-snmp": select26, - "usp_ipc_client_reconnect": msg95, - "usp_trace_ipc_disconnect": msg96, - "usp_trace_ipc_reconnect": msg97, - "uspinfo": msg98, - "xntpd": select27, - }), - ]); - - var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); - - var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); - - var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); - - var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var select85 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var select86 = linear_select([ - dup40, - dup41, - ]); - - var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var select87 = linear_select([ - dup76, - dup77, - ]); - - var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var select88 = linear_select([ - dup88, - dup89, - ]); - - var select89 = linear_select([ - dup90, - dup45, - ]); - - var select90 = linear_select([ - dup95, - dup96, - ]); - - var 
select91 = linear_select([ - dup101, - dup91, - ]); - - var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - dup52, - ])); - - var select92 = linear_select([ - dup118, - dup119, - ]); - - var select93 = linear_select([ - dup123, - dup124, - ]); - - var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 2abb5c1182..0000000000 --- a/packages/juniper_junos/0.2.1/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,12569 +0,0 @@ -udp: -host: "{{udp_host}}:{{udp_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Juniper" - product: "Junos" - type: "Routers" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
- },
-
- toDate: function() {
- if (this.unix !== undefined) {
- return new Date(this.unix * 1000);
- }
- if (this.day === undefined || this.month === undefined) {
- // Can't make a date from this.
- return undefined;
- }
- if (this.year === undefined) {
- // A date without a year. Set current year, or previous year
- // if date would be in the future.
- var now = new Date();
- this.year = now.getFullYear();
- var date = this.toDate();
- if (date.getTime() - now.getTime() > maxFutureDelta) {
- date.setFullYear(now.getFullYear() - 1);
- }
- return date;
- }
- var MM = to2Digit(this.month);
- var DD = to2Digit(this.day);
- var hh = to2Digit(this.hours);
- var mm = to2Digit(this.minutes);
- var ss = to2Digit(this.seconds);
- return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
- }
- }
-
- function date_time_try_pattern(fmt, str, tzOffset) {
- var date = new DateContainer(tzOffset);
- var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
- return pos !== undefined? date.toDate() : undefined;
- }
-
- function date_time_try_pattern_at_pos(fmt, str, pos, date) {
- var len = str.length;
- for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
- pos = fmt[proc](str, pos, date);
- }
- return pos;
- }
-
- function date_time(opts) {
- return function (evt) {
- var tzOffset = opts.tz || tz_offset;
- if (tzOffset === "event") {
- tzOffset = evt.Get("event.timezone");
- }
- var str = date_time_join_args(evt, opts.args);
- for (var i = 0; i < opts.fmts.length; i++) {
- var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
- if (date !== undefined) {
- evt.Put(FIELDS_PREFIX + opts.dest, date);
- return;
- }
- }
- if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
- };
- }
-
- var uA = 60 * 60 * 24;
- var uD = 60 * 60 * 24;
- var uF = 60 * 60;
- var uG = 60 * 60 * 24 * 30;
- var uH = 60 * 60;
- var uI = 60 * 60;
- var uJ = 60 * 60 * 24;
- var uM = 60 * 60 * 24 * 30;
- var uN = 60 * 60;
- var uO = 1;
- var uS = 1;
- var uT = 60;
- var uU = 60;
- var uc = dc;
-
- function duration(opts) {
- return function(evt) {
- var str = date_time_join_args(evt, opts.args);
- for (var i = 0; i < opts.fmts.length; i++) {
- var seconds = duration_try_pattern(opts.fmts[i], str);
- if (seconds !== undefined) {
- evt.Put(FIELDS_PREFIX + opts.dest, seconds);
- return;
- }
- }
- if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
- };
- }
-
- function duration_try_pattern(fmt, str) {
- var secs = 0;
- var pos = 0;
- for (var i=0; i [ month_id , how many chars to skip if month in long form ]
- "Jan": [0, 4],
- "Feb": [1, 5],
- "Mar": [2, 2],
- "Apr": [3, 2],
- "May": [4, 0],
- "Jun": [5, 1],
- "Jul": [6, 1],
- "Aug": [7, 3],
- "Sep": [8, 6],
- "Oct": [9, 4],
- "Nov": [10, 5],
- "Dec": [11, 4],
- "jan": [0, 4],
- "feb": [1, 5],
- "mar": [2, 2],
- "apr": [3, 2],
- "may": [4, 0],
- "jun": [5, 1],
- "jul": [6, 1],
- "aug": [7, 3],
- "sep": [8, 6],
- "oct": [9, 4],
- "nov": [10, 5],
- "dec": [11, 4],
- };
-
- // var dC = undefined;
- var dR = dateMonthName(true);
- var dB = dateMonthName(false);
- var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
- var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
- var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
- var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
- var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
- var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
- var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
- var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
- var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
- var dP = parseAMPM; // AM|PM
- var dQ = parseAMPM; // A.M.|P.M
- var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
- var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
- var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
- var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
- var dZ = parseHMS;
- var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
-
- // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
- // Only works if this modifier appears after the hour has been read from logs
- // which is always the case in the 300 devices.
- function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
- }
-
- function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
- }
-
- function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
- }
-
- function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
- }
-
- function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length? pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ? idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0;
- var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
- return function(evt) {
- var msg = evt.Get(src);
- if (msg === undefined) {
- console.warn("tagval: input field is missing");
- return fail(evt);
- }
- var pairs = msg.split(cfg.pair_separator);
- var i;
- var success = false;
- var prev = "";
- for (i=0; i 0 &&
- value.length >= cfg.open_quote.length + cfg.close_quote.length &&
- value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
- value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
- value = value.substr(cfg.open_quote.length, value.length - quotes_len);
- }
- evt.Put(FIELDS_PREFIX + field, value);
- success = true;
- }
- if (!success) {
- return fail(evt);
- }
- if (on_success != null) {
- on_success(evt);
- }
- }
- }
-
- var ecs_mappings = {
- "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
- "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
- "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
- "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
- "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
- "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
- "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
- "application": {to:[{field: "network.application", setter: fld_set}]},
- "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
- "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
- "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field:
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{day->} %{time->} %{p0}"); - - var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var dup9 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup10 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("p0"), - ], - }); - - var dup11 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup12 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }); - - var dup13 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" ["), - field("p0"), - ], - }); - - var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var dup19 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - 
field("messageid"), - constant("["), - field("pid"), - constant("]: "), - field("p0"), - ], - }); - - var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); - - var dup21 = setc("eventcategory","1605000000"); - - var dup22 = setf("msg","$MSG"); - - var dup23 = date_time({ - dest: "event_time", - args: ["month","day","time"], - fmts: [ - [dB,dF,dH,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup24 = setf("hostname","hhost"); - - var dup25 = setc("event_description","AUDIT"); - - var dup26 = setc("event_description","CRON command"); - - var dup27 = setc("eventcategory","1801030000"); - - var dup28 = setc("eventcategory","1801020000"); - - var dup29 = setc("eventcategory","1605010000"); - - var dup30 = setc("eventcategory","1603000000"); - - var dup31 = setc("event_description","Process mode"); - - var dup32 = setc("event_description","NTP Server Unreachable"); - - var dup33 = setc("eventcategory","1401060000"); - - var dup34 = setc("ec_theme","Authentication"); - - var dup35 = setc("ec_subject","User"); - - var dup36 = setc("ec_activity","Logon"); - - var dup37 = setc("ec_outcome","Success"); - - var dup38 = setc("event_description","rpd proceeding"); - - var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var dup42 = setc("eventcategory","1701010000"); - - var dup43 = setc("ec_outcome","Failure"); - - var dup44 = setc("eventcategory","1401030000"); - - var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var dup46 = setc("eventcategory","1803000000"); - - var dup47 = setc("event_type","VPN"); - - var dup48 = setc("eventcategory","1605020000"); - - var dup49 = setc("eventcategory","1602020000"); - - var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var 
dup51 = setc("eventcategory","1603020000"); - - var dup52 = date_time({ - dest: "event_time", - args: ["hfld32"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup53 = setc("ec_subject","NetworkComm"); - - var dup54 = setc("ec_activity","Create"); - - var dup55 = setc("ec_activity","Stop"); - - var dup56 = setc("event_description","Trap state change"); - - var dup57 = setc("event_description","peer NLRI mismatch"); - - var dup58 = setc("eventcategory","1605030000"); - - var dup59 = setc("eventcategory","1603010000"); - - var dup60 = setc("eventcategory","1606000000"); - - var dup61 = setf("hostname","hhostname"); - - var dup62 = date_time({ - dest: "event_time", - args: ["hfld6"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup63 = setc("eventcategory","1401050200"); - - var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); - - var dup65 = setc("event_description","unable to run in the background as a daemon"); - - var dup66 = setc("event_description","Another copy of this program is running"); - - var dup67 = setc("event_description","Unable to lock PID file"); - - var dup68 = setc("event_description","Unable to update process PID file"); - - var dup69 = setc("eventcategory","1301000000"); - - var dup70 = setc("event_description","Command stopped"); - - var dup71 = setc("event_description","Unable to create pipes for command"); - - var dup72 = setc("event_description","Command exited"); - - var dup73 = setc("eventcategory","1603050000"); - - var dup74 = setc("eventcategory","1801010000"); - - var dup75 = setc("event_description","Login failure"); - - var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var dup78 = setc("event_description","Unable to open file"); - - var dup79 = 
setc("event_description","SNMP index assigned changed"); - - var dup80 = setc("eventcategory","1302000000"); - - var dup81 = setc("eventcategory","1001020300"); - - var dup82 = setc("event_description","PFE FW SYSLOG_IP"); - - var dup83 = setc("event_description","process_mode"); - - var dup84 = setc("event_description","Logical interface collision"); - - var dup85 = setc("event_description","excessive runtime time during action of module"); - - var dup86 = setc("event_description","Reinitializing"); - - var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var dup93 = setc("eventcategory","1803010000"); - - var dup94 = setc("ec_activity","Deny"); - - var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); - - var dup97 = setc("event_description","session denied"); - - var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); - - var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var dup104 = setc("dclass_counter1_string","No.of packets from client"); - - var dup105 = setc("event_description","SNMPD AUTH FAILURE"); - - var dup106 = setc("event_description","send send-type (index1) failure"); - - var dup107 = setc("event_description","SNMP trap error"); - - var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); - - var dup109 = setc("event_description","SNMP TRAP LINK UP"); - - var dup110 = setc("event_description","Login Failure"); - - var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var 
dup113 = setc("eventcategory","1701020000"); - - var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); - - var dup116 = setc("event_description","User set command"); - - var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var dup120 = setc("event_description","User set groups to secret"); - - var dup121 = setc("event_description","UI CMDLINE READ LINE"); - - var dup122 = setc("event_description","User commit"); - - var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var dup125 = setc("eventcategory","1401070000"); - - var dup126 = setc("ec_activity","Logoff"); - - var dup127 = setc("event_description","Successful login"); - - var dup128 = setf("hostname","hostip"); - - var dup129 = setc("event_description","TACACS+ failure"); - - var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var dup133 = setc("eventcategory","1003010000"); - - var dup134 = setc("eventcategory","1901000000"); - - var dup135 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var dup137 = linear_select([ - dup40, - dup41, - ]); - - var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var dup145 = linear_select([ - dup76, - dup77, - ]); - - var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var dup150 = linear_select([ - dup88, - dup89, - ]); - - var dup151 = linear_select([ - dup90, - dup45, - ]); - - var dup152 = linear_select([ - dup95, - dup96, - ]); - - var dup153 = linear_select([ - dup101, - dup91, - ]); - - var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - 
dup52, - ])); - - var dup156 = linear_select([ - dup118, - dup119, - ]); - - var dup157 = linear_select([ - dup123, - dup124, - ]); - - var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - - var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": restart "), - field("p0"), - ], - }), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" message repeated "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("("), - field("hfld1"), - constant("): "), - field("p0"), - ], - }), - ])); - - var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); - - var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
- - var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); - - var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); - - var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); - - var select1 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - part1, - part2, - part3, - part4, - part5, - dup8, - ]); - - var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ - dup9, - ])); - - var all1 = all_match({ - processors: [ - dup1, - select1, - part6, - ], - on_success: processor_chain([ - setc("header_id","0004"), - ]), - }); - - var select2 = linear_select([ - dup2, - dup3, - dup4, - dup5, - dup6, - dup7, - dup8, - ]); - - var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ - dup10, - ])); - - var all2 = all_match({ - processors: [ - dup1, - select2, - part7, - ], - on_success: processor_chain([ - setc("header_id","0005"), - ]), - }); - - var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0007"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant("["), - field("hpid"), - constant("]: "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0008"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - 
constant(" IFP trace> "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0010"), - dup11, - ])); - - var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0029"), - dup12, - ])); - - var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0015"), - dup12, - ])); - - var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0011"), - dup11, - ])); - - var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0027"), - dup9, - ])); - - var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0012"), - dup9, - ])); - - var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ - setc("header_id","0013"), - dup13, - ])); - - var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var all3 = all_match({ - processors: [ - hdr14, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.a"), - ]), - }); - - var all4 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - setc("header_id","0026.upd.b"), - ]), - }); - - var all5 = all_match({ - processors: [ - dup18, - dup135, - dup136, - ], - on_success: processor_chain([ - 
setc("header_id","0026"), - ]), - }); - - var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ - setc("header_id","0014"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant("["), - field("hpid"), - constant("]: "), - field("p0"), - ], - }), - ])); - - var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0016"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(": "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0017"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("["), - field("pid"), - constant("]: "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0018"), - dup19, - ])); - - var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0028"), - dup19, - ])); - - var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0019"), - dup9, - ])); - - var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0020"), - dup19, - ])); - - var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ - 
setc("header_id","0021"), - dup9, - ])); - - var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0022"), - dup9, - ])); - - var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0023"), - dup19, - ])); - - var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ - setc("header_id","0024"), - dup9, - ])); - - var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ - setc("header_id","0031"), - dup10, - ])); - - var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ - setc("header_id","0032"), - dup19, - ])); - - var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ - setc("header_id","0033"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant(" "), - field("hhostname"), - constant(" "), - field("messageid"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ - setc("header_id","3336"), - ])); - - var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ - setc("header_id","3339"), - ])); - - var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","3337"), - ])); - - var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ - setc("header_id","3341"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld3"), - constant(" "), - field("messageid"), - constant(" "), - field("p0"), - ], - }), - ])); - - var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","3338"), - ])); - - var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hhost"), - constant(" node"), - field("hfld1"), - constant(".fpc"), - field("p0"), - ], - }), - ])); - - var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); - - var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); - - var select3 = linear_select([ - part8, - part9, - ]); - - var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); - - var all6 = all_match({ - processors: [ - hdr35, - select3, - part10, - ], - on_success: processor_chain([ - setc("header_id","3340"), - setc("messageid","node"), - ]), - }); - - var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); - - var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); - - var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); - - var select4 = linear_select([ - hdr36, - hdr37, - hdr38, - ]); - - var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); - - var all7 = all_match({ - processors: [ - select4, - part11, - ], - on_success: processor_chain([ - setc("header_id","9997"), - dup20, - ]), - }); - - var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ - setc("header_id","9995"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("["), - field("hfld3"), - constant("]:"), - field("p0"), - ], - }), - ])); - - var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ - setc("header_id","9994"), - setc("messageid","qsfp"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("hfld1"), - constant(" qsfp "), - field("p0"), - ], - }), - ])); - - var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ - setc("header_id","9999"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hevent_type"), - constant(": "), - field("p0"), - ], - }), - ])); - - var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ - setc("header_id","9998"), - dup20, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld2"), - constant(" "), - field("process"), - constant(": "), - field("p0"), - ], - }), - ])); - - var select5 = linear_select([ - hdr1, - hdr2, - hdr3, - all1, - all2, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - all3, - all4, - all5, - hdr15, - hdr16, - hdr17, - hdr18, - hdr19, - hdr20, - hdr21, - hdr22, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - hdr28, - hdr29, - hdr30, - hdr31, - hdr32, - hdr33, - hdr34, - all6, - all7, - hdr39, - hdr40, - hdr41, - hdr42, - ]); - - var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","sshd exit status"), - dup23, - ])); - - var msg1 = msg("/usr/sbin/sshd", part12); - - var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","telnetd exit status"), - dup23, - ])); - - var msg2 = msg("/usr/libexec/telnetd", part13); - - var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Alarm Set or Cleared"), - dup23, - ])); - - var msg3 = msg("alarmd", part14); - - var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ - dup21, - dup22, - setc("event_description","Node detected UP"), - dup23, - ])); - - var msg4 = msg("bigd", part15); - - var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ - dup21, - dup22, - setc("event_description","Monitor template id"), - dup23, - ])); - - var msg5 = msg("bigd:01", part16); - - var select6 = linear_select([ - msg4, - msg5, - ]); - - var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Loading configuration file"), - dup23, - ])); - - var msg6 = msg("bigpipe", part17); - - var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","Begin config install operation"), - dup23, - ])); - - var msg7 = msg("bigpipe:01", part18); - - var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Audit"), - dup23, - ])); - - var msg8 = msg("bigpipe:02", part19); - - var select7 = linear_select([ - msg6, - msg7, - msg8, - ]); - - var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ - dup21, - dup22, - setc("event_description","portal shutdown"), - dup23, - ])); - - var msg9 = msg("bigstart", part20); - - var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","cga address genration"), - dup23, - ])); - - var msg10 = msg("cgatool", part21); - - var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg11 = msg("chassisd:01", part22); - - var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg12 = msg("checkd", part23); - - var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ - dup21, - dup22, - setc("event_description","checkd exiting"), - dup23, - ])); - - var msg13 = msg("checkd:01", part24); - - var select8 = linear_select([ - msg12, - msg13, - ]); - - var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","link protection for interface"), - dup23, - ])); - - var msg14 = msg("cosd", part25); - - var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ - dup21, - 
dup22, - setc("event_description","License expiration warning"), - dup23, - ])); - - var msg15 = msg("craftd", part26); - - var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); - - var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); - - var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); - - var select9 = linear_select([ - part28, - part29, - ]); - - var all8 = all_match({ - processors: [ - part27, - select9, - ], - on_success: processor_chain([ - dup21, - dup22, - dup26, - dup23, - ]), - }); - - var msg16 = msg("CRON", all8); - - var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); - - var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); - - var select10 = linear_select([ - part30, - part31, - ]); - - var all9 = all_match({ - processors: [ - select10, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg17 = msg("Cmerror", all9); - - var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ - dup21, - dup22, - setc("event_description","cron RELOAD"), - dup23, - ])); - - var msg18 = msg("cron", part32); - - var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup21, - dup22, - dup23, - dup24, - ])); - - var msg19 = msg("CROND", part33); - - var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ - dup27, - dup22, - dup23, - dup24, - ])); - - var msg20 = msg("CROND:02", part34); - - var select11 = linear_select([ - msg19, - msg20, - ]); - - var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ - dup28, - dup22, - dup23, - dup24, - ])); - - var msg21 = msg("crond:01", part35); - - var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Setting ignored"), - dup23, - ])); - - var msg22 = msg("dcd", part36); - - var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); - - var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); - - var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); - - var select12 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); - - var all10 = all_match({ - processors: [ - part37, - select12, - part40, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","EVENT"), - dup23, - ]), - }); - - var msg23 = msg("EVENT", all10); - - var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ - setc("eventcategory","1802000000"), - dup22, - setc("event_description","ftpd connection"), - dup23, - ])); - - var msg24 = msg("ftpd", part41); - - var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ - dup29, - dup23, - dup22, - ])); - - var msg25 = msg("ha_rto_stats_handler", part42); - - var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ - dup21, - dup22, - setc("event_description","LDAP Connection not bound correctly"), - dup23, - ])); - - var msg26 = msg("hostinit", part43); - - var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug - Added entry"), - dup23, - ])); - - var msg27 = msg("ifinfo", part44); - - var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug Initializing spu"), - dup23, - ])); - - var msg28 = msg("ifinfo:01", part45); - - var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","PIC_INFO debug delete from list"), - dup23, - ])); - - var msg29 = msg("ifinfo:02", part46); - - var select13 = linear_select([ - msg27, - msg28, - msg29, - ]); - - var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ - dup21, - dup22, - setc("event_description","IFL anydown change event"), - dup23, - ])); - - var msg30 = msg("ifp_ifl_anydown_change_event", part47); - - var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ - dup21, - dup22, - setc("event_description","ifp ifl config_event"), - dup23, - ])); - - var msg31 = msg("ifp_ifl_config_event", part48); - - var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ - dup21, - dup22, - setc("event_description","ifp_ifl_ext_chg"), - dup23, - ])); - - var msg32 = 
msg("ifp_ifl_ext_chg", part49); - - var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","connection exceeded count limit"), - dup23, - ])); - - var msg33 = msg("inetd", part50); - - var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","exited"), - dup23, - ])); - - var msg34 = msg("inetd:01", part51); - - var select14 = linear_select([ - msg33, - msg34, - ]); - - var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg35 = msg("init:04", part52); - - var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ - dup21, - dup22, - dup31, - dup23, - ])); - - var msg36 = msg("init", part53); - - var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","failure target for routing set"), - dup23, - ])); - - var msg37 = msg("init:01", part54); - - var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ - dup21, - dup22, - setc("event_description","ntp started"), - dup23, - ])); - - var msg38 = msg("init:02", part55); - - var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","product mask and model info"), - dup23, - ])); - - var msg39 = msg("init:03", part56); - - var select15 
= linear_select([ - msg35, - msg36, - msg37, - msg38, - msg39, - ]); - - var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","IPC message exceeds MTU"), - dup23, - ])); - - var msg40 = msg("ipc_msg_write", part57); - - var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ - dup28, - dup22, - setc("event_description","listener connection established"), - dup23, - ])); - - var msg41 = msg("connection_established", part58); - - var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); - - var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); - - var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); - - var select16 = linear_select([ - part60, - part61, - ]); - - var all11 = all_match({ - processors: [ - part59, - select16, - ], - on_success: processor_chain([ - dup27, - dup22, - setc("event_description","connection dropped"), - dup23, - ]), - }); - - var msg42 = msg("connection_dropped", all11); - - var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Asserting SONET alarm(s)"), - dup23, - ])); - - var msg43 = msg("kernel", part62); - - var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","interface down"), - dup23, 
- ])); - - var msg44 = msg("kernel:01", part63); - - var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","loopback suspected om interface"), - dup23, - ])); - - var msg45 = msg("kernel:02", part64); - - var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","soreceive error"), - dup23, - ])); - - var msg46 = msg("kernel:03", part65); - - var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pfe_peer_alloc state 4"), - dup23, - ])); - - var msg47 = msg("kernel:04", part66); - - var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg48 = msg("kernel:05", part67); - - var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg49 = msg("kernel:06", part68); - - var select17 = linear_select([ - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - ]); - - var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful user login"), - dup23, - ])); - - var msg50 = msg("successful_login", part69); - - var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ - 
dup33, - dup34, - dup35, - dup36, - dup22, - setc("event_description","user login attempt"), - dup23, - ])); - - var msg51 = msg("login_attempt", part70); - - var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup33, - dup34, - dup37, - dup22, - setc("event_description","PAM module return from login"), - dup23, - ])); - - var msg52 = msg("login", part71); - - var select18 = linear_select([ - msg50, - msg51, - msg52, - ]); - - var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","processing lsys root-logical-system"), - dup23, - ])); - - var msg53 = msg("lsys_ssam_handler", part72); - - var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Removing mif from group"), - dup23, - ])); - - var msg54 = msg("mcsn", part73); - - var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ - dup30, - dup22, - setc("event_description","Firewall rows could not be redirected on device"), - dup23, - ])); - - var msg55 = msg("mrvl_dfw_log_effuse_status", part74); - - var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ - dup30, - dup22, - setc("event_description","mfilter already exists for add"), - dup23, - ])); - - var msg56 = msg("MRVL-L2", part75); - - var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ - dup21, - dup22, - 
setc("event_description","processing profile SP-root"), - dup23, - ])); - - var msg57 = msg("profile_ssam_handler", part76); - - var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get resource bucket"), - dup23, - ])); - - var msg58 = msg("pst_nat_binding_set_profile", part77); - - var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","reinitializing done"), - dup23, - ])); - - var msg59 = msg("task_reconfigure", part78); - - var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); - - var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); - - var select19 = linear_select([ - part79, - part80, - ]); - - var all12 = all_match({ - processors: [ - select19, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - dup24, - ]), - }); - - var msg60 = msg("tnetd", all12); - - var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ - dup21, - dup22, - setc("event_description","Session manager active"), - dup23, - ])); - - var msg61 = msg("PFEMAN", part81); - - var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not send message to service"), - dup23, - ])); - - var msg62 = msg("mgd", part82); - - var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Resolve request came for an address matching on 
Wrong nh"), - dup23, - ])); - - var msg63 = msg("Resolve", part83); - - var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","service exited with status"), - dup23, - ])); - - var msg64 = msg("respawn", part84); - - var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ - dup30, - dup22, - setc("event_description","system does not have 3-DNS or Link Controller enabled"), - dup23, - ])); - - var msg65 = msg("root", part85); - - var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Received data for interface"), - dup23, - ])); - - var msg66 = msg("rpd", part86); - - var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","RSVP neighbor up on interface "), - dup23, - ])); - - var msg67 = msg("rpd:01", part87); - - var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ - dup21, - dup22, - setc("event_description","reseting pending active connection"), - dup23, - ])); - - var msg68 = msg("rpd:02", part88); - - var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg69 = msg("rpd_proceeding", part89); - - var select20 = linear_select([ - msg66, - msg67, - msg68, - msg69, - ]); - - var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","user issuing command as root"), - dup23, - ])); - - var msg70 = msg("rshd", part90); - - var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ - dup21, - dup22, - setc("event_description","sfd waiting on accept"), - dup23, - ])); - - var msg71 = msg("sfd", part91); - - var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Accepted password"), - dup23, - ])); - - var msg72 = msg("sshd", part92); - - var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Received disconnect"), - dup23, - ])); - - var msg73 = msg("sshd:02", part93); - - var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ - dup30, - dup22, - setc("result","no identification string"), - setc("event_description","Did not receive identification string from peer"), - dup23, - ])); - - var msg74 = msg("sshd:03", part94); - - var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ - dup30, - dup22, - setc("event_description","Could not write ident string"), - dup23, - ])); - - var msg75 = msg("sshd:04", part95); 
- - var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ - dup21, - dup22, - setc("event_description","subsystem request for netconf"), - dup23, - ])); - - var msg76 = msg("sshd:05", part96); - - var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); - - var all13 = all_match({ - processors: [ - dup39, - dup137, - part97, - ], - on_success: processor_chain([ - dup29, - dup22, - setc("event_description","send message stats"), - dup23, - ]), - }); - - var msg77 = msg("sshd:06", all13); - - var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); - - var all14 = all_match({ - processors: [ - dup39, - dup137, - part98, - ], - on_success: processor_chain([ - dup42, - setc("ec_theme","Configuration"), - setc("ec_activity","Modify"), - dup37, - dup22, - setc("event_description","Added radius server"), - dup23, - ]), - }); - - var msg78 = msg("sshd:07", all14); - - var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ - setc("eventcategory","1301020000"), - dup34, - dup43, - dup22, - setc("event_description","authentication error"), - dup23, - ])); - - var msg79 = msg("sshd:08", part99); - - var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ - dup30, - dup22, - setc("event_description","unrecognized attribute in policy"), - dup23, - ])); - - var msg80 = msg("sshd:09", part100); - - var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM module return from sshd"), - dup23, - ])); - - 
var msg81 = msg("sshd:10", part101); - - var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","PAM authentication chain return"), - dup23, - ])); - - var msg82 = msg("sshd:11", part102); - - var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","can't get client address"), - dup23, - ])); - - var msg83 = msg("sshd:12", part103); - - var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ - dup30, - dup22, - setc("event_description","auth server unresponsive"), - dup23, - ])); - - var msg84 = msg("sshd:13", part104); - - var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ - dup30, - dup22, - setc("event_description","No valid RADIUS responses received"), - dup23, - ])); - - var msg85 = msg("sshd:14", part105); - - var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ - dup21, - dup22, - setc("event_description","Moving to next server"), - dup23, - ])); - - var msg86 = msg("sshd:15", part106); - - var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ - dup44, - dup34, - dup43, - dup22, - setc("event_description","Login failed for user"), - dup23, - ])); - - var msg87 = msg("sshd:16", part107); - - var select21 = linear_select([ - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - ]); - - var part108 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); - - var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); - - var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); - - var select22 = linear_select([ - part109, - part110, - dup45, - ]); - - var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); - - var all15 = all_match({ - processors: [ - part108, - select22, - part111, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","authentication failure"), - dup23, - ]), - }); - - var msg88 = msg("Failed:05", all15); - - var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); - - var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); - - var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); - - var select23 = linear_select([ - part113, - part114, - ]); - - var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); - - var all16 = all_match({ - processors: [ - part112, - select23, - part115, - ], - on_success: processor_chain([ - dup46, - dup47, - dup23, - dup22, - ]), - }); - - var msg89 = msg("Failed", all16); - - var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ - dup46, - dup23, - dup22, - ])); - - var msg90 = msg("Failed:01", part116); - - var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); - - var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); - - var select24 = linear_select([ - part117, - part118, - ]); - - var all17 = all_match({ - processors: [ - select24, - ], - 
on_success: processor_chain([ - dup46, - dup23, - dup22, - setf("hostname","hfld1"), - ]), - }); - - var msg91 = msg("Failed:02", all17); - - var select25 = linear_select([ - msg88, - msg89, - msg90, - msg91, - ]); - - var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ - dup21, - dup22, - setc("event_description","syslog daemon restart"), - dup23, - ])); - - var msg92 = msg("syslogd", part119); - - var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup21, - dup22, - dup25, - dup23, - ])); - - var msg93 = msg("ucd-snmp", part120); - - var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ - dup21, - dup22, - setc("event_description","Received TERM or STOP signal"), - dup23, - ])); - - var msg94 = msg("ucd-snmp:01", part121); - - var select26 = linear_select([ - msg93, - msg94, - ]); - - var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ - dup27, - dup22, - setc("event_description","failed to connect to the server"), - dup23, - ])); - - var msg95 = msg("usp_ipc_client_reconnect", part122); - - var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ - dup27, - dup22, - setc("event_description","Trace client disconnected"), - dup23, - ])); - - var msg96 = msg("usp_trace_ipc_disconnect", part123); - - var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ - dup30, - dup22, - setc("event_description","USP trace client cannot reconnect to server"), - dup23, - ])); - - var msg97 = msg("usp_trace_ipc_reconnect", part124); - - var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","flow_print_session_summary_output received"), - dup23, - ])); - - var msg98 = msg("uspinfo", part125); - - var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","Version build date"), - dup23, - ])); - - var msg99 = msg("Version", part126); - - var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","frequency initialized from file"), - dup23, - ])); - - var msg100 = msg("xntpd", part127); - - var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ - dup21, - dup22, - setc("event_description","nptd version build"), - dup23, - ])); - - var msg101 = msg("xntpd:01", part128); - - var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","kernel time sync enabled"), - dup23, - ])); - - var msg102 = msg("xntpd:02", part129); - - var part130 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup21, - dup22, - dup32, - dup23, - ])); - - var msg103 = msg("xntpd:03", part130); - - var select27 = linear_select([ - msg100, - msg101, - msg102, - msg103, - ]); - - var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ - dup21, - dup22, - setc("event_description","last message repeated"), - dup23, - ])); - - var msg104 = msg("last", part131); - - var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup24, - ])); - - var msg105 = msg("last:01", part132); - - var select28 = linear_select([ - msg104, - msg105, - ]); - - var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ - dup30, - dup22, - setc("event_description","cannot write ucode mask reg"), - dup23, - ])); - - var msg106 = msg("BCHIP", part133); - - var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ - dup21, - dup22, - setc("event_description","Slot on-line"), - dup23, - ])); - - var msg107 = msg("CM", part134); - - var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","Received FC Q map"), - dup23, - ])); - - var msg108 = msg("COS", part135); - - var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","ifd error"), - dup23, - ])); - - var msg109 = msg("COSFPC", part136); - - var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ - dup21, - 
dup22, - setc("event_description","delete class to ifl link"), - dup23, - ])); - - var msg110 = msg("COSMAN", part137); - - var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","Keepalive timeout"), - dup23, - ])); - - var msg111 = msg("RDP", part138); - - var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ - dup30, - dup22, - setc("event_description","Initial time of day set"), - dup23, - ])); - - var msg112 = msg("SNTPD", part139); - - var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ - dup21, - dup22, - setc("event_description","Slot serial number"), - dup23, - ])); - - var msg113 = msg("SSB", part140); - - var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected error"), - dup23, - ])); - - var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); - - var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to open file"), - dup23, - ])); - - var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); - - var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ - dup49, - dup22, - setc("event_description","File size mismatch"), - dup23, - ])); - - var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part143); - - var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Invalid statistics record"), - dup23, - ])); - - var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); - - var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ - dup49, - dup22, - setc("event_description","Class usage statistics error for interface"), - dup23, - ])); - - var msg118 = msg("ACCT_CU_RTSLIB_error", part145); - - var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); - - var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); - - var select29 = linear_select([ - part146, - part147, - ]); - - var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); - - var all18 = all_match({ - processors: [ - dup50, - select29, - part148, - ], - on_success: processor_chain([ - dup49, - dup22, - setc("event_description","error trying to get hostname"), - dup23, - ]), - }); - - var msg119 = msg("ACCT_GETHOSTNAME_error", all18); - - var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ - dup51, - dup22, - setc("event_description","Memory allocation failure"), - dup23, - ])); - - var msg120 = msg("ACCT_MALLOC_FAILURE", part149); - - var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ - dup30, - 
dup22, - setc("event_description","Accounting profile counter not defined in firewall"), - dup23, - ])); - - var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); - - var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","ACCT_XFER_FAILED"), - dup23, - ])); - - var msg122 = msg("ACCT_XFER_FAILED", part151); - - var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","POPEN FAIL invoking command command to transfer file"), - dup23, - ])); - - var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); - - var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ - dup28, - dup22, - dup52, - ])); - - var msg124 = msg("APPQOS_LOG_EVENT", part153); - - var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("result","AppTrack session created"), - dup23, - ])); - - var msg125 = msg("APPTRACK_SESSION_CREATE", part154); - - var part155 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); - - var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup55, - dup22, - dup23, - ])); - - var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); - - var select30 = linear_select([ - msg126, - msg127, - ]); - - var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup28, - dup53, - dup22, - dup52, - ])); - - var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); - - var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup28, - dup53, - dup22, - dup23, - ])); - - var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); - - var select31 = linear_select([ - msg128, - msg129, - ]); - - var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); - - var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); - - var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp connect error"), - dup23, - ])); - - var msg132 = msg("bgp_connect_start", part159); - - var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp peer state change"), - dup23, - ])); - - var msg133 = msg("bgp_event", part160); - - var part161 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Connection attempt from unconfigured neighbor"), - dup23, - ])); - - var msg134 = msg("bgp_listen_accept", part161); - - var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","bgp reset"), - dup23, - ])); - - var msg135 = msg("bgp_listen_reset", part162); - - var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","peer next hop local"), - dup23, - ])); - - var msg136 = msg("bgp_nexthop_sanity", part163); - - var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ - dup30, - dup22, - setc("event_description","code RED error NOTIFICATION sent"), - dup23, - ])); - - var msg137 = msg("bgp_process_caps", part164); - - var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg138 = msg("bgp_process_caps:01", part165); - - var select32 = linear_select([ - msg137, - msg138, - ]); - - var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ - dup30, - dup22, - setc("event_description","connection 
collision"), - setc("result","dropping connection to peer"), - dup23, - ])); - - var msg139 = msg("bgp_pp_recv", part166); - - var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ - dup30, - dup22, - setc("event_description","peer received unexpected EOF"), - dup23, - ])); - - var msg140 = msg("bgp_pp_recv:01", part167); - - var select33 = linear_select([ - msg139, - msg140, - ]); - - var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp send blocked error"), - dup23, - ])); - - var msg141 = msg("bgp_send", part168); - - var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","bgp timeout NOTIFICATION sent"), - dup23, - ])); - - var msg142 = msg("bgp_traffic_timeout", part169); - - var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot argument error"), - dup23, - ])); - - var msg143 = msg("BOOTPD_ARG_ERR", part170); - - var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","boot unexpected Id value"), - dup23, - ])); - - var msg144 = msg("BOOTPD_BAD_ID", part171); - - var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","Invalid boot string"), - dup23, - ])); - - var msg145 = msg("BOOTPD_BOOTSTRING", part172); - - var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration file error"), - dup23, - ])); - - var msg146 = msg("BOOTPD_CONFIG_ERR", part173); - - var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to open configuration file"), - dup23, - ])); - - var msg147 = msg("BOOTPD_CONF_OPEN", part174); - - var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - Duplicate revision"), - dup23, - ])); - - var msg148 = msg("BOOTPD_DUP_REV", part175); - - var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ - dup30, - dup22, - setc("event_description","boot - duplicate slot"), - dup23, - ])); - - var msg149 = msg("BOOTPD_DUP_SLOT", part176); - - var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","Unexpected ID for model"), - dup23, - ])); - - var msg150 = msg("BOOTPD_MODEL_CHK", part177); - - var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ - dup30, - dup22, - 
setc("event_description","Unsupported model"), - dup23, - ])); - - var msg151 = msg("BOOTPD_MODEL_ERR", part178); - - var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ - dup21, - dup22, - setc("event_description","New configuration installed"), - dup23, - ])); - - var msg152 = msg("BOOTPD_NEW_CONF", part179); - - var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","No boot string found"), - dup23, - ])); - - var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); - - var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No configuration file found"), - dup23, - ])); - - var msg154 = msg("BOOTPD_NO_CONFIG", part181); - - var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ - dup30, - dup22, - setc("event_description","parse errors on SIGHUP"), - dup23, - ])); - - var msg155 = msg("BOOTPD_PARSE_ERR", part182); - - var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","Reparsing configuration file"), - dup23, - ])); - - var msg156 = msg("BOOTPD_REPARSE", part183); - - var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","select error"), - dup23, - ])); - - var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); - - var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ - dup30, - dup22, - setc("event_description","timeout unreasonable"), - dup23, - ])); - - var msg158 = msg("BOOTPD_TIMEOUT", part185); - - var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ - dup21, - dup22, - setc("event_description","boot version built"), - dup23, - ])); - - var msg159 = msg("BOOTPD_VERSION", part186); - - var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ - dup58, - dup22, - setc("event_description","CHASSISD release built"), - dup23, - ])); - - var msg160 = msg("CHASSISD", part187); - - var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CHASSISD Unknown option"), - dup23, - ])); - - var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); - - var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers are now running at normal speed"), - dup23, - ])); - - var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); - - var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ - dup21, - dup22, - setc("event_description","Fans and impellers being set to full speed"), - dup23, - ])); - - var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190);
-
- var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([
- dup21,
- dup22,
- setc("event_description","reading midplane ID EEPROM"),
- dup23,
- ]));
-
- var msg164 = msg("CHASSISD_CB_READ", part191);
-
- var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD COMMAND ACK ERROR"),
- dup23,
- ]));
-
- var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192);
-
- var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD COMMAND ACK SF ERROR"),
- dup23,
- ]));
-
- var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193);
-
- var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Cannot set no-concatenated mode for FPC"),
- dup23,
- ]));
-
- var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194);
-
- var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CONFIG File Problem"),
- dup23,
- ]));
-
- var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195);
-
- var part196 = match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD CONFIG WARNING"),
- dup23,
- ]));
-
- var msg169 = msg("CHASSISD_CONFIG_WARNING", part196);
-
- var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","chassisd already running"),
- dup23,
- ]));
-
- var msg170 = msg("CHASSISD_EXISTS", part197);
-
- var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([
- dup21,
- dup22,
- setc("event_description","Killing existing chassisd and exiting"),
- dup23,
- ]));
-
- var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198);
-
- var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","file open error"),
- dup23,
- ]));
-
- var msg172 = msg("CHASSISD_FILE_OPEN", part199);
-
- var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD file statistics error"),
- dup23,
- ]));
-
- var msg173 = msg("CHASSISD_FILE_STAT", part200);
-
- var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD received restart EVENT"),
- dup23,
- ]));
-
- var msg174 = msg("CHASSISD_FRU_EVENT", part201);
-
- var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD restart WRITE_ERROR"),
- dup23,
- ]));
-
- var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202);
-
- var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD FRU STEP ERROR"),
- dup23,
- ]));
-
- var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203);
-
- var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unexpected error from gettimeofday"),
- dup23,
- ]));
-
- var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204);
-
- var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([
- dup21,
- dup22,
- setc("event_description","reading host temperature sensor"),
- dup23,
- ]));
-
- var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205);
-
- var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([
- dup21,
- dup22,
- setc("event_description","detaching all pseudo devices"),
- dup23,
- ]));
-
- var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206);
-
- var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([
- dup21,
- dup22,
- setc("event_description","CHASSISD IFDEV DETACH FPC"),
- dup23,
- ]));
-
- var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207);
-
- var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([
- dup21,
- dup22,
- setc("event_description","CHASSISD IFDEV DETACH PIC"),
- dup23,
- ]));
-
- var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208);
-
- var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([
- dup21,
- dup22,
- setc("event_description","CHASSISD IFDEV DETACH PSEUDO"),
- dup23,
- ]));
-
- var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209);
-
- var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"),
- dup23,
- ]));
-
- var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210);
-
- var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","rtslib_ifdm_get_by_index failed"),
- dup23,
- ]));
-
- var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211);
-
- var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Message Queue full"),
- dup23,
- ]));
-
- var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212);
-
- var part213 = match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Received unexpected message"),
- dup23,
- ]));
-
- var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213);
-
- var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","FRU has no connection pipe"),
- dup23,
- ]));
-
- var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214);
-
- var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","FRU has no connection arguments"),
- dup23,
- ]));
-
- var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215);
-
- var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([
- dup30,
- dup22,
- setc("event_description","chassisd MAC address allocation error"),
- dup23,
- ]));
-
- var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216);
-
- var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([
- dup21,
- dup22,
- setc("event_description","Using default MAC address base"),
- dup23,
- ]));
-
- var msg190 = msg("CHASSISD_MAC_DEFAULT", part217);
-
- var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([
- dup30,
- dup22,
- setc("event_description","management bus failed sanity test"),
- dup23,
- ]));
-
- var msg191 = msg("CHASSISD_MBUS_ERROR", part218);
-
- var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([
- dup21,
- dup22,
- setc("event_description","Using new configuration"),
- dup23,
- ]));
-
- var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219);
-
- var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","CHASSISD PARSE ERROR"),
- dup23,
- ]));
-
- var msg193 = msg("CHASSISD_PARSE_ERROR", part220);
-
- var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([
- dup21,
- dup22,
- setc("event_description","Parsing configuration file"),
- dup23,
- ]));
-
- var msg194 = msg("CHASSISD_PARSE_INIT", part221);
-
- var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to open PID file"),
- dup23,
- ]));
-
- var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222);
-
- var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Pipe error"),
- dup23,
- ]));
-
- var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223);
-
- var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([
- dup59,
- dup22,
- setc("event_description","device not powering up"),
- dup23,
- ]));
-
- var msg197 = msg("CHASSISD_POWER_CHECK", part224);
-
- var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([
- dup21,
- dup22,
- setc("event_description","Successful reconnect on soft restart"),
- dup23,
- ]));
-
- var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225);
-
- var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([
- dup21,
- dup22,
- setc("event_description","Release mastership notification"),
- dup23,
- ]));
-
- var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226);
-
- var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","re_init Invalid RE slot"),
- dup23,
- ]));
-
- var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227);
-
- var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to determine mount point for root directory"),
- dup23,
- ]));
-
- var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228);
-
- var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","ifmsg sequence gap"),
- dup23,
- ]));
-
- var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229);
-
- var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([
- setc("eventcategory","1603040000"),
- dup22,
- setc("event_description","Version mismatch"),
- dup23,
- ]));
-
- var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230);
-
- var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Serial ID read error"),
- dup23,
- ]));
-
- var msg204 = msg("CHASSISD_SERIAL_ID", part231);
-
- var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","fpga download not complete"),
- dup23,
- ]));
-
- var msg205 = msg("CHASSISD_SMB_ERROR", part232);
-
- var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([
- dup58,
- dup22,
- setc("event_description","SNMP Trap6 generated"),
- dup23,
- ]));
-
- var msg206 = msg("CHASSISD_SNMP_TRAP6", part233);
-
- var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([
- dup30,
- dup22,
- setc("event_description","SNMP Trap7 generated"),
- dup23,
- ]));
-
- var msg207 = msg("CHASSISD_SNMP_TRAP7", part234);
-
- var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","SNMP trap - FRU power on"),
- dup23,
- ]));
-
- var msg208 = msg("CHASSISD_SNMP_TRAP10", part235);
-
- var part236 = match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([
- dup60,
- dup22,
- setc("event_description","Received SIGTERM request"),
- dup23,
- ]));
-
- var msg209 = msg("CHASSISD_TERM_SIGNAL", part236);
-
- var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Taking PIC offline"),
- dup23,
- ]));
-
- var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237);
-
- var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([
- dup30,
- dup22,
- setc("event_description","UNEXPECTED EXIT"),
- dup23,
- ]));
-
- var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238);
-
- var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([
- dup59,
- dup22,
- setc("event_description","Model number unsupported with this version of chassisd"),
- dup23,
- ]));
-
- var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239);
-
- var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([
- dup59,
- dup22,
- setc("event_description","Chassisd Version mismatch"),
- dup23,
- ]));
-
- var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240);
-
- var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([
- dup59,
- dup22,
- setc("event_description","CHASSISD HIGH TEMP CONDITION"),
- dup61,
- dup62,
- ]));
-
- var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241);
-
- var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([
- dup21,
- dup22,
- setc("event_description","process RESTART mode"),
- dup23,
- ]));
-
- var msg215 = msg("clean_process", part242);
-
- var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Chassis Linklocal to MAC"),
- dup23,
- ]));
-
- var msg216 = msg("CM_JAVA", part243);
-
- var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([
- dup63,
- dup22,
- setc("event_description","DCD must be run as root"),
- dup23,
- ]));
-
- var msg217 = msg("DCD_AS_ROOT", part244);
-
- var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([
- dup30,
- dup22,
- setc("event_description","Filter library initialization failed"),
- dup23,
- ]));
-
- var msg218 = msg("DCD_FILTER_LIB_ERROR", part245);
-
- var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139);
-
- var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([
- dup30,
- dup22,
- setc("event_description","errors while parsing configuration file"),
- dup23,
- ]));
-
- var msg220 = msg("DCD_PARSE_EMERGENCY", part246);
-
- var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([
- dup30,
- dup22,
- setc("event_description","errors while parsing filter index file"),
- dup23,
- ]));
-
- var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247);
-
- var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([
- dup30,
- dup22,
- setc("event_description","errors while parsing configuration overlay"),
- dup23,
- ]));
-
- var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248);
-
- var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([
- dup30,
- dup22,
- setc("event_description","unhandled state was encountered during interface parsing"),
- dup23,
- ]));
-
- var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249);
-
- var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([
- dup30,
- dup22,
- setc("event_description","errors while parsing policer indexfile"),
- dup23,
- ]));
-
- var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250);
-
- var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Failed to pull file"),
- dup23,
- ]));
-
- var msg225 = msg("DCD_PULL_LOG_FAILURE", part251);
-
- var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","DFWD ARGUMENT ERROR"),
- dup23,
- ]));
-
- var msg226 = msg("DFWD_ARGUMENT_ERROR", part252);
-
- var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139);
-
- var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([
- dup30,
- dup22,
- setc("event_description","errors encountered while parsing filter index file"),
- dup23,
- ]));
-
- var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253);
-
- var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([
- dup30,
- dup22,
- setc("event_description","encountered unhandled state while parsing interface"),
- dup23,
- ]));
-
- var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254);
-
- var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140);
-
- var msg231 = msg("ECCD_DUPLICATE", dup141);
-
- var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","ECCD LOOP EXIT FAILURE"),
- dup23,
- ]));
-
- var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255);
-
- var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([
- dup63,
- dup22,
- setc("event_description","ECCD Must be run as root"),
- dup23,
- ]));
-
- var msg233 = msg("ECCD_NOT_ROOT", part256);
-
- var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","ECCD PCI FILE OPEN FAILED"),
- dup23,
- ]));
-
- var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257);
-
- var part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","PCI read failure"),
- dup23,
- ]));
-
- var msg235 = msg("ECCD_PCI_READ_FAILED", part258);
-
- var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","PCI write failure"),
- dup23,
- ]));
-
- var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259);
-
- var msg237 = msg("ECCD_PID_FILE_LOCK", dup142);
-
- var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143);
-
- var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","ECCD TRACE FILE OPEN FAILURE"),
- dup23,
- ]));
-
- var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260);
-
- var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","ECCD Usage"),
- dup23,
- ]));
-
- var msg240 = msg("ECCD_usage", part261);
-
- var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([
- dup21,
- dup22,
- setc("event_description","User viewed security audit log with arguments"),
- dup23,
- ]));
-
- var msg241 = msg("EVENTD_AUDIT_SHOW", part262);
-
- var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([
- dup21,
- dup22,
- dup23,
- ]));
-
- var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263);
-
- var part264 = match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to change owner of file"),
- dup23,
- ]));
-
- var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264);
-
- var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","FSAD CONFIG ERROR"),
- dup23,
- ]));
-
- var msg244 = msg("FSAD_CONFIG_ERROR", part265);
-
- var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Connection timed out to client"),
- dup23,
- ]));
-
- var msg245 = msg("FSAD_CONNTIMEDOUT", part266);
-
- var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","FSAD_FAILED"),
- dup23,
- ]));
-
- var msg246 = msg("FSAD_FAILED", part267);
-
- var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([
- dup30,
- dup22,
- setc("event_description","Fetch to server to get file timed out"),
- dup23,
- ]));
-
- var msg247 = msg("FSAD_FETCHTIMEDOUT", part268);
-
- var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","fn failed for file"),
- dup23,
- ]));
-
- var msg248 = msg("FSAD_FILE_FAILED", part269);
-
- var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to remove file"),
- dup23,
- ]));
-
- var msg249 = msg("FSAD_FILE_REMOVE", part270);
-
- var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to rename file"),
- dup23,
- ]));
-
- var msg250 = msg("FSAD_FILE_RENAME", part271);
-
- var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","stat failed for file"),
- dup23,
- ]));
-
- var msg251 = msg("FSAD_FILE_STAT", part272);
-
- var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to sync file"),
- dup23,
- ]));
-
- var msg252 = msg("FSAD_FILE_SYNC", part273);
-
- var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([
- dup30,
- dup22,
- setc("event_description","Upper limit reached in fsad"),
- dup23,
- ]));
-
- var msg253 = msg("FSAD_MAXCONN", part274);
-
- var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([
- dup51,
- dup22,
- setc("event_description","FSAD MEMORYALLOC FAILED"),
- dup23,
- ]));
-
- var msg254 = msg("FSAD_MEMORYALLOC_FAILED", part275);
-
- var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([
- dup63,
- dup22,
- setc("event_description","FSAD must be run as root"),
- dup23,
- ]));
-
- var msg255 = msg("FSAD_NOT_ROOT", part276);
-
- var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","invalid directory"),
- dup23,
- ]));
-
- var msg256 = msg("FSAD_PARENT_DIRECTORY", part277);
-
- var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([
- dup30,
- dup22,
- setc("event_description","File path cannot be a directory"),
- dup23,
- ]));
-
- var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278);
-
- var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([
- dup30,
- dup22,
- setc("event_description","Not a regular file"),
- dup23,
- ]));
-
- var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279);
-
- var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([
- dup30,
- dup22,
- setc("event_description","fsad received error message from client"),
- dup23,
- ]));
-
- var msg259 = msg("FSAD_RECVERROR", part280);
-
- var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([
- dup27,
- dup22,
- setc("event_description","FSAD TERMINATED CONNECTION"),
- dup23,
- ]));
-
- var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281);
-
- var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Received terminating signal"),
- dup23,
- ]));
-
- var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282);
-
- var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Open operation on trace file failed"),
- dup23,
- ]));
-
- var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283);
-
- var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([
- dup21,
- dup22,
- setc("event_description","Incorrect FSAD usage"),
- dup23,
- ]));
-
- var msg263 = msg("FSAD_USAGE", part284);
-
- var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","GGSN ALARM TRAP FAILED"),
- dup23,
- ]));
-
- var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285);
-
- var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","GGSN ALARM TRAP SEND FAILED"),
- dup23,
- ]));
-
- var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286);
-
- var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unknown trap request type"),
- dup23,
- ]));
-
- var msg266 = msg("GGSN_TRAP_SEND", part287);
-
- var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([
- dup69,
- dup34,
- setc("ec_subject","Service"),
- dup43,
- dup22,
- setc("event_description","Authorization failed"),
- dup23,
- ]));
-
- var msg267 = msg("JADE_AUTH_ERROR", part288);
-
- var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","JADE EXEC ERROR"),
- dup23,
- ]));
-
- var msg268 = msg("JADE_EXEC_ERROR", part289);
-
- var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([
- dup30,
- dup22,
- setc("event_description","Local user does not exist"),
- dup23,
- ]));
-
- var msg269 = msg("JADE_NO_LOCAL_USER", part290);
-
- var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","JADE PAM error"),
- dup23,
- ]));
-
- var msg270 = msg("JADE_PAM_ERROR", part291);
-
- var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([
- dup30,
- dup22,
- setc("event_description","Unable to get local username from PAM"),
- dup23,
- ]));
-
- var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292);
-
- var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([
- dup30,
- dup22,
- setc("event_description","arp info overwritten"),
- dup23,
- ]));
-
- var msg272 = msg("KERN_ARP_ADDR_CHANGE",
part293); - - var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ - dup30, - dup22, - setc("event_description","security association has been established"), - dup23, - ])); - - var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); - - var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ - dup21, - dup22, - setc("event_description","Task Reinitialized"), - dup61, - dup23, - ])); - - var msg274 = msg("L2CPD_TASK_REINIT", part295); - - var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ - dup21, - dup22, - dup70, - dup23, - ])); - - var msg275 = msg("LIBJNX_EXEC_EXITED", part296); - - var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed for command"), - dup23, - ])); - - var msg276 = msg("LIBJNX_EXEC_FAILED", part297); - - var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); - - var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Command received signal"), - dup23, - ])); - - var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); - - var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ - dup21, - dup22, - dup72, - dup23, - ])); - - var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); - - var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ - dup73, - dup22, - setc("event_description","copy_file_to_transfer_dir failed to copy"), - dup23, - ])); - - var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); - - var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to lower privilege level"), - dup23, - ])); - - var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); - - var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Unable to raise privilege level"), - dup23, - ])); - - var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); - - var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","rcp failed"), - dup23, - ])); - - var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); - - var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","ROTATE COMPRESS EXEC FAILED"), - dup23, - ])); - - var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); - - var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Client connection error"), - dup23, - ])); - - var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); - - var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ - dup73, - dup22, - setc("event_description","Outbound request failed for command"), - dup23, - ])); - - var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); - - var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ - dup27, - dup22, - setc("event_description","Connection closed while receiving from client"), - dup23, - ])); - - var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); - - var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to bind socket"), - dup23, - ])); - - var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); - - var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to attach socket to management routing instance"), - dup23, - ])); - - var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); - - var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LICENSE EXPIRED"), - 
dup23, - ])); - - var msg290 = msg("LICENSE_EXPIRED", part310); - - var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ - dup21, - dup22, - setc("event_description","License key has expired"), - dup23, - ])); - - var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); - - var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","License key expiration soon"), - dup23, - ])); - - var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); - - var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ - dup30, - dup22, - setc("event_description","client aborted login"), - dup23, - ])); - - var msg293 = msg("LOGIN_ABORTED", part313); - - var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - dup23, - ])); - - var msg294 = msg("LOGIN_FAILED", part314); - - var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Incorrect password for user"), - dup23, - ])); - - var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); - - var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - 
setc("result","Failed to set context for user"), - dup23, - ])); - - var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); - - var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Failed to set login ID for user"), - dup23, - ])); - - var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); - - var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Unable to resolve hostname"), - dup23, - ])); - - var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); - - var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); - - var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); - - var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); - - var select34 = linear_select([ - part321, - dup45, - ]); - - var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); - - var all19 = all_match({ - processors: [ - dup39, - dup137, - part319, - dup145, - part320, - select34, - part322, - ], - on_success: processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","Successful Login"), - dup23, - ]), - }); - - var msg299 = msg("LOGIN_INFORMATION", all19); - - var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","No entry in local password 
file for user"), - dup23, - ])); - - var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); - - var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Invalid username"), - dup23, - ])); - - var msg301 = msg("LOGIN_MALFORMED_USER", part324); - - var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); - - var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); - - var select35 = linear_select([ - part325, - part326, - ]); - - var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); - - var all20 = all_match({ - processors: [ - dup50, - select35, - part327, - ], - on_success: processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","PAM authentication error for user"), - dup23, - ]), - }); - - var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); - - var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - setc("event_description","PAM authentication failure"), - setc("result","Failure while authenticating user"), - dup23, - ])); - - var msg303 = msg("LOGIN_PAM_ERROR", part328); - - var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Too many retries while authenticating user"), - dup23, - ])); - - var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); - - 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","User authenticated but has no local login ID"), - dup23, - ])); - - var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); - - var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ - setc("eventcategory","1303000000"), - dup34, - dup43, - dup22, - setc("event_description","Failed to end PAM session"), - dup23, - ])); - - var msg306 = msg("LOGIN_PAM_STOP", part331); - - var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Attempt to authenticate unknown user"), - dup23, - ])); - - var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); - - var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Forcing change of expired password for user"), - dup23, - ])); - - var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); - - var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup75, - setc("result","Login of user refused"), - dup23, - ])); - - var msg309 = msg("LOGIN_REFUSED", part334); - - var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","successful login as root"), - setc("result","User logged in as root"), - dup23, - ])); - - var msg310 = msg("LOGIN_ROOT", part335); - - var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ - dup44, - dup34, - dup36, - dup43, - dup22, - dup75, - setc("result","Login attempt timed out"), - dup23, - ])); - - var msg311 = msg("LOGIN_TIMED_OUT", part336); - - var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D ATM ERROR"), - dup23, - ])); - - var msg312 = msg("MIB2D_ATM_ERROR", part337); - - var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","CONFIG CHECK FAILED"), - dup23, - ])); - - var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); - - var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); - - var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); - - var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); - - var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","mib2d initialization 
failure"), - dup23, - ])); - - var msg317 = msg("MIB2D_INIT_FAILURE", part340); - - var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D KVM FAILURE"), - dup23, - ])); - - var msg318 = msg("MIB2D_KVM_FAILURE", part341); - - var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D RTSLIB READ FAILURE"), - dup23, - ])); - - var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); - - var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ - dup30, - dup22, - setc("event_description","RTSLIB sequence mismatch"), - dup23, - ])); - - var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); - - var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D SYSCTL FAILURE"), - dup23, - ])); - - var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); - - var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ - dup30, - dup22, - setc("event_description","trap_request_header failed"), - dup23, - ])); - - var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); - - var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MIB2D 
TRAP SEND FAILURE"), - dup23, - ])); - - var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); - - var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ - dup21, - dup22, - setc("event_description","user sighupped"), - dup23, - ])); - - var msg324 = msg("Multiuser", part347); - - var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate authentication handle"), - dup23, - ])); - - var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); - - var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ - dup80, - dup34, - dup43, - dup22, - setc("event_description","authentication already in progress"), - dup23, - ])); - - var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); - - var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to obtain hostname for outgoing CHAP message"), - dup23, - ])); - - var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); - - var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), - dup23, - ])); - - var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); - - var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP INVALID OPCODE"), - dup23, - ])); - - var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); - - var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine value for username in outgoing CHAP packet"), - dup23, - ])); - - var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); - - var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","CHAP MESSAGE UNEXPECTED"), - dup23, - ])); - - var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); - - var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ - dup81, - dup22, - setc("event_description","CHAP REPLAY ATTACK DETECTED"), - dup23, - ])); - - var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); - - var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to determine last modified time of JUNOS configuration database"), - dup23, - ])); - - var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); - - var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); - - var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate database object"), - dup23, - ])); - - var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); - - var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DB TABLE CREATE FAILURE"), - dup23, - ])); - - var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); - - var msg337 = msg("NASD_DUPLICATE", dup141); - - var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB CREATE FAILURE"), - dup23, - ])); - - var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); - - var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","EVLIB EXIT FAILURE"), - dup23, - ])); - - var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); - - var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate LOCAL module handle"), - dup23, - ])); - - var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); - - var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - 
setc("event_description","NASD must be run as root"), - dup23, - ])); - - var msg341 = msg("NASD_NOT_ROOT", part362); - - var msg342 = msg("NASD_PID_FILE_LOCK", dup142); - - var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); - - var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","POST CONFIGURE EVENT FAILED"), - dup23, - ])); - - var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); - - var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PPP READ FAILURE"), - dup23, - ])); - - var msg345 = msg("NASD_PPP_READ_FAILURE", part364); - - var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send message"), - dup23, - ])); - - var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); - - var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to send all of message"), - dup23, - ])); - - var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); - - var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ - dup30, - dup22, - setc("event_description","Unrecognized authentication protocol"), - dup23, - ])); - - var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); - - var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS password allocation failure"), - dup23, - ])); - - var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); - - var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CONFIG FAILED"), - dup23, - ])); - - var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); - - var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to allocate RADIUS module handle"), - dup23, - ])); - - var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); - - var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS CREATE REQUEST FAILED"), - dup23, - ])); - - var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); - - var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), - dup23, - ])); - - var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); - - var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown response from RADIUS server"), - 
dup23, - ])); - - var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); - - var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS OPEN FAILED"), - dup23, - ])); - - var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); - - var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SELECT FAILED"), - dup23, - ])); - - var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); - - var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RADIUS SET TIMER FAILED"), - dup23, - ])); - - var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); - - var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACE FILE OPEN FAILED"), - dup23, - ])); - - var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); - - var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","NASD Usage"), - dup23, - ])); - - var msg359 = msg("NASD_usage", part378); - - var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg360 = msg("NOTICE", part379); - - var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg361 = msg("PFE_FW_SYSLOG_IP", part380); - - var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup21, - dup22, - dup82, - dup23, - ])); - - var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); - - var select36 = linear_select([ - msg361, - msg362, - ]); - - var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup22, - setc("event_description","Next-hop resolution requests throttled"), - dup23, - ])); - - var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); - - var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST COMPLETED"), - dup23, - ])); - - var msg364 = msg("PING_TEST_COMPLETED", part383); - - var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","PING TEST FAILED"), - dup23, - ])); - - var msg365 = msg("PING_TEST_FAILED", part384); - - var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); - - var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); - - var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); - - var select37 = linear_select([ - 
part386, - part387, - ]); - - var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); - - var all21 = all_match({ - processors: [ - dup39, - dup137, - part385, - select37, - part388, - ], - on_success: processor_chain([ - dup21, - dup22, - dup83, - dup23, - ]), - }); - - var msg366 = msg("process_mode", all21); - - var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup21, - dup22, - dup83, - dup23, - ])); - - var msg367 = msg("process_mode:01", part389); - - var select38 = linear_select([ - msg366, - msg367, - ]); - - var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","process exit with status"), - dup23, - ])); - - var msg368 = msg("PWC_EXIT", part390); - - var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ - dup21, - dup22, - setc("event_description","Process released child from state"), - dup23, - ])); - - var msg369 = msg("PWC_HOLD_RELEASE", part391); - - var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","invalid runs argument"), - dup23, - ])); - - var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); - - var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","INVALID TIMEOUT 
ARGUMENT"), - dup23, - ])); - - var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); - - var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process received terminating signal"), - dup23, - ])); - - var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); - - var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ - dup30, - dup22, - setc("event_description","pwc is sending kill event to child"), - dup23, - ])); - - var msg373 = msg("PWC_KILL_EVENT", part395); - - var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to kill process"), - dup23, - ])); - - var msg374 = msg("PWC_KILL_FAILED", part396); - - var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","kevent failed"), - dup23, - ])); - - var msg375 = msg("PWC_KQUEUE_ERROR", part397); - - var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create kqueue"), - dup23, - ])); - - var msg376 = msg("PWC_KQUEUE_INIT", part398); - - var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to register 
kqueue filter"), - dup23, - ])); - - var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); - - var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file has bad format"), - dup23, - ])); - - var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); - - var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file error"), - dup23, - ])); - - var msg379 = msg("PWC_LOCKFILE_ERROR", part401); - - var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not found"), - dup23, - ])); - - var msg380 = msg("PWC_LOCKFILE_MISSING", part402); - - var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","PID lock file not locked"), - dup23, - ])); - - var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); - - var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ - dup30, - dup22, - setc("event_description","No process specified for PWC"), - dup23, - ])); - - var msg382 = msg("PWC_NO_PROCESS", part404); - - var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","pwc process exited with status"), - 
dup23, - ])); - - var msg383 = msg("PWC_PROCESS_EXIT", part405); - - var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process forcing hold down of child until signalled"), - dup23, - ])); - - var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); - - var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child until signalled"), - dup23, - ])); - - var msg385 = msg("PWC_PROCESS_HOLD", part407); - - var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Process not holding down child"), - dup23, - ])); - - var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); - - var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create child process with pidpopen"), - dup23, - ])); - - var msg387 = msg("PWC_PROCESS_OPEN", part409); - - var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Process holding down child"), - dup23, - ])); - - var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); - - var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Child process timed out"), - dup23, - ])); - - var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); - - var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","signal failure"), - dup23, - ])); - - var msg390 = msg("PWC_SIGNAL_INIT", part412); - - var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to connect socket to service"), - dup23, - ])); - - var msg391 = msg("PWC_SOCKET_CONNECT", part413); - - var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Failed to create socket"), - dup23, - ])); - - var msg392 = msg("PWC_SOCKET_CREATE", part414); - - var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to set socket option"), - dup23, - ])); - - var msg393 = msg("PWC_SOCKET_OPTION", part415); - - var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Write to stdout failed"), - dup23, - ])); - - var msg394 = msg("PWC_STDOUT_WRITE", part416); - - var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - 
dup21, - dup22, - setc("event_description","PWC SYSTEM CALL"), - dup23, - ])); - - var msg395 = msg("PWC_SYSTEM_CALL", part417); - - var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ - dup30, - dup22, - setc("event_description","Unknown kill option"), - dup23, - ])); - - var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); - - var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ - dup30, - dup22, - setc("event_description","Multicast address not allowed"), - dup23, - ])); - - var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); - - var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD ADDRESS SOURCE INVALID"), - dup23, - ])); - - var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); - - var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to convert numeric address to string"), - dup23, - ])); - - var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); - - var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","rmop_util_set_address status message invalid"), - dup23, - ])); - - var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); - - var msg401 = msg("RMOPD_DUPLICATE", dup141); - - var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ - dup30, - dup22, - setc("event_description","Only IPv4 source address is supported"), - dup23, - ])); - - var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); - - var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ - dup30, - dup22, - setc("event_description","No route to host"), - dup23, - ])); - - var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); - - var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NOT ACTIVE"), - dup23, - ])); - - var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); - - var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFINDEX NO INFO"), - dup23, - ])); - - var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); - - var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","RMOPD IFNAME NOT ACTIVE"), - dup23, - ])); - - var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); - - var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IFNAME NO INFO"), - dup23, - ])); - - var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); - - var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","RMOPD Must be run as root"), - dup23, - ])); - - var msg408 = msg("RMOPD_NOT_ROOT", part429); - - var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","No information for routing instance"), - dup23, - ])); - - var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); - - var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TRACEROUTE ERROR"), - dup23, - ])); - - var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); - - var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","RMOPD usage"), - dup23, - ])); - - var msg411 = msg("RMOPD_usage", part432); - - var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD ABORT"), - dup23, - ])); - - var msg412 = msg("RPD_ABORT", part433); - - var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD exiting with active tasks"), - dup23, - ])); - - var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); - - var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Assertion failed"), - dup23, - ])); - - var msg414 = msg("RPD_ASSERT", part435); - - var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD Soft assertion failed"), - dup23, - ])); - - var msg415 = msg("RPD_ASSERT_SOFT", part436); - - var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD EXIT"), - dup23, - ])); - - var msg416 = msg("RPD_EXIT", part437); - - var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); - - var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); - - var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS lost adjacency"), - dup23, - ])); - - var msg419 = msg("RPD_ISIS_ADJDOWN", part438); - - var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","IS-IS new adjacency"), - dup23, - ])); - - var msg420 = msg("RPD_ISIS_ADJUP", part439); - - var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS new adjacency 
without an address"), - dup23, - ])); - - var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); - - var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS LSP checksum error on iterface"), - dup23, - ])); - - var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); - - var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ - dup30, - dup22, - setc("event_description","IS-IS database overload"), - dup23, - ])); - - var msg423 = msg("RPD_ISIS_OVERLOAD", part442); - - var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","message with unsupported address family received"), - dup23, - ])); - - var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); - - var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ - dup30, - dup22, - setc("event_description","RPD KRT CCC IFL MODIFY"), - dup23, - ])); - - var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); - - var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","received deleted routing table from kernel"), - dup23, - ])); - - var msg426 = msg("RPD_KRT_DELETED_RTT", part445); - - var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifa generation mismatch"), - dup23, - ])); - - var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); - - var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","CHANGE for ifd failed"), - dup23, - ])); - - var msg428 = msg("RPD_KRT_IFDCHANGE", part447); - - var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET SERVICE failure on interface"), - dup23, - ])); - - var msg429 = msg("RPD_KRT_IFDEST_GET", part448); - - var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ - dup30, - dup22, - setc("event_description","GET index for ifd interface failed"), - dup23, - ])); - - var msg430 = msg("RPD_KRT_IFDGET", part449); - - var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifd generation mismatch"), - dup23, - ])); - - var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); - - var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE INVALID"), - dup23, 
- ])); - - var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); - - var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), - dup23, - ])); - - var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); - - var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","ifl generation mismatch"), - dup23, - ])); - - var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); - - var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","lost interface for route"), - dup23, - ])); - - var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); - - var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","number of next hops exceeded the maximum"), - dup23, - ])); - - var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); - - var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","No device for interface"), - dup23, - ])); - - var msg437 = msg("RPD_KRT_NOIFD", part456); - - var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","received routing table message for unknown table"), - dup23, - ])); - - var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); - - var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket version mismatch"), - dup23, - ])); - - var msg439 = msg("RPD_KRT_VERSION", part458); - - var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type not supported by kernel"), - dup23, - ])); - - var msg440 = msg("RPD_KRT_VERSIONNONE", part459); - - var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Routing socket message type version is older than expected"), - dup23, - ])); - - var msg441 = msg("RPD_KRT_VERSIONOLD", part460); - - var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Duplicate session ID detected"), - dup23, - ])); - - var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); - - var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP interface now unblocked"), - dup23, - ])); - - var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); - - var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - setc("eventcategory","1603030000"), - dup22, - setc("event_description","LDP neighbor down"), - dup23, - ])); - - var msg444 = msg("RPD_LDP_NBRDOWN", part463); - - var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","LDP neighbor up"), - dup23, - ])); - - var msg445 = msg("RPD_LDP_NBRUP", part464); - - var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LDP session down"), - dup23, - ])); - - var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); - - var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ - dup21, - dup22, - setc("event_description","LDP session up"), - dup23, - ])); - - var msg447 = msg("RPD_LDP_SESSIONUP", part466); - - var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain a lock"), - dup23, - ])); - - var msg448 = msg("RPD_LOCK_FLOCKED", part467); - - var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","Unable to obtain service lock"), - dup23, - ])); - - var msg449 = msg("RPD_LOCK_LOCKED", part468); - - var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP CHANGE"), - dup23, - ])); - - var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); - - var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MPLS LSP DOWN"), - dup23, - ])); - - var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); - - var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP SWITCH"), - dup23, - ])); - - var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); - - var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup21, - dup22, - setc("event_description","MPLS LSP UP"), - dup23, - ])); - - var msg453 = msg("RPD_MPLS_LSP_UP", part472); - - var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","MSDP PEER DOWN"), - dup23, - ])); - - var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); - - var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","MSDP PEER UP"), - dup23, - ])); - - var 
msg455 = msg("RPD_MSDP_PEER_UP", part474); - - var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","OSPF neighbor down"), - dup23, - ])); - - var msg456 = msg("RPD_OSPF_NBRDOWN", part475); - - var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","OSPF neighbor up"), - dup23, - ])); - - var msg457 = msg("RPD_OSPF_NBRUP", part476); - - var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ - dup51, - dup22, - setc("event_description","OS MEMHIGH"), - dup23, - ])); - - var msg458 = msg("RPD_OS_MEMHIGH", part477); - - var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","PIM neighbor down"), - setc("result","timeout"), - dup23, - ])); - - var msg459 = msg("RPD_PIM_NBRDOWN", part478); - - var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","PIM neighbor up"), - dup23, - ])); - - var msg460 = msg("RPD_PIM_NBRUP", part479); - - var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Bad checksum for router 
solicitation"), - dup23, - ])); - - var msg461 = msg("RPD_RDISC_CKSUM", part480); - - var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Ignoring interface"), - dup23, - ])); - - var msg462 = msg("RPD_RDISC_NOMULTI", part481); - - var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to locate interface for router"), - dup23, - ])); - - var msg463 = msg("RPD_RDISC_NORECVIF", part482); - - var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Expected multicast for router solicitation"), - dup23, - ])); - - var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); - - var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Nonzero ICMP code for router solicitation"), - dup23, - ])); - - var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); - - var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup30, - dup22, - setc("event_description","Insufficient length for router solicitation"), - dup23, - ])); - - var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); - 
- var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ - dup30, - dup22, - setc("event_description","RIP update with invalid authentication"), - dup23, - ])); - - var msg467 = msg("RPD_RIP_AUTH", part486); - - var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - unable to get broadcast address"), - dup23, - ])); - - var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); - - var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RIP - Unable to join multicast group"), - dup23, - ])); - - var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); - - var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","RIP interface up"), - dup23, - ])); - - var msg470 = msg("RPD_RT_IFUP", part489); - - var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); - - var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ - dup30, - dup22, - setc("event_description","excessive runtime after action of module"), - dup23, - ])); - - var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); - - var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); - - var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ - dup30, - dup22, - setc("event_description","task extended runtime"), - dup23, - ])); - - var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); - - var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ - dup30, - dup22, - setc("event_description","termination signal received for service"), - dup23, - ])); - - var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); - - var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","version built"), - dup23, - ])); - - var msg476 = msg("RPD_START", part493); - - var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","system command"), - dup23, - ])); - - var msg477 = msg("RPD_SYSTEM", part494); - - var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ - dup21, - dup22, - setc("event_description","Commencing routing updates"), - dup23, - ])); - - var msg478 = msg("RPD_TASK_BEGIN", part495); - - var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task killed by signal"), - dup23, - ])); - - var msg479 = msg("RPD_TASK_CHILDKILLED", part496); - - var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","task stopped by signal"), - dup23, - ])); - - var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); - - var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork task"), - dup23, - ])); - - var msg481 = msg("RPD_TASK_FORK", part498); - - var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","RPD TASK GETWD"), - dup23, - ])); - - var msg482 = msg("RPD_TASK_GETWD", part499); - - var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ - dup30, - dup22, - setc("event_description","Reinitialization not possible"), - dup23, - ])); - - var msg483 = msg("RPD_TASK_NOREINIT", part500); - - var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to close and remove task"), - dup23, - ])); - - var msg484 = msg("RPD_TASK_PIDCLOSED", part501); - - var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RPD TASK PIDFLOCK"), - dup23, - ])); - - var msg485 = msg("RPD_TASK_PIDFLOCK", part502); - - var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to write"), - dup23, - ])); - - var msg486 = msg("RPD_TASK_PIDWRITE", part503); - - var msg487 = msg("RPD_TASK_REINIT", dup149); - - var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","ignoring task signal"), - dup23, - ])); - - var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); - - var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","COS IPC op failed"), - dup23, - ])); - - var msg489 = msg("RT_COS", part505); - - var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); - - var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); - - var select39 = linear_select([ - part508, - dup91, - ]); - - var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); - - var select40 = linear_select([ - 
part510, - dup45, - ]); - - var all22 = all_match({ - processors: [ - dup87, - dup150, - part506, - dup151, - part507, - select39, - part509, - select40, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); - - var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); - - var select41 = linear_select([ - part511, - dup45, - ]); - - var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); - - var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); - - var select42 = linear_select([ - part513, - dup45, - ]); - - var all23 = all_match({ - processors: [ - dup87, - select41, - part512, - select42, - dup92, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - dup52, - ]), - }); - - var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); - - var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); - - var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); - - var select43 = linear_select([ - part514, - part515, - ]); - - var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); - - var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); - - var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); - - var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); - - var select44 = linear_select([ - part517, - part518, - part519, - ]); - - var all24 = all_match({ - processors: [ - select43, - part516, - select44, - ], - on_success: processor_chain([ - dup28, - dup53, - dup54, - dup22, - setc("event_description","session created"), - dup23, - ]), - }); - - var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); - - var select45 = linear_select([ - msg490, - msg491, - msg492, - ]); - - var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); - - var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); - - var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); - - var select46 = 
linear_select([ - part521, - part522, - dup45, - ]); - - var all25 = all_match({ - processors: [ - dup87, - dup150, - part520, - select46, - dup92, - ], - on_success: processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ]), - }); - - var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); - - var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ - dup93, - dup53, - dup94, - dup22, - dup52, - ])); - - var msg494 = msg("RT_FLOW_SESSION_DENY", part523); - - var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); - - var all26 = all_match({ - processors: [ - dup152, - part524, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); - - var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); - - var all27 = all_match({ - processors: [ - dup152, - part525, - ], - on_success: processor_chain([ - dup27, - dup53, - dup94, - dup22, - dup97, - dup23, - ]), - }); - - var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); - - var select47 = linear_select([ - msg493, - msg494, - msg495, - msg496, - ]); - - var select48 = linear_select([ - dup103, - dup45, - ]); - - var all28 = all_match({ - processors: [ - dup98, - dup150, - dup99, - dup151, - dup100, - dup153, - dup102, - select48, - dup92, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - ]), - }); - - var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); - - var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, - dup53, - dup55, - dup22, - dup52, - ])); - - var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); - - var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); - - var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); - - var select49 = linear_select([ - part527, - part528, - ]); - - var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); - - var all29 = all_match({ - processors: [ - select49, - part529, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup22, - setc("event_description","session closed"), - dup23, - ]), - }); - - var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); - - var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); - - var select50 = linear_select([ - dup103, - part530, - dup45, - ]); - - var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); - - var all30 = all_match({ - processors: [ - dup98, - dup150, - 
dup99, - dup151, - dup100, - dup153, - dup102, - select50, - part531, - ], - on_success: processor_chain([ - dup27, - dup53, - dup55, - dup104, - dup22, - dup52, - dup61, - ]), - }); - - var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); - - var select51 = linear_select([ - msg497, - msg498, - msg499, - msg500, - ]); - - var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ - dup30, - dup22, - setc("event_description","Fragmented traffic"), - dup23, - ])); - - var msg501 = msg("RT_SCREEN_IP", part532); - - var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg502 = msg("RT_SCREEN_IP:01", part533); - - var select52 = linear_select([ - msg501, - msg502, - ]); - - var msg503 = msg("RT_SCREEN_TCP", dup154); - - var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); - - var msg505 = msg("RT_SCREEN_UDP", dup154); - - var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ - dup27, - dup22, - setc("event_description","attempt to connect to interface failed"), - dup23, - 
])); - - var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); - - var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ - dup27, - dup22, - setc("event_description","unexpected termination of connection"), - dup23, - ])); - - var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); - - var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client interface connection failure"), - dup23, - ])); - - var msg508 = msg("SERVICED_CLIENT_ERROR", part537); - - var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","remote command execution failed"), - dup23, - ])); - - var msg509 = msg("SERVICED_COMMAND_FAILED", part538); - - var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","client commit configuration failed"), - dup23, - ])); - - var msg510 = msg("SERVICED_COMMIT_FAILED", part539); - - var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","configuration process failed"), - dup23, - ])); - - var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); - - var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONFIG ERROR"), - dup23, - ])); - - var msg512 = msg("SERVICED_CONFIG_ERROR", part541); - - var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service failed to read path"), - dup23, - ])); - - var msg513 = msg("SERVICED_CONFIG_FILE", part542); - - var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SERVICED CONNECTION ERROR"), - dup23, - ])); - - var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); - - var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","GGSN services disabled"), - dup23, - ])); - - var msg515 = msg("SERVICED_DISABLED_GGSN", part544); - - var msg516 = msg("SERVICED_DUPLICATE", dup141); - - var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","event function failed"), - dup23, - ])); - - var msg517 = msg("SERVICED_EVENT_FAILED", part545); - - var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","service initialization failed"), - dup23, - ])); - - var msg518 = msg("SERVICED_INIT_FAILED", part546); - - var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","memory allocation failure"), - dup23, - ])); - - var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); - - var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","NETWORK FAILURE"), - dup23, - ])); - - var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); - - var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup63, - dup22, - setc("event_description","SERVICED must be run as root"), - dup23, - ])); - - var msg521 = msg("SERVICED_NOT_ROOT", part549); - - var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); - - var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); - - var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","routing socket sequence error"), - dup23, - ])); - - var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); - - var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","set up of signal name handler failed"), - dup23, - ])); - - var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); - - var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed with error"), - dup23, - ])); - - var msg526 = msg("SERVICED_SOCKET_CREATE", part552); - - var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","socket function failed"), - dup23, - ])); - - var msg527 = msg("SERVICED_SOCKET_IO", part553); - - var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unable to set socket option"), - dup23, - ])); - - var msg528 = msg("SERVICED_SOCKET_OPTION", part554); - - var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","STDLIB FAILURE"), - dup23, - ])); - - var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); - - var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Incorrect service usage"), - dup23, - ])); - - var msg530 = msg("SERVICED_USAGE", part556); - - var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","object has unexpected value"), - dup23, - ])); - - var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); - - var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); - - var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); - - var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); - - var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ - dup21, - dup22, - setc("event_description","AgentX subagent connected"), - dup61, - dup23, - ])); - - var msg535 = msg("SNMP_NS_LOG_INFO", part558); - - var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ - dup21, - dup22, - setc("event_description","ns_subagent registering rows"), - dup61, - dup23, - ])); - - var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); - - var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ACCESS GROUP ERROR"), - dup23, - ])); - - var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); - - var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community to unknown community name"), - dup23, - ])); - - var msg538 = msg("SNMPD_AUTH_FAILURE", part561); - - var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","failed input interface authorization to unknown"), - dup23, - 
])); - - var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); - - var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ - dup30, - dup22, - dup105, - setc("result","unauthorized SNMP community "), - dup23, - ])); - - var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); - - var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ - dup30, - dup22, - dup105, - dup61, - dup62, - ])); - - var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); - - var select53 = linear_select([ - msg538, - msg539, - msg540, - msg541, - ]); - - var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP request exceeded community privileges"), - dup23, - ])); - - var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); - - var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ - dup48, - dup22, - setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), - setc("result","request not allowed"), - dup23, - ])); - - var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); - - var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","unauthorized SNMP PDU type"), - 
dup23, - ])); - - var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); - - var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ - dup30, - dup22, - setc("event_description","Configuration database has errors"), - dup23, - ])); - - var msg545 = msg("SNMPD_CONFIG_ERROR", part568); - - var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD CONTEXT ERROR"), - dup23, - ])); - - var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); - - var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD ENGINE FILE FAILURE"), - dup23, - ])); - - var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); - - var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ - dup30, - dup22, - setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), - dup23, - ])); - - var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); - - var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD FILE FAILURE"), - dup23, - ])); - - var msg549 = msg("SNMPD_FILE_FAILURE", part572); - - var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD GROUP ERROR"), - dup23, - ])); - - var msg550 = msg("SNMPD_GROUP_ERROR", part573); - - var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","snmpd initialization failure"), - dup23, - ])); - - var msg551 = msg("SNMPD_INIT_FAILED", part574); - - var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LIBJUNIPER FAILURE"), - dup23, - ])); - - var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); - - var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","LOOPBACK ADDR ERROR"), - dup23, - ])); - - var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); - - var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ - dup30, - dup22, - setc("event_description","duplicate memory free"), - dup23, - ])); - - var msg554 = msg("SNMPD_MEMORY_FREED", part577); - - var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","radix_add failed"), - dup23, - ])); - - var msg555 = msg("SNMPD_RADIX_FAILURE", part578); - - var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD RECEIVE FAILURE"), - dup23, - ])); - - var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); - - var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","RMONFILE FAILURE"), - dup23, - ])); - - var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); - - var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ - dup30, - dup22, - setc("event_description","Null cookie"), - dup23, - ])); - - var msg558 = msg("SNMPD_RMON_COOKIE", part581); - - var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","RMON EVENTLOG"), - dup23, - ])); - - var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); - - var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Received io error"), - dup23, - ])); - - var msg560 = msg("SNMPD_RMON_IOERROR", part583); - - var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","internal Get request error"), - dup23, - ])); - - var msg561 = msg("SNMPD_RMON_MIBERROR", part584); - - var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ - 
dup30, - dup22, - setc("event_description","sequence mismatch"), - dup23, - ])); - - var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); - - var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg563 = msg("SNMPD_SEND_FAILURE", part586); - - var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ - dup30, - dup22, - dup106, - dup23, - ])); - - var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); - - var select54 = linear_select([ - msg563, - msg564, - ]); - - var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD SOCKET FAILURE"), - dup23, - ])); - - var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); - - var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ - dup30, - dup22, - setc("event_description","No buffers available for subagent"), - dup23, - ])); - - var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); - - var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Send to subagent failed"), - dup23, - ])); - - var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); - - var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ - dup30, - dup22, - setc("event_description","system function failed"), - dup23, - ])); - - var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); - - var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ - dup21, - dup22, - setc("event_description","cleared all throttled traps"), - dup23, - ])); - - var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); - - var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP trap: cold start"), - dup23, - ])); - - var msg570 = msg("SNMPD_TRAP_COLD_START", part593); - - var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); - - var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ - dup30, - dup22, - dup107, - dup23, - ])); - - var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); - - var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP INVALID DATA"), - dup23, - ])); - - var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); - - var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ - 
dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR"), - dup23, - ])); - - var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); - - var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ - dup21, - dup22, - setc("event_description","Adding trap to queue"), - dup23, - ])); - - var msg575 = msg("SNMPD_TRAP_QUEUED", part598); - - var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ - dup21, - dup22, - setc("event_description","traps queued - sent successfully"), - dup23, - ])); - - var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); - - var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), - dup23, - ])); - - var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); - - var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP maximum queue size exceeded"), - dup23, - ])); - - var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); - - var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ - dup21, - dup22, - 
setc("event_description","SNMP traps throttled"), - dup23, - ])); - - var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); - - var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ - dup30, - dup22, - setc("event_description","unknown SNMP trap type requested"), - dup23, - ])); - - var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); - - var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), - dup23, - ])); - - var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); - - var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD TRAP ERROR - invalid version signature"), - dup23, - ])); - - var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); - - var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ - dup21, - dup22, - setc("event_description","SNMPD TRAP WARM START"), - dup23, - ])); - - var msg583 = msg("SNMPD_TRAP_WARM_START", part606); - - var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMPD USER ERROR"), - dup23, - ])); - - var msg584 = msg("SNMPD_USER_ERROR", part607); - - var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP deleting view"), - dup23, - ])); - - var msg585 = msg("SNMPD_VIEW_DELETE", part608); - - var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ - dup21, - dup22, - setc("event_description","installing default SNMP view"), - dup23, - ])); - - var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); - - var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","oid parsing failed for SNMP view"), - dup23, - ])); - - var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); - - var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP_GET_ERROR 1"), - dup23, - ])); - - var msg588 = msg("SNMP_GET_ERROR1", part611); - - var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 2"), - dup23, - ])); - - var msg589 = msg("SNMP_GET_ERROR2", part612); - - var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 
3"), - dup23, - ])); - - var msg590 = msg("SNMP_GET_ERROR3", part613); - - var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP GET ERROR 4"), - dup23, - ])); - - var msg591 = msg("SNMP_GET_ERROR4", part614); - - var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP RTSLIB FAILURE"), - dup23, - ])); - - var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); - - var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup30, - dup22, - dup108, - dup23, - ])); - - var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); - - var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ - dup30, - dup22, - dup108, - dup61, - dup62, - ])); - - var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); - - var select55 = linear_select([ - msg593, - msg594, - ]); - - var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup21, - dup22, - dup109, - dup23, - ])); - - var msg595 = msg("SNMP_TRAP_LINK_UP", part618); - - var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ - dup21, - dup22, - dup109, - dup61, - dup62, - ])); - - var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); - - var select56 = linear_select([ - msg595, - msg596, - ]); - - var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING PROBE FAILED"), - dup23, - ])); - - var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); - - var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP PING TEST COMPLETED"), - dup23, - ])); - - var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); - - var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP PING TEST FAILED"), - dup23, - ])); - - var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); - - var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), - dup23, - ])); - - var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); - - var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup21, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), - dup23, - ])); - - var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); - - var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup30, - dup22, - setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), - dup23, - ])); - - var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); - - var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup23, - ])); - - var msg603 = msg("SSHD_LOGIN_FAILED", part626); - - var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ - dup44, - dup34, - dup35, - dup36, - dup43, - dup22, - dup110, - dup61, - dup52, - setf("process","hfld33"), - ])); - - var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); - - var select57 = linear_select([ - msg603, - msg604, - ]); - - var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","task connect failure"), - dup23, - ])); - - var msg605 = msg("task_connect", part628); - - var msg606 = msg("TASK_TASK_REINIT", dup149); - - var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ - dup30, - dup22, 
- setc("event_description","Unexpected address family"), - dup23, - ])); - - var msg607 = msg("TFTPD_AF_ERR", part629); - - var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD BIND ERROR"), - dup23, - ])); - - var msg608 = msg("TFTPD_BIND_ERR", part630); - - var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CONNECT ERROR"), - dup23, - ])); - - var msg609 = msg("TFTPD_CONNECT_ERR", part631); - - var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD CONNECT INFO"), - dup23, - ])); - - var msg610 = msg("TFTPD_CONNECT_INFO", part632); - - var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD CREATE ERROR"), - dup23, - ])); - - var msg611 = msg("TFTPD_CREATE_ERR", part633); - - var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FIO ERR"), - dup23, - ])); - - var msg612 = msg("TFTPD_FIO_ERR", part634); - - var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD FORK ERROR"), - dup23, - ])); - - var msg613 = msg("TFTPD_FORK_ERR", part635); - - var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD NAK ERROR"), - dup23, - ])); - - var msg614 = msg("TFTPD_NAK_ERR", part636); - - var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ - dup30, - dup22, - dup78, - dup23, - ])); - - var msg615 = msg("TFTPD_OPEN_ERR", part637); - - var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD RECVCOMPLETE INFO"), - dup23, - ])); - - var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); - - var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECVFROM ERROR"), - dup23, - ])); - - var msg617 = msg("TFTPD_RECVFROM_ERR", part639); - - var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD RECV ERROR"), - dup23, - ])); - - var msg618 = msg("TFTPD_RECV_ERR", part640); - - var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ - dup21, - dup22, - setc("event_description","TFTPD SENDCOMPLETE INFO"), - dup23, - ])); - - var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); - - var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SEND ERROR"), - dup23, - ])); - - var msg620 = msg("TFTPD_SEND_ERR", part642); - - var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD SOCKET ERROR"), - dup23, - ])); - - var msg621 = msg("TFTPD_SOCKET_ERR", part643); - - var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","TFTPD STATFS ERROR"), - dup23, - ])); - - var msg622 = msg("TFTPD_STATFS_ERR", part644); - - var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ - dup21, - dup22, - setc("event_description","adding neighbor to interface"), - dup23, - ])); - - var msg623 = msg("TNP", part645); - - var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ - dup21, - dup22, - setc("event_description","tracing to file"), - dup23, - call({ - dest: "nwparser.filename", - fn: RMQ, - args: [ - field("fld33"), - ], - }), - ])); - - var msg624 = msg("trace_on", part646); - - var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","trace rotating file"), - dup23, - ])); - - var msg625 = msg("trace_rotate", part647); - - var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","transfered file"), - dup23, - ])); - - var msg626 = msg("transfer-file", 
part648); - - var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ - dup30, - dup22, - setc("event_description","ttloop - peer died"), - dup23, - ])); - - var msg627 = msg("ttloop", part649); - - var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated user"), - dup23, - ])); - - var msg628 = msg("UI_AUTH_EVENT", part650); - - var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ - dup30, - dup22, - setc("event_description","Received invalid authentication challenge for user response"), - dup23, - ])); - - var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); - - var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch boot time"), - dup23, - ])); - - var msg630 = msg("UI_BOOTTIME_FAILED", part652); - - var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ - dup30, - dup22, - setc("event_description","user path unknown"), - dup23, - ])); - - var msg631 = msg("UI_CFG_AUDIT_NEW", part653); - - var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ - dup42, - dup22, - 
setc("event_description"," user Inserted Security Policies in config"), - dup23, - ])); - - var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); - - var select58 = linear_select([ - msg631, - msg632, - ]); - - var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ - dup21, - dup22, - setc("event_description","User deleted file"), - setc("action","delete"), - dup23, - ])); - - var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); - - var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ - dup21, - dup22, - setc("event_description","User rollback file"), - dup23, - ])); - - var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); - - var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); - - var select59 = linear_select([ - part657, - dup112, - ]); - - var all31 = all_match({ - processors: [ - dup111, - select59, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","User set"), - dup23, - ]), - }); - - var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); - - var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ - dup21, - dup22, - setc("event_description","User config replace"), - setc("action","replace"), - dup23, - ])); - - var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); - - var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ - setc("eventcategory","1701070000"), - dup22, - setc("event_description","User deactivating group(s)"), - setc("action","deactivate"), - 
dup23, - ])); - - var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); - - var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ - dup113, - dup22, - setc("event_description","User updates config file"), - setc("action","update"), - dup23, - ])); - - var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); - - var select60 = linear_select([ - msg633, - msg634, - msg635, - msg636, - msg637, - msg638, - ]); - - var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); - - var select61 = linear_select([ - part661, - dup114, - ]); - - var all32 = all_match({ - processors: [ - dup111, - select61, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); - - var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); - - var select62 = linear_select([ - part662, - dup114, - ]); - - var all33 = all_match({ - processors: [ - dup111, - select62, - dup115, - ], - on_success: processor_chain([ - dup21, - dup22, - dup116, - dup23, - ]), - }); - - var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); - - var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ - dup21, - dup22, - setc("event_description","User replace config application(s)"), - dup23, - ])); - - var msg641 = msg("UI_CFG_AUDIT_SET", part663); - - var select63 = linear_select([ - msg639, - msg640, - msg641, - ]); - - var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); - - var all34 = all_match({ - processors: [ - dup117, - dup156, - part664, - ], - on_success: 
processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); - - var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); - - var all35 = all_match({ - processors: [ - dup117, - dup156, - part665, - ], - on_success: processor_chain([ - dup113, - dup22, - dup120, - dup23, - ]), - }); - - var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); - - var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ - dup21, - dup22, - setc("event_description","UI CFG AUDIT SET SECRET"), - dup23, - ])); - - var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); - - var select64 = linear_select([ - msg642, - msg643, - msg644, - ]); - - var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ - dup30, - dup22, - setc("event_description","Too many arguments for child process"), - dup23, - ])); - - var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); - - var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to switch to local user"), - dup23, - ])); - - var msg646 = msg("UI_CHILD_CHANGE_USER", part668); - - var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Child exec failed"), - dup23, - ])); - - var msg647 = msg("UI_CHILD_EXEC", part669); - - var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup30, - dup22, - setc("event_description","Child exited"), - dup23, - ])); - - var msg648 = msg("UI_CHILD_EXITED", part670); - - var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to append to log"), - dup23, - ])); - - var msg649 = msg("UI_CHILD_FOPEN", part671); - - var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create pipe for command"), - dup23, - ])); - - var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); - - var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ - dup21, - dup22, - dup61, - setc("event_description","Child received signal"), - dup23, - ])); - - var msg651 = msg("UI_CHILD_SIGNALED", part673); - - var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ - dup21, - dup22, - setc("event_description","Child stopped"), - dup23, - ])); - - var msg652 = msg("UI_CHILD_STOPPED", part674); - - var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ - dup21, - dup22, - setc("event_description","Starting child"), - dup23, - ])); - - var msg653 = msg("UI_CHILD_START", part675); - - var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Cleanup child"), - dup23, - ])); - - var msg654 = msg("UI_CHILD_STATUS", part676); - - var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","waitpid failed"), - dup23, - ])); - - var msg655 = msg("UI_CHILD_WAITPID", part677); - - var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Idle timeout for user exceeded"), - dup23, - ])); - - var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); - - var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg657 = msg("UI_CMDLINE_READ_LINE", part679); - - var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Command execution failed"), - dup23, - ])); - - var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); - - var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fork command"), - dup23, - ])); - - var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); - - var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); - - var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup70, - dup23, - ])); - - var msg661 = msg("UI_CMDSET_STOPPED", part682); - - var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ - dup30, - dup22, - dup72, - dup23, - ])); - - var msg662 = msg("UI_CMDSET_WEXITED", part683); - - var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Invalid regexp command"), - dup23, - ])); - - var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); - - var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); - - var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); - - var select65 = linear_select([ - part685, - part686, - ]); - - var all36 = all_match({ - processors: [ - dup117, - select65, - ], - on_success: processor_chain([ - dup21, - dup22, - dup122, - dup23, - ]), - }); - - var msg664 = msg("UI_COMMIT", all36); - - var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ - dup21, - dup22, - dup122, - dup23, - ])); - - var msg665 = msg("UI_COMMIT_AT", part687); - - var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ - dup21, - dup22, - setc("event_description","User commit successful"), - dup23, - ])); - - var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); - - var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ - dup30, - dup22, - setc("event_description","User commit failed"), - dup23, - ])); - - var msg667 = msg("UI_COMMIT_AT_FAILED", part689); - - var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to compress file"), - dup23, - ])); - - var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); - - var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","UI COMMIT CONFIRMED"), - dup23, - ])); - - var msg669 = msg("UI_COMMIT_CONFIRMED", part691); - - var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); - - var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); - - var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); - - var select66 = linear_select([ - part693, - part694, - ]); - - var all37 = all_match({ - processors: [ - part692, - select66, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT must be confirmed within # minutes"), - dup23, - ]), - }); - - var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); - - var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); - - var all38 = all_match({ - processors: [ - dup50, - dup145, - part695, - ], - on_success: processor_chain([ - dup21, - 
dup22, - setc("event_description","user performed commit confirm"), - dup23, - ]), - }); - - var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); - - var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Skipped empty object"), - dup23, - ])); - - var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); - - var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","COMMIT NOT CONFIRMED"), - dup23, - ])); - - var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); - - var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); - - var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); - - var select67 = linear_select([ - part698, - part699, - ]); - - var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); - - var all39 = all_match({ - processors: [ - dup50, - select67, - part700, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","Commit operation in progress"), - dup23, - ]), - }); - - var msg674 = msg("UI_COMMIT_PROGRESS", all39); - - var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT QUIT"), - dup23, - ])); - - var msg675 = msg("UI_COMMIT_QUIT", part701); - - var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rollback failed"), - dup23, - ])); - - var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); - - var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup21, - dup22, - setc("event_description","COMMIT SYNC"), - dup23, - ])); - - var msg677 = msg("UI_COMMIT_SYNC", part703); - - var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","All logins to local configuration database were terminated"), - dup23, - ])); - - var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); - - var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); - - var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); - - var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); - - var select68 = linear_select([ - part706, - part707, - ]); - - var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); - - var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); - - var select69 = linear_select([ - part709, - dup112, - ]); - - var all40 = all_match({ - processors: [ - part705, - select68, - part708, - select69, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","CONFIGURATION ERROR"), - dup23, - ]), - }); - - var msg679 = msg("UI_CONFIGURATION_ERROR", all40); - - var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); - - var all41 = all_match({ - processors: [ - dup50, - dup157, - part710, - ], - on_success: processor_chain([ - dup30, - dup22, - 
setc("event_description","socket connection accept failed"), - dup23, - ]), - }); - - var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); - - var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to create session child"), - dup23, - ])); - - var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); - - var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","DAEMON SELECT FAILED"), - dup23, - ])); - - var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); - - var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); - - var all42 = all_match({ - processors: [ - dup50, - dup157, - part713, - ], - on_success: processor_chain([ - dup30, - dup22, - setc("event_description","socket create failed"), - dup23, - ]), - }); - - var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); - - var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to reaccess database file"), - dup23, - ])); - - var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); - - var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ - dup30, - dup22, - setc("event_description","Database is out of data"), - dup23, - ])); - - var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); - - var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to extend database file"), - dup23, - ])); - - var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); - - var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - setc("event_description","User entering configuration mode"), - dup23, - ])); - - var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); - - var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User exiting configuration mode"), - dup23, - ])); - - var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); - - var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header extent mismatch"), - dup23, - ])); - - var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); - - var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header major version number mismatch"), - dup23, - ])); - - var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); - - var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header minor version number mismatch"), - dup23, - ])); - - var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); - - var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ - dup30, - dup22, - setc("event_description","Database header sequence numbers mismatch"), - dup23, - ])); - - var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); - - var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup30, - dup22, - setc("event_description","Database header size mismatch"), - dup23, - ])); - - var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); - - var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Database open failed"), - dup23, - ])); - - var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); - - var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ - dup30, - dup22, - setc("event_description","DBASE REBUILD FAILED"), - dup23, - ])); - - var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); - - var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Automatic rebuild of the database failed"), - dup23, - ])); - - var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); - - var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); - - var select70 = linear_select([ - dup76, - part727, - ]); - - var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); - - var all43 = all_match({ - processors: [ - dup50, - select70, - part728, - ], - on_success: processor_chain([ - dup21, - dup22, - setc("event_description","DBASE REBUILD STARTED"), - dup23, - ]), - }); - - var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); - - var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ - dup21, - dup22, - setc("event_description","user attempting database re-creation"), - dup23, - ])); - - var msg698 = msg("UI_DBASE_RECREATE", part729); - - var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ - dup30, - dup22, - setc("event_description","Reopen of the database failed"), - dup23, - ])); - - var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); - - var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ - dup30, - dup22, - setc("event_description","Users have the same UID"), - dup23, - ])); - - var msg700 = msg("UI_DUPLICATE_UID", part731); - - var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ - setc("eventcategory","1401050100"), - dup22, - setc("event_description","User used JUNOScript client to run command"), - dup23, - ])); - - var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); - - var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","JUNOScript error"), - dup23, - ])); - - var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); - - var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ - dup21, - dup22, - setc("event_description","User command"), - dup23, - ])); - - var msg703 = msg("UI_LOAD_EVENT", part734); - - var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ - setc("eventcategory","1701040000"), - dup22, - setc("event_description","Loading default config from file"), - dup23, - ])); - - var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); - - var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup128, - dup23, - ])); - - var msg705 = msg("UI_LOGIN_EVENT:01", part736); - - var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ - dup33, - dup34, - dup35, - dup36, - dup37, - dup22, - dup127, - dup23, - ])); - - var msg706 = msg("UI_LOGIN_EVENT", part737); - - var select71 = linear_select([ - msg705, - 
msg706, - ]); - - var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","User logout"), - dup23, - ])); - - var msg707 = msg("UI_LOGOUT_EVENT", part738); - - var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ - dup30, - dup22, - setc("event_description","Lost connection to daemon"), - dup23, - ])); - - var msg708 = msg("UI_LOST_CONN", part739); - - var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ - dup21, - dup22, - setc("event_description","MASTERSHIP EVENT"), - dup23, - ])); - - var msg709 = msg("UI_MASTERSHIP_EVENT", part740); - - var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ - dup21, - dup22, - setc("event_description","Terminating operation"), - dup23, - ])); - - var msg710 = msg("UI_MGD_TERMINATE", part741); - - var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ - dup29, - dup22, - setc("event_description","User used NETCONF client to run command"), - dup23, - ])); - - var msg711 = msg("UI_NETCONF_CMD", part742); - - var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","read failed for peer"), - dup23, - ])); - - var msg712 = msg("UI_READ_FAILED", part743); - - var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ - dup30, - dup22, - setc("event_description","Timeout on read of peer"), - dup23, - ])); - - var msg713 = msg("UI_READ_TIMEOUT", part744); - - var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ - dup60, - dup22, - setc("event_description","System reboot or halt"), - dup23, - ])); - - var msg714 = msg("UI_REBOOT_EVENT", part745); - - var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ - dup29, - dup22, - setc("event_description","user restarting daemon"), - dup23, - ])); - - var msg715 = msg("UI_RESTART_EVENT", part746); - - var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema is out of date"), - dup23, - ])); - - var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); - - var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema major version mismatch"), - dup23, - ])); - - var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); - - var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Schema minor version mismatch"), - dup23, - ])); - - var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); - 
- var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ - dup30, - dup22, - setc("event_description","Schema header sequence numbers mismatch"), - dup23, - ])); - - var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); - - var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ - dup30, - dup22, - setc("event_description","Schema sequence number mismatch"), - dup23, - ])); - - var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); - - var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ - dup21, - dup22, - setc("event_description","Configuration synchronization with remote Routing Engine"), - dup23, - ])); - - var msg721 = msg("UI_SYNC_OTHER_RE", part752); - - var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg722 = msg("UI_TACPLUS_ERROR", part753); - - var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ - dup30, - dup22, - setc("event_description","Unable to fetch system version"), - dup23, - ])); - - var msg723 = msg("UI_VERSION_FAILED", part754); - - var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ - dup21, - dup22, - setc("event_description","Re-establishing connection to peer"), - dup23, - ])); - - var msg724 = 
msg("UI_WRITE_RECONNECT", part755); - - var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ - dup21, - dup22, - setc("event_description","Interface new master for User"), - dup23, - ])); - - var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); - - var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ - dup69, - dup34, - dup35, - dup43, - dup22, - setc("event_description","Unable to authenticate client"), - dup23, - ])); - - var msg726 = msg("WEB_AUTH_FAIL", part757); - - var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ - dup80, - dup34, - dup35, - dup37, - dup22, - setc("event_description","Authenticated client"), - dup23, - ])); - - var msg727 = msg("WEB_AUTH_SUCCESS", part758); - - var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ - setc("eventcategory","1001030300"), - dup22, - setc("event_description","web request from unauthorized interface"), - dup23, - ])); - - var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); - - var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ - dup74, - dup22, - setc("event_description","Unable to read from client"), - dup23, - ])); - - var msg729 = msg("WEB_READ", part760); - - var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ - setc("eventcategory","1204020100"), - dup22, - setc("event_description","failed to check web request"), - dup23, - ])); - - var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); - - var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ - dup74, - dup53, - dup43, - dup22, - dup52, - ])); - - var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); - - var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ - dup29, - dup22, - setc("event_description","Bridge Address"), - dup23, - ])); - - var msg732 = msg("eswd", part763); - - var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ - dup29, - dup22, - setc("event_description","ESWD STP State Change Info"), - dup23, - ])); - - var msg733 = msg("eswd:01", part764); - - var select72 = linear_select([ - msg732, - msg733, - ]); - - var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ - dup29, - dup22, - dup26, - dup23, - ])); - - var msg734 = msg("/usr/sbin/cron", part765); - - var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","Link status change event"), - dup23, - ])); - - var msg735 = msg("chassism:02", part766); - - var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","ifd process flaps"), - 
dup23, - ])); - - var msg736 = msg("chassism:01", part767); - - var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ - dup29, - dup22, - setc("event_description","IFCM "), - dup23, - ])); - - var msg737 = msg("chassism", part768); - - var select73 = linear_select([ - msg735, - msg736, - msg737, - ]); - - var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); - - var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); - - var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); - - var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); - - var select74 = linear_select([ - msg738, - msg739, - msg740, - msg741, - ]); - - var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); - - var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); - - var select75 = linear_select([ - msg742, - msg743, - ]); - - var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); - - var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ - dup46, - dup47, - dup23, - ])); - - var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); - - var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - 
dup128, - ])); - - var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); - - var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); - - var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ - dup48, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); - - var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ - dup46, - dup47, - dup23, - dup22, - dup128, - ])); - - var msg749 = msg("LACPD_TIMEOUT", part778); - - var msg750 = msg("cli", dup159); - - var msg751 = msg("pfed", dup159); - - var msg752 = msg("idpinfo", dup159); - - var msg753 = msg("kmd", dup159); - - var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg754 = msg("node:01", part779); - - var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg755 = msg("node:02", part780); - - var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg756 = msg("node:03", part781); - - var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg757 = msg("node:04", part782); - - var select76 = linear_select([ - dup131, - dup132, - ]); - - var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); - - var select77 = linear_select([ - dup132, - dup131, - ]); - - var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); - - var all44 = all_match({ - processors: [ - dup130, - select76, - part783, - select77, - part784, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg758 = msg("node:05", all44); - - var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); - - var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); - - var select78 = linear_select([ - part785, - part786, - ]); - - var all45 = all_match({ - processors: [ - dup130, - select78, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - ]), - }); - - var msg759 = msg("node:06", all45); - - var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg760 = msg("node:07", part787); - - var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg761 = msg("node:08", part788); - - var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ - dup21, - dup23, - dup22, - ])); - - var msg762 = msg("node:09", part789); - - var select79 = linear_select([ - msg754, - msg755, - msg756, - msg757, - msg758, - msg759, - msg760, - msg761, - msg762, - ]); - - var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg763 = msg("(FPC:01", part790); - - var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg764 = msg("(FPC:02", part791); - - var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); - - var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); - - var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); - - var select80 = linear_select([ - part793, - part794, - ]); - - var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); - - var all46 = all_match({ - processors: [ - part792, - select80, - part795, - ], - on_success: processor_chain([ - dup21, - dup23, - dup22, - dup24, - ]), - }); - - var msg765 = msg("(FPC:03", all46); - - var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg766 = msg("(FPC:04", part796); - - var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg767 = msg("(FPC:05", part797); - - var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ - dup21, - dup23, - dup22, - dup24, - ])); - - var msg768 = msg("(FPC", part798); - - var select81 = linear_select([ - msg763, - msg764, - msg765, - msg766, 
- msg767, - msg768, - ]); - - var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ - dup48, - dup23, - dup22, - dup24, - ])); - - var msg769 = msg("tnp.bootpd", part799); - - var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ - dup48, - dup52, - dup22, - dup61, - ])); - - var msg770 = msg("AAMW_ACTION_LOG", part800); - - var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - dup61, - ])); - - var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); - - var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup133, - dup52, - dup22, - ])); - - var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); - - var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); - - var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ - dup81, - dup52, - dup22, - dup61, - ])); - - var msg774 = msg("RT_SCREEN_ICMP", part804); - - var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ - dup46, - dup52, - dup22, - dup61, - ])); - - var msg775 = msg("SECINTEL_ACTION_LOG", part805); - - var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); - - var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); - - var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); - - var select82 = linear_select([ - part807, - part808, - ]); - - var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); - - var all47 = all_match({ - processors: [ - part806, - select82, - part809, - ], - on_success: processor_chain([ - dup21, - dup22, - dup23, - ]), - }); - - var msg776 = msg("qsfp", all47); - - var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup21, - dup22, - dup121, - dup23, - ])); - - var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); - - var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup125, - dup34, - dup35, - dup126, - dup37, - dup22, - setc("event_description","LOGOUT"), - dup23, - ])); - - var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); - - var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup30, - dup22, - dup129, - dup23, - ])); - - var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); - - var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup30, - dup22, - dup57, - dup23, - ])); - - var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); - - var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup21, - dup22, - dup38, - dup23, - ])); - - var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); - - var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); - - var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); - - var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); - - var select83 = linear_select([ - part816, - part817, - ]); - - var all48 = all_match({ - processors: [ - part815, - select83, - ], - on_success: processor_chain([ - dup21, - dup22, - dup38, - dup23, - ]), - }); - - var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); - - var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ - dup21, - dup22, - dup23, - ])); - - var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); - - var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failed "), - dup24, - ])); - - var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); - - var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - setc("event_description","Interface Monitor failure recovered"), - dup24, - ])); - - var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); - - var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ - dup134, - dup23, - dup22, - dup24, - ])); - - var msg786 = msg("JUNOSROUTER_GENERIC", part821); - - var select84 = linear_select([ - msg777, - msg778, - msg779, - msg780, - msg781, - msg782, - msg783, - msg784, - msg785, - msg786, - ]); - - var chain1 = processor_chain([ - select5, - msgid_select({ - "(FPC": select81, - "/usr/libexec/telnetd": msg2, - "/usr/sbin/cron": msg734, - "/usr/sbin/sshd": msg1, - "AAMWD_NETWORK_CONNECT_FAILED": msg745, - "AAMW_ACTION_LOG": msg770, - "AAMW_HOST_INFECTED_EVENT_LOG": msg771, - "AAMW_MALWARE_EVENT_LOG": msg772, - "ACCT_ACCOUNTING_FERROR": msg114, - "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, - "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, - "ACCT_BAD_RECORD_FORMAT": msg117, - "ACCT_CU_RTSLIB_error": msg118, - "ACCT_GETHOSTNAME_error": msg119, - "ACCT_MALLOC_FAILURE": msg120, - "ACCT_UNDEFINED_COUNTER_NAME": msg121, - "ACCT_XFER_FAILED": msg122, - "ACCT_XFER_POPEN_FAIL": msg123, - "APPQOS_LOG_EVENT": msg124, - "APPTRACK_SESSION_CLOSE": select30, - "APPTRACK_SESSION_CREATE": msg125, - "APPTRACK_SESSION_VOL_UPDATE": select31, - "BCHIP": msg106, - "BFDD_TRAP_STATE_DOWN": msg130, - "BFDD_TRAP_STATE_UP": msg131, - "BOOTPD_ARG_ERR": msg143, - "BOOTPD_BAD_ID": msg144, - "BOOTPD_BOOTSTRING": msg145, - "BOOTPD_CONFIG_ERR": msg146, - "BOOTPD_CONF_OPEN": msg147, - "BOOTPD_DUP_REV": msg148, - "BOOTPD_DUP_SLOT": msg149, - "BOOTPD_MODEL_CHK": msg150, - "BOOTPD_MODEL_ERR": msg151, - "BOOTPD_NEW_CONF": msg152, - "BOOTPD_NO_BOOTSTRING": msg153, - "BOOTPD_NO_CONFIG": msg154, - "BOOTPD_PARSE_ERR": msg155, - 
"BOOTPD_REPARSE": msg156, - "BOOTPD_SELECT_ERR": msg157, - "BOOTPD_TIMEOUT": msg158, - "BOOTPD_VERSION": msg159, - "CHASSISD": msg160, - "CHASSISD_ARGUMENT_ERROR": msg161, - "CHASSISD_BLOWERS_SPEED": msg162, - "CHASSISD_BLOWERS_SPEED_FULL": msg163, - "CHASSISD_CB_READ": msg164, - "CHASSISD_COMMAND_ACK_ERROR": msg165, - "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, - "CHASSISD_CONCAT_MODE_ERROR": msg167, - "CHASSISD_CONFIG_INIT_ERROR": msg168, - "CHASSISD_CONFIG_WARNING": msg169, - "CHASSISD_EXISTS": msg170, - "CHASSISD_EXISTS_TERM_OTHER": msg171, - "CHASSISD_FILE_OPEN": msg172, - "CHASSISD_FILE_STAT": msg173, - "CHASSISD_FRU_EVENT": msg174, - "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, - "CHASSISD_FRU_STEP_ERROR": msg176, - "CHASSISD_GETTIMEOFDAY": msg177, - "CHASSISD_HIGH_TEMP_CONDITION": msg214, - "CHASSISD_HOST_TEMP_READ": msg178, - "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, - "CHASSISD_IFDEV_DETACH_FPC": msg180, - "CHASSISD_IFDEV_DETACH_PIC": msg181, - "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, - "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, - "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, - "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, - "CHASSISD_IPC_UNEXPECTED_RECV": msg186, - "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, - "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, - "CHASSISD_MAC_ADDRESS_ERROR": msg189, - "CHASSISD_MAC_DEFAULT": msg190, - "CHASSISD_MBUS_ERROR": msg191, - "CHASSISD_PARSE_COMPLETE": msg192, - "CHASSISD_PARSE_ERROR": msg193, - "CHASSISD_PARSE_INIT": msg194, - "CHASSISD_PIDFILE_OPEN": msg195, - "CHASSISD_PIPE_WRITE_ERROR": msg196, - "CHASSISD_POWER_CHECK": msg197, - "CHASSISD_RECONNECT_SUCCESSFUL": msg198, - "CHASSISD_RELEASE_MASTERSHIP": msg199, - "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, - "CHASSISD_ROOT_MOUNT_ERROR": msg201, - "CHASSISD_RTS_SEQ_ERROR": msg202, - "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, - "CHASSISD_SERIAL_ID": msg204, - "CHASSISD_SMB_ERROR": msg205, - "CHASSISD_SNMP_TRAP10": msg208, - "CHASSISD_SNMP_TRAP6": msg206, - "CHASSISD_SNMP_TRAP7": 
msg207, - "CHASSISD_TERM_SIGNAL": msg209, - "CHASSISD_TRACE_PIC_OFFLINE": msg210, - "CHASSISD_UNEXPECTED_EXIT": msg211, - "CHASSISD_UNSUPPORTED_MODEL": msg212, - "CHASSISD_VERSION_MISMATCH": msg213, - "CM": msg107, - "CM_JAVA": msg216, - "COS": msg108, - "COSFPC": msg109, - "COSMAN": msg110, - "CRON": msg16, - "CROND": select11, - "Cmerror": msg17, - "DCD_AS_ROOT": msg217, - "DCD_FILTER_LIB_ERROR": msg218, - "DCD_MALLOC_FAILED_INIT": msg219, - "DCD_PARSE_EMERGENCY": msg220, - "DCD_PARSE_FILTER_EMERGENCY": msg221, - "DCD_PARSE_MINI_EMERGENCY": msg222, - "DCD_PARSE_STATE_EMERGENCY": msg223, - "DCD_POLICER_PARSE_EMERGENCY": msg224, - "DCD_PULL_LOG_FAILURE": msg225, - "DFWD_ARGUMENT_ERROR": msg226, - "DFWD_MALLOC_FAILED_INIT": msg227, - "DFWD_PARSE_FILTER_EMERGENCY": msg228, - "DFWD_PARSE_STATE_EMERGENCY": msg229, - "ECCD_DAEMONIZE_FAILED": msg230, - "ECCD_DUPLICATE": msg231, - "ECCD_LOOP_EXIT_FAILURE": msg232, - "ECCD_NOT_ROOT": msg233, - "ECCD_PCI_FILE_OPEN_FAILED": msg234, - "ECCD_PCI_READ_FAILED": msg235, - "ECCD_PCI_WRITE_FAILED": msg236, - "ECCD_PID_FILE_LOCK": msg237, - "ECCD_PID_FILE_UPDATE": msg238, - "ECCD_TRACE_FILE_OPEN_FAILED": msg239, - "ECCD_usage": msg240, - "EVENT": msg23, - "EVENTD_AUDIT_SHOW": msg241, - "FLOW_REASSEMBLE_FAIL": msg731, - "FLOW_REASSEMBLE_SUCCEED": msg242, - "FSAD_CHANGE_FILE_OWNER": msg243, - "FSAD_CONFIG_ERROR": msg244, - "FSAD_CONNTIMEDOUT": msg245, - "FSAD_FAILED": msg246, - "FSAD_FETCHTIMEDOUT": msg247, - "FSAD_FILE_FAILED": msg248, - "FSAD_FILE_REMOVE": msg249, - "FSAD_FILE_RENAME": msg250, - "FSAD_FILE_STAT": msg251, - "FSAD_FILE_SYNC": msg252, - "FSAD_MAXCONN": msg253, - "FSAD_MEMORYALLOC_FAILED": msg254, - "FSAD_NOT_ROOT": msg255, - "FSAD_PARENT_DIRECTORY": msg256, - "FSAD_PATH_IS_DIRECTORY": msg257, - "FSAD_PATH_IS_SPECIAL": msg258, - "FSAD_RECVERROR": msg259, - "FSAD_TERMINATED_CONNECTION": msg260, - "FSAD_TERMINATING_SIGNAL": msg261, - "FSAD_TRACEOPEN_FAILED": msg262, - "FSAD_USAGE": msg263, - "Failed": select25, - 
"GGSN_ALARM_TRAP_FAILED": msg264, - "GGSN_ALARM_TRAP_SEND": msg265, - "GGSN_TRAP_SEND": msg266, - "IDP_ATTACK_LOG_EVENT": msg773, - "JADE_AUTH_ERROR": msg267, - "JADE_EXEC_ERROR": msg268, - "JADE_NO_LOCAL_USER": msg269, - "JADE_PAM_ERROR": msg270, - "JADE_PAM_NO_LOCAL_USER": msg271, - "JSRPD_HA_CONTROL_LINK_UP": msg748, - "JUNOSROUTER_GENERIC": select84, - "KERN_ARP_ADDR_CHANGE": msg272, - "KMD_PM_SA_ESTABLISHED": msg273, - "L2CPD_TASK_REINIT": msg274, - "LACPD_TIMEOUT": msg749, - "LIBJNX_EXEC_EXITED": msg275, - "LIBJNX_EXEC_FAILED": msg276, - "LIBJNX_EXEC_PIPE": msg277, - "LIBJNX_EXEC_SIGNALED": msg278, - "LIBJNX_EXEC_WEXIT": msg279, - "LIBJNX_FILE_COPY_FAILED": msg280, - "LIBJNX_PRIV_LOWER_FAILED": msg281, - "LIBJNX_PRIV_RAISE_FAILED": msg282, - "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, - "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, - "LIBSERVICED_CLIENT_CONNECTION": msg285, - "LIBSERVICED_OUTBOUND_REQUEST": msg286, - "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, - "LIBSERVICED_SOCKET_BIND": msg288, - "LIBSERVICED_SOCKET_PRIVATIZE": msg289, - "LICENSE_EXPIRED": msg290, - "LICENSE_EXPIRED_KEY_DELETED": msg291, - "LICENSE_NEARING_EXPIRY": msg292, - "LOGIN_ABORTED": msg293, - "LOGIN_FAILED": msg294, - "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, - "LOGIN_FAILED_SET_CONTEXT": msg296, - "LOGIN_FAILED_SET_LOGIN": msg297, - "LOGIN_HOSTNAME_UNRESOLVED": msg298, - "LOGIN_INFORMATION": msg299, - "LOGIN_INVALID_LOCAL_USER": msg300, - "LOGIN_MALFORMED_USER": msg301, - "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, - "LOGIN_PAM_ERROR": msg303, - "LOGIN_PAM_MAX_RETRIES": msg304, - "LOGIN_PAM_NONLOCAL_USER": msg305, - "LOGIN_PAM_STOP": msg306, - "LOGIN_PAM_USER_UNKNOWN": msg307, - "LOGIN_PASSWORD_EXPIRED": msg308, - "LOGIN_REFUSED": msg309, - "LOGIN_ROOT": msg310, - "LOGIN_TIMED_OUT": msg311, - "MIB2D_ATM_ERROR": msg312, - "MIB2D_CONFIG_CHECK_FAILED": msg313, - "MIB2D_FILE_OPEN_FAILURE": msg314, - "MIB2D_IFD_IFINDEX_FAILURE": msg315, - "MIB2D_IFL_IFINDEX_FAILURE": msg316, - 
"MIB2D_INIT_FAILURE": msg317, - "MIB2D_KVM_FAILURE": msg318, - "MIB2D_RTSLIB_READ_FAILURE": msg319, - "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, - "MIB2D_SYSCTL_FAILURE": msg321, - "MIB2D_TRAP_HEADER_FAILURE": msg322, - "MIB2D_TRAP_SEND_FAILURE": msg323, - "MRVL-L2": msg56, - "Multiuser": msg324, - "NASD_AUTHENTICATION_CREATE_FAILED": msg325, - "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, - "NASD_CHAP_GETHOSTNAME_FAILED": msg327, - "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, - "NASD_CHAP_INVALID_OPCODE": msg329, - "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, - "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, - "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, - "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, - "NASD_DAEMONIZE_FAILED": msg334, - "NASD_DB_ALLOC_FAILURE": msg335, - "NASD_DB_TABLE_CREATE_FAILURE": msg336, - "NASD_DUPLICATE": msg337, - "NASD_EVLIB_CREATE_FAILURE": msg338, - "NASD_EVLIB_EXIT_FAILURE": msg339, - "NASD_LOCAL_CREATE_FAILED": msg340, - "NASD_NOT_ROOT": msg341, - "NASD_PID_FILE_LOCK": msg342, - "NASD_PID_FILE_UPDATE": msg343, - "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, - "NASD_PPP_READ_FAILURE": msg345, - "NASD_PPP_SEND_FAILURE": msg346, - "NASD_PPP_SEND_PARTIAL": msg347, - "NASD_PPP_UNRECOGNIZED": msg348, - "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, - "NASD_RADIUS_CONFIG_FAILED": msg350, - "NASD_RADIUS_CREATE_FAILED": msg351, - "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, - "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, - "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, - "NASD_RADIUS_OPEN_FAILED": msg355, - "NASD_RADIUS_SELECT_FAILED": msg356, - "NASD_RADIUS_SET_TIMER_FAILED": msg357, - "NASD_TRACE_FILE_OPEN_FAILED": msg358, - "NASD_usage": msg359, - "NOTICE": msg360, - "PFEMAN": msg61, - "PFE_FW_SYSLOG_IP": select36, - "PFE_NH_RESOLVE_THROTTLED": msg363, - "PING_TEST_COMPLETED": msg364, - "PING_TEST_FAILED": msg365, - "PKID_UNABLE_TO_GET_CRL": msg746, - "PWC_EXIT": msg368, - "PWC_HOLD_RELEASE": msg369, - "PWC_INVALID_RUNS_ARGUMENT": msg370, - 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, - "PWC_KILLED_BY_SIGNAL": msg372, - "PWC_KILL_EVENT": msg373, - "PWC_KILL_FAILED": msg374, - "PWC_KQUEUE_ERROR": msg375, - "PWC_KQUEUE_INIT": msg376, - "PWC_KQUEUE_REGISTER_FILTER": msg377, - "PWC_LOCKFILE_BAD_FORMAT": msg378, - "PWC_LOCKFILE_ERROR": msg379, - "PWC_LOCKFILE_MISSING": msg380, - "PWC_LOCKFILE_NOT_LOCKED": msg381, - "PWC_NO_PROCESS": msg382, - "PWC_PROCESS_EXIT": msg383, - "PWC_PROCESS_FORCED_HOLD": msg384, - "PWC_PROCESS_HOLD": msg385, - "PWC_PROCESS_HOLD_SKIPPED": msg386, - "PWC_PROCESS_OPEN": msg387, - "PWC_PROCESS_TIMED_HOLD": msg388, - "PWC_PROCESS_TIMEOUT": msg389, - "PWC_SIGNAL_INIT": msg390, - "PWC_SOCKET_CONNECT": msg391, - "PWC_SOCKET_CREATE": msg392, - "PWC_SOCKET_OPTION": msg393, - "PWC_STDOUT_WRITE": msg394, - "PWC_SYSTEM_CALL": msg395, - "PWC_UNKNOWN_KILL_OPTION": msg396, - "RDP": msg111, - "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, - "RMOPD_ADDRESS_SOURCE_INVALID": msg398, - "RMOPD_ADDRESS_STRING_FAILURE": msg399, - "RMOPD_ADDRESS_TARGET_INVALID": msg400, - "RMOPD_DUPLICATE": msg401, - "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, - "RMOPD_ICMP_SENDMSG_FAILURE": msg403, - "RMOPD_IFINDEX_NOT_ACTIVE": msg404, - "RMOPD_IFINDEX_NO_INFO": msg405, - "RMOPD_IFNAME_NOT_ACTIVE": msg406, - "RMOPD_IFNAME_NO_INFO": msg407, - "RMOPD_NOT_ROOT": msg408, - "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, - "RMOPD_TRACEROUTE_ERROR": msg410, - "RMOPD_usage": msg411, - "RPD_ABORT": msg412, - "RPD_ACTIVE_TERMINATE": msg413, - "RPD_ASSERT": msg414, - "RPD_ASSERT_SOFT": msg415, - "RPD_EXIT": msg416, - "RPD_IFL_INDEXCOLLISION": msg417, - "RPD_IFL_NAMECOLLISION": msg418, - "RPD_ISIS_ADJDOWN": msg419, - "RPD_ISIS_ADJUP": msg420, - "RPD_ISIS_ADJUPNOIP": msg421, - "RPD_ISIS_LSPCKSUM": msg422, - "RPD_ISIS_OVERLOAD": msg423, - "RPD_KRT_AFUNSUPRT": msg424, - "RPD_KRT_CCC_IFL_MODIFY": msg425, - "RPD_KRT_DELETED_RTT": msg426, - "RPD_KRT_IFA_GENERATION": msg427, - "RPD_KRT_IFDCHANGE": msg428, - "RPD_KRT_IFDEST_GET": msg429, - 
"RPD_KRT_IFDGET": msg430, - "RPD_KRT_IFD_GENERATION": msg431, - "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, - "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, - "RPD_KRT_IFL_GENERATION": msg434, - "RPD_KRT_KERNEL_BAD_ROUTE": msg435, - "RPD_KRT_NEXTHOP_OVERFLOW": msg436, - "RPD_KRT_NOIFD": msg437, - "RPD_KRT_UNKNOWN_RTT": msg438, - "RPD_KRT_VERSION": msg439, - "RPD_KRT_VERSIONNONE": msg440, - "RPD_KRT_VERSIONOLD": msg441, - "RPD_LDP_INTF_BLOCKED": msg442, - "RPD_LDP_INTF_UNBLOCKED": msg443, - "RPD_LDP_NBRDOWN": msg444, - "RPD_LDP_NBRUP": msg445, - "RPD_LDP_SESSIONDOWN": msg446, - "RPD_LDP_SESSIONUP": msg447, - "RPD_LOCK_FLOCKED": msg448, - "RPD_LOCK_LOCKED": msg449, - "RPD_MPLS_LSP_CHANGE": msg450, - "RPD_MPLS_LSP_DOWN": msg451, - "RPD_MPLS_LSP_SWITCH": msg452, - "RPD_MPLS_LSP_UP": msg453, - "RPD_MSDP_PEER_DOWN": msg454, - "RPD_MSDP_PEER_UP": msg455, - "RPD_OSPF_NBRDOWN": msg456, - "RPD_OSPF_NBRUP": msg457, - "RPD_OS_MEMHIGH": msg458, - "RPD_PIM_NBRDOWN": msg459, - "RPD_PIM_NBRUP": msg460, - "RPD_RDISC_CKSUM": msg461, - "RPD_RDISC_NOMULTI": msg462, - "RPD_RDISC_NORECVIF": msg463, - "RPD_RDISC_SOLICITADDR": msg464, - "RPD_RDISC_SOLICITICMP": msg465, - "RPD_RDISC_SOLICITLEN": msg466, - "RPD_RIP_AUTH": msg467, - "RPD_RIP_JOIN_BROADCAST": msg468, - "RPD_RIP_JOIN_MULTICAST": msg469, - "RPD_RT_IFUP": msg470, - "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, - "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, - "RPD_SCHED_MODULE_LONGRUNTIME": msg473, - "RPD_SCHED_TASK_LONGRUNTIME": msg474, - "RPD_SIGNAL_TERMINATE": msg475, - "RPD_START": msg476, - "RPD_SYSTEM": msg477, - "RPD_TASK_BEGIN": msg478, - "RPD_TASK_CHILDKILLED": msg479, - "RPD_TASK_CHILDSTOPPED": msg480, - "RPD_TASK_FORK": msg481, - "RPD_TASK_GETWD": msg482, - "RPD_TASK_NOREINIT": msg483, - "RPD_TASK_PIDCLOSED": msg484, - "RPD_TASK_PIDFLOCK": msg485, - "RPD_TASK_PIDWRITE": msg486, - "RPD_TASK_REINIT": msg487, - "RPD_TASK_SIGNALIGNORE": msg488, - "RT_COS": msg489, - "RT_FLOW_SESSION_CLOSE": select51, - 
"RT_FLOW_SESSION_CREATE": select45, - "RT_FLOW_SESSION_DENY": select47, - "RT_SCREEN_ICMP": msg774, - "RT_SCREEN_IP": select52, - "RT_SCREEN_SESSION_LIMIT": msg504, - "RT_SCREEN_TCP": msg503, - "RT_SCREEN_UDP": msg505, - "Resolve": msg63, - "SECINTEL_ACTION_LOG": msg775, - "SECINTEL_ERROR_OTHERS": msg747, - "SECINTEL_NETWORK_CONNECT_FAILED": msg744, - "SERVICED_CLIENT_CONNECT": msg506, - "SERVICED_CLIENT_DISCONNECTED": msg507, - "SERVICED_CLIENT_ERROR": msg508, - "SERVICED_COMMAND_FAILED": msg509, - "SERVICED_COMMIT_FAILED": msg510, - "SERVICED_CONFIGURATION_FAILED": msg511, - "SERVICED_CONFIG_ERROR": msg512, - "SERVICED_CONFIG_FILE": msg513, - "SERVICED_CONNECTION_ERROR": msg514, - "SERVICED_DISABLED_GGSN": msg515, - "SERVICED_DUPLICATE": msg516, - "SERVICED_EVENT_FAILED": msg517, - "SERVICED_INIT_FAILED": msg518, - "SERVICED_MALLOC_FAILURE": msg519, - "SERVICED_NETWORK_FAILURE": msg520, - "SERVICED_NOT_ROOT": msg521, - "SERVICED_PID_FILE_LOCK": msg522, - "SERVICED_PID_FILE_UPDATE": msg523, - "SERVICED_RTSOCK_SEQUENCE": msg524, - "SERVICED_SIGNAL_HANDLER": msg525, - "SERVICED_SOCKET_CREATE": msg526, - "SERVICED_SOCKET_IO": msg527, - "SERVICED_SOCKET_OPTION": msg528, - "SERVICED_STDLIB_FAILURE": msg529, - "SERVICED_USAGE": msg530, - "SERVICED_WORK_INCONSISTENCY": msg531, - "SNMPD_ACCESS_GROUP_ERROR": msg537, - "SNMPD_AUTH_FAILURE": select53, - "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, - "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, - "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, - "SNMPD_CONFIG_ERROR": msg545, - "SNMPD_CONTEXT_ERROR": msg546, - "SNMPD_ENGINE_FILE_FAILURE": msg547, - "SNMPD_ENGINE_PROCESS_ERROR": msg548, - "SNMPD_FILE_FAILURE": msg549, - "SNMPD_GROUP_ERROR": msg550, - "SNMPD_INIT_FAILED": msg551, - "SNMPD_LIBJUNIPER_FAILURE": msg552, - "SNMPD_LOOPBACK_ADDR_ERROR": msg553, - "SNMPD_MEMORY_FREED": msg554, - "SNMPD_RADIX_FAILURE": msg555, - "SNMPD_RECEIVE_FAILURE": msg556, - "SNMPD_RMONFILE_FAILURE": msg557, - "SNMPD_RMON_COOKIE": msg558, - "SNMPD_RMON_EVENTLOG": 
msg559, - "SNMPD_RMON_IOERROR": msg560, - "SNMPD_RMON_MIBERROR": msg561, - "SNMPD_RTSLIB_ASYNC_EVENT": msg562, - "SNMPD_SEND_FAILURE": select54, - "SNMPD_SOCKET_FAILURE": msg565, - "SNMPD_SUBAGENT_NO_BUFFERS": msg566, - "SNMPD_SUBAGENT_SEND_FAILED": msg567, - "SNMPD_SYSLIB_FAILURE": msg568, - "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, - "SNMPD_TRAP_COLD_START": msg570, - "SNMPD_TRAP_GEN_FAILURE": msg571, - "SNMPD_TRAP_GEN_FAILURE2": msg572, - "SNMPD_TRAP_INVALID_DATA": msg573, - "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, - "SNMPD_TRAP_QUEUED": msg575, - "SNMPD_TRAP_QUEUE_DRAINED": msg576, - "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, - "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, - "SNMPD_TRAP_THROTTLED": msg579, - "SNMPD_TRAP_TYPE_ERROR": msg580, - "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, - "SNMPD_TRAP_VERSION_ERROR": msg582, - "SNMPD_TRAP_WARM_START": msg583, - "SNMPD_USER_ERROR": msg584, - "SNMPD_VIEW_DELETE": msg585, - "SNMPD_VIEW_INSTALL_DEFAULT": msg586, - "SNMPD_VIEW_OID_PARSE": msg587, - "SNMP_GET_ERROR1": msg588, - "SNMP_GET_ERROR2": msg589, - "SNMP_GET_ERROR3": msg590, - "SNMP_GET_ERROR4": msg591, - "SNMP_NS_LOG_INFO": msg535, - "SNMP_RTSLIB_FAILURE": msg592, - "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, - "SNMP_TRAP_LINK_DOWN": select55, - "SNMP_TRAP_LINK_UP": select56, - "SNMP_TRAP_PING_PROBE_FAILED": msg597, - "SNMP_TRAP_PING_TEST_COMPLETED": msg598, - "SNMP_TRAP_PING_TEST_FAILED": msg599, - "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, - "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, - "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, - "SNTPD": msg112, - "SSB": msg113, - "SSHD_LOGIN_FAILED": select57, - "SSL_PROXY_SESSION_IGNORE": msg534, - "SSL_PROXY_SSL_SESSION_ALLOW": msg532, - "SSL_PROXY_SSL_SESSION_DROP": msg533, - "TASK_TASK_REINIT": msg606, - "TFTPD_AF_ERR": msg607, - "TFTPD_BIND_ERR": msg608, - "TFTPD_CONNECT_ERR": msg609, - "TFTPD_CONNECT_INFO": msg610, - "TFTPD_CREATE_ERR": msg611, - "TFTPD_FIO_ERR": msg612, - "TFTPD_FORK_ERR": msg613, - "TFTPD_NAK_ERR": msg614, - 
"TFTPD_OPEN_ERR": msg615, - "TFTPD_RECVCOMPLETE_INFO": msg616, - "TFTPD_RECVFROM_ERR": msg617, - "TFTPD_RECV_ERR": msg618, - "TFTPD_SENDCOMPLETE_INFO": msg619, - "TFTPD_SEND_ERR": msg620, - "TFTPD_SOCKET_ERR": msg621, - "TFTPD_STATFS_ERR": msg622, - "TNP": msg623, - "UI_AUTH_EVENT": msg628, - "UI_AUTH_INVALID_CHALLENGE": msg629, - "UI_BOOTTIME_FAILED": msg630, - "UI_CFG_AUDIT_NEW": select58, - "UI_CFG_AUDIT_OTHER": select60, - "UI_CFG_AUDIT_SET": select63, - "UI_CFG_AUDIT_SET_SECRET": select64, - "UI_CHILD_ARGS_EXCEEDED": msg645, - "UI_CHILD_CHANGE_USER": msg646, - "UI_CHILD_EXEC": msg647, - "UI_CHILD_EXITED": msg648, - "UI_CHILD_FOPEN": msg649, - "UI_CHILD_PIPE_FAILED": msg650, - "UI_CHILD_SIGNALED": msg651, - "UI_CHILD_START": msg653, - "UI_CHILD_STATUS": msg654, - "UI_CHILD_STOPPED": msg652, - "UI_CHILD_WAITPID": msg655, - "UI_CLI_IDLE_TIMEOUT": msg656, - "UI_CMDLINE_READ_LINE": msg657, - "UI_CMDSET_EXEC_FAILED": msg658, - "UI_CMDSET_FORK_FAILED": msg659, - "UI_CMDSET_PIPE_FAILED": msg660, - "UI_CMDSET_STOPPED": msg661, - "UI_CMDSET_WEXITED": msg662, - "UI_CMD_AUTH_REGEX_INVALID": msg663, - "UI_COMMIT": msg664, - "UI_COMMIT_AT": msg665, - "UI_COMMIT_AT_COMPLETED": msg666, - "UI_COMMIT_AT_FAILED": msg667, - "UI_COMMIT_COMPRESS_FAILED": msg668, - "UI_COMMIT_CONFIRMED": msg669, - "UI_COMMIT_CONFIRMED_REMINDER": msg670, - "UI_COMMIT_CONFIRMED_TIMED": msg671, - "UI_COMMIT_EMPTY_CONTAINER": msg672, - "UI_COMMIT_NOT_CONFIRMED": msg673, - "UI_COMMIT_PROGRESS": msg674, - "UI_COMMIT_QUIT": msg675, - "UI_COMMIT_ROLLBACK_FAILED": msg676, - "UI_COMMIT_SYNC": msg677, - "UI_COMMIT_SYNC_FORCE": msg678, - "UI_CONFIGURATION_ERROR": msg679, - "UI_DAEMON_ACCEPT_FAILED": msg680, - "UI_DAEMON_FORK_FAILED": msg681, - "UI_DAEMON_SELECT_FAILED": msg682, - "UI_DAEMON_SOCKET_FAILED": msg683, - "UI_DBASE_ACCESS_FAILED": msg684, - "UI_DBASE_CHECKOUT_FAILED": msg685, - "UI_DBASE_EXTEND_FAILED": msg686, - "UI_DBASE_LOGIN_EVENT": msg687, - "UI_DBASE_LOGOUT_EVENT": msg688, - 
"UI_DBASE_MISMATCH_EXTENT": msg689, - "UI_DBASE_MISMATCH_MAJOR": msg690, - "UI_DBASE_MISMATCH_MINOR": msg691, - "UI_DBASE_MISMATCH_SEQUENCE": msg692, - "UI_DBASE_MISMATCH_SIZE": msg693, - "UI_DBASE_OPEN_FAILED": msg694, - "UI_DBASE_REBUILD_FAILED": msg695, - "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, - "UI_DBASE_REBUILD_STARTED": msg697, - "UI_DBASE_RECREATE": msg698, - "UI_DBASE_REOPEN_FAILED": msg699, - "UI_DUPLICATE_UID": msg700, - "UI_JUNOSCRIPT_CMD": msg701, - "UI_JUNOSCRIPT_ERROR": msg702, - "UI_LOAD_EVENT": msg703, - "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, - "UI_LOGIN_EVENT": select71, - "UI_LOGOUT_EVENT": msg707, - "UI_LOST_CONN": msg708, - "UI_MASTERSHIP_EVENT": msg709, - "UI_MGD_TERMINATE": msg710, - "UI_NETCONF_CMD": msg711, - "UI_READ_FAILED": msg712, - "UI_READ_TIMEOUT": msg713, - "UI_REBOOT_EVENT": msg714, - "UI_RESTART_EVENT": msg715, - "UI_SCHEMA_CHECKOUT_FAILED": msg716, - "UI_SCHEMA_MISMATCH_MAJOR": msg717, - "UI_SCHEMA_MISMATCH_MINOR": msg718, - "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, - "UI_SCHEMA_SEQUENCE_ERROR": msg720, - "UI_SYNC_OTHER_RE": msg721, - "UI_TACPLUS_ERROR": msg722, - "UI_VERSION_FAILED": msg723, - "UI_WRITE_RECONNECT": msg724, - "VRRPD_NEWMASTER_TRAP": msg725, - "Version": msg99, - "WEBFILTER_REQUEST_NOT_CHECKED": msg730, - "WEBFILTER_URL_BLOCKED": select75, - "WEBFILTER_URL_PERMITTED": select74, - "WEB_AUTH_FAIL": msg726, - "WEB_AUTH_SUCCESS": msg727, - "WEB_INTERFACE_UNAUTH": msg728, - "WEB_READ": msg729, - "alarmd": msg3, - "bgp_connect_start": msg132, - "bgp_event": msg133, - "bgp_listen_accept": msg134, - "bgp_listen_reset": msg135, - "bgp_nexthop_sanity": msg136, - "bgp_pp_recv": select33, - "bgp_process_caps": select32, - "bgp_send": msg141, - "bgp_traffic_timeout": msg142, - "bigd": select6, - "bigpipe": select7, - "bigstart": msg9, - "cgatool": msg10, - "chassisd": msg11, - "chassism": select73, - "checkd": select8, - "clean_process": msg215, - "cli": msg750, - "cosd": msg14, - "craftd": msg15, - "cron": msg18, - 
"crond": msg21, - "dcd": msg22, - "eswd": select72, - "ftpd": msg24, - "ha_rto_stats_handler": msg25, - "hostinit": msg26, - "idpinfo": msg752, - "ifinfo": select13, - "ifp_ifl_anydown_change_event": msg30, - "ifp_ifl_config_event": msg31, - "ifp_ifl_ext_chg": msg32, - "inetd": select14, - "init": select15, - "ipc_msg_write": msg40, - "kernel": select17, - "kmd": msg753, - "last": select28, - "login": select18, - "lsys_ssam_handler": msg53, - "mcsn": msg54, - "mgd": msg62, - "mrvl_dfw_log_effuse_status": msg55, - "node": select79, - "pfed": msg751, - "process_mode": select38, - "profile_ssam_handler": msg57, - "pst_nat_binding_set_profile": msg58, - "qsfp": msg776, - "respawn": msg64, - "root": msg65, - "rpd": select20, - "rshd": msg70, - "sfd": msg71, - "sshd": select21, - "syslogd": msg92, - "task_connect": msg605, - "task_reconfigure": msg59, - "tnetd": msg60, - "tnp.bootpd": msg769, - "trace_on": msg624, - "trace_rotate": msg625, - "transfer-file": msg626, - "ttloop": msg627, - "ucd-snmp": select26, - "usp_ipc_client_reconnect": msg95, - "usp_trace_ipc_disconnect": msg96, - "usp_trace_ipc_reconnect": msg97, - "uspinfo": msg98, - "xntpd": select27, - }), - ]); - - var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); - - var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - - var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); - - var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); - - var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); - - var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); - - var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); - - var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); - - var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - - var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); - - var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); - - var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); - - var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); - - var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); - - var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); - - var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); - - var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); - - var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); - - var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); - - var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); - - var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); - - var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); - - var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); - - var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); - - var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); - - var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); - - var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); - - var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); - - var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); - - var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); - - var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); - - var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); - - var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - - var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); - - var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); - - var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); - - var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); - - var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); - - var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); - - var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); - - var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); - - var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); - - var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); - - var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); - - var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); - - var select85 = linear_select([ - dup14, - dup15, - dup16, - dup17, - ]); - - var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ - dup13, - ])); - - var select86 = linear_select([ - dup40, - dup41, - ]); - - var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup21, - dup22, - dup56, - dup23, - ])); - - var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup51, - dup22, - dup64, - dup23, - ])); - - var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup30, - dup22, - dup65, - dup23, - ])); - - var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ - dup30, - dup22, - dup66, - dup23, - ])); - - var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup30, - dup22, - dup67, - dup23, - ])); - - var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup30, - dup22, - dup68, - dup23, - ])); - - var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup30, - dup22, - dup71, - dup23, - ])); - - var select87 = linear_select([ - dup76, - dup77, - ]); - - var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup30, - dup22, - dup79, - dup23, - ])); - - var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup30, - dup22, - dup84, - dup23, - ])); - - var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup30, - dup22, - dup85, - dup23, - ])); - - var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup21, - dup22, - dup86, - dup23, - ])); - - var select88 = linear_select([ - dup88, - dup89, - ]); - - var select89 = linear_select([ - dup90, - dup45, - ]); - - var select90 = linear_select([ - dup95, - dup96, - ]); - - var 
select91 = linear_select([ - dup101, - dup91, - ]); - - var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup27, - dup22, - dup52, - ])); - - var select92 = linear_select([ - dup118, - dup119, - ]); - - var select93 = linear_select([ - dup123, - dup124, - ]); - - var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup30, - dup22, - dup52, - ])); - - var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([ - dup48, - dup47, - dup23, - dup22, - ])); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/juniper_junos/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_junos/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ada8fd74ec..0000000000 --- a/packages/juniper_junos/0.2.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -description: Pipeline for Juniper JUNOS - -processors: - - set: - field: ecs.version - value: '8.2.0' - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/juniper_junos/0.2.1/data_stream/log/fields/agent.yml b/packages/juniper_junos/0.2.1/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/juniper_junos/0.2.1/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/juniper_junos/0.2.1/data_stream/log/fields/base-fields.yml b/packages/juniper_junos/0.2.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index d93730c7a7..0000000000 --- a/packages/juniper_junos/0.2.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,46 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: juniper_junos -- name: event.dataset - type: constant_keyword - description: Event dataset - value: juniper_junos.log -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword -- name: log.source.address - description: Source address from which the log event was read / sent from. - type: keyword -- name: log.flags - description: Flags for the log file. - type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper_junos/0.2.1/data_stream/log/fields/ecs.yml b/packages/juniper_junos/0.2.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index 78ddffacce..0000000000 --- a/packages/juniper_junos/0.2.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,541 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: destination.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - The domain name to which this resource record pertains. 
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. 
- name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Array of file attributes. - Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. - name: file.attributes - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
- multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: File type (file, dir, or symlink). - name: file.type - type: keyword -- description: City name. - name: geo.city_name - type: keyword -- description: Country name. - name: geo.country_name - type: keyword -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: geo.name - type: keyword -- description: Region name. - name: geo.region_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. 
- name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/juniper_junos/0.2.1/data_stream/log/fields/fields.yml b/packages/juniper_junos/0.2.1/data_stream/log/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/juniper_junos/0.2.1/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@
-- name: rsa
- type: group
- fields:
- - name: internal
- type: group
- fields:
- - name: msg
- type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
- - name: messageid
- type: keyword
- - name: event_desc
- type: keyword
- - name: message
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- - name: level
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: msg_vid
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: data
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare
- type: group
- fields:
- - name: patient_fname
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_id
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
- - name: patient_mname
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
- - name: endpoint
- type: group
- fields:
- - name: host_state
- type: keyword
- description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
- - name: registry_key
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- type: keyword
- description: This key captures values or decorators used within a registry entry
-- name: dns.question.domain
- type: keyword
- ignore_above: 1024
- description: Server domain.
-- name: network.interface.name
- type: keyword
diff --git a/packages/juniper_junos/0.2.1/data_stream/log/manifest.yml b/packages/juniper_junos/0.2.1/data_stream/log/manifest.yml
deleted file mode 100755
index 43a7a807a9..0000000000
--- a/packages/juniper_junos/0.2.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,204 +0,0 @@
-title: Juniper JUNOS logs
-release: experimental
-type: logs
-streams:
- - input: udp
- title: Juniper JUNOS logs
- description: Collect Juniper JUNOS logs
- template_path: udp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-junos
- - forwarded
- - name: udp_host
- type: text
- title: UDP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: udp_port
- type: integer
- title: UDP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9512
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: tcp
- title: Juniper JUNOS logs
- description: Collect Juniper JUNOS logs
- template_path: tcp.yml.hbs
- vars:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-junos
- - forwarded
- - name: tcp_host
- type: text
- title: TCP host to listen on
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: tcp_port
- type: integer
- title: TCP port to listen on
- multi: false
- required: true
- show_user: true
- default: 9512
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: filestream
- enabled: false
- title: Juniper JUNOS logs
- description: Collect Juniper JUNOS logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/juniper-junos.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - juniper-junos
- - forwarded
- - name: tz_offset
- type: text
- title: Timezone offset (+HH:mm format)
- required: false
- show_user: true
- default: "local"
- - name: rsa_fields
- type: bool
- title: Add non-ECS fields
- required: false
- show_user: true
- default: true
- - name: keep_raw_fields
- type: bool
- title: Keep raw parser fields
- required: false
- show_user: false
- default: false
- - name: debug
- type: bool
- title: Enable debug logging
- required: false
- show_user: false
- default: false
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/juniper_junos/0.2.1/data_stream/log/sample_event.json b/packages/juniper_junos/0.2.1/data_stream/log/sample_event.json
deleted file mode 100755
index 571e780ab8..0000000000
--- a/packages/juniper_junos/0.2.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- "@timestamp": "2021-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "6a56393e-9900-4580-9cd7-a2468e6398de",
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "juniper_junos.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "action": "RPD_SCHED_TASK_LONGRUNTIME",
- "agent_id_status": "verified",
- "code": "RPD_SCHED_TASK_LONGRUNTIME",
- "dataset": "juniper_junos.log",
- "ingested": "2022-01-25T12:44:44Z",
- "timezone": "+00:00"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.30.0.4:36281"
- }
- },
- "message": "task extended runtime",
- "observer": {
- "product": "Junos",
- "type": "Routers",
- "vendor": "Juniper"
- },
- "process": {
- "name": "ceroinBC.exe",
- "pid": 6713
- },
- "rsa": {
- "counters": {
- "dclass_c1": 7309,
- "dclass_c2": 5049
- },
- "internal": {
- "event_desc": "task extended runtime",
- "messageid": "RPD_SCHED_TASK_LONGRUNTIME"
- },
- "misc": {
- "client": ": exe",
- "event_type": "RPD_SCHED_TASK_LONGRUNTIME",
- "pid": "6713"
- },
- "time": {
- "day": "29",
- "event_time": "2021-01-29T06:09:59.000Z",
- "month": "Jan"
- }
- },
- "tags": [
- "juniper-junos",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/juniper_junos/0.2.1/docs/README.md b/packages/juniper_junos/0.2.1/docs/README.md
deleted file mode 100755
index 077678084f..0000000000
--- a/packages/juniper_junos/0.2.1/docs/README.md
+++ /dev/null
@@ -1,925 +0,0 @@ -# Juniper JunOS integration - -This is an integration for ingesting logs from [Juniper JunOS](https://www.juniper.net/documentation/product/us/en/junos-os). For more information on sending syslog messages from JunOS to a remote destination such as a file / syslog host, see: [Directing System Log Messages to a Remote Machine or the Other Routing Engine](https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/directing-system-log-messages-to-a-remote-destination.html). - -### Log - -The `log` dataset collects Juniper JunOS logs. - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-01-29T06:09:59.000Z", - "agent": { - "ephemeral_id": "6a56393e-9900-4580-9cd7-a2468e6398de", - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "juniper_junos.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", - "snapshot": true, - "version": "8.0.0" - }, - "event": { - "action": "RPD_SCHED_TASK_LONGRUNTIME", - "agent_id_status": "verified", - "code": "RPD_SCHED_TASK_LONGRUNTIME", - "dataset": "juniper_junos.log", - "ingested": "2022-01-25T12:44:44Z", - "timezone": "+00:00" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.30.0.4:36281" - } - }, - "message": "task extended runtime", - "observer": { - "product": "Junos", - "type": "Routers", - "vendor": "Juniper" - }, - "process": { - "name": "ceroinBC.exe", - "pid": 6713 - }, - "rsa": { - "counters": { - "dclass_c1": 7309, - "dclass_c2": 5049 - }, - "internal": { - "event_desc": "task extended runtime", - "messageid": "RPD_SCHED_TASK_LONGRUNTIME" - }, - "misc": { - "client": ": exe", - "event_type": "RPD_SCHED_TASK_LONGRUNTIME", - "pid": "6713" - }, - "time": { - "day": "29", - "event_time": 
"2021-01-29T06:09:59.000Z", - "month": "Jan" - } - }, - "tags": [ - "juniper-junos", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. 
| keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. 
| keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
diff --git a/packages/juniper_junos/0.2.1/img/logo.svg b/packages/juniper_junos/0.2.1/img/logo.svg
deleted file mode 100755
index 8802414a5a..0000000000
--- a/packages/juniper_junos/0.2.1/img/logo.svg
+++ /dev/null
@@ -1,72 +0,0 @@
- -image/svg+xml
\ No newline at end of file
diff --git a/packages/juniper_junos/0.2.1/manifest.yml b/packages/juniper_junos/0.2.1/manifest.yml
deleted file mode 100755
index 23d0d28294..0000000000
--- a/packages/juniper_junos/0.2.1/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-format_version: 1.0.0
-name: juniper_junos
-title: Juniper JunOS
-version: 0.2.1
-description: Collect logs from Juniper JunOS with Elastic Agent.
-categories: ["network", "security"]
-release: experimental
-license: basic
-type: integration
-conditions:
- kibana.version: "^8.0.0"
-policy_templates:
- - name: juniper
- title: Juniper JunOS logs
- description: Collect Juniper JunOS logs from syslog or a file.
- inputs:
- - type: udp
- title: Collect logs from Juniper JunOS via UDP
- description: Collecting syslog from Juniper JunOS via UDP.
- - type: tcp
- title: Collect logs from Juniper JunOS via TCP
- description: Collecting syslog from Juniper JunOS via TCP.
- - type: filestream
- title: Collect logs from Juniper JunOS via file
- description: Collecting syslog from Juniper JunOS via file.
-icons:
- - src: /img/logo.svg
- title: Juniper logo
- size: 32x32
- type: image/svg+xml
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/juniper_srx/1.3.1/changelog.yml b/packages/juniper_srx/1.3.1/changelog.yml
deleted file mode 100755
index d55dfa39aa..0000000000
--- a/packages/juniper_srx/1.3.1/changelog.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-# newer versions go on top
-- version: "1.3.1"
- changes:
- - description: Add link to juniper documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3135
-- version: "1.3.0"
- changes:
- - description: Add TLS and custom options support to TCP input
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3320
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "1.1.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.1.1"
- changes:
- - description: Add Ingest Pipeline script to map IANA Protocol Numbers
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2470
-- version: "1.1.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2418
-- version: "1.0.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.0.0"
- changes:
- - description: Initial release of new package split from oroginal Juniper package
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/2068
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/logfile.yml.hbs
deleted file mode 100755
index 6bafca7cc9..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-prospector.scanner.exclude_files: ['\.gz$']
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 12309d4b4e..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 0696ac9d89..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,16 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/atp.yml b/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/atp.yml
deleted file mode 100755
index 44d01d3639..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/atp.yml
+++ /dev/null
@@ -1,364 +0,0 @@
----
-description: Pipeline for parsing junipersrx firewall logs (atp pipeline)
-processors:
-#######################
-## ECS Event Mapping ##
-#######################
-- set:
- field: event.kind
- value: event
-- set:
- field: event.outcome
- value: success
- if: "ctx.juniper?.srx?.tag != null"
-- append:
- field: event.category
- value: network
-- set:
- field: event.kind
- value: alert
- if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"'
-- append:
- field: event.category
- value: malware
- if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"'
-- append:
- field: event.type
- value:
- - info
- - denied
- - connection
- if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'"
-- append:
- field: event.type
- value:
- - allowed
- - connection
- if: "ctx.juniper?.srx?.action != 'BLOCK' && ctx.juniper?.srx?.tag != 'AAMW_MALWARE_EVENT_LOG'"
-- set:
- field: event.action
- value: malware_detected
- if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'"
-
-
-####################################
-## ECS Server/Destination Mapping ##
-####################################
-- rename:
- field: juniper.srx.destination_address
- target_field: destination.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.destination_address != null"
-- set:
- field: server.ip
- value: '{{destination.ip}}'
- if: "ctx.destination?.ip != null"
-- rename:
- field: juniper.srx.nat_destination_address
- target_field: destination.nat.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.nat_destination_address != null"
-- convert:
- field: juniper.srx.destination_port
- target_field: destination.port
- type: long
- ignore_failure: true
- ignore_missing: true
-
if: "ctx.juniper?.srx?.destination_port != null"
-- set:
- field: server.port
- value: '{{destination.port}}'
- if: "ctx.destination?.port != null"
-- convert:
- field: server.port
- target_field: server.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.port != null"
-- convert:
- field: juniper.srx.nat_destination_port
- target_field: destination.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.nat_destination_port != null"
-- set:
- field: server.nat.port
- value: '{{destination.nat.port}}'
- if: "ctx.destination?.nat?.port != null"
-- convert:
- field: server.nat.port
- target_field: server.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.nat?.port != null"
-- convert:
- field: juniper.srx.bytes_from_server
- target_field: destination.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.bytes_from_server != null"
-- set:
- field: server.bytes
- value: '{{destination.bytes}}'
- if: "ctx.destination?.bytes != null"
-- convert:
- field: server.bytes
- target_field: server.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.bytes != null"
-- convert:
- field: juniper.srx.packets_from_server
- target_field: destination.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.packets_from_server != null"
-- set:
- field: server.packets
- value: '{{destination.packets}}'
- if: "ctx.destination?.packets != null"
-- convert:
- field: server.packets
- target_field: server.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.server?.packets != null"
-
-###############################
-## ECS Client/Source Mapping ##
-###############################
-- rename:
- field: juniper.srx.source_address
- target_field: source.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.source_address != null"
-- set:
- field: client.ip
- value:
'{{source.ip}}'
- if: "ctx.source?.ip != null"
-- rename:
- field: juniper.srx.nat_source_address
- target_field: source.nat.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.nat_source_address != null"
-- rename:
- field: juniper.srx.sourceip
- target_field: source.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.sourceip != null"
-- convert:
- field: juniper.srx.source_port
- target_field: source.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.source_port != null"
-- set:
- field: client.port
- value: '{{source.port}}'
- if: "ctx.source?.port != null"
-- convert:
- field: client.port
- target_field: client.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.client?.port != null"
-- convert:
- field: juniper.srx.nat_source_port
- target_field: source.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.nat_source_port != null"
-- set:
- field: client.nat.port
- value: '{{source.nat.port}}'
- if: "ctx.source?.nat?.port != null"
-- convert:
- field: client.nat.port
- target_field: client.nat.port
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.client?.nat?.port != null"
-- convert:
- field: juniper.srx.bytes_from_client
- target_field: source.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.bytes_from_client != null"
-- set:
- field: client.bytes
- value: '{{source.bytes}}'
- if: "ctx.source?.bytes != null"
-- convert:
- field: client.bytes
- target_field: client.bytes
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.client?.bytes != null"
-- convert:
- field: juniper.srx.packets_from_client
- target_field: source.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.juniper?.srx?.packets_from_client != null"
-- set:
- field: client.packets
- value: '{{source.packets}}'
- if: "ctx.source?.packets != null"
-- convert:
- field: client.packets
-
target_field: client.packets
- type: long
- ignore_failure: true
- ignore_missing: true
- if: "ctx.client?.packets != null"
-- rename:
- field: juniper.srx.username
- target_field: source.user.name
- ignore_missing: true
- if: "ctx.juniper?.srx?.username != null"
-- rename:
- field: juniper.srx.hostname
- target_field: source.domain
- ignore_missing: true
- if: "ctx.juniper?.srx?.hostname != null"
-- rename:
- field: juniper.srx.client_ip
- target_field: source.ip
- ignore_missing: true
- if: "ctx.juniper?.srx?.client_ip != null"
-
-######################
-## ECS URL Mapping ##
-######################
-- rename:
- field: juniper.srx.http_host
- target_field: url.domain
- ignore_missing: true
- if: "ctx.juniper?.srx?.http_host != null"
-
-#############################
-## ECS Network/Geo Mapping ##
-#############################
-- rename:
- field: juniper.srx.protocol_id
- target_field: network.iana_number
- ignore_missing: true
- if: "ctx.juniper?.srx?.protocol_id != null"
-- geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- if: "ctx.source?.geo == null"
-- geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- if: "ctx.destination?.geo == null"
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- geoip:
- field: source.nat.ip
- target_field: source.geo
- ignore_missing: true
- if: "ctx.source?.geo == null"
-- geoip:
- field: destination.nat.ip
- target_field: destination.geo
- ignore_missing: true
- if: "ctx.destination?.geo == null"
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.nat.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: "ctx.source?.as == null"
-- geoip:
-
database_file: GeoLite2-ASN.mmdb
- field: destination.nat.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: "ctx.destination?.as == null"
-- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
-- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-- rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
-- rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-###############
-## Timestamp ##
-###############
-- date:
- if: 'ctx.juniper.srx?.timestamp != null'
- field: juniper.srx.timestamp
- target_field: juniper.srx.timestamp
- formats:
- - 'EEE MMM dd HH:mm:ss yyyy'
- - 'EEE MMM d HH:mm:ss yyyy'
- on_failure:
- - remove:
- field:
- - juniper.srx.timestamp
-
-#############
-## Cleanup ##
-#############
-- remove:
- field:
- - juniper.srx.destination_port
- - juniper.srx.nat_destination_port
- - juniper.srx.bytes_from_client
- - juniper.srx.packets_from_client
- - juniper.srx.source_port
- - juniper.srx.nat_source_port
- - juniper.srx.bytes_from_server
- - juniper.srx.packets_from_server
- ignore_missing: true
-
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7399a1fe75..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,321 +0,0 @@ ---- -# This module only supports syslog messages in the format "structured-data + brief" -# https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html -description: Pipeline for parsing junipersrx firewall logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - grok: - field: event.original - patterns: - - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:_temp_.original}\]$' - -# split Juniper-SRX fields - - kv: - field: _temp_.original - field_split: " (?=[a-z0-9\\_\\-]+=)" - value_split: "=" - prefix: "juniper.srx." - ignore_missing: true - ignore_failure: false - trim_value: "\"" - -# Converts all kebab-case key names to snake_case - - script: - lang: painless - source: >- - ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue())); - -# -# Parse the date -# - - date: - if: "ctx?.event?.timezone == null" - field: _temp_.raw_date - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss z - - yyyy-MM-dd HH:mm:ss Z - - ISO8601 - - date: - if: "ctx?.event?.timezone != null" - timezone: "{{ event.timezone }}" - field: _temp_.raw_date - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss z - - yyyy-MM-dd HH:mm:ss Z - - ISO8601 - -# Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time. 
-# -> juniper.srx.elapsed_time - - rename: - field: juniper.srx.elapsed_time - target_field: juniper.srx.duration - if: "ctx?.juniper?.srx?.elapsed_time != null" - -# Sets starts, end and duration when start and duration is known - - script: - lang: painless - if: ctx?.juniper?.srx?.duration != null - source: >- - ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L; - ctx.event.start = ctx['@timestamp']; - ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); - ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); - -# Removes all empty fields - - script: - lang: painless - params: - values: - - "None" - - "UNKNOWN" - - "N/A" - - "-" - source: >- - ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - -####################### -## ECS Event Mapping ## -####################### - - convert: - field: syslog_pri - type: long - target_field: event.severity - ignore_failure: true - -##################### -## ECS Log Mapping ## -##################### -# https://www.juniper.net/documentation/en_US/junos/topics/reference/general/syslog-interpreting-msg-generated-structured-data-format.html#fac_sev_codes - - set: - field: "log.level" - if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)' - value: emergency - - set: - field: "log.level" - if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)' - value: alert - - set: - field: "log.level" - if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", "146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)' - value: critical - - set: - field: "log.level" - if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107", 
"115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)' - value: error - - set: - field: "log.level" - if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)' - value: warning - - set: - field: "log.level" - if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)' - value: notification - - set: - field: "log.level" - if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)' - value: informational - - set: - field: "log.level" - if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103", "111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)' - value: debug - -########################## -## ECS Observer Mapping ## -########################## - - set: - field: observer.vendor - value: Juniper - - set: - field: observer.product - value: SRX - - set: - field: observer.type - value: firewall - - rename: - field: syslog_hostname - target_field: observer.name - ignore_missing: true - - rename: - field: juniper.srx.packet_incoming_interface - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: juniper.srx.destination_interface_name - target_field: observer.egress.interface.name - ignore_missing: true - - rename: - field: juniper.srx.source_interface_name - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: juniper.srx.interface_name - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: juniper.srx.source_zone_name - target_field: observer.ingress.zone - ignore_missing: true - - rename: - field: 
juniper.srx.source_zone - target_field: observer.ingress.zone - ignore_missing: true - - rename: - field: juniper.srx.destination_zone_name - target_field: observer.egress.zone - ignore_missing: true - - rename: - field: juniper.srx.destination_zone - target_field: observer.egress.zone - ignore_missing: true - - rename: - field: syslog_program - target_field: juniper.srx.process - ignore_missing: true - - rename: - field: log_type - target_field: juniper.srx.tag - ignore_missing: true - - -############# -## Cleanup ## -############# - - remove: - field: - - message - - _temp_ - - juniper.srx.duration - - juniper.srx.dir_disp - - juniper.srx.srczone - - juniper.srx.dstzone - - juniper.srx.duration - - syslog_pri - ignore_missing: true - -################################ -## Product Specific Pipelines ## -################################ - - pipeline: - name: '{{ IngestPipeline "flow" }}' - if: "ctx.juniper?.srx?.process == 'RT_FLOW'" - - pipeline: - name: '{{ IngestPipeline "utm" }}' - if: "ctx.juniper?.srx?.process == 'RT_UTM'" - - pipeline: - name: '{{ IngestPipeline "idp" }}' - if: "ctx.juniper?.srx?.process == 'RT_IDP'" - - pipeline: - name: '{{ IngestPipeline "ids" }}' - if: "ctx.juniper?.srx?.process == 'RT_IDS'" - - pipeline: - name: '{{ IngestPipeline "atp" }}' - if: "ctx.juniper?.srx?.process == 'RT_AAMW'" - - pipeline: - name: '{{ IngestPipeline "secintel" }}' - if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'" - - script: - lang: painless - ignore_failure: true - if: ctx?.network?.iana_number != null - source: | - def iana_number = ctx.network.iana_number; - if (iana_number == '0') { - ctx.network.transport = 'hopopt'; - } else if (iana_number == '1') { - ctx.network.transport = 'icmp'; - } else if (iana_number == '2') { - ctx.network.transport = 'igmp'; - } else if (iana_number == '6') { - ctx.network.transport = 'tcp'; - } else if (iana_number == '8') { - ctx.network.transport = 'egp'; - } else if (iana_number == '17') { - ctx.network.transport = 'udp'; 
- } else if (iana_number == '47') { - ctx.network.transport = 'gre'; - } else if (iana_number == '50') { - ctx.network.transport = 'esp'; - } else if (iana_number == '58') { - ctx.network.transport = 'ipv6-icmp'; - } else if (iana_number == '112') { - ctx.network.transport = 'vrrp'; - } else if (iana_number == '132') { - ctx.network.transport = 'sctp'; - } - -######################### -## ECS Related Mapping ## -######################### - - append: - if: 'ctx.source?.ip != null' - field: related.ip - value: '{{source.ip}}' - ignore_failure: true - allow_duplicates: false - - append: - if: 'ctx.destination?.ip != null' - field: related.ip - value: '{{destination.ip}}' - ignore_failure: true - allow_duplicates: false - - append: - if: 'ctx.source?.nat?.ip != null' - field: related.ip - value: '{{source.nat.ip}}' - ignore_failure: true - allow_duplicates: false - - append: - if: 'ctx?.destination?.nat?.ip != null' - field: related.ip - value: '{{destination.nat.ip}}' - ignore_failure: true - allow_duplicates: false - - append: - if: 'ctx.url?.domain != null' - field: related.hosts - value: '{{url.domain}}' - ignore_failure: true - allow_duplicates: false - - append: - if: 'ctx.source?.domain != null' - field: related.hosts - value: '{{source.domain}}' - ignore_failure: true - allow_duplicates: false - - append: - if: 'ctx.destination?.domain != null' - field: related.hosts - value: '{{destination.domain}}' - ignore_failure: true - allow_duplicates: false - - append: - if: 'ctx?.source?.user?.name != null' - field: related.user - value: '{{source.user.name}}' - ignore_failure: true - allow_duplicates: false - - append: - if: 'ctx?.destination?.user?.name != null' - field: related.user - value: '{{destination.user.name}}' - ignore_failure: true - allow_duplicates: false - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: 
error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/flow.yml b/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/flow.yml deleted file mode 100755 index bf9fcbeb05..0000000000 --- a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/flow.yml +++ /dev/null 
@@ -1,363 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (flow pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- convert: - field: juniper.srx.application_risk - type: float - target_field: event.risk_score - ignore_missing: true - ignore_failure: true -- append: - field: event.type - value: - - start - - allowed - - connection - if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" -- append: - field: event.type - value: - - end - - allowed - - connection - if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" -- append: - field: event.type - value: - - denied - - connection - if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" -- set: - field: event.action - value: flow_started - if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" -- set: - field: event.action - value: flow_close - if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" -- set: - field: event.action - value: flow_deny - if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- 
rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx?.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_server - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_server != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.packets_from_server - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_server != null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: 
"ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: 
juniper.srx.packets_from_client - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_client != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - target_field: client.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.packets != null" -- rename: - field: juniper.srx.username - target_field: source.user.name - ignore_missing: true - if: "ctx.juniper?.srx?.username != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: juniper.srx.policy_name - target_field: rule.name - ignore_missing: true - if: "ctx.juniper?.srx?.policy_name != null" - -############################# -## ECS Network/Geo Mapping ## -############################# -- rename: - field: juniper.srx.protocol_id - target_field: network.iana_number - ignore_missing: true - if: "ctx.juniper?.srx?.protocol_id != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true 
- if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.client.packets + ctx.server.packets" - if: "ctx?.client?.packets != null && ctx?.server?.packets != null" - ignore_failure: true - -############# -## Cleanup ## -############# -- remove: - field: - - juniper.srx.application_risk - - juniper.srx.destination_port - - juniper.srx.nat_destination_port - - juniper.srx.bytes_from_client - - juniper.srx.packets_from_client - - juniper.srx.source_port - - juniper.srx.nat_source_port - - juniper.srx.bytes_from_server - - juniper.srx.packets_from_server - ignore_missing: true - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/idp.yml b/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/idp.yml deleted file mode 100755 index 0b26118a9f..0000000000 --- a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/idp.yml +++ /dev/null 
@@ -1,288 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (idp pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- set: - field: event.kind - value: alert - if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.category - value: intrusion_detection - if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - info - - denied - - connection - if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - allowed - - connection - if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: application_ddos - if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: security_threat - if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' - - -#################################### -## ECS Server/Destination Mapping ## 
-#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx['nat_destination_port'] != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.inbound_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.inbound_bytes != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.inbound_packets - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: 
"ctx.juniper?.srx?.inbound_packets !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.outbound_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.outbound_bytes != null" -- 
set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: juniper.srx.outbound_packets - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.outbound_packets != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - target_field: client.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.packets != null" -- rename: - field: juniper.srx.username - target_field: source.user.name - ignore_missing: true - if: "ctx.juniper?.srx?.username != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: juniper.srx.rulebase_name - target_field: rule.name - ignore_missing: true - if: "ctx.juniper?.srx?.rulebase_name != null" -- rename: - field: juniper.srx.rule_name - target_field: rule.id - ignore_missing: true - if: "ctx.juniper?.srx?.rule_name != null" - -######################### -## ECS Network Mapping ## -######################### -- rename: - field: juniper.srx.protocol_name - target_field: network.protocol - ignore_missing: true - if: "ctx.juniper?.srx?.protocol_name != null" - -######################### -## ECS message Mapping ## -######################### -- rename: - field: juniper.srx.message - target_field: message - ignore_missing: true - if: "ctx.juniper?.srx?.message != null" - -############# -## Cleanup ## -############# -- remove: - field: - - juniper.srx.destination_port - - juniper.srx.nat_destination_port - - juniper.srx.outbound_bytes - - juniper.srx.outbound_packets - - juniper.srx.source_port - - juniper.srx.nat_source_port - - juniper.srx.inbound_bytes - - juniper.srx.inbound_packets - ignore_missing: true - -on_failure: -- set: 
- field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/ids.yml b/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/ids.yml deleted file mode 100755 index 9b39206834..0000000000 --- a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/ids.yml +++ /dev/null 
@@ -1,364 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (ids pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- set: - field: event.kind - value: alert - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.category - value: intrusion_detection - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - info - - denied - - connection - if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - allowed - - connection - if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: flood_detected - if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: 
event.action - value: scan_detected - if: "ctx.juniper?.srx?.attack_name == 'TCP port scan!'" -- set: - field: event.action - value: sweep_detected - if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: fragment_detected - if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: spoofing_detected - if: "ctx.juniper?.srx?.attack_name == 'IP spoofing!'" -- set: - field: event.action - value: session_limit_detected - if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: attack_detected - if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: illegal_tcp_flag_detected - if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx?.attack_name)' -- set: - field: event.action - value: tunneling_screen - if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')" - - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - 
type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_server - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_server != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.packets_from_server - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_server !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - 
field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: juniper.srx.packets_from_client - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_client != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - target_field: client.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.packets != null" -- rename: - field: juniper.srx.username - target_field: source.user.name - ignore_missing: true - if: 
"ctx.juniper?.srx?.username != null" - -############################# -## ECS Network/Geo Mapping ## -############################# -- rename: - field: juniper.srx.protocol_id - target_field: network.iana_number - ignore_missing: true - if: "ctx.juniper?.srx?.protocol_id != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - -############# -## Cleanup ## -############# -- remove: - field: - - 
juniper.srx.destination_port
- - juniper.srx.nat_destination_port
- - juniper.srx.bytes_from_client
- - juniper.srx.packets_from_client
- - juniper.srx.source_port
- - juniper.srx.nat_source_port
- - juniper.srx.bytes_from_server
- - juniper.srx.packets_from_server
- ignore_missing: true
-
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml b/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml
deleted file mode 100755
index 790a8aa9cb..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/secintel.yml
+++ /dev/null
@@ -1,350 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (secintel pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- set: - field: event.kind - value: alert - if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' -- append: - field: event.category - value: malware - if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.juniper?.srx?.action == 'BLOCK'" -- append: - field: event.type - value: - - allowed - - connection - if: "ctx.juniper?.srx?.action != 'BLOCK'" -- set: - field: event.action - value: malware_detected - if: "ctx.juniper?.srx?.action == 'BLOCK'" - - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: 
juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_server - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_server != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.packets_from_server - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_server !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != 
null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: juniper.srx.packets_from_client - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_client != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - target_field: client.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.packets != null" -- rename: - field: juniper.srx.username - target_field: source.user.name - ignore_missing: true - if: "ctx.juniper?.srx?.username != null" -- rename: - field: juniper.srx.hostname - target_field: source.address - 
ignore_missing: true - if: "ctx.juniper?.srx?.hostname != null" -- rename: - field: juniper.srx.client_ip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.client_ip != null" - -###################### -## ECS URL Mapping ## -###################### -- rename: - field: juniper.srx.http_host - target_field: url.domain - ignore_missing: true - if: "ctx.juniper?.srx?.http_host != null" - -############################# -## ECS Network/Geo Mapping ## -############################# -- rename: - field: juniper.srx.protocol_id - target_field: network.iana_number - ignore_missing: true - if: "ctx.juniper?.srx?.protocol_id != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - 
target_field: source.as.organization.name
- ignore_missing: true
-- rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
-- rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-
-#############
-## Cleanup ##
-#############
-- remove:
- field:
- - juniper.srx.destination_port
- - juniper.srx.nat_destination_port
- - juniper.srx.bytes_from_client
- - juniper.srx.packets_from_client
- - juniper.srx.source_port
- - juniper.srx.nat_source_port
- - juniper.srx.bytes_from_server
- - juniper.srx.packets_from_server
- ignore_missing: true
-
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/utm.yml b/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/utm.yml
deleted file mode 100755
index 056f23dbe1..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/elasticsearch/ingest_pipeline/utm.yml
+++ /dev/null
@@ -1,391 +0,0 @@ ---- -description: Pipeline for parsing junipersrx firewall logs (utm pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: "ctx.juniper?.srx?.tag != null" -- append: - field: event.category - value: network -- convert: - field: juniper.srx.urlcategory_risk - type: float - target_field: event.risk_score - ignore_missing: true - ignore_failure: true -- set: - field: event.kind - value: alert - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.category - value: malware - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - info - - denied - - connection - if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- append: - field: event.type - value: - - allowed - - connection - if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: web_filter - if: '["WEBFILTER_URL_BLOCKED", "WEBFILTER_URL_BLOCKED_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - 
field: event.action - value: content_filter - if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: antispam_filter - if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' -- set: - field: event.action - value: virus_detected - if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' - - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: juniper.srx.destination_address - target_field: destination.ip - ignore_missing: true - if: "ctx.juniper?.srx?.destination_address != null" -- set: - field: server.ip - value: '{{destination.ip}}' - if: "ctx.destination?.ip != null" -- rename: - field: juniper.srx.nat_destination_address - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_address != null" -- convert: - field: juniper.srx.destination_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.destination_port != null" -- set: - field: server.port - value: '{{destination.port}}' - if: "ctx.destination?.port != null" -- convert: - field: server.port - target_field: server.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.port != null" -- convert: - field: juniper.srx.nat_destination_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_destination_port != null" -- set: - field: server.nat.port - value: '{{destination.nat.port}}' - if: "ctx.destination?.nat?.port != null" -- convert: - field: server.nat.port - target_field: server.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_server - target_field: 
destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_server != null" -- set: - field: server.bytes - value: '{{destination.bytes}}' - if: "ctx.destination?.bytes != null" -- convert: - field: server.bytes - target_field: server.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.bytes != null" -- convert: - field: juniper.srx.packets_from_server - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_server !=null" -- set: - field: server.packets - value: '{{destination.packets}}' - if: "ctx.destination?.packets != null" -- convert: - field: server.packets - target_field: server.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.server?.packets != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: juniper.srx.source_address - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.source_address != null" -- set: - field: client.ip - value: '{{source.ip}}' - if: "ctx.source?.ip != null" -- rename: - field: juniper.srx.nat_source_address - target_field: source.nat.ip - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_address != null" -- rename: - field: juniper.srx.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.juniper?.srx?.sourceip != null" -- convert: - field: juniper.srx.source_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.source_port != null" -- set: - field: client.port - value: '{{source.port}}' - if: "ctx.source?.port != null" -- convert: - field: client.port - target_field: client.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.port != null" -- convert: - field: juniper.srx.nat_source_port - target_field: source.nat.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.nat_source_port != null" -- set: - field: client.nat.port - value: '{{source.nat.port}}' - if: "ctx.source?.nat?.port != null" -- convert: - field: client.nat.port - target_field: client.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.nat?.port != null" -- convert: - field: juniper.srx.bytes_from_client - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.bytes_from_client != null" -- set: - field: client.bytes - value: '{{source.bytes}}' - if: "ctx.source?.bytes != null" -- convert: - field: client.bytes - target_field: client.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.bytes != null" -- convert: - field: juniper.srx.packets_from_client - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.juniper?.srx?.packets_from_client != null" -- set: - field: client.packets - value: '{{source.packets}}' - if: "ctx.source?.packets != null" -- convert: - field: client.packets - target_field: client.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.client?.packets != null" -- rename: - field: juniper.srx.username - target_field: source.user.name - ignore_missing: true - if: "ctx.juniper?.srx?.username != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: juniper.srx.policy_name - target_field: rule.name - ignore_missing: true - if: "ctx.juniper?.srx?.policy_name != null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: juniper.srx.url - target_field: url.domain - ignore_missing: true - if: "ctx.juniper?.srx?.url != null" -- rename: - field: juniper.srx.obj - target_field: url.path - ignore_missing: true - if: "ctx.juniper?.srx?.obj != null" - -###################### -## ECS File Mapping ## 
-###################### -- rename: - field: juniper.srx.filename - target_field: file.name - ignore_missing: true - if: "ctx.juniper?.srx?.filename != null" - -######################### -## ECS Network Mapping ## -######################### -- rename: - field: juniper.srx.protocol - target_field: network.protocol - ignore_missing: true - if: "ctx.juniper?.srx?.protocol != null" - -############################# -## ECS Network/Geo Mapping ## -############################# -- rename: - field: juniper.srx.protocol_id - target_field: network.iana_number - ignore_missing: true - if: "ctx.juniper?.srx?.protocol_id != null" -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: 
source.as.organization.name
- ignore_missing: true
-- rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
-- rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-
-#############
-## Cleanup ##
-#############
-- remove:
- field:
- - juniper.srx.destination_port
- - juniper.srx.nat_destination_port
- - juniper.srx.bytes_from_client
- - juniper.srx.packets_from_client
- - juniper.srx.source_port
- - juniper.srx.nat_source_port
- - juniper.srx.bytes_from_server
- - juniper.srx.packets_from_server
- - juniper.srx.urlcategory_risk
- ignore_missing: true
-
-on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/fields/agent.yml b/packages/juniper_srx/1.3.1/data_stream/log/fields/agent.yml
deleted file mode 100755
index c5d5959b5a..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.offset - type: long - description: Byte offset of the log line within its file. -- name: log.source.address - type: keyword - description: Source address of the syslog message. diff --git a/packages/juniper_srx/1.3.1/data_stream/log/fields/base-fields.yml b/packages/juniper_srx/1.3.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 5b1dbba23c..0000000000 --- a/packages/juniper_srx/1.3.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: juniper_srx -- name: event.dataset - type: constant_keyword - description: Event dataset - value: juniper_srx.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/juniper_srx/1.3.1/data_stream/log/fields/ecs.yml b/packages/juniper_srx/1.3.1/data_stream/log/fields/ecs.yml deleted file mode 100755 index 70c0a6dd39..0000000000 --- a/packages/juniper_srx/1.3.1/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,2598 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Extended build information for the agent. - This field is intended to contain any build information that a data source may provide, no specific formatting is required. - name: agent.build.original - type: keyword -- description: |- - Ephemeral identifier of this agent (if one exists). - This id normally changes across restarts, but `agent.id` does not. - name: agent.ephemeral_id - type: keyword -- description: |- - Unique identifier of this agent (if one exists). - Example: For Beats this would be beat.id. - name: agent.id - type: keyword -- description: |- - Custom name of the agent. - This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. - If no name is given, the name is often left empty. - name: agent.name - type: keyword -- description: |- - Type of the agent. - The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - name: agent.type - type: keyword -- description: Version of the agent. - name: agent.version - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: as.organization.name - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: client.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: client.geo.name - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. 
- name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: |- - Translated IP of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.port - type: long -- description: Packets sent from the client to the server. - name: client.packets - type: long -- description: Port of the client. - name: client.port - type: long -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. 
- For example, an LDAP or Active Directory domain name. - name: client.user.domain - type: keyword -- description: User email address. - name: client.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: client.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: client.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: client.user.group.id - type: keyword -- description: Name of the group. - name: client.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: client.user.hash - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: client.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: client.user.roles - type: keyword -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Availability zone in which this host, resource, or service is located. - name: cloud.availability_zone - type: keyword -- description: Instance ID of the host machine. 
- name: cloud.instance.id - type: keyword -- description: Instance name of the host machine. - name: cloud.instance.name - type: keyword -- description: Machine type of the host machine. - name: cloud.machine.type - type: keyword -- description: |- - The cloud project identifier. - Examples: Google Cloud Project id, Azure Project id. - name: cloud.project.id - type: keyword -- description: |- - The cloud project name. - Examples: Google Cloud Project name, Azure Project name. - name: cloud.project.name - type: keyword -- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - name: cloud.provider - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: Boolean to capture if a signature is present. - name: code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: code_signature.status - type: keyword -- description: Subject name of the code signer - name: code_signature.subject_name - type: keyword -- description: |- - Stores the trust status of the certificate chain. - Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - name: code_signature.trusted - type: boolean -- description: |- - Boolean to capture if the digital signature is verified against the binary content. - Leave unpopulated if a certificate was unchecked. - name: code_signature.valid - type: boolean -- description: Unique container id. - name: container.id - type: keyword -- description: Name of the image the container was built on. - name: container.image.name - type: keyword -- description: Container image tags. 
- name: container.image.tag - type: keyword -- description: Image labels. - name: container.labels - type: object -- description: Container name. - name: container.name - type: keyword -- description: Runtime managing this container. - name: container.runtime - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: destination.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: destination.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: User email address. - name: destination.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: destination.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: destination.user.group.id - type: keyword -- description: Name of the group. - name: destination.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: destination.user.hash - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: destination.user.roles - type: keyword -- description: Boolean to capture if a signature is present. - name: dll.code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. - name: dll.code_signature.status - type: keyword -- description: Subject name of the code signer - name: dll.code_signature.subject_name - type: keyword -- description: |- - Stores the trust status of the certificate chain. - Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - name: dll.code_signature.trusted - type: boolean -- description: |- - Boolean to capture if the digital signature is verified against the binary content. - Leave unpopulated if a certificate was unchecked. - name: dll.code_signature.valid - type: boolean -- description: MD5 hash. - name: dll.hash.md5 - type: keyword -- description: SHA1 hash. - name: dll.hash.sha1 - type: keyword -- description: SHA256 hash. - name: dll.hash.sha256 - type: keyword -- description: SHA512 hash. - name: dll.hash.sha512 - type: keyword -- description: |- - Name of the library. - This generally maps to the name of the file on disk. - name: dll.name - type: keyword -- description: Full file path of the library. - name: dll.path - type: keyword -- description: CPU architecture target for the file. - name: dll.pe.architecture - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: dll.pe.company - type: keyword -- description: Internal description of the file, provided at compile-time. - name: dll.pe.description - type: keyword -- description: Internal version of the file, provided at compile-time. - name: dll.pe.file_version - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
- name: dll.pe.imphash - type: keyword -- description: Internal name of the file, provided at compile-time. - name: dll.pe.original_file_name - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: dll.pe.product - type: keyword -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. 
The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. 
- name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error code describing the error. - name: error.code - type: keyword -- description: Unique identifier for the error. - name: error.id - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: The stack trace of this error in plain text. - multi_fields: - - name: text - type: match_only_text - name: error.stack_trace - type: wildcard -- description: The type of the error, for example the class name of the exception. - name: error.type - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. 
- name: event.end
- type: date
-- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
- name: event.hash
- type: keyword
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: |-
- Reference URL linking to additional information about this event.
- This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
- name: event.reference
- type: keyword
-- description: Risk score or priority of the event (e.g. security solutions).
Use your system's original value here.
- name: event.risk_score
- type: float
-- description: |-
- Normalized risk score or priority of the event, on a scale of 0 to 100.
- This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
- name: event.risk_score_norm
- type: float
-- description: |-
- Sequence number of the event.
- The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
- name: event.sequence
- type: long
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- URL linking to an external system to continue investigation of this event.
- This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.
- name: event.url
- type: keyword
-- description: |-
- Last time the file was accessed.
- Note that not all filesystems keep track of access time.
- name: file.accessed
- type: date
-- description: |-
- Array of file attributes.
- Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
- name: file.attributes
- type: keyword
-- description: Boolean to capture if a signature is present.
- name: file.code_signature.exists
- type: boolean
-- description: |-
- Additional information about the certificate status.
- This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
- name: file.code_signature.status
- type: keyword
-- description: Subject name of the code signer
- name: file.code_signature.subject_name
- type: keyword
-- description: |-
- Stores the trust status of the certificate chain.
- Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
- name: file.code_signature.trusted
- type: boolean
-- description: |-
- Boolean to capture if the digital signature is verified against the binary content.
- Leave unpopulated if a certificate was unchecked.
- name: file.code_signature.valid
- type: boolean
-- description: |-
- File creation time.
- Note that not all filesystems store the creation time.
- name: file.created
- type: date
-- description: |-
- Last time the file attributes or metadata changed.
- Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
- name: file.ctime
- type: date
-- description: Device that is the source of the file.
- name: file.device
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- Drive letter where the file is located. This field is only relevant on Windows.
- The value should be uppercase, and not include the colon.
- name: file.drive_letter
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Primary group ID (GID) of the file.
- name: file.gid
- type: keyword
-- description: Primary group name of the file.
- name: file.group
- type: keyword
-- description: MD5 hash.
- name: file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: file.hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: file.hash.sha512
- type: keyword
-- description: Inode representing the file in the filesystem.
- name: file.inode
- type: keyword
-- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
- name: file.mime_type
- type: keyword
-- description: Mode of the file in octal representation.
- name: file.mode
- type: keyword
-- description: Last time the file content was modified.
- name: file.mtime
- type: date
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: File owner's username.
- name: file.owner
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: CPU architecture target for the file.
- name: file.pe.architecture
- type: keyword
-- description: Internal company name of the file, provided at compile-time.
- name: file.pe.company
- type: keyword
-- description: Internal description of the file, provided at compile-time.
- name: file.pe.description
- type: keyword
-- description: Internal version of the file, provided at compile-time.
- name: file.pe.file_version
- type: keyword
-- description: |-
- A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
- Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
- name: file.pe.imphash
- type: keyword
-- description: Internal name of the file, provided at compile-time.
- name: file.pe.original_file_name
- type: keyword
-- description: Internal product name of the file, provided at compile-time.
- name: file.pe.product
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: Target path for symlinks.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.target_path
- type: keyword
-- description: File type (file, dir, or symlink).
- name: file.type
- type: keyword
-- description: The user ID (UID) or security identifier (SID) of the file owner.
- name: file.uid
- type: keyword
-- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
- name: file.x509.alternative_names
- type: keyword
-- description: List of common name (CN) of issuing certificate authority.
- name: file.x509.issuer.common_name
- type: keyword
-- description: List of country (C) codes
- name: file.x509.issuer.country
- type: keyword
-- description: Distinguished name (DN) of issuing certificate authority.
- name: file.x509.issuer.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: file.x509.issuer.locality
- type: keyword
-- description: List of organizations (O) of issuing certificate authority.
- name: file.x509.issuer.organization
- type: keyword
-- description: List of organizational units (OU) of issuing certificate authority.
- name: file.x509.issuer.organizational_unit
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: file.x509.issuer.state_or_province
- type: keyword
-- description: Time at which the certificate is no longer considered valid.
- name: file.x509.not_after
- type: date
-- description: Time at which the certificate is first considered valid.
- name: file.x509.not_before
- type: date
-- description: Algorithm used to generate the public key.
- name: file.x509.public_key_algorithm
- type: keyword
-- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
- name: file.x509.public_key_curve
- type: keyword
-- description: Exponent used to derive the public key. This is algorithm specific.
- doc_values: false
- index: false
- name: file.x509.public_key_exponent
- type: long
-- description: The size of the public key space in bits.
- name: file.x509.public_key_size
- type: long
-- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
- name: file.x509.serial_number
- type: keyword
-- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
- name: file.x509.signature_algorithm
- type: keyword
-- description: List of common names (CN) of subject.
- name: file.x509.subject.common_name
- type: keyword
-- description: List of country (C) code
- name: file.x509.subject.country
- type: keyword
-- description: Distinguished name (DN) of the certificate subject entity.
- name: file.x509.subject.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: file.x509.subject.locality
- type: keyword
-- description: List of organizations (O) of subject.
- name: file.x509.subject.organization
- type: keyword
-- description: List of organizational units (OU) of subject.
- name: file.x509.subject.organizational_unit
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: file.x509.subject.state_or_province
- type: keyword
-- description: Version of x509 format.
- name: file.x509.version_number
- type: keyword
-- description: City name.
- name: geo.city_name
- type: keyword
-- description: Name of the continent.
- name: geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: geo.country_iso_code
- type: keyword
-- description: Country name.
- name: geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: geo.name
- type: keyword
-- description: Region ISO code.
- name: geo.region_iso_code
- type: keyword
-- description: Region name.
- name: geo.region_name
- type: keyword
-- description: |-
- Name of the directory the group is a member of.
- For example, an LDAP or Active Directory domain name.
- name: group.domain
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: MD5 hash.
- name: hash.md5
- type: keyword
-- description: SHA1 hash.
- name: hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: hash.sha512
- type: keyword
-- description: Operating system architecture.
- name: host.architecture
- type: keyword
-- description: |-
- Name of the domain of which the host is a member.
- For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
- name: host.domain
- type: keyword
-- description: City name.
- name: host.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: host.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: host.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: host.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: host.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: host.geo.name
- type: keyword
-- description: Region ISO code.
- name: host.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: host.geo.region_name
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: |-
- Unique host id.
- As hostname is not always unique, use values that are meaningful in your environment.
- Example: The current usage of `beat.name`.
- name: host.id
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: |-
- Host MAC addresses.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: host.mac
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: host.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: host.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: host.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: host.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: host.os.platform
- type: keyword
-- description: Operating system version as a raw string.
- name: host.os.version
- type: keyword
-- description: |-
- Type of host.
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
- name: host.type
- type: keyword
-- description: Seconds the host has been up.
- name: host.uptime
- type: long
-- description: Size in bytes of the request body.
- name: http.request.body.bytes
- type: long
-- description: The full HTTP request body.
- multi_fields:
- - name: text
- type: match_only_text
- name: http.request.body.content
- type: wildcard
-- description: Total size in bytes of the request (body and headers).
- name: http.request.bytes
- type: long
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: Referrer for this HTTP request.
- name: http.request.referrer
- type: keyword
-- description: Size in bytes of the response body.
- name: http.response.body.bytes
- type: long
-- description: The full HTTP response body.
- multi_fields:
- - name: text
- type: match_only_text
- name: http.response.body.content
- type: wildcard
-- description: Total size in bytes of the response (body and headers).
- name: http.response.bytes
- type: long
-- description: HTTP response status code.
- name: http.response.status_code
- type: long
-- description: HTTP version.
- name: http.version
- type: keyword
-- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
- name: interface.alias
- type: keyword
-- description: Interface ID as reported by an observer (typically SNMP interface ID).
- name: interface.id
- type: keyword
-- description: Interface name as reported by the system.
- name: interface.name
- type: keyword
-- description: |-
- Custom key/value pairs.
- Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
- Example: `docker` and `k8s` labels.
- name: labels
- type: object
-- description: |-
- Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
- If the event wasn't read from a log file, do not populate this field.
- name: log.file.path
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
- name: log.logger
- type: keyword
-- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.
- name: log.syslog
- type: object
-- description: |-
- The Syslog numeric facility of the log event, if available.
- According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
- name: log.syslog.facility.code
- type: long
-- description: The Syslog text-based facility of the log event, if available.
- name: log.syslog.facility.name
- type: keyword
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
- name: log.syslog.severity.code
- type: long
-- description: |-
- The Syslog numeric severity of the log event, if available.
- If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`.
- name: log.syslog.severity.name
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
- The field value must be normalized to lowercase for querying.
- name: network.application
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name.
Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
- name: network.inner
- type: object
-- description: VLAN ID as reported by the observer.
- name: network.inner.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: network.inner.vlan.name
- type: keyword
-- description: Name given by operators to sections of their network.
- name: network.name
- type: keyword
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: network.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: network.vlan.name
- type: keyword
-- description: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
- name: observer.egress
- type: object
-- description: Interface alias as reported by the system, typically used in firewall implementations for e.g.
inside, outside, or dmz logical interface naming.
- name: observer.egress.interface.alias
- type: keyword
-- description: Interface ID as reported by an observer (typically SNMP interface ID).
- name: observer.egress.interface.id
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.egress.interface.name
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: observer.egress.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: observer.egress.vlan.name
- type: keyword
-- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
- name: observer.egress.zone
- type: keyword
-- description: City name.
- name: observer.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: observer.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: observer.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: observer.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: observer.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: observer.geo.name
- type: keyword
-- description: Region ISO code.
- name: observer.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: observer.geo.region_name
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic.
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
- name: observer.ingress
- type: object
-- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
- name: observer.ingress.interface.alias
- type: keyword
-- description: Interface ID as reported by an observer (typically SNMP interface ID).
- name: observer.ingress.interface.id
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.ingress.interface.name
- type: keyword
-- description: VLAN ID as reported by the observer.
- name: observer.ingress.vlan.id
- type: keyword
-- description: Optional VLAN name as reported by the observer.
- name: observer.ingress.vlan.name
- type: keyword
-- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
- name: observer.ingress.zone
- type: keyword
-- description: IP addresses of the observer.
- name: observer.ip
- type: ip
-- description: |-
- MAC addresses of the observer.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: observer.mac
- type: keyword
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: observer.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields: - - name: text - type: match_only_text - name: observer.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: observer.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: observer.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: observer.os.platform - type: keyword -- description: Operating system version as a raw string. - name: observer.os.version - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). 
- name: os.platform - type: keyword -- description: Operating system version as a raw string. - name: os.version - type: keyword -- description: Package architecture. - name: package.architecture - type: keyword -- description: |- - Additional information about the build version of the installed package. - For example use the commit SHA of a non-released package. - name: package.build_version - type: keyword -- description: Checksum of the installed package for verification. - name: package.checksum - type: keyword -- description: Description of the package. - name: package.description - type: keyword -- description: Indicating how the package was installed, e.g. user-local, global. - name: package.install_scope - type: keyword -- description: Time when package was installed. - name: package.installed - type: date -- description: |- - License under which the package was released. - Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). - name: package.license - type: keyword -- description: Package name - name: package.name - type: keyword -- description: Path where the package is installed. - name: package.path - type: keyword -- description: Home page or reference URL of the software in this package, if available. - name: package.reference - type: keyword -- description: Package size in bytes. - name: package.size - type: long -- description: |- - Type of package. - This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. - name: package.type - type: keyword -- description: Package version - name: package.version - type: keyword -- description: CPU architecture target for the file. - name: pe.architecture - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: pe.company - type: keyword -- description: Internal description of the file, provided at compile-time. 
- name: pe.description - type: keyword -- description: Internal version of the file, provided at compile-time. - name: pe.file_version - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: pe.imphash - type: keyword -- description: Internal name of the file, provided at compile-time. - name: pe.original_file_name - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: pe.product - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. - May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: Boolean to capture if a signature is present. - name: process.code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: process.code_signature.status - type: keyword -- description: Subject name of the code signer - name: process.code_signature.subject_name - type: keyword -- description: |- - Stores the trust status of the certificate chain. - Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
- name: process.code_signature.trusted - type: boolean -- description: |- - Boolean to capture if the digital signature is verified against the binary content. - Leave unpopulated if a certificate was unchecked. - name: process.code_signature.valid - type: boolean -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - The exit code of the process, if this is a termination event. - The field should be absent if there is no exit code for the event (e.g. process start). - name: process.exit_code - type: long -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: SHA512 hash. - name: process.hash.sha512 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. 
- May be filtered to protect sensitive information. - name: process.parent.args - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.parent.args_count - type: long -- description: Boolean to capture if a signature is present. - name: process.parent.code_signature.exists - type: boolean -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: process.parent.code_signature.status - type: keyword -- description: Subject name of the code signer - name: process.parent.code_signature.subject_name - type: keyword -- description: |- - Stores the trust status of the certificate chain. - Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - name: process.parent.code_signature.trusted - type: boolean -- description: |- - Boolean to capture if the digital signature is verified against the binary content. - Leave unpopulated if a certificate was unchecked. - name: process.parent.code_signature.valid - type: boolean -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. 
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: |- - The exit code of the process, if this is a termination event. - The field should be absent if there is no exit code for the event (e.g. process start). - name: process.parent.exit_code - type: long -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.parent.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: SHA512 hash. - name: process.parent.hash.sha512 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: CPU architecture target for the file. - name: process.parent.pe.architecture - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: process.parent.pe.company - type: keyword -- description: Internal description of the file, provided at compile-time. - name: process.parent.pe.description - type: keyword -- description: Internal version of the file, provided at compile-time. - name: process.parent.pe.file_version - type: keyword -- description: |- - A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: process.parent.pe.imphash - type: keyword -- description: Internal name of the file, provided at compile-time. - name: process.parent.pe.original_file_name - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: process.parent.pe.product - type: keyword -- description: |- - Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - Identifier of the group of processes the process belongs to. - name: process.parent.pgid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: The time the process started. - name: process.parent.start - type: date -- description: Thread ID. - name: process.parent.thread.id - type: long -- description: Thread name. - name: process.parent.thread.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Seconds the process has been up. - name: process.parent.uptime - type: long -- description: The working directory of the process. - multi_fields: - - name: text - type: match_only_text - name: process.parent.working_directory - type: keyword -- description: CPU architecture target for the file. - name: process.pe.architecture - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: process.pe.company - type: keyword -- description: Internal description of the file, provided at compile-time. 
- name: process.pe.description - type: keyword -- description: Internal version of the file, provided at compile-time. - name: process.pe.file_version - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: process.pe.imphash - type: keyword -- description: Internal name of the file, provided at compile-time. - name: process.pe.original_file_name - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: process.pe.product - type: keyword -- description: |- - Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. - Identifier of the group of processes the process belongs to. - name: process.pgid - type: long -- description: Process id. - name: process.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Thread ID. - name: process.thread.id - type: long -- description: Thread name. - name: process.thread.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Seconds the process has been up. - name: process.uptime - type: long -- description: The working directory of the process. - multi_fields: - - name: text - type: match_only_text - name: process.working_directory - type: keyword -- description: |- - Original bytes written with base64 encoding. 
- For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. - name: registry.data.bytes - type: keyword -- description: |- - Content when writing string types. - Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - name: registry.data.strings - type: wildcard -- description: Standard registry type for encoding contents - name: registry.data.type - type: keyword -- description: Abbreviated name for the hive. - name: registry.hive - type: keyword -- description: Hive-relative path of keys. - name: registry.key - type: keyword -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: Name of the value written. - name: registry.value - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. 
- name: rule.author - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: Name of the license under which the rule used to generate this event is made available. - name: rule.license - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Reference URL to additional information about the rule used to generate this event. - The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. - name: rule.reference - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - name: rule.uuid - type: keyword -- description: The version / revision of the rule being used for analysis. - name: rule.version - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
- name: server.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: server.as.organization.name - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: City name. - name: server.geo.city_name - type: keyword -- description: Name of the continent. - name: server.geo.continent_name - type: keyword -- description: Country ISO code. - name: server.geo.country_iso_code - type: keyword -- description: Country name. - name: server.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: server.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: server.geo.name - type: keyword -- description: Region ISO code. - name: server.geo.region_iso_code - type: keyword -- description: Region name. - name: server.geo.region_name - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: |- - MAC address of the server. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: server.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. 
- name: server.nat.ip - type: ip -- description: |- - Translated port of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: server.nat.port - type: long -- description: Packets sent from the server to the client. - name: server.packets - type: long -- description: Port of the server. - name: server.port - type: long -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: server.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: server.user.domain - type: keyword -- description: User email address. - name: server.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: server.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: server.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: server.user.group.id - type: keyword -- description: Name of the group. - name: server.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: server.user.hash - type: keyword -- description: Unique identifier of the user. - name: server.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: server.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: server.user.roles - type: keyword -- description: |- - Ephemeral identifier of this service (if one exists). - This id normally changes across restarts, but `service.id` does not. - name: service.ephemeral_id - type: keyword -- description: |- - Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. - This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. - Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - name: service.id - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Name of a service node. - This allows for two nodes of the same service running on the same host to be differentiated. 
Therefore, `service.node.name` should typically be unique across nodes of a given service. - In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. - name: service.node.name - type: keyword -- description: Current state of the service. - name: service.state - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword -- description: |- - Version of the service the data was collected from. - This allows to look at a data set only for a specific version of a service. - name: service.version - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. 
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. 
- name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.domain - type: keyword -- description: User email address. - name: source.user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: source.user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: source.user.group.id - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. - Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
- name: source.user.hash - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: Array of user roles at the time of the event. - name: source.user.roles - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - name: threat.framework - type: keyword -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - type: keyword -- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.reference - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - type: keyword -- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) - name: threat.technique.reference - type: keyword -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. 
- name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. 
- name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. 
- name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. 
- name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. 
- name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Unique identifier of the span within the scope of its trace. - A span represents an operation within a transaction, such as a request to another service, or a database query. - name: span.id - type: keyword -- description: |- - Unique identifier of the trace. - A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. - name: trace.id - type: keyword -- description: |- - Unique identifier of the transaction within the scope of its trace. - A transaction is the highest level of work measured within a service, such as a request to a server. - name: transaction.id - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
- name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
- name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: |- - Unique user hash to correlate information for a user in anonymized form. 
- Useful if `user.id` or `user.name` contain confidential information and cannot be used. - name: user.hash - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: VLAN ID as reported by the observer. - name: vlan.id - type: keyword -- description: Optional VLAN name as reported by the observer. - name: vlan.name - type: keyword -- description: |- - The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). 
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) - This field must be an array. - name: vulnerability.category - type: keyword -- description: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) - name: vulnerability.classification - type: keyword -- description: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) - multi_fields: - - name: text - type: match_only_text - name: vulnerability.description - type: keyword -- description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) - name: vulnerability.enumeration - type: keyword -- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] - name: vulnerability.id - type: keyword -- description: A resource that provides additional information, context, and mitigations for the identified vulnerability. - name: vulnerability.reference - type: keyword -- description: The report or scan identification number. - name: vulnerability.report_id - type: keyword -- description: The name of the vulnerability scanner vendor. - name: vulnerability.scanner.vendor - type: keyword -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.base - type: float -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.environmental - type: float -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.temporal - type: float -- description: |- - The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. - CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) - name: vulnerability.score.version - type: keyword -- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - name: vulnerability.severity - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. 
- name: x509.signature_algorithm
- type: keyword
-- description: List of common names (CN) of subject.
- name: x509.subject.common_name
- type: keyword
-- description: List of country (C) code
- name: x509.subject.country
- type: keyword
-- description: Distinguished name (DN) of the certificate subject entity.
- name: x509.subject.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: x509.subject.locality
- type: keyword
-- description: List of organizations (O) of subject.
- name: x509.subject.organization
- type: keyword
-- description: List of organizational units (OU) of subject.
- name: x509.subject.organizational_unit
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: x509.subject.state_or_province
- type: keyword
-- description: Version of x509 format.
- name: x509.version_number
- type: keyword
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/fields/fields.yml b/packages/juniper_srx/1.3.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index f1c609ea12..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,388 +0,0 @@
-- name: juniper.srx
- type: group
- release: ga
- fields:
- - name: reason
- type: keyword
- description: |
- reason
- - name: connection_tag
- type: keyword
- description: |
- connection tag
- - name: service_name
- type: keyword
- description: |
- service name
- - name: nat_connection_tag
- type: keyword
- description: |
- nat connection tag
- - name: src_nat_rule_type
- type: keyword
- description: |
- src nat rule type
- - name: src_nat_rule_name
- type: keyword
- description: |
- src nat rule name
- - name: dst_nat_rule_type
- type: keyword
- description: |
- dst nat rule type
- - name: dst_nat_rule_name
- type: keyword
- description: |
- dst nat rule name
- - name: protocol_id
- type: keyword
- description: |
- protocol id
- - name: policy_name
- type: keyword
- description: |
- policy name
- - name: session_id_32
- type: keyword
- description: |
- session id 32
- - name: session_id
- type: keyword
- description: |
- session id
- - name: outbound_packets
- type: integer
- description: |
- packets from client
- - name: outbound_bytes
- type: integer
- description: |
- bytes from client
- - name: inbound_packets
- type: integer
- description: |
- packets from server
- - name: inbound_bytes
- type: integer
- description: |
- bytes from server
- - name: elapsed_time
- type: date
- description: |
- elapsed time
- - name: application
- type: keyword
- description: |
- application
- - name: nested_application
- type: keyword
- description: |
- nested application
- - name: username
- type: keyword
- description: |
- username
- - name: roles
- type: keyword
- description: |
- roles
- - name: encrypted
- type: keyword
- description: |
- encrypted
- - name: application_category
- type: keyword
- description: |
- application category
- - name: application_sub_category
- type: keyword
- description: |
- application sub category
- - name: application_characteristics
- type: keyword
- description: |
- application characteristics
- - name:
secure_web_proxy_session_type - type: keyword - description: | - secure web proxy session type - - name: peer_session_id - type: keyword - description: | - peer session id - - name: peer_source_address - type: ip - description: | - peer source address - - name: peer_source_port - type: integer - description: | - peer source port - - name: peer_destination_address - type: ip - description: | - peer destination address - - name: peer_destination_port - type: integer - description: | - peer destination port - - name: hostname - type: keyword - description: | - hostname - - name: src_vrf_grp - type: keyword - description: | - src_vrf_grp - - name: dst_vrf_grp - type: keyword - description: | - dst_vrf_grp - - name: icmp_type - type: integer - description: | - icmp type - - name: process - type: keyword - description: | - process that generated the message - - name: apbr_rule_type - type: keyword - description: | - apbr rule type - - name: dscp_value - type: integer - description: | - apbr rule type - - name: logical_system_name - type: keyword - description: | - logical system name - - name: profile_name - type: keyword - description: | - profile name - - name: routing_instance - type: keyword - description: | - routing instance - - name: rule_name - type: keyword - description: | - rule name - - name: uplink_tx_bytes - type: integer - description: | - uplink tx bytes - - name: uplink_rx_bytes - type: integer - description: | - uplink rx bytes - - name: obj - type: keyword - description: | - url path - - name: url - type: keyword - description: | - url domain - - name: profile - type: keyword - description: | - filter profile - - name: category - type: keyword - description: | - filter category - - name: filename - type: keyword - description: | - filename - - name: temporary_filename - type: keyword - description: | - temporary_filename - - name: name - type: keyword - description: | - name - - name: error_message - type: keyword - description: | - error_message - - 
name: error_code - type: keyword - description: | - error_code - - name: action - type: keyword - description: | - action - - name: protocol - type: keyword - description: | - protocol - - name: protocol_name - type: keyword - description: | - protocol name - - name: type - type: keyword - description: | - type - - name: repeat_count - type: integer - description: | - repeat count - - name: alert - type: keyword - description: | - repeat alert - - name: message_type - type: keyword - description: | - message type - - name: threat_severity - type: keyword - description: | - threat severity - - name: application_name - type: keyword - description: | - application name - - name: attack_name - type: keyword - description: | - attack name - - name: index - type: keyword - description: | - index - - name: message - type: keyword - description: | - mesagge - - name: epoch_time - type: date - description: | - epoch time - - name: packet_log_id - type: integer - description: | - packet log id - - name: export_id - type: integer - description: | - packet log id - - name: ddos_application_name - type: keyword - description: | - ddos application name - - name: connection_hit_rate - type: integer - description: | - connection hit rate - - name: time_scope - type: keyword - description: | - time scope - - name: context_hit_rate - type: integer - description: | - context hit rate - - name: context_value_hit_rate - type: integer - description: | - context value hit rate - - name: time_count - type: integer - description: | - time count - - name: time_period - type: integer - description: | - time period - - name: context_value - type: keyword - description: | - context value - - name: context_name - type: keyword - description: | - context name - - name: ruleebase_name - type: keyword - description: | - ruleebase name - - name: verdict_source - type: keyword - description: | - verdict source - - name: verdict_number - type: integer - description: | - verdict number - - name: 
file_category
- type: keyword
- description: |
- file category
- - name: sample_sha256
- type: keyword
- description: |
- sample sha256
- - name: malware_info
- type: keyword
- description: |
- malware info
- - name: client_ip
- type: ip
- description: |
- client ip
- - name: tenant_id
- type: keyword
- description: |
- tenant id
- - name: timestamp
- type: date
- description: |
- timestamp
- - name: th
- type: keyword
- description: |
- th
- - name: status
- type: keyword
- description: |
- status
- - name: state
- type: keyword
- description: |
- state
- - name: file_hash_lookup
- type: keyword
- description: |
- file hash lookup
- - name: file_name
- type: keyword
- description: |
- file name
- - name: action_detail
- type: keyword
- description: |
- action detail
- - name: sub_category
- type: keyword
- description: |
- sub category
- - name: feed_name
- type: keyword
- description: |
- feed name
- - name: occur_count
- type: integer
- description: |
- occur count
- - name: tag
- type: keyword
- description: |-
- system log message tag, which uniquely identifies the message.
diff --git a/packages/juniper_srx/1.3.1/data_stream/log/manifest.yml b/packages/juniper_srx/1.3.1/data_stream/log/manifest.yml
deleted file mode 100755
index 3ef0bbef69..0000000000
--- a/packages/juniper_srx/1.3.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,173 +0,0 @@ -type: logs -title: Juniper SRX logs -streams: - - input: tcp - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9006 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - juniper-srx - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - name: tcp_options - type: yaml - title: Custom TCP Options - multi: false - required: false - show_user: false - default: | - #max_connections: 1 - #framing: delimitier - #line_delimiter: "\n" - description: Specify custom configuration options for the TCP input. 
- template_path: tcp.yml.hbs - title: Juniper SRX logs - description: Collect Juniper SRX logs via TCP - - input: udp - vars: - - name: syslog_host - type: text - title: Syslog Host - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - multi: false - required: true - show_user: true - default: 9006 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - juniper-srx - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - template_path: udp.yml.hbs - title: Juniper SRX logs - description: Collect Juniper SRX logs via UDP - - input: filestream - enabled: false - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/juniper-srx.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - juniper-srx - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: logfile.yml.hbs - title: Juniper SRX logs - description: Read Juniper SRX logs from a file diff --git a/packages/juniper_srx/1.3.1/data_stream/log/sample_event.json b/packages/juniper_srx/1.3.1/data_stream/log/sample_event.json deleted file mode 100755 index ea03571008..0000000000 --- a/packages/juniper_srx/1.3.1/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "@timestamp": "2016-02-18T01:32:50.391Z", - "agent": { - "ephemeral_id": "468e3921-9867-43fa-8cc6-d8b5ccb54a25", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "client": { - "ip": "192.168.1.100", - "port": 58071 - }, - "data_stream": { - "dataset": "juniper_srx.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 35908 - }, - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.13", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "web_filter", - "agent_id_status": "verified", - "category": [ - "network", - "malware" - ], - "dataset": "juniper_srx.log", - "ingested": "2022-01-01T23:05:23Z", - "kind": "alert", - "outcome": "success", - "severity": 12, - "timezone": "+00:00", - "type": [ - "info", - "denied", - "connection" - ] - }, - "input": { - "type": "udp" - }, - "juniper": { - "srx": { - "category": "cat1", - "process": "RT_UTM", - "profile": "uf1", - "reason": "BY_BLACK_LIST", - "tag": "WEBFILTER_URL_BLOCKED" - } - }, - "log": { - "level": "warning", - "source": { - "address": "172.18.0.7:60328" - } - }, - "observer": { - "name": "utm-srx550-b", - "product": "SRX", - "type": "firewall", - "vendor": "Juniper" - }, - "related": { - "hosts": [ - "www.baidu.com" - ], - "ip": [ - "192.168.1.100", - "67.43.156.13" - ], - "user": [ - "user01" - ] - }, - "server": { - "ip": "67.43.156.13", - "port": 80 - }, - "source": { - "ip": "192.168.1.100", - "port": 58071, - "user": { - "name": "user01" - } - }, - "tags": [ - "juniper-srx", - "forwarded" - ], - "url": { - "domain": "www.baidu.com", - "path": "/" - } -} \ No newline at end of file 
diff --git a/packages/juniper_srx/1.3.1/docs/README.md b/packages/juniper_srx/1.3.1/docs/README.md deleted file mode 100755 index f642b59969..0000000000 --- a/packages/juniper_srx/1.3.1/docs/README.md +++ /dev/null 
@@ -1,870 +0,0 @@ -# Juniper SRX integration - -This is an integration for ingesting logs from [Juniper SRX](https://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/srx-series/product/). - -### Log - -The SRX Log integration only supports syslog messages in the format "structured-data + brief". See the [JunOS Documentation on structured-data.](https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html) - -To configure a remote syslog destination, please reference the [SRX Getting Started - Configure System Logging.](https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502) -The syslog format choosen should be `Default`. - -The following processes and tags are supported: - -| JunOS processes | JunOS tags | -|-----------------|-------------------------------------------| -| RT_FLOW | RT_FLOW_SESSION_CREATE | -| | RT_FLOW_SESSION_CLOSE | -| | RT_FLOW_SESSION_DENY | -| | APPTRACK_SESSION_CREATE | -| | APPTRACK_SESSION_CLOSE | -| | APPTRACK_SESSION_VOL_UPDATE | -| RT_IDS | RT_SCREEN_TCP | -| | RT_SCREEN_UDP | -| | RT_SCREEN_ICMP | -| | RT_SCREEN_IP | -| | RT_SCREEN_TCP_DST_IP | -| | RT_SCREEN_TCP_SRC_IP | -| RT_UTM | WEBFILTER_URL_PERMITTED | -| | WEBFILTER_URL_BLOCKED | -| | AV_VIRUS_DETECTED_MT | -| | CONTENT_FILTERING_BLOCKED_MT | -| | ANTISPAM_SPAM_DETECTED_MT | -| RT_IDP | IDP_ATTACK_LOG_EVENT | -| | IDP_APPDDOS_APP_STATE_EVENT | -| RT_AAMW | SRX_AAMW_ACTION_LOG | -| | AAMW_MALWARE_EVENT_LOG | -| | AAMW_HOST_INFECTED_EVENT_LOG | -| | AAMW_ACTION_LOG | -| RT_SECINTEL | SECINTEL_ACTION_LOG | - - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. 
| keyword | -| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | -| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | -| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | -| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | -| agent.version | Version of the agent. | keyword | -| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| as.organization.name | Organization name. | keyword | -| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | -| client.packets | Packets sent from the client to the server. | long | -| client.port | Port of the client. | long | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| client.user.email | User email address. | keyword | -| client.user.full_name | User's full name, if available. | keyword | -| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | -| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| client.user.group.name | Name of the group. | keyword | -| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| client.user.id | Unique identifier of the user. | keyword | -| client.user.name | Short name or login of the user. | keyword | -| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | -| client.user.roles | Array of user roles at the time of the event. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| code_signature.exists | Boolean to capture if a signature is present. | boolean | -| code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| code_signature.subject_name | Subject name of the code signer | keyword | -| code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.image.tag | Container image tags. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| container.runtime | Runtime managing this container. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | -| destination.user.email | User email address. | keyword | -| destination.user.full_name | User's full name, if available. | keyword | -| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text | -| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| destination.user.group.name | Name of the group. | keyword | -| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| destination.user.roles | Array of user roles at the time of the event. | keyword | -| dll.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| dll.code_signature.subject_name | Subject name of the code signer | keyword | -| dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | -| dll.hash.md5 | MD5 hash. 
| keyword | -| dll.hash.sha1 | SHA1 hash. | keyword | -| dll.hash.sha256 | SHA256 hash. | keyword | -| dll.hash.sha512 | SHA512 hash. | keyword | -| dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | -| dll.path | Full file path of the library. | keyword | -| dll.pe.architecture | CPU architecture target for the file. | keyword | -| dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| dll.pe.description | Internal description of the file, provided at compile-time. | keyword | -| dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| dll.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. 
| keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.code | Error code describing the error. | keyword | -| error.id | Unique identifier for the error. | keyword | -| error.message | Error message. 
| match_only_text | -| error.stack_trace | The stack trace of this error in plain text. | wildcard | -| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | -| error.type | The type of the error, for example the class name of the exception. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| file.code_signature.subject_name | Subject name of the code signer | keyword | -| file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | -| file.created | File creation time. Note that not all filesystems store the creation time. 
| date | -| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | -| file.device | Device that is the source of the file. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.gid | Primary group ID (GID) of the file. | keyword | -| file.group | Primary group name of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.mode | Mode of the file in octal representation. | keyword | -| file.mtime | Last time the file content was modified. | date | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.owner | File owner's username. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. 
| match_only_text | -| file.pe.architecture | CPU architecture target for the file. | keyword | -| file.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| file.pe.description | Internal description of the file, provided at compile-time. | keyword | -| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| file.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.target_path | Target path for symlinks. | keyword | -| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | -| file.type | File type (file, dir, or symlink). | keyword | -| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | -| file.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.issuer.country | List of country (C) codes | keyword | -| file.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. 
| keyword | -| file.x509.issuer.locality | List of locality names (L) | keyword | -| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| file.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| file.x509.not_before | Time at which the certificate is first considered valid. | date | -| file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| file.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| file.x509.public_key_size | The size of the public key space in bits. | long | -| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| file.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| file.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| file.x509.subject.country | List of country (C) code | keyword | -| file.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| file.x509.subject.locality | List of locality names (L) | keyword | -| file.x509.subject.organization | List of organizations (O) of subject. | keyword | -| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. 
| keyword | -| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| file.x509.version_number | Version of x509 format. | keyword | -| geo.city_name | City name. | keyword | -| geo.continent_name | Name of the continent. | keyword | -| geo.country_iso_code | Country ISO code. | keyword | -| geo.country_name | Country name. | keyword | -| geo.location | Longitude and latitude. | geo_point | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_iso_code | Region ISO code. | keyword | -| geo.region_name | Region name. | keyword | -| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| hash.md5 | MD5 hash. | keyword | -| hash.sha1 | SHA1 hash. | keyword | -| hash.sha256 | SHA256 hash. | keyword | -| hash.sha512 | SHA512 hash. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.full | Operating system name, including the version or code name. | keyword | -| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| host.uptime | Seconds the host has been up. | long | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.body.content | The full HTTP request body. | wildcard | -| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.body.content | The full HTTP response body. | wildcard | -| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type. | keyword | -| interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | -| interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| interface.name | Interface name as reported by the system. 
| keyword | -| juniper.srx.action | action | keyword | -| juniper.srx.action_detail | action detail | keyword | -| juniper.srx.alert | repeat alert | keyword | -| juniper.srx.apbr_rule_type | apbr rule type | keyword | -| juniper.srx.application | application | keyword | -| juniper.srx.application_category | application category | keyword | -| juniper.srx.application_characteristics | application characteristics | keyword | -| juniper.srx.application_name | application name | keyword | -| juniper.srx.application_sub_category | application sub category | keyword | -| juniper.srx.attack_name | attack name | keyword | -| juniper.srx.category | filter category | keyword | -| juniper.srx.client_ip | client ip | ip | -| juniper.srx.connection_hit_rate | connection hit rate | integer | -| juniper.srx.connection_tag | connection tag | keyword | -| juniper.srx.context_hit_rate | context hit rate | integer | -| juniper.srx.context_name | context name | keyword | -| juniper.srx.context_value | context value | keyword | -| juniper.srx.context_value_hit_rate | context value hit rate | integer | -| juniper.srx.ddos_application_name | ddos application name | keyword | -| juniper.srx.dscp_value | apbr rule type | integer | -| juniper.srx.dst_nat_rule_name | dst nat rule name | keyword | -| juniper.srx.dst_nat_rule_type | dst nat rule type | keyword | -| juniper.srx.dst_vrf_grp | dst_vrf_grp | keyword | -| juniper.srx.elapsed_time | elapsed time | date | -| juniper.srx.encrypted | encrypted | keyword | -| juniper.srx.epoch_time | epoch time | date | -| juniper.srx.error_code | error_code | keyword | -| juniper.srx.error_message | error_message | keyword | -| juniper.srx.export_id | packet log id | integer | -| juniper.srx.feed_name | feed name | keyword | -| juniper.srx.file_category | file category | keyword | -| juniper.srx.file_hash_lookup | file hash lookup | keyword | -| juniper.srx.file_name | file name | keyword | -| juniper.srx.filename | filename | keyword | -| 
juniper.srx.hostname | hostname | keyword | -| juniper.srx.icmp_type | icmp type | integer | -| juniper.srx.inbound_bytes | bytes from server | integer | -| juniper.srx.inbound_packets | packets from server | integer | -| juniper.srx.index | index | keyword | -| juniper.srx.logical_system_name | logical system name | keyword | -| juniper.srx.malware_info | malware info | keyword | -| juniper.srx.message | mesagge | keyword | -| juniper.srx.message_type | message type | keyword | -| juniper.srx.name | name | keyword | -| juniper.srx.nat_connection_tag | nat connection tag | keyword | -| juniper.srx.nested_application | nested application | keyword | -| juniper.srx.obj | url path | keyword | -| juniper.srx.occur_count | occur count | integer | -| juniper.srx.outbound_bytes | bytes from client | integer | -| juniper.srx.outbound_packets | packets from client | integer | -| juniper.srx.packet_log_id | packet log id | integer | -| juniper.srx.peer_destination_address | peer destination address | ip | -| juniper.srx.peer_destination_port | peer destination port | integer | -| juniper.srx.peer_session_id | peer session id | keyword | -| juniper.srx.peer_source_address | peer source address | ip | -| juniper.srx.peer_source_port | peer source port | integer | -| juniper.srx.policy_name | policy name | keyword | -| juniper.srx.process | process that generated the message | keyword | -| juniper.srx.profile | filter profile | keyword | -| juniper.srx.profile_name | profile name | keyword | -| juniper.srx.protocol | protocol | keyword | -| juniper.srx.protocol_id | protocol id | keyword | -| juniper.srx.protocol_name | protocol name | keyword | -| juniper.srx.reason | reason | keyword | -| juniper.srx.repeat_count | repeat count | integer | -| juniper.srx.roles | roles | keyword | -| juniper.srx.routing_instance | routing instance | keyword | -| juniper.srx.rule_name | rule name | keyword | -| juniper.srx.ruleebase_name | ruleebase name | keyword | -| juniper.srx.sample_sha256 
| sample sha256 | keyword | -| juniper.srx.secure_web_proxy_session_type | secure web proxy session type | keyword | -| juniper.srx.service_name | service name | keyword | -| juniper.srx.session_id | session id | keyword | -| juniper.srx.session_id_32 | session id 32 | keyword | -| juniper.srx.src_nat_rule_name | src nat rule name | keyword | -| juniper.srx.src_nat_rule_type | src nat rule type | keyword | -| juniper.srx.src_vrf_grp | src_vrf_grp | keyword | -| juniper.srx.state | state | keyword | -| juniper.srx.status | status | keyword | -| juniper.srx.sub_category | sub category | keyword | -| juniper.srx.tag | system log message tag, which uniquely identifies the message. | keyword | -| juniper.srx.temporary_filename | temporary_filename | keyword | -| juniper.srx.tenant_id | tenant id | keyword | -| juniper.srx.th | th | keyword | -| juniper.srx.threat_severity | threat severity | keyword | -| juniper.srx.time_count | time count | integer | -| juniper.srx.time_period | time period | integer | -| juniper.srx.time_scope | time scope | keyword | -| juniper.srx.timestamp | timestamp | date | -| juniper.srx.type | type | keyword | -| juniper.srx.uplink_rx_bytes | uplink rx bytes | integer | -| juniper.srx.uplink_tx_bytes | uplink tx bytes | integer | -| juniper.srx.url | url domain | keyword | -| juniper.srx.username | username | keyword | -| juniper.srx.verdict_number | verdict number | integer | -| juniper.srx.verdict_source | verdict source | keyword | -| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.level | Original log level of the log event. 
If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | -| log.offset | Byte offset of the log line within its file. | long | -| log.source.address | Source address of the syslog message. | keyword | -| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | -| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | -| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| network.vlan.id | VLAN ID as reported by the observer. 
| keyword | -| network.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | -| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | -| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.continent_name | Name of the continent. | keyword | -| observer.geo.country_iso_code | Country ISO code. | keyword | -| observer.geo.country_name | Country name. | keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| observer.geo.region_iso_code | Region ISO code. | keyword | -| observer.geo.region_name | Region name. | keyword | -| observer.hostname | Hostname of the observer. 
| keyword | -| observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | -| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | -| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| observer.os.full | Operating system name, including the version or code name. | keyword | -| observer.os.full.text | Multi-field of `observer.os.full`. 
| match_only_text | -| observer.os.kernel | Operating system kernel version as a raw string. | keyword | -| observer.os.name | Operating system name, without the version. | keyword | -| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text | -| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| observer.os.version | Operating system version as a raw string. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| organization.id | Unique identifier for the organization. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| os.full | Operating system name, including the version or code name. | keyword | -| os.full.text | Multi-field of `os.full`. | match_only_text | -| os.kernel | Operating system kernel version as a raw string. | keyword | -| os.name | Operating system name, without the version. | keyword | -| os.name.text | Multi-field of `os.name`. | match_only_text | -| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| os.version | Operating system version as a raw string. | keyword | -| package.architecture | Package architecture. | keyword | -| package.build_version | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. 
| keyword | -| package.checksum | Checksum of the installed package for verification. | keyword | -| package.description | Description of the package. | keyword | -| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword | -| package.installed | Time when package was installed. | date | -| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword | -| package.name | Package name | keyword | -| package.path | Path where the package is installed. | keyword | -| package.reference | Home page or reference URL of the software in this package, if available. | keyword | -| package.size | Package size in bytes. | long | -| package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword | -| package.version | Package version | keyword | -| pe.architecture | CPU architecture target for the file. | keyword | -| pe.company | Internal company name of the file, provided at compile-time. | keyword | -| pe.description | Internal description of the file, provided at compile-time. | keyword | -| pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| pe.product | Internal product name of the file, provided at compile-time. 
| keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.code_signature.subject_name | Subject name of the code signer | keyword | -| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.hash.sha512 | SHA512 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | -| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | -| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | -| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha1 | SHA1 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.hash.sha512 | SHA512 hash. | keyword | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pe.architecture | CPU architecture target for the file. 
| keyword | -| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | -| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.parent.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | -| process.parent.pid | Process id. | long | -| process.parent.start | The time the process started. | date | -| process.parent.thread.id | Thread ID. | long | -| process.parent.thread.name | Thread name. | keyword | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.parent.uptime | Seconds the process has been up. | long | -| process.parent.working_directory | The working directory of the process. | keyword | -| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | -| process.pe.architecture | CPU architecture target for the file. 
| keyword | -| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| process.pe.description | Internal description of the file, provided at compile-time. | keyword | -| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | -| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | -| process.pid | Process id. | long | -| process.start | The time the process started. | date | -| process.thread.id | Thread ID. | long | -| process.thread.name | Thread name. | keyword | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| process.uptime | Seconds the process has been up. | long | -| process.working_directory | The working directory of the process. | keyword | -| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | -| registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. 
This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. | keyword | -| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | -| registry.data.type | Standard registry type for encoding contents | keyword | -| registry.hive | Abbreviated name for the hive. | keyword | -| registry.key | Hive-relative path of keys. | keyword | -| registry.path | Full path, including hive, key and value | keyword | -| registry.value | Name of the value written. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
| keyword | -| rule.license | Name of the license under which the rule used to generate this event is made available. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword | -| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| rule.version | The version / revision of the rule being used for analysis. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| server.as.organization.name | Organization name. | keyword | -| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.geo.city_name | City name. | keyword | -| server.geo.continent_name | Name of the continent. | keyword | -| server.geo.country_iso_code | Country ISO code. 
| keyword | -| server.geo.country_name | Country name. | keyword | -| server.geo.location | Longitude and latitude. | geo_point | -| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| server.geo.region_iso_code | Region ISO code. | keyword | -| server.geo.region_name | Region name. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | -| server.packets | Packets sent from the server to the client. | long | -| server.port | Port of the server. | long | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| server.user.email | User email address. | keyword | -| server.user.full_name | User's full name, if available. | keyword | -| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text | -| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| server.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| server.user.group.name | Name of the group. | keyword | -| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| server.user.id | Unique identifier of the user. | keyword | -| server.user.name | Short name or login of the user. | keyword | -| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | -| server.user.roles | Array of user roles at the time of the event. | keyword | -| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword | -| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. 
| keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword | -| service.state | Current state of the service. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. 
| long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.email | User email address. | keyword | -| source.user.full_name | User's full name, if available. | keyword | -| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | -| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. 
| match_only_text | -| source.user.roles | Array of user roles at the time of the event. | keyword | -| span.id | Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| tls.cipher | String indicating the cipher used during the current connection. 
| keyword | -| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword | -| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date | -| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. 
| keyword | -| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword | -| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.country | List of country (C) codes | keyword | -| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.locality | List of locality names (L) | keyword | -| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.client.x509.public_key_size | The size of the public key space in bits. | long | -| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
| keyword |
-| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.client.x509.subject.country | List of country (C) code | keyword |
-| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.client.x509.subject.locality | List of locality names (L) | keyword |
-| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.version_number | Version of x509 format. | keyword |
-| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword |
-| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean |
-| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword |
-| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server.
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date |
-| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date |
-| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword |
-| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.country | List of country (C) codes | keyword |
-| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority.
| keyword |
-| tls.server.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.server.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.server.x509.subject.country | List of country (C) code | keyword |
-| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.server.x509.subject.locality | List of locality names (L) | keyword |
-| tls.server.x509.subject.organization | List of organizations (O) of subject.
| keyword |
-| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.version_number | Version of x509 format. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword |
-| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
| wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request.
| keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.group.name | Name of the group. | keyword |
-| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.roles | Array of user roles at the time of the event. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows).
| keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-| vlan.id | VLAN ID as reported by the observer. | keyword |
-| vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword |
-| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword |
-| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword |
-| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text |
-| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword |
-| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword |
-| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword |
-| vulnerability.report_id | The report or scan identification number. | keyword |
-| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor.
| keyword |
-| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
-| vulnerability.score.environmental | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) | float |
-| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float |
-| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
-| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
-| x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| x509.issuer.common_name | List of common name (CN) of issuing certificate authority.
| keyword |
-| x509.issuer.country | List of country (C) codes | keyword |
-| x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| x509.issuer.locality | List of locality names (L) | keyword |
-| x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| x509.not_before | Time at which the certificate is first considered valid. | date |
-| x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| x509.public_key_size | The size of the public key space in bits. | long |
-| x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| x509.subject.country | List of country (C) code | keyword |
-| x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| x509.subject.locality | List of locality names (L) | keyword |
-| x509.subject.organization | List of organizations (O) of subject.
| keyword | -| x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| x509.version_number | Version of x509 format. | keyword | diff --git a/packages/juniper_srx/1.3.1/img/logo.svg b/packages/juniper_srx/1.3.1/img/logo.svg deleted file mode 100755 index 8802414a5a..0000000000 --- a/packages/juniper_srx/1.3.1/img/logo.svg +++ /dev/null @@ -1,72 +0,0 @@ - -image/svg+xml \ No newline at end of file diff --git a/packages/juniper_srx/1.3.1/manifest.yml b/packages/juniper_srx/1.3.1/manifest.yml deleted file mode 100755 index e92c8a32d9..0000000000 --- a/packages/juniper_srx/1.3.1/manifest.yml +++ /dev/null @@ -1,32 +0,0 @@ -format_version: 1.0.0 -name: juniper_srx -title: Juniper SRX -version: 1.3.1 -description: Collect logs from Juniper SRX devices with Elastic Agent. -categories: ["network", "security"] -release: ga -license: basic -type: integration -conditions: - kibana.version: ^8.0.0 -policy_templates: - - name: juniper - title: Juniper SRX logs - description: Collect Juniper SRX logs from syslog or a file. - inputs: - - type: udp - title: Collect logs from Juniper SRX via UDP - description: Collecting syslog from Juniper SRX via UDP. - - type: tcp - title: Collect logs from Juniper SRX via TCP - description: Collecting syslog from Juniper SRX via TCP. - - type: filestream - title: Collect logs from Juniper SRX via file - description: Collecting syslog from Juniper SRX via file. -icons: - - src: /img/logo.svg - title: Juniper logo - size: 32x32 - type: image/svg+xml -owner: - github: elastic/security-external-integrations diff --git a/packages/microsoft_sqlserver/1.1.0/changelog.yml b/packages/microsoft_sqlserver/1.1.0/changelog.yml deleted file mode 100755 index 901c672605..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/changelog.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -# newer versions go on top - -- version: "1.1.0" - changes: - - description: Added performance datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3391 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.5.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.4.5" - changes: - - description: Update Readme. Added links to Microsoft documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3058 -- version: "0.4.4" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.4.3" - changes: - - description: Fix field conflict for `winlog.record_id` - type: bugfix - link: https://github.com/elastic/integrations/pull/2894 -- version: "0.4.2" - changes: - - description: Fix mapper_parsing_exception when parsing sqlserver.audit.event_time. - type: bugfix - link: https://github.com/elastic/integrations/pull/2813 -- version: "0.4.1" - changes: - - description: Change owner to SEI - type: bugfix - link: https://github.com/elastic/integrations/pull/2650 -- version: "0.4.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2493 -- version: "0.3.0" - changes: - - description: Expose winlog input ignore_older option. - type: enhancement - link: https://github.com/elastic/integrations/pull/2542 - - description: Fix preserve original event option - type: bugfix - link: https://github.com/elastic/integrations/pull/2542 - - description: Make order of options consistent with other winlog based integrations. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2542 -- version: "0.2.0" - changes: - - description: Expose winlog input language option. - type: enhancement - link: https://github.com/elastic/integrations/pull/2344 -- version: "0.1.0" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/2009 diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/agent/stream/winlog.yml.hbs b/packages/microsoft_sqlserver/1.1.0/data_stream/audit/agent/stream/winlog.yml.hbs deleted file mode 100755 index ed053196d1..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -name: {{channel}} -condition: ${host.platform} == 'windows' -event_id: {{event_id}} -{{#if ignore_older}} -ignore_older: {{ignore_older}} -{{/if}} -{{#if language}} -language: {{language}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if preserve_original_event}} -include_xml: true -{{/if}} -{{#if processors.length}} -processors: -{{processors}} -{{/if}} diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1c21df6a8a..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,1280 +0,0 @@ ---- -description: Pipeline for processing SQL Server audit logs -processors: -- set: - field: ecs.version - value: 8.2.0 -- gsub: - description: Strip final dot from param1. - field: winlog.event_data.param1 - pattern: '(?m)^\.$' - replacement: '' - if: ctx?.winlog?.event_id == "33205" -- dissect: - description: Extract statement - pattern: "%{}statement:%{_temp.stmt}\nadditional_information:%{}" - field: winlog.event_data.param1 -- gsub: - field: winlog.event_data.param1 - pattern: 'statement:(.*\s)*(?=additional_information:)' - replacement: '' -- kv: - field: winlog.event_data.param1 - field_split: \n - value_split: ':' - target_field: sqlserver.audit - trim_key: \n - trim_value: \n -- set: - field: sqlserver.audit.statement - copy_from: _temp.stmt -- set: - field: log.level - copy_from: winlog.log.level - ignore_empty_value: true - if: ctx?.winlog?.log?.level != "" -- date: - field: sqlserver.audit.event_time - formats: - - "yyyy-MM-dd HH:mm:ss.SSSSSSS" -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -## -# Event kind, code and action -## -- set: - field: event.kind - value: event -- append: - field: event.category - value: database -- trim: - field: sqlserver.audit.action_id - ignore_missing: true -- trim: - field: sqlserver.audit.class_type - ignore_missing: true -- uppercase: - field: sqlserver.audit.action_id - ignore_missing: true -- uppercase: - field: sqlserver.audit.class_type - ignore_missing: true -- script: - lang: painless - description: The script processor enables setting event type, action and category based on action_id and class_type fields. 
- params: - classtypes: - "DB": "DATABASE" - "OB": "OBJECT" - "TY": "TYPE" - "SC": "SCHEMA" - "SX": "XML SCHEMA COLLECTION" - "AS": "ASSEMBLY" - "US": "USER" - "RL": "ROLE" - "AR": "APPLICATION ROLE" - "MT": "MESSAGE TYPE" - "CT": "CONTRACT" - "SV": "SERVICE" - "BN": "REMOTE SERVICE BINDING" - "RT": "ROUTE" - "FC": "FULLTEXT CATALOG" - "FL": "FULLTEXT STOPLIST" - "FP": "SEARCH PROPERTY LIST" - "SK": "SYMMETRIC KEY" - "CR": "CERTIFICATE" - "AK": "ASYMMETRIC KEY" - "DC": "DATABASE SCOPED CREDENTIAL" - "EL": "EXTERNAL LIBRARY" - "LA": "EXTERNAL LANGUAGE" - "SR": "SERVER" - "EP": "ENDPOINT" - "SG": "SERVER ROLE" - "AG": "AVAILABILITY GROUP" - "LX": "LOGIN" - "CK": "COLUMN ENCRYPTION KEY" - "CM": "COLUMN MASTER KEY" - "DA": "DATABASE AUDIT SPECIFICATION" - "DU": "AUDIT" - "DS": "DATABASE SCOPED CONFIGURATION" - "DR": "DATABASE SCOPED RESOURCE GOVERNOR" - "DN": "EVENT NOTIFICATION DATABASE" - "DT": "TRIGGER DATABASE" - "MK": "MASTER KEY" - "DK": "DATABASE ENCRYPTION KEY" - "ON": "EVENT NOTIFICATION OBJECT" - "PF": "PARTITION FUNCTION" - "PR": "BROKER PRIORITY" - "PS": "PARTITION SCHEME" - "DE": "DATABASE EVENT SESSION" - "AQ": "ADHOC QUERY" - "AF": "AGGREGATE" - "AP": "Undocumented" - "C": "CHECK CONSTRAINT" - "D": "DEFAULT" - "EC": "EDGE CONSTRAINT" - "EN": "EVENT NOTIFICATION" - "F": "FOREIGN KEY CONSTRAINT" - "FS": "FUNCTION SCALAR ASSEMBLY" - "FT": "FUNCTION TABLE-VALUED ASSEMBLY" - "FN": "FUNCTION SCALAR SQL" - "IX": "INDEX" - "IF": "FUNCTION TABLE-VALUED INLINE SQL" - "IS": "FUNCTION SCALAR INLINE SQL" - "IT": "INTERNAL TABLE" - "PQ": "PREPARED ADHOC QUERY" - "PK": "PRIMARY KEY" - "P": "STORED PROCEDURE" - "PC": "STORED PROCEDURE ASSEMBLY" - "RF": "STORED PROCEDURE REPLICATION FILTER" - "R": "RULE" - "SP": "SECURITY POLICY" - "SO": "SEQUENCE OBJECT" - "ST": "STATISTICS" - "SQ": "QUEUE" - "SN": "SYNONYM" - "S": "TABLE SYSTEM" - "TF": "FUNCTION TABLE-VALUED SQL" - "TA": "TRIGGER ASSEMBLY" - "TR": "TRIGGER" - "UQ": "UNIQUE CONSTRAINT" - "U": "TABLE" - "V": "VIEW" - 
"X": "STORED PROCEDURE EXTENDED" - "XR": "XREL TREE" - "AU": "ASYMMETRIC KEY USER" - "CU": "CERTIFICATE USER" - "GU": "GROUP USER" - "SU": "SQL USER" - "WU": "WINDOWS USER" - "XU": "EXTERNAL USER" - "PU": "EXTERNAL GROUP USER" - "A": "SERVER AUDIT" - "CD": "CREDENTIAL" - "CP": "CRYPTOGRAPHIC PROVIDER" - "ED": "EXTERNAL DATA SOURCE" - "EF": "EXTERNAL FILE FORMAT" - "RG": "RESOURCE GOVERNOR" - "SA": "SERVER AUDIT SPECIFICATION" - "SD": "EVENT NOTIFICATION SERVER" - "T": "TRIGGER SERVER" - "SE": "EVENT SESSION" - "CO": "SERVER CONFIG" - "AL": "ASYMMETRIC KEY LOGIN" - "CL": "CERTIFICATE LOGIN" - "SL": "SQL LOGIN" - "WG": "WINDOWS GROUP" - "WL": "WINDOWS LOGIN" - "ER": "EXTERNAL RESOURCE POOL" - "EX": "EXTERNAL SCRIPT QUERY" - "PL": "EXTERNAL GROUP LOGIN" - "XL": "EXTERNAL LOGIN" - actions: - "ACDO": - value: "DATABASE_OBJECT_ACCESS_GROUP" - type: - - access - action: database-object-accessed - "ACO": - value: "SCHEMA_OBJECT_ACCESS_GROUP" - type: - - access - action: schema-object-permission-checked - "ADBO": - value: "BULK ADMIN" - type: - - change - action: bulk-admin-operation - "ADDP": - value: "DATABASE_ROLE_MEMBER_CHANGE_GROUP" - type: - - admin - - change - - user - category: - - iam - action: login-changed-from-database-role - "ADFR": - # SQL 2019 feature to tackle dynamic SQL - # and SQL injection threats. By restricting - # ErrorMessages and WaitFor statement. 
- value: "ADD FEATURE RESTRICTION" - type: - - info - action: add-feature-restriction - "ADSC": - value: "ADD SENSITIVITY CLASSIFICATION" - type: - - change - action: add-sensitivity-classification-to-db-columns - "ADSP": - value: "SERVER_ROLE_MEMBER_CHANGE_GROUP" - type: - - admin - - change - - user - category: - - iam - action: login-changed-from-server-role - "AL": - value: "ALTER" - type: - - change - action: alter-object - "ALCN": - value: "ALTER CONNECTION" - type: - - change - - connection - category: - - network - action: alter-connection - "ALRS": - value: "ALTER RESOURCES" - type: - - change - action: alter-resources - "ALSS": - value: "ALTER SERVER STATE" - type: - - change - action: alter-server-state - "ALST": - value: "ALTER SETTINGS" - type: - - change - category: - - configuration - action: alter-settings - "ALTR": - value: "ALTER TRACE" - type: - - change - action: alter-trace - "APRL": - value: "ADD MEMBER" - type: - - change - action: add-member - "AS": - value: "ACCESS" - type: - - access - action: access-object - "AUSC": - # To troubleshoot what goes on after this event - # configure login auditing - # https://docs.microsoft.com/en-us/sql/ssms/configure-login-auditing-sql-server-management-studio - value: "AUDIT SESSION CHANGED" - type: - - change - action: audit-session-changed - "AUSF": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/create-server-audit-transact-sql - # See ON_FAILURE - value: "AUDIT SHUTDOWN ON FAILURE" - type: - - error - action: audit-write-failed-database-shutdown - "AUTH": - # Changing authentication mode for login - value: "AUTHENTICATE" - type: - - info - action: authenticate - "BA": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/backup-transact-sql - value: "BACKUP" - type: - - info - action: database-backup-executed - "BAL": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/backup-transact-sql - value: "BACKUP LOG" - type: - - info - action: transaction-log-backup-executed - "BCM": - 
value: "BATCH COMPLETED" - type: - - info - action: transact-sql-batch-completed - "BCMG": - value: "BATCH_COMPLETED_GROUP" - type: - - info - action: batch-text-stored-proc-or-txn-mgmt-op-ended - "BRDB": - value: "BACKUP_RESTORE_GROUP" - type: - - admin - action: backup-or-restore-command-issued - "BST": - value: "BATCH STARTED" - type: - - info - action: transact-sql-batch-started - "BSTG": - value: "BATCH_STARTED_GROUP" - type: - - info - action: batch-text-stored-proc-txn-mgmt-op-started - "C2OF": - # https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/c2-audit-mode-server-configuration-option - value: "TRACE AUDIT C2OFF" - type: - - change - action: c2-audit-mode-server-config-off - "C2ON": - value: "TRACE AUDIT C2ON" - type: - - info - action: c2-audit-mode-server-config-on - "CCLG": - value: "CHANGE LOGIN CREDENTIAL" - type: - - change - action: change-login-credential - "CMLG": - value: "CREDENTIAL MAP TO LOGIN" - type: - - change - action: credential-mapped-to-sql-server-login - "CNAU": - value: "AUDIT_CHANGE_GROUP" - type: - - change - action: audit-or-audit-spec-changed - "CO": - # nodoc or TSQL - value: "CONNECT" - type: - - info - action: connect - "CP": - value: "CHECKPOINT" - type: - - info - action: checkpoint-created - "CR": - value: "CREATE" - type: - - info - action: create - "DABO": - # bulk ops like bulk insert, copy, load - # and so on. - value: "DATABASE BULK ADMIN" - type: - - change - action: database-bulk-admin - "DAGF": - # principal login to contained database failed. 
- # https://docs.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable - value: "FAILED_DATABASE_AUTHENTICATION_GROUP" - type: - - error - action: principal-login-failed - "DAGL": - value: "DATABASE_LOGOUT_GROUP" - type: - - info - - end - category: - - session - action: contained-database-user-logout - "DAGS": - value: "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP" - type: - - info - - start - category: - - session - action: principal-login-to-contained-database-successful - "DBAF": - # nodoc - value: "DATABASE AUTHENTICATION FAILED" - type: - - error - action: database-authentication-failed - "DBAS": - value: "DATABASE AUTHENTICATION SUCCEEDED" - type: - - access - - info - action: database-authentication-succeeded - "DBCC": - # https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-transact-sql - value: "DBCC" - type: - - change - category: - - configuration - action: principal-issued-dbcc-command - "DBCG": - value: "DBCC_GROUP" - type: - - change - category: - - configuration - action: principal-issued-dbcc-command - "DBL": - # nodoc - value: "DATABASE LOGOUT" - type: - - end - category: - - session - action: database-logout - "D": - # TSQL - value: "DENY" - type: - - info - action: permission-denied-to-principal - "DL": - # nodoc - # TSQL DELETE - value: "DELETE" - type: - - change - action: delete - "DPRL": - # ? https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-droprolemember-transact-sql - value: "DROP MEMBER" - type: - - info - action: drop-security-account-from-role - "DR": - value: "DROP" - type: - - change - action: drop-object - "DRFR": - # SQL 2019 feature to tackle dynamic SQL - # and SQL injection threats. By restricting - # ErrorMessages and WaitFor statement. 
- value: "DROP FEATURE RESTRICTION" - type: - - change - action: drop-feature-restriction - "DRSC": - value: "DROP SENSITIVITY CLASSIFICATION" - type: - - change - action: drop-sensitivity-classification-from-db-columns - "DWC": - # TSQL - value: "DENY WITH CASCADE" - type: - - change - action: permission-denied-with-cascade - "EX": - value: "EXECUTE" - type: - - info - action: execute-stored-proc-or-function - "FRCG": - # nodoc - # 2019 feature see ADFR and DRFR - value: "FEATURE_RESTRICTION_CHANGE_GROUP" - type: - - change - action: feature-restriction-changed - "FT": - # nodoc - # using FTG - value: "FULLTEXT" - type: - - info - action: fulltext-event-occurred - "FTG": - value: "FULLTEXT_GROUP" - type: - - info - action: fulltext-event-occurred - "G": - # TSQL - value: "GRANT" - type: - - info - action: grant-permission-to-principal - "GRDB": - value: "DATABASE_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission - "GRDO": - value: "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-schema-or-assemblies - "GRO": - # schema objects like database tables, views etc. 
- value: "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-schema-objects - "GRSO": - value: "SERVER_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-server-objects - "GRSV": - value: "SERVER_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-issued-in-server-scope - "GWG": - # TSQL - value: "GRANT WITH GRANT" - type: - - info - action: grant-with-grant-issued-to-principal - "IMDP": - value: "DATABASE_PRINCIPAL_IMPERSONATION_GROUP" - type: - - info - action: database-user-impersonation-occurred - "IMP": - # nodoc - # using IMDP - value: "IMPERSONATE" - type: - - info - action: database-user-impersonation-occurred - "IMSP": - value: "SERVER_PRINCIPAL_IMPERSONATION_GROUP" - type: - - user - action: server-login-impersonation-occurred - "IN": - value: "INSERT" - type: - - info - action: insert - "LGB": - # nodoc - # using LGBG - value: "BROKER LOGIN" - type: - - info - action: service-broker-transport-security-event - "LGBG": - value: "BROKER_LOGIN_GROUP" - type: - - info - action: service-broker-transport-security-event - "LGDA": - # Can be disable trigger or indexes and constraints - value: "DISABLE" - type: - - change - action: disable - "LGDB": - value: "CHANGE DEFAULT DATABASE" - type: - - change - action: change-default-database - "LGEA": - value: "ENABLE" - type: - - info - action: enable - "LGFL": - value: "FAILED_LOGIN_GROUP" - type: - - error - category: - - authentication - action: principal-login-failed - "LGGG": - # nodoc - value: "GLOBAL_TRANSACTIONS_LOGIN_GROUP" - type: - - info - action: global-transactions-login - "LGG": - # nodoc - # https://www.manageengine.com/products/eventlog/sql-auditing/global-transaction-login-in-sql-server-24337.html - value: "GLOBAL TRANSACTIONS LOGIN" - type: - - info - action: global-transactions-login - "LGIF": - value: "LOGIN FAILED" - type: - - error - category: - - authentication - 
action: login-failed - "LGIS": - value: "LOGIN SUCCEEDED" - type: - - info - - start - category: - - session - action: login-succeeded - "LGLG": - value: "CHANGE DEFAULT LANGUAGE" - type: - - change - action: change-default-language - "LGM": - # using LGMG - value: "DATABASE MIRRORING LOGIN" - type: - - info - action: database-mirroring-transport-security-event - "LGMG": - value: "DATABASE_MIRRORING_LOGIN_GROUP" - type: - - info - action: database-mirroring-transport-security-event - "LGNM": - value: "NAME CHANGE" - type: - - change - action: name-change - "LGO": - value: "LOGOUT" - type: - - end - category: - - session - action: logout - "LGSD": - value: "SUCCESSFUL_LOGIN_GROUP" - type: - - info - - start - category: - - session - action: user-login-succeeded - "LGSG": - # nodoc - value: "STORAGE_LOGIN_GROUP" - type: - - info - action: storage-login - "LGS": - # nodoc - value: "STORAGE LOGIN" - type: - - info - action: storage-login - "LO": - value: "LOGOUT_GROUP" - type: - - info - - end - category: - - session - action: user-logout-succeeded - "MNDB": - value: "DATABASE_CHANGE_GROUP" - type: - - change - action: database-created-altered-or-dropped - "MNDO": - value: "DATABASE_OBJECT_CHANGE_GROUP" - type: - - change - action: database-object-created-altered-or-dropped - "MNDP": - value: "DATABASE_PRINCIPAL_CHANGE_GROUP" - type: - - change - action: principals-created-altered-or-dropped - "MNO": - value: "SCHEMA_OBJECT_CHANGE_GROUP" - type: - - change - action: schema-object-create-alter-or-dropped - "MNSO": - # server objects like databases or endpoints - value: "SERVER_OBJECT_CHANGE_GROUP" - type: - - change - action: server-object-create-alter-or-dropped - "MNSP": - value: "SERVER_PRINCIPAL_CHANGE_GROUP" - type: - - change - action: server-principal-create-alter-or-dropped - "NMLG": - # no credential map to login probably unable to execute - # external operation - # 
https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-credential - value: "NO CREDENTIAL MAP TO LOGIN" - type: - - error - action: no-credential-map-to-login - "OPDB": - value: "DATABASE_OPERATION_GROUP" - type: - - info - action: db-checkpoint-or-subscribe-query-notification-executed - "OP": - # open cursor - value: "OPEN" - type: - - access - action: open - "OPSV": - value: "SERVER_OPERATION_GROUP" - type: - - change - action: alter-settings-resources-or-external-access - "PWAR": - value: "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP" - type: - - change - action: password-changed-for-application-role - "PWC": - # nodoc - # using PWAR - value: "CHANGE PASSWORD" - type: - - change - action: password-changed-for-application-role - "PWCG": - value: "LOGIN_CHANGE_PASSWORD_GROUP" - type: - - change - action: login-password-changed-via-alter-or-sp-password - "PWCS": - # nodoc - value: "CHANGE OWN PASSWORD" - type: - - change - action: change-own-password - "PWEX": - # nodoc - value: "PASSWORD EXPIRATION" - type: - - info - action: password-expired - "PWMC": - # nodoc - value: "MUST CHANGE PASSWORD" - type: - - info - action: must-change-password - "PWPL": - # nodoc - value: "PASSWORD POLICY" - type: - - info - action: password-policy - "PWR": - # nodoc - value: "RESET PASSWORD" - type: - - change - action: reset-password - "PWRS": - # nodoc - value: "RESET OWN PASSWORD" - type: - - change - action: reset-own-password - "PWU": - # TSQL ALTER LOGIN UNLOCK - value: "UNLOCK ACCOUNT" - type: - - change - action: unlock-sql-server-login-account - "RCM": - value: "RPC COMPLETED" - type: - - end - category: - - network - action: rpc-completed - "RC": - value: "RECEIVE" - type: - - access - action: retrieve-message-from-queue - "RF": - value: "REFERENCES" - type: - - info - action: references - "R": - value: "REVOKE" - type: - - change - action: remove-granted-or-denied-permission - "RS": - value: "RESTORE" - type: - - change - action: 
restore-database-backup - "RST": - value: "RPC STARTED" - type: - - start - category: - - network - action: rpc-started - "RWC": - value: "REVOKE WITH CASCADE" - type: - - change - action: revoke-granted-or-denied-permission-with-cascade - "RWG": - value: "REVOKE WITH GRANT" - type: - - change - action: revoke-with-grant - "SCCG": - # sensitivity classification for columns - # https://docs.microsoft.com/en-us/sql/t-sql/statements/add-sensitivity-classification-transact-sql - value: "SENSITIVITY_CLASSIFICATION_CHANGE_GROUP" - type: - - change - action: sensitivity-classification-changed - "SL": - value: "SELECT" - type: - - access - action: select - "SN": - value: "SEND" - type: - - access - action: send-message-to-queue - "SPLN": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/set-showplan-all-transact-sql - value: "SHOW PLAN" - type: - - info - action: show-plan - "STSV": - value: "SERVER_STATE_CHANGE_GROUP" - type: - - info - action: server-service-state-changed - "SUQN": - value: "SUBSCRIBE QUERY NOTIFICATION" - type: - - info - action: subscribe-query-notification - "SVCN": - value: "SERVER CONTINUE" - type: - - change - action: server-service-state-changed-to-continue - "SVPD": - value: "SERVER PAUSED" - type: - - change - action: server-service-state-changed-to-paused - "SVSD": - value: "SERVER SHUTDOWN" - type: - - change - action: server-service-state-changed-to-shutdown - "SVSR": - value: "SERVER STARTED" - type: - - change - action: server-service-state-changed-to-start - "TASA": - # nodoc - value: "TRACE AUDIT START" - type: - - info - action: trace-audit-start - "TASP": - # nodoc - value: "TRACE AUDIT STOP" - type: - - info - action: trace-audit-stop - "TODB": - value: "DATABASE_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: permission-check-performed-to-change-database-owner - "TODO": - value: "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: database-object-owner-changed - "TOO": - value: 
"SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - info - action: permission-check-performed-to-change-schema-object - "TOSO": - value: "SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: server-scoped-object-owner-changed - "TO": - # nodoc - value: "TAKE OWNERSHIP" - type: - - info - action: take-ownership - "TRBC": - value: "TRANSACTION BEGIN COMPLETED" - type: - - info - action: transaction-begin-completed - "TRBS": - value: "TRANSACTION BEGIN STARTING" - type: - - info - action: transaction-begin-starting - "TRCC": - value: "TRANSACTION COMMIT COMPLETED" - type: - - info - action: transaction-commit-completed - "TRCG": - value: "TRACE_CHANGE_GROUP" - type: - - info - action: permission-checked-for-alter-trace - "TRCS": - value: "TRANSACTION COMMIT STARTING" - type: - - info - action: transaction-commit-starting - "TRGC": - value: "TRANSACTION PROPAGATE COMPLETED" - type: - - info - action: transaction-propogation-completed - "TRGS": - value: "TRANSACTION PROPAGATE STARTING" - type: - - info - action: transaction-propogation-starting - "TRO": - value: "TRANSFER" - type: - - info - action: data-transfer - "TRPC": - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration-data-access-transactions/transaction-promotion - value: "TRANSACTION PROMOTE COMPLETED" - type: - - info - action: local-to-distributed-transaction-promote-completed - "TRPS": - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration-data-access-transactions/transaction-promotion - value: "TRANSACTION PROMOTE STARTING" - type: - - info - action: local-to-distributed-transaction-promote-starting - "TRRC": - value: "TRANSACTION ROLLBACK COMPLETED" - type: - - info - action: transaction-rollback-completed - "TRRS": - value: "TRANSACTION ROLLBACK STARTING" - type: - - info - action: transaction-rollback-starting - "TRSC": - value: "TRANSACTION SAVEPOINT COMPLETED" - type: - - info - action: transaction-savepoint-completed - "TRSS": - value: 
"TRANSACTION SAVEPOINT STARTING" - type: - - info - action: transaction-savepoint-starting - "TXBG": - value: "TRANSACTION BEGIN" - type: - - info - action: transaction-begin - "TXCG": - value: "TRANSACTION_COMMIT_GROUP" - type: - - info - action: transaction-commit-group-event - "TXCM": - value: "TRANSACTION COMMIT" - type: - - info - action: transaction-commit - "TXGG": - value: "TRANSACTION_BEGIN_GROUP" - type: - - info - action: transaction-begin-group-event - "TXRB": - value: "TRANSACTION ROLLBACK" - type: - - info - action: transaction-rollback - "TXRG": - value: "TRANSACTION_ROLLBACK_GROUP" - type: - - info - action: transaction-rollback-group - "TX": - value: "TRANSACTION_GROUP" - type: - - info - action: transaction-event-occurred - "UCGP": - value: "USER_CHANGE_PASSWORD_GROUP" - type: - - change - action: password-of-contained-database-user-changed - "UDAG": - value: "USER_DEFINED_AUDIT_GROUP" - type: - - info - action: user-defined-audit-event-sp-audit-write - "UDAU": - value: "USER DEFINED AUDIT" - type: - - info - action: user-defined-audit-event-sp-audit-write - "UNDG": - value: "STATEMENT_ROLLBACK_GROUP" - type: - - info - action: statement-rollback-group - "UNDO": - value: "STATEMENT ROLLBACK" - type: - - info - action: statement-rollback - "UP": - value: "UPDATE" - type: - - change - action: update - "USAF": - value: "CHANGE USERS LOGIN AUTO" - type: - - change - action: change-users-login-auto - "USLG": - value: "CHANGE USERS LOGIN" - type: - - change - action: change-users-login - "USTC": - # https://docs.microsoft.com/en-us/troubleshoot/sql/security/transfer-logins-passwords-between-instances - value: "COPY PASSWORD" - type: - - info - action: password-copied - "VDST": - value: "VIEW DATABASE STATE" - type: - - info - action: view-database-state - "VSST": - value: "VIEW SERVER STATE" - type: - - info - action: view-server-state - "VWCT": - value: "VIEW CHANGETRACKING" - type: - - info - action: view-change-tracking - "VW": - value: "VIEW" - 
type: - - info - action: view - "XA": - # see EXTERNAL_ACCESS - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/assemblies/creating-an-assembly - value: "EXTERNAL ACCESS ASSEMBLY" - type: - - access - category: - - network - - registry - action: external-access-assembly - "XU": - # see UNSAFE - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/assemblies/creating-an-assembly - value: "UNSAFE ASSEMBLY" - type: - - access - action: unsafe-assembly - source: |- - def actionIdKey = ctx.sqlserver.audit.action_id; - def actions = params.get('actions'); - def classTypes = params.get('classtypes'); - // handle class type - // overwrite the abbreviated key with its value - def ct = classTypes.get(ctx.sqlserver.audit.class_type); - if (ct != null) { - ctx.sqlserver.audit.class_type = ct; - } - // error case - for unhandled action ids - def actionData = actions.get(actionIdKey); - if (actionData == null) { - ctx.event.action = 'unknown-' + actionIdKey.toLowerCase(); - ctx.event.type = ['info']; - return; - } - // overwrite the action id with its actual value - ctx.sqlserver.audit.action_id = actionData.get('value'); - // event.type - def actionType = actionData.get('type'); - if (actionType != null) { - ctx.event.type = new ArrayList(actionType); - } - // event.category - def actionCategory = actionData.get('category'); - if (actionCategory != null) { - for (def c : actionCategory) { - ctx.event.category.add(c); - } - } - // event.action - def action = actionData.get('action'); - if (action != null) { - ctx.event.action = action; - } -- convert: - field: sqlserver.audit.sequence_number - type: integer - ignore_missing: true -- convert: - field: sqlserver.audit.succeeded - type: boolean - ignore_missing: true -- convert: - field: sqlserver.audit.affected_rows - type: long - ignore_missing: true -- convert: - field: sqlserver.audit.response_rows - type: long - ignore_missing: true -- convert: - field: 
sqlserver.audit.is_column_permission - type: boolean - ignore_missing: true -- script: - lang: painless - description: Convert ms to ns and set it to event.duration - source: |- - def v = ctx?.sqlserver?.audit?.duration_milliseconds; - if (v != null) { - ctx.event.duration = Long.parseLong(v) * 1000000; - } -- rename: - field: winlog.process - target_field: process - ignore_missing: true -## -# Set user.name, user.domain and user.id values from -# SPN -## -- dissect: - description: Extract user domain and name - pattern: "%{_temp.domain}\\%{_temp.username}" - field: sqlserver.audit.server_principal_name - if: 'ctx?.sqlserver?.audit?.server_principal_name != null && ctx?.sqlserver?.audit?.server_principal_name.contains("\\")' - ignore_missing: true -- set: - description: Set username as is if domain is not present - field: user.name - copy_from: sqlserver.audit.server_principal_name - if: 'ctx?.sqlserver?.audit?.server_principal_name != null && !ctx?.sqlserver?.audit?.server_principal_name.contains("\\")' -- set: - description: Set username if it was extracted from Domain\User format - field: user.name - copy_from: _temp.username - if: "ctx?._temp?.username != null" -- set: - description: Set domain if it was extracted from Domain\User format - field: user.domain - copy_from: _temp.domain - if: "ctx?._temp?.domain != null" -- set: - field: user.id - copy_from: sqlserver.audit.server_principal_sid -- set: - field: user.target.name - copy_from: sqlserver.audit.target_server_principal_name -- set: - field: user.target.id - copy_from: sqlserver.audit.target_server_principal_sid - -- convert: - field: winlog.record_id - type: string - ignore_missing: true -## -# Clean up -## -- remove: - field: - - _temp - - winlog.event_data.param1 - - sqlserver.audit.event_time - - sqlserver.audit.additional_information - - sqlserver.audit.duration_milliseconds - - sqlserver.audit.server_principal_name - - sqlserver.audit.server_principal_sid - - 
sqlserver.audit.target_server_principal_name - - sqlserver.audit.target_server_principal_sid - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/base-fields.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/ecs.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 523f9134da..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. 
- May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Thread ID. - name: process.thread.id - type: long -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/fields.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index 7985824ba4..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,139 +0,0 @@
-- name: sqlserver
- type: group
- description: All fields specific to SQL Server events
- fields:
- - name: audit
- type: group
- description: All fields specific to SQL Server audit events.
- fields:
- - name: audit_schema_version
- type: keyword
- description: Audit event schema version.
- - name: event_time
- type: date
- description: Date/time when the auditable action is fired.
- - name: sequence_number
- type: integer
- description: >
- Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits.
-
- - name: action_id
- type: keyword
- description: ID of the action
- - name: succeeded
- type: boolean
- description: >
- Indicates whether or not the permission check of the action triggering the audit event succeeded or failed.
-
- - name: permission_bitmask
- type: keyword
- description: >
- When applicable shows the permissions that were granted, denied or revoked.
-
- - name: is_column_permission
- type: boolean
- description: Flag indicating a column level permission
- - name: session_id
- type: integer
- description: ID of the session on which the event occurred.
- - name: server_principal_id
- type: keyword
- description: ID of the login context that the action is performed in.
- - name: database_principal_id
- type: keyword
- description: ID of the database user context that the action is performed in.
- - name: object_id
- type: keyword
- description: >
- "The primary ID of the entity on which the audit occurred. This ID can be one of server objects, databases, database objects or schema objects."
-
- - name: target_server_principal_id
- type: keyword
- description: Server principal that the auditable action applies to.
- - name: target_database_principal_id
- type: keyword
- description: Database principal that the auditable action applies to.
- - name: class_type
- type: keyword
- description: Type of auditable entity that the audit occurs on.
- - name: session_server_principal_name
- type: keyword
- description: Server principal for the session.
- - name: server_principal_name
- type: keyword
- description: Current login.
- - name: server_principal_sid
- type: keyword
- description: Current login SID.
- - name: database_principal_name
- type: keyword
- description: Current user.
- - name: target_server_principal_name
- type: keyword
- description: Target login of the action.
- - name: target_server_principal_sid
- type: keyword
- description: SID of the target login.
- - name: target_database_principal_name
- type: keyword
- description: Target user of the action.
- - name: server_instance_name
- type: keyword
- description: >
- "Name of the server instance where the audit occurred. Uses the standard machine\\instance format."
-
- - name: database_name
- type: keyword
- description: The database context in which the action occurred.
- - name: schema_name
- type: keyword
- description: The schema context in which the action occurred.
- - name: object_name
- type: keyword
- description: >
- "The name of the entity on which the audit occurred. This can be server objects, databases, database objects, schema objects or TSQL statement (if any)."
-
- - name: statement
- type: text
- description: "TSQL statement (if any)"
- - name: additional_information
- type: text
- description: Any additional information about the event stored as XML.
- - name: affected_rows
- type: long
- description: Number of rows affected by the operation.
- - name: application_name
- type: keyword
- description: Name of the application that caused the audit event.
- - name: client_ip
- type: keyword
- description: >
- "Name or IP address of the machine running the application that caused the audit event."
-
- - name: connection_id
- type: keyword
- description: Connection ID (unique UUID for the connection)
- - name: data_sensitivity_information
- type: keyword
- description: Sensitivity information about the operation.
- - name: duration_milliseconds
- type: long
- description: Duration of the operation in milliseconds.
- - name: host_name
- type: keyword
- description: SQL Server host name.
- - name: response_rows
- type: long
- description: Number of rows returned.
- - name: sequence_group_id
- type: keyword
- description: Sequence group ID (unique UUID).
- - name: transaction_id
- type: keyword
- description: Transaction ID
- - name: user_defined_event_id
- type: integer
- description: User defined event ID.
- - name: user_defined_information
- type: text
- description: User defined information
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/winlog.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/winlog.yml
deleted file mode 100755
index 075d40345d..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/fields/winlog.yml
+++ /dev/null
@@ -1,155 +0,0 @@
-- name: winlog
- type: group
- description: >
- All fields specific to the Windows Event Log are defined here.
-
- fields:
- - name: api
- required: true
- type: keyword
- description: >
- The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
-
- The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
-
- - name: activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
-
- - name: computer_name
- type: keyword
- required: true
- description: >
- The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
-
- - name: event_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
-
- - name: event_data
- type: group
- description: >
- This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
-
- fields:
- - name: param1
- type: keyword
- - name: param2
- type: keyword
- - name: param3
- type: keyword
- - name: param4
- type: keyword
- - name: param5
- type: keyword
- - name: param6
- type: keyword
- - name: param7
- type: keyword
- - name: param8
- type: keyword
- - name: event_id
- type: keyword
- required: true
- description: >
- The event identifier. The value is specific to the source of the event.
-
- - name: keywords
- type: keyword
- required: false
- description: >
- The keywords are used to classify an event.
-
- - name: channel
- type: keyword
- required: true
- description: >
- The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
-
- - name: record_id
- type: keyword
- required: true
- description: >
- The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
-
- - name: related_activity_id
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
-
- - name: opcode
- type: keyword
- required: false
- description: >
- The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
-
- - name: provider_guid
- type: keyword
- required: false
- description: >
- A globally unique identifier that identifies the provider that logged the event.
-
- - name: process.pid
- type: long
- required: false
- description: >
- The process_id of the Client Server Runtime Process.
-
- - name: provider_name
- type: keyword
- required: true
- description: >
- The source of the event log record (the application or service that logged the record).
-
- - name: task
- type: keyword
- required: false
- description: >
- The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
-
- - name: process.thread.id
- type: long
- required: false
- - name: user_data
- type: object
- object_type: keyword
- required: false
- description: >
- The event specific data. This field is mutually exclusive with `event_data`.
-
- - name: user.identifier
- type: keyword
- required: false
- example: S-1-5-21-3541430928-2051711210-1391384369-1001
- description: >
- The Windows security identifier (SID) of the account associated with this event.
-
- If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
-
- - name: user.name
- type: keyword
- description: >
- Name of the user associated with this event.
-
- - name: user.domain
- type: keyword
- required: false
- description: >
- The domain that the account associated with this event is a member of.
-
- - name: user.type
- type: keyword
- required: false
- description: >
- The type of account associated with this event.
-
- - name: version
- type: long
- required: false
- description: The version number of the event's definition.
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/manifest.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/audit/manifest.yml
deleted file mode 100755
index da4c3838e1..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,62 +0,0 @@ -title: "SQL Server audit events" -type: logs -streams: - - input: winlog - title: SQL Server audit events from Windows event logs - description: Collect SQL Server audit events from the Windows event logs - template_path: winlog.yml.hbs - vars: - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: >- - Preserves a raw copy of the original XML event, added to the field `event.original` - type: bool - multi: false - default: false - - name: event_id - type: text - title: Event ID - multi: false - required: false - show_user: false - description: >- - Defaults to 33205. Change the default only if SQL Server uses another documented event ID for audits. Setting a value other than an SQL Server audit event ID will cause the package to malfunction. A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 33205), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs. - default: 33205 - - name: channel - description: Channel name where audit events are configured to be sent. - type: text - title: Channel - multi: false - required: true - default: Security - show_user: true - - name: ignore_older - type: text - title: Ignore events older than - default: 72h - required: false - show_user: false - description: >- - If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - - name: language - type: text - title: Language ID - description: >- - The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. 
It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US
- required: false
- show_user: false
- default: 0
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/agent/stream/stream.yml.hbs b/packages/microsoft_sqlserver/1.1.0/data_stream/performance/agent/stream/stream.yml.hbs
deleted file mode 100755
index d7007a3cc1..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-metricsets: ["query"]
-# Specify hosts in the below format. TODO: hosts need to be updated to support multiple entries.
-hosts:
- - sqlserver://{{username}}:{{password}}@{{hosts}}:{{port}}
-period: {{period}}
-raw_data.enabled: true
-# Below dynamic_counter_name handles the dynamic counter name passing it to SQL query
-dynamic_counter_name: {{dynamic_counter_name}}
-driver: "mssql"
-sql_queries:
- - query: "SELECT cntr_value As 'user_connections' FROM sys.dm_os_performance_counters WHERE counter_name= 'User Connections'"
- response_format: table
- - query: "SELECT cntr_value As 'active_temp_tables' FROM sys.dm_os_performance_counters WHERE counter_name = 'Active Temp Tables' AND object_name like '%General Statistics%'"
- response_format: table
- - query: "SELECT cntr_value As 'buffer_cache_hit_ratio' FROM sys.dm_os_performance_counters WHERE counter_name = 'Buffer cache hit ratio' AND object_name like '%Buffer Manager%'"
- response_format: table
- - query: "SELECT cntr_value As 'page_splits_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Page splits/sec'"
- response_format: table
- - query: "SELECT cntr_value As 'lock_waits_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Lock Waits/sec' AND instance_name = '_Total'"
- response_format: table
- - query: "SELECT cntr_value As 'compilations_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'SQL Compilations/sec'"
- response_format: table
- - query: "SELECT cntr_value As 'batch_requests_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Batch Requests/sec'"
- response_format: table
- - query: "SELECT cntr_value As 'buffer_checkpoint_pages_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Checkpoint pages/sec' AND object_name like '%Buffer Manager%'"
- response_format: table
- - query: "SELECT cntr_value As 'buffer_database_pages' FROM sys.dm_os_performance_counters WHERE counter_name = 'Database pages' AND
object_name like '%Buffer Manager%'"
- response_format: table
- - query: "SELECT cntr_value As 'buffer_page_life_expectancy' FROM sys.dm_os_performance_counters WHERE counter_name = 'Page life expectancy' AND object_name like '%Buffer Manager%'"
- response_format: table
- - query: "SELECT cntr_value As 'buffer_target_pages' FROM sys.dm_os_performance_counters WHERE counter_name = 'Target pages' AND object_name like '%Buffer Manager%'"
- response_format: table
- - query: "SELECT cntr_value As 'connection_reset_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Connection Reset/sec' AND object_name like '%Buffer Manager%'"
- response_format: table
- - query: "SELECT cntr_value As 'logins_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Logins/sec' AND object_name like '%General Statistics%'"
- response_format: table
- - query: "SELECT cntr_value As 'logouts_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Logouts/sec' AND object_name like '%General Statistics%'"
- response_format: table
- - query: "SELECT cntr_value As 'transactions' FROM sys.dm_os_performance_counters WHERE counter_name = 'Transactions' AND object_name like '%General Statistics%'"
- response_format: table
- - query: "SELECT cntr_value As 're_compilations_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'SQL Re-Compilations/sec'"
- response_format: table
- - query: "SELECT counter_name As 'dynamic_counter.name', cntr_value As 'dynamic_counter.value' FROM sys.dm_os_performance_counters WHERE counter_name= '{{dynamic_counter_name}}'"
- response_format: table
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/performance/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 05662deb30..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-description: Pipeline for processing mssql performance
-processors:
-- remove:
- field: sql.driver
- ignore_missing: true
- ignore_failure: true
-- remove:
- field: sql.query
- ignore_missing: true
- ignore_failure: true
-- rename:
- field: sql
- target_field: mssql
- ignore_missing: true
- ignore_failure: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/base-fields.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/base-fields.yml
deleted file mode 100755
index d64174c19b..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/base-fields.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- description: |-
- An overarching type for the data stream.
- Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
- name: data_stream.type
- type: constant_keyword
-- description: |-
- The field can contain anything that makes sense to signify the source of the data.
- Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`.
- Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions:
- * Must not contain `-`
- * No longer than 100 characters
- name: data_stream.dataset
- type: constant_keyword
-- description: |-
- A user defined namespace. Namespaces are useful to allow grouping of data.
- Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`.
- Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions:
- * Must not contain `-`
- * No longer than 100 characters
- name: data_stream.namespace
- type: constant_keyword
-- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
- name: '@timestamp'
- type: date
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/ecs.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/ecs.yml
deleted file mode 100755
index b485c25d5a..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/ecs.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- Address where data about this service was collected from.
- This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets).
- name: service.address
- type: keyword
-- description: |-
- The type of the service data is collected from.
- The type can be used to group and correlate logs and metrics from one service type.
- Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
- name: service.type
- type: keyword
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/fields.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/fields.yml
deleted file mode 100755
index 59bb3d10ea..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/fields/fields.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-- name: mssql
- type: group
- release: beta
- fields:
- - name: metrics
- type: group
- fields:
- - name: page_splits_per_sec
- type: float
- metric_type: gauge
- description: Number of page splits per second that occur as the result of overflowing index pages.
- - name: lock_waits_per_sec
- type: float
- metric_type: gauge
- description: Number of lock requests per second that required the caller to wait.
- - name: user_connections
- type: long
- description: Total number of user connections.
- - name: active_temp_tables
- type: long
- description: Number of temporary tables/table variables in use.
- - name: transactions
- type: long
- description: Total number of transactions
- - name: connection_reset_per_sec
- type: float
- metric_type: gauge
- description: Total number of logins started per second from the connection pool.
- - name: logins_per_sec
- type: float
- metric_type: gauge
- description: Total number of logins started per second. This does not include pooled connections.
- - name: logouts_per_sec
- type: float
- metric_type: gauge
- description: Total number of logout operations started per second.
- - name: re_compilations_per_sec
- type: float
- metric_type: gauge
- description: Number of statement recompiles per second. Counts the number of times statement recompiles are triggered. Generally, you want the recompiles to be low.
- - name: compilations_per_sec
- type: float
- metric_type: gauge
- description: Number of SQL compilations per second. Indicates the number of times the compile code path is entered. Includes compiles caused by statement-level recompilations in SQL Server. After SQL Server user activity is stable, this value reaches a steady state.
- - name: batch_requests_per_sec
- type: float
- metric_type: gauge
- description: Number of Transact-SQL command batches received per second. This statistic is affected by all constraints (such as I/O, number of users, cache size, complexity of requests, and so on).
High batch requests mean good throughput.
- - name: buffer_cache_hit_ratio
- type: double
- description: The ratio is the total number of cache hits divided by the total number of cache lookups over the last few thousand page accesses. After a long period of time, the ratio moves very little. Because reading from the cache is much less expensive than reading from disk, you want this ratio to be high.
- - name: buffer_page_life_expectancy
- type: long
- description: Indicates the number of seconds a page will stay in the buffer pool without references (in seconds).
- - name: buffer_checkpoint_pages_per_sec
- type: float
- metric_type: gauge
- description: Indicates the number of pages flushed to disk per second by a checkpoint or other operation that require all dirty pages to be flushed.
- - name: buffer_database_pages
- type: long
- description: Indicates the number of pages in the buffer pool with database content.
- - name: buffer_target_pages
- type: long
- description: Ideal number of pages in the buffer pool.
- - name: dynamic_counter.value
- type: long
- description: Dynamic counter value is fetched from performance table for the dynamic counter name which is provided by user.
- - name: dynamic_counter.name
- type: keyword
- description: Dynamic counter name is given by user.
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/manifest.yml b/packages/microsoft_sqlserver/1.1.0/data_stream/performance/manifest.yml
deleted file mode 100755
index 2d0a3a93b0..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-type: metrics
-title: Microsoft SQL Server performance metrics
-release: beta
-streams:
- - input: sql/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 60s
- - name: dynamic_counter_name
- type: text
- title: Dynamic Counter Name
- multi: false
- required: false
- show_user: true
- default: Memory Grants Pending
- description: Collect the dynamic counter value for the provided counter name from the performance table.
- title: Microsoft SQL Server performance metrics
- description: Collect Microsoft SQL Server performance metrics
diff --git a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/sample_event.json b/packages/microsoft_sqlserver/1.1.0/data_stream/performance/sample_event.json
deleted file mode 100755
index f967ddb103..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/data_stream/performance/sample_event.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "@timestamp": "2022-06-08T13:35:05.558Z",
- "agent": {
- "ephemeral_id": "16ad2de8-8ba3-496f-98d1-cbe19441c168",
- "id": "848cea0e-c052-49b3-983d-64e13d3b9a6f",
- "name": "docker-fleet-agent",
- "type": "metricbeat",
- "version": "8.3.0"
- },
- "cloud": {
- "account": {},
- "instance": {
- "id": "b30e45e6-7900-4900-8d67-e37cb13374bc",
- "name": "obs-int-windows-dev"
- },
- "machine": {
- "type": "Standard_D16ds_v5"
- },
- "provider": "azure",
- "region": "CentralIndia",
- "service": {
- "name": "Virtual Machines"
- }
- },
- "data_stream": {
- "dataset": "microsoft_sqlserver.performance",
- "namespace": "ep",
- "type": "metrics"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "848cea0e-c052-49b3-983d-64e13d3b9a6f",
- "snapshot": true,
- "version": "8.3.0"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "microsoft_sqlserver.performance",
- "duration": 7151724,
- "ingested": "2022-06-08T13:35:06Z",
- "module": "sql"
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "172.18.0.4"
- ],
- "mac": [
- "02:42:ac:12:00:04"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.16.3-microsoft-standard-WSL2",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "metricset": {
- "name": "query",
- "period": 60000
- },
- "mssql": {
- "metrics": {
- "user_connections": 1
- }
- },
- "service": {
- "address": "elastic-package-service-microsoft_sqlserver-1:1433",
- "type": "sql"
- }
-}
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/1.1.0/docs/README.md b/packages/microsoft_sqlserver/1.1.0/docs/README.md
deleted file mode 100755
index ccc8b0d7b4..0000000000
--- a/packages/microsoft_sqlserver/1.1.0/docs/README.md
+++ /dev/null
@@ -1,156 +0,0 @@ -# Microsoft SQL Server Integration - -The Microsoft SQL Server integration package allows you to search, observe and visualize the SQL Server audit events through Elasticsearch. -Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. -SQL Server audit lets you create server audits, which can contain server audit specifications for server level events, and database audit specifications for database level events. -See: [SQL Server Audit page](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-ver15) for more information on SQL Server auditing. - -## Compatibility - -The package collects audit events from the event log. Other log sources such as file are not supported. - -## Configuration - -There are several levels of auditing for SQL Server, depending on government or standards requirements for your installation. The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual events. - -See: [SQL Server Audit Action Groups and Actions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver15) for more information on the different audit levels. - -See: [Instructions on how to enable auditing for SQL Server](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification?view=sql-server-ver15). - ->Note: For the integration package to be able to read and send audit events the event target must be configured to be Windows event log. - -### Audit Events - -Enable to collect SQL Server audit events from the specified windows event log channel. - -## Logs - -### Audit - -The SQL Server audit dataset provides events from the configured Windows event log channel. 
All SQL Server audit specific fields are available in the `sqlserver.audit` field group. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.sequence | Sequence number of the event. 
The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. 
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| process.thread.id | Thread ID. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sqlserver.audit.action_id | ID of the action | keyword | -| sqlserver.audit.additional_information | Any additional information about the event stored as XML. | text | -| sqlserver.audit.affected_rows | Number of rows affected by the operation. | long | -| sqlserver.audit.application_name | Name of the application that caused the audit event. | keyword | -| sqlserver.audit.audit_schema_version | Audit event schema version. | keyword | -| sqlserver.audit.class_type | Type of auditable entity that the audit occurs on. | keyword | -| sqlserver.audit.client_ip | "Name or IP address of the machine running the application that caused the audit event." | keyword | -| sqlserver.audit.connection_id | Connection ID (unique UUID for the connection) | keyword | -| sqlserver.audit.data_sensitivity_information | Sensitivity information about the operation. | keyword | -| sqlserver.audit.database_name | The database context in which the action occurred. | keyword | -| sqlserver.audit.database_principal_id | ID of the database user context that the action is performed in. | keyword | -| sqlserver.audit.database_principal_name | Current user. | keyword | -| sqlserver.audit.duration_milliseconds | Duration of the operation in milliseconds. | long | -| sqlserver.audit.event_time | Date/time when the auditable action is fired. | date | -| sqlserver.audit.host_name | SQL Server host name. | keyword | -| sqlserver.audit.is_column_permission | Flag indicating a column level permission | boolean | -| sqlserver.audit.object_id | "The primary ID of the entity on which the audit occurred. This ID can be one of server objects, databases, database objects or schema objects." 
| keyword | -| sqlserver.audit.object_name | "The name of the entity on which the audit occurred. This can be server objects, databases, database objects, schema objects or TSQL statement (if any)." | keyword | -| sqlserver.audit.permission_bitmask | When applicable shows the permissions that were granted, denied or revoked. | keyword | -| sqlserver.audit.response_rows | Number of rows returned. | long | -| sqlserver.audit.schema_name | The schema context in which the action occurred. | keyword | -| sqlserver.audit.sequence_group_id | Sequence group ID (unique UUID). | keyword | -| sqlserver.audit.sequence_number | Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. | integer | -| sqlserver.audit.server_instance_name | "Name of the server instance where the audit occurred. Uses the standard machine\\instance format." | keyword | -| sqlserver.audit.server_principal_id | ID of the login context that the action is performed in. | keyword | -| sqlserver.audit.server_principal_name | Current login. | keyword | -| sqlserver.audit.server_principal_sid | Current login SID. | keyword | -| sqlserver.audit.session_id | ID of the session on which the event occurred. | integer | -| sqlserver.audit.session_server_principal_name | Server principal for the session. | keyword | -| sqlserver.audit.statement | TSQL statement (if any) | text | -| sqlserver.audit.succeeded | Indicates whether or not the permission check of the action triggering the audit event succeeded or failed. | boolean | -| sqlserver.audit.target_database_principal_id | Database principal that the auditable action applies to. | keyword | -| sqlserver.audit.target_database_principal_name | Target user of the action. | keyword | -| sqlserver.audit.target_server_principal_id | Server principal that the auditable action applies to. | keyword | -| sqlserver.audit.target_server_principal_name | Target login of the action. 
| keyword | -| sqlserver.audit.target_server_principal_sid | SID of the target login. | keyword | -| sqlserver.audit.transaction_id | Transaction ID | keyword | -| sqlserver.audit.user_defined_event_id | User defined event ID. | integer | -| sqlserver.audit.user_defined_information | User defined information | text | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. 
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. 
Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - diff --git a/packages/microsoft_sqlserver/1.1.0/img/microsoft-sql-server-logo.svg b/packages/microsoft_sqlserver/1.1.0/img/microsoft-sql-server-logo.svg deleted file mode 100755 index 30758ba323..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/img/microsoft-sql-server-logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/microsoft_sqlserver/1.1.0/img/sqlserver-dashboard.png b/packages/microsoft_sqlserver/1.1.0/img/sqlserver-dashboard.png deleted file mode 100755 index 8929f7c2a9..0000000000 Binary files a/packages/microsoft_sqlserver/1.1.0/img/sqlserver-dashboard.png and /dev/null differ diff --git a/packages/microsoft_sqlserver/1.1.0/img/sqlserver-perf-dashboard.png b/packages/microsoft_sqlserver/1.1.0/img/sqlserver-perf-dashboard.png deleted file mode 100755 index fa26d165a7..0000000000 Binary files a/packages/microsoft_sqlserver/1.1.0/img/sqlserver-perf-dashboard.png and /dev/null differ 
diff --git a/packages/microsoft_sqlserver/1.1.0/img/sqlserver-transaction-dashboard.png b/packages/microsoft_sqlserver/1.1.0/img/sqlserver-transaction-dashboard.png deleted file mode 100755 index 9486af435b..0000000000 Binary files a/packages/microsoft_sqlserver/1.1.0/img/sqlserver-transaction-dashboard.png and /dev/null differ diff --git a/packages/microsoft_sqlserver/1.1.0/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json b/packages/microsoft_sqlserver/1.1.0/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json deleted file mode 100755 index 3ab14432ae..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json +++ /dev/null 
@@ -1,167 +0,0 @@ -{ - "attributes": { - "description": "Microsoft SQL Server Audit Events", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b51d3b6d-d5e8-4631-b11c-81dcb81734a8\":{\"columnOrder\":[\"70000b7b-124a-439e-8ef2-6a8dad15c166\",\"a6937f39-2999-4be2-8371-619b5bf2fb67\"],\"columns\":{\"70000b7b-124a-439e-8ef2-6a8dad15c166\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6937f39-2999-4be2-8371-619b5bf2fb67\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"a6937f39-2999-4be2-8371-619b5bf2fb67\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"70000b7b-124a-439e-8ef2-6a8dad15c166\"],\"layerId\":\"b51d3b6d-d5e8-4631-b11c-81dcb81734a8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6937f39-2999-4be2-8371-619b5bf2fb67\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false,\"timeRange\":{\"from\":\"now-2d\",\"to\":\"now\"}},\"gridData\":{\"h\":13,\"i\":\"842e1cfc-7341-462d-8949-eef99e130666\",\"w\":18,\"x\":0,\"y\":0},\"panelIndex\":\"842e1cfc-7341-462d-8949-eef99e130666\",\"title\":\"Microsoft SQL Server Event 
Types\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\":{\"columnOrder\":[\"4652b8d0-971a-4472-bf0a-e19c6834092d\",\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"columns\":{\"4652b8d0-971a-4472-bf0a-e19c6834092d\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5f9fa38a-bd5b-498b-ac78-d698c436773e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of 
events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"layerId\":\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4652b8d0-971a-4472-bf0a-e19c6834092d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"d2bbfd00-6448-4207-9aef-b5bfcb8f978b\",\"w\":17,\"x\":18,\"y\":0},\"panelIndex\":\"d2bbfd00-6448-4207-9aef-b5bfcb8f978b\",\"title\":\"Rate of 
events\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\":{\"columnOrder\":[\"4652b8d0-971a-4472-bf0a-e19c6834092d\",\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"columns\":{\"4652b8d0-971a-4472-bf0a-e19c6834092d\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5f9fa38a-bd5b-498b-ac78-d698c436773e\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.action: \\\"login-failed\\\" \"},\"isBucketed\":false,\"label\":\"Failed 
Logins\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"layerId\":\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4652b8d0-971a-4472-bf0a-e19c6834092d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e0dde78f-31ea-478a-b2d2-7bde0fd3eedb\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e0dde78f-31ea-478a-b2d2-7bde0fd3eedb\",\"title\":\"Rate of Failed 
Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"041831df-5315-4457-98a4-2be03a47fc31\",\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\"],\"columns\":{\"041831df-5315-4457-98a4-2be03a47fc31\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"5m\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Principal Changes\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"SQL LOGIN\",\"SQL USER\",\"WINDOWS 
LOGIN\",\"LOGIN\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SQL LOGIN\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SQL USER\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"WINDOWS LOGIN\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"LOGIN\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"CREATE\",\"DROP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"CREATE\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DROP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"041831df-5315-4457-98a4-2be03a47fc31\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"9df96bf5-959d-470c-afaa-f85cd3921d41\",\"w\":13,\"x\":0,\"y\":13},\"panelIndex\":\"9df96bf5-959d-470c-afaa-f85cd3921d41\",\"title\":\"Database Principal 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"columns\":{\"3216384d-1cdc-43dc-83a0-b0215a64fd12\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Role Member Changes\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5341d8d4-e599-467c-b891-544b3a47ed4f\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"ROLE\",\"SERVER 
ROLE\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"ROLE\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SERVER ROLE\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"SERVER_ROLE_MEMBER_CHANGE_GROUP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"SERVER_ROLE_MEMBER_CHANGE_GROUP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"5341d8d4-e599-467c-b891-544b3a47ed4f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c95238d4-553e-424f-9880-7377837f0ba2\",\"w\":13,\"x\":13,\"y\":13},\"panelIndex\":\"c95238d4-553e-424f-9880-7377837f0ba2\",\"title\":\"Role Member 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\"],\"columns\":{\"3216384d-1cdc-43dc-83a0-b0215a64fd12\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"count()\",\"operationType\":\"formula\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}},\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\"],\"scale\":\"ratio\"},\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Part of 
count()\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5341d8d4-e599-467c-b891-544b3a47ed4f\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"15m\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"DATABASE AUDIT SPECIFICATION\",\"SERVER AUDIT SPECIFICATION\",\"AUDIT\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"DATABASE AUDIT SPECIFICATION\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SERVER AUDIT 
SPECIFICATION\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"AUDIT\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"CREATE\",\"DROP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"CREATE\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DROP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":-90,\"yRight\":0},\"layers\":[{\"accessors\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Number of Audit Changes\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c48ea73e-2a8d-41bf-831c-275c516ee481\",\"w\":13,\"x\":26,\"y\":13},\"panelIndex\":\"c48ea73e-2a8d-41bf-831c-275c516ee481\",\"title\":\"Audit 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03553b27-f941-4b4b-bcb6-8e1943c154f3\":{\"columnOrder\":[\"d4a0fc9f-f361-4113-b529-f55dd6faab93\"],\"columns\":{\"d4a0fc9f-f361-4113-b529-f55dd6faab93\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed Logins\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"login-failed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"login-failed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"d4a0fc9f-f361-4113-b529-f55dd6faab93\",\"layerId\":\"03553b27-f941-4b4b-bcb6-8e1943c154f3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c68c4401-b3a5-486a-8e66-da4bad6b035d\",\"w\":9,\"x\":39,\"y\":13},\"panelIndex\":\"c
68c4401-b3a5-486a-8e66-da4bad6b035d\",\"title\":\"Number of Failed Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"}]", - "timeRestore": false, - "title": "[Logs Microsoft SQL Server Audit Events] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.1", - "id": "microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "842e1cfc-7341-462d-8949-eef99e130666:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-1", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/microsoft_sqlserver/1.1.0/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json b/packages/microsoft_sqlserver/1.1.0/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json deleted file mode 100755 index b338e5ff8f..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "A dashboard with key metrics about a Microsoft SQL Server instance performance", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-c298fa42-a98b-441a-8fc4-7e829887f213\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c298fa42-a98b-441a-8fc4-7e829887f213\":{\"columnOrder\":[\"76d13381-0680-4440-93f3-0a0311532eed\",\"6f0873fb-8f74-42dd-9428-0337640b84e6\"],\"columns\":{\"6f0873fb-8f74-42dd-9428-0337640b84e6\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Average of mssql.metrics.user_connections\",\"operationType\":\"average\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.user_connections\"},\"76d13381-0680-4440-93f3-0a0311532eed\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"6f0873fb-8f74-42dd-9428-0337640b84e6\"],\"layerId\":\"c298fa42-a98b-441a-8fc4-7e829887f213\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"76d13381-0680-4440-93f3-0a0311532eed\"}],\"legend\":{\"isVisible\":t
rue,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"733a1dbb-abdd-45d9-a908-026db7545a29\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"733a1dbb-abdd-45d9-a908-026db7545a29\",\"title\":\"User Connections [Metrics Microsoft SqlServer]\",\"type\":\"lens\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-1ef8ef96-34a6-4ed3-915c-44e3f187e683\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1ef8ef96-34a6-4ed3-915c-44e3f187e683\":{\"columnOrder\":[\"dac33725-ae01-4473-a253-75f68ac4e304\",\"b16cccae-de67-46b3-8ecf-767bd9a35d39\"],\"columns\":{\"b16cccae-de67-46b3-8ecf-767bd9a35d39\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Average of 
mssql.metrics.batch_requests_per_sec\",\"operationType\":\"average\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.batch_requests_per_sec\"},\"dac33725-ae01-4473-a253-75f68ac4e304\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"b16cccae-de67-46b3-8ecf-767bd9a35d39\"],\"layerId\":\"1ef8ef96-34a6-4ed3-915c-44e3f187e683\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"dac33725-ae01-4473-a253-75f68ac4e304\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"eeb38cf1-3e35-4a16-b910-21ef1aca2142\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"eeb38cf1-3e35-4a16-b910-21ef1aca2142\",\"title\":\"Batch Requests/sec [Microsoft SQL 
Server]\",\"type\":\"lens\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-f37f21be-12f6-4e30-b8e4-de8e37889cc6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f37f21be-12f6-4e30-b8e4-de8e37889cc6\":{\"columnOrder\":[\"4f11499b-34b7-4a54-b152-a9d6fe287532\",\"fb17b987-a0f4-44a9-98ab-72c2be506774\"],\"columns\":{\"4f11499b-34b7-4a54-b152-a9d6fe287532\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"fb17b987-a0f4-44a9-98ab-72c2be506774\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Average of mssql.metrics.lock_waits_per_sec\",\"operationType\":\"average\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.lock_waits_per_sec\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"fb17b987-a0f4-44a9-98ab-72c2be506774\"],\"layerId\":\"f37f21be-12f6-4e30-b8e4-de8e37889cc6\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4f11499b-34b7-4a54-b152-a9d6fe287532\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9537c5f9-fdeb-41
01-a50c-419834b6bdc3\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"9537c5f9-fdeb-4101-a50c-419834b6bdc3\",\"title\":\"Lock Waits/sec [Microsoft SQL Server]\",\"type\":\"lens\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-c804f10c-9dee-4bc5-b3ca-2a4b900f925d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c804f10c-9dee-4bc5-b3ca-2a4b900f925d\":{\"columnOrder\":[\"e74730e8-4677-4f80-ae0f-c074149942d6\",\"83388502-1a33-44fd-b43a-b70eb88ff1f2\"],\"columns\":{\"83388502-1a33-44fd-b43a-b70eb88ff1f2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of mssql.metrics.buffer_cache_hit_ratio\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.buffer_cache_hit_ratio\"},\"e74730e8-4677-4f80-ae0f-c074149942d6\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"83388502-1a33-44fd-b43a-b70eb88ff1f2\"],\"layerId\":\"c804f10c-9dee-4bc5-b3ca-2a4b900f925d\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"e74730e8-4677-4f80-ae0f-c074149942d6\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"titl
e\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3ceec42f-23d1-4ca2-8d59-c14ad798850f\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"3ceec42f-23d1-4ca2-8d59-c14ad798850f\",\"title\":\"Buffer Cache Hit Ratio [Microsoft SQL Server]\",\"type\":\"lens\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-3619ed84-0368-47cc-aa48-6edc35465d9c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3619ed84-0368-47cc-aa48-6edc35465d9c\":{\"columnOrder\":[\"3f74497d-d9f1-48fe-9c8a-327170bfacea\",\"4c131199-b3af-4404-bb2c-79a7b6ac1ed7\"],\"columns\":{\"3f74497d-d9f1-48fe-9c8a-327170bfacea\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"4c131199-b3af-4404-bb2c-79a7b6ac1ed7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Average of 
mssql.metrics.transactions\",\"operationType\":\"average\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.transactions\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"4c131199-b3af-4404-bb2c-79a7b6ac1ed7\"],\"layerId\":\"3619ed84-0368-47cc-aa48-6edc35465d9c\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"3f74497d-d9f1-48fe-9c8a-327170bfacea\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1b64a2ab-638e-483a-826d-c2a8563b7fcf\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"1b64a2ab-638e-483a-826d-c2a8563b7fcf\",\"title\":\"Transactions [Microsoft SQL Server]\",\"type\":\"lens\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Microsoft SQL Server] Performance", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "733a1dbb-abdd-45d9-a908-026db7545a29:indexpattern-datasource-layer-c298fa42-a98b-441a-8fc4-7e829887f213", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "eeb38cf1-3e35-4a16-b910-21ef1aca2142:indexpattern-datasource-layer-1ef8ef96-34a6-4ed3-915c-44e3f187e683", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"9537c5f9-fdeb-4101-a50c-419834b6bdc3:indexpattern-datasource-layer-f37f21be-12f6-4e30-b8e4-de8e37889cc6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3ceec42f-23d1-4ca2-8d59-c14ad798850f:indexpattern-datasource-layer-c804f10c-9dee-4bc5-b3ca-2a4b900f925d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1b64a2ab-638e-483a-826d-c2a8563b7fcf:indexpattern-datasource-layer-3619ed84-0368-47cc-aa48-6edc35465d9c", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/microsoft_sqlserver/1.1.0/manifest.yml b/packages/microsoft_sqlserver/1.1.0/manifest.yml deleted file mode 100755 index ced93470ed..0000000000 --- a/packages/microsoft_sqlserver/1.1.0/manifest.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -format_version: 1.0.0 -name: microsoft_sqlserver -title: "Microsoft SQL Server" -version: 1.1.0 -license: basic -description: Collect events from Microsoft SQL Server with Elastic Agent -type: integration -categories: - - datastore - - security -release: ga -conditions: - kibana.version: "^8.3.0" -screenshots: - - src: /img/sqlserver-dashboard.png - title: Microsoft SQL Server Dashboard - size: 600x600 - type: image/png - - src: /img/sqlserver-perf-dashboard.png - title: Microsoft SQL Server Performance Dashboard - size: 600x600 - type: image/png - - src: /img/sqlserver-transaction-dashboard.png - title: Microsoft SQL Server transaction log Dashboard - size: 600x600 - type: image/png -icons: - - src: /img/microsoft-sql-server-logo.svg - title: Microsof SQL Server - size: 32x32 - type: image/svg+xml -policy_templates: - - name: audit_logs - title: Microsoft SQL Server logs and metrics - description: Collect logs and metrics from Microsoft SQL Server - inputs: - - type: winlog - title: Collect audit events from Windows event logs - description: Collecting audit events from Windows event logs - - type: sql/metrics - vars: - - name: hosts - type: text - title: Hosts - multi: true - required: true - show_user: true - default: - - localhost - - name: password - type: password - title: Password - multi: false - required: true - show_user: true - default: verysecurepassword - - name: username - type: text - title: Username - multi: false - required: true - show_user: true - default: domain\username - - name: port - type: integer - title: Instance Port - multi: false - required: true - show_user: true - default: 1433 - title: Collect Microsoft SQL Server performance and transaction_log metrics - description: Collecting performance and transaction_log metrics from Microsoft SQL Server instances -owner: - github: elastic/security-external-integrations 
diff --git a/packages/microsoft_sqlserver/1.1.1/changelog.yml b/packages/microsoft_sqlserver/1.1.1/changelog.yml deleted file mode 100755 index 11f354c267..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/changelog.yml +++ /dev/null 
@@ -1,72 +0,0 @@
-# newer versions go on top
-- version: "1.1.1"
- changes:
- - description: Added transaction log datastream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3395
-- version: "1.1.0"
- changes:
- - description: Added performance datastream
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3391
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.5.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "0.4.5"
- changes:
- - description: Update Readme. Added links to Microsoft documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3058
-- version: "0.4.4"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.4.3"
- changes:
- - description: Fix field conflict for `winlog.record_id`
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2894
-- version: "0.4.2"
- changes:
- - description: Fix mapper_parsing_exception when parsing sqlserver.audit.event_time.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2813
-- version: "0.4.1"
- changes:
- - description: Change owner to SEI
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2650
-- version: "0.4.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2493
-- version: "0.3.0"
- changes:
- - description: Expose winlog input ignore_older option.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2542
- - description: Fix preserve original event option
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2542
- - description: Make order of options consistent with other winlog based integrations.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2542
-- version: "0.2.0"
- changes:
- - description: Expose winlog input language option.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2344
-- version: "0.1.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2009
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/agent/stream/winlog.yml.hbs b/packages/microsoft_sqlserver/1.1.1/data_stream/audit/agent/stream/winlog.yml.hbs
deleted file mode 100755
index ed053196d1..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/agent/stream/winlog.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-name: {{channel}}
-condition: ${host.platform} == 'windows'
-event_id: {{event_id}}
-{{#if ignore_older}}
-ignore_older: {{ignore_older}}
-{{/if}}
-{{#if language}}
-language: {{language}}
-{{/if}}
-{{#if tags.length}}
-tags:
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if preserve_original_event}}
-include_xml: true
-{{/if}}
-{{#if processors.length}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 1c21df6a8a..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1280 +0,0 @@ ---- -description: Pipeline for processing SQL Server audit logs -processors: -- set: - field: ecs.version - value: 8.2.0 -- gsub: - description: Strip final dot from param1. - field: winlog.event_data.param1 - pattern: '(?m)^\.$' - replacement: '' - if: ctx?.winlog?.event_id == "33205" -- dissect: - description: Extract statement - pattern: "%{}statement:%{_temp.stmt}\nadditional_information:%{}" - field: winlog.event_data.param1 -- gsub: - field: winlog.event_data.param1 - pattern: 'statement:(.*\s)*(?=additional_information:)' - replacement: '' -- kv: - field: winlog.event_data.param1 - field_split: \n - value_split: ':' - target_field: sqlserver.audit - trim_key: \n - trim_value: \n -- set: - field: sqlserver.audit.statement - copy_from: _temp.stmt -- set: - field: log.level - copy_from: winlog.log.level - ignore_empty_value: true - if: ctx?.winlog?.log?.level != "" -- date: - field: sqlserver.audit.event_time - formats: - - "yyyy-MM-dd HH:mm:ss.SSSSSSS" -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -## -# Event kind, code and action -## -- set: - field: event.kind - value: event -- append: - field: event.category - value: database -- trim: - field: sqlserver.audit.action_id - ignore_missing: true -- trim: - field: sqlserver.audit.class_type - ignore_missing: true -- uppercase: - field: sqlserver.audit.action_id - ignore_missing: true -- uppercase: - field: sqlserver.audit.class_type - ignore_missing: true -- script: - lang: painless - description: The script processor enables setting event type, action and category based on action_id and class_type fields. 
- params: - classtypes: - "DB": "DATABASE" - "OB": "OBJECT" - "TY": "TYPE" - "SC": "SCHEMA" - "SX": "XML SCHEMA COLLECTION" - "AS": "ASSEMBLY" - "US": "USER" - "RL": "ROLE" - "AR": "APPLICATION ROLE" - "MT": "MESSAGE TYPE" - "CT": "CONTRACT" - "SV": "SERVICE" - "BN": "REMOTE SERVICE BINDING" - "RT": "ROUTE" - "FC": "FULLTEXT CATALOG" - "FL": "FULLTEXT STOPLIST" - "FP": "SEARCH PROPERTY LIST" - "SK": "SYMMETRIC KEY" - "CR": "CERTIFICATE" - "AK": "ASYMMETRIC KEY" - "DC": "DATABASE SCOPED CREDENTIAL" - "EL": "EXTERNAL LIBRARY" - "LA": "EXTERNAL LANGUAGE" - "SR": "SERVER" - "EP": "ENDPOINT" - "SG": "SERVER ROLE" - "AG": "AVAILABILITY GROUP" - "LX": "LOGIN" - "CK": "COLUMN ENCRYPTION KEY" - "CM": "COLUMN MASTER KEY" - "DA": "DATABASE AUDIT SPECIFICATION" - "DU": "AUDIT" - "DS": "DATABASE SCOPED CONFIGURATION" - "DR": "DATABASE SCOPED RESOURCE GOVERNOR" - "DN": "EVENT NOTIFICATION DATABASE" - "DT": "TRIGGER DATABASE" - "MK": "MASTER KEY" - "DK": "DATABASE ENCRYPTION KEY" - "ON": "EVENT NOTIFICATION OBJECT" - "PF": "PARTITION FUNCTION" - "PR": "BROKER PRIORITY" - "PS": "PARTITION SCHEME" - "DE": "DATABASE EVENT SESSION" - "AQ": "ADHOC QUERY" - "AF": "AGGREGATE" - "AP": "Undocumented" - "C": "CHECK CONSTRAINT" - "D": "DEFAULT" - "EC": "EDGE CONSTRAINT" - "EN": "EVENT NOTIFICATION" - "F": "FOREIGN KEY CONSTRAINT" - "FS": "FUNCTION SCALAR ASSEMBLY" - "FT": "FUNCTION TABLE-VALUED ASSEMBLY" - "FN": "FUNCTION SCALAR SQL" - "IX": "INDEX" - "IF": "FUNCTION TABLE-VALUED INLINE SQL" - "IS": "FUNCTION SCALAR INLINE SQL" - "IT": "INTERNAL TABLE" - "PQ": "PREPARED ADHOC QUERY" - "PK": "PRIMARY KEY" - "P": "STORED PROCEDURE" - "PC": "STORED PROCEDURE ASSEMBLY" - "RF": "STORED PROCEDURE REPLICATION FILTER" - "R": "RULE" - "SP": "SECURITY POLICY" - "SO": "SEQUENCE OBJECT" - "ST": "STATISTICS" - "SQ": "QUEUE" - "SN": "SYNONYM" - "S": "TABLE SYSTEM" - "TF": "FUNCTION TABLE-VALUED SQL" - "TA": "TRIGGER ASSEMBLY" - "TR": "TRIGGER" - "UQ": "UNIQUE CONSTRAINT" - "U": "TABLE" - "V": "VIEW" - 
"X": "STORED PROCEDURE EXTENDED" - "XR": "XREL TREE" - "AU": "ASYMMETRIC KEY USER" - "CU": "CERTIFICATE USER" - "GU": "GROUP USER" - "SU": "SQL USER" - "WU": "WINDOWS USER" - "XU": "EXTERNAL USER" - "PU": "EXTERNAL GROUP USER" - "A": "SERVER AUDIT" - "CD": "CREDENTIAL" - "CP": "CRYPTOGRAPHIC PROVIDER" - "ED": "EXTERNAL DATA SOURCE" - "EF": "EXTERNAL FILE FORMAT" - "RG": "RESOURCE GOVERNOR" - "SA": "SERVER AUDIT SPECIFICATION" - "SD": "EVENT NOTIFICATION SERVER" - "T": "TRIGGER SERVER" - "SE": "EVENT SESSION" - "CO": "SERVER CONFIG" - "AL": "ASYMMETRIC KEY LOGIN" - "CL": "CERTIFICATE LOGIN" - "SL": "SQL LOGIN" - "WG": "WINDOWS GROUP" - "WL": "WINDOWS LOGIN" - "ER": "EXTERNAL RESOURCE POOL" - "EX": "EXTERNAL SCRIPT QUERY" - "PL": "EXTERNAL GROUP LOGIN" - "XL": "EXTERNAL LOGIN" - actions: - "ACDO": - value: "DATABASE_OBJECT_ACCESS_GROUP" - type: - - access - action: database-object-accessed - "ACO": - value: "SCHEMA_OBJECT_ACCESS_GROUP" - type: - - access - action: schema-object-permission-checked - "ADBO": - value: "BULK ADMIN" - type: - - change - action: bulk-admin-operation - "ADDP": - value: "DATABASE_ROLE_MEMBER_CHANGE_GROUP" - type: - - admin - - change - - user - category: - - iam - action: login-changed-from-database-role - "ADFR": - # SQL 2019 feature to tackle dynamic SQL - # and SQL injection threats. By restricting - # ErrorMessages and WaitFor statement. 
- value: "ADD FEATURE RESTRICTION" - type: - - info - action: add-feature-restriction - "ADSC": - value: "ADD SENSITIVITY CLASSIFICATION" - type: - - change - action: add-sensitivity-classification-to-db-columns - "ADSP": - value: "SERVER_ROLE_MEMBER_CHANGE_GROUP" - type: - - admin - - change - - user - category: - - iam - action: login-changed-from-server-role - "AL": - value: "ALTER" - type: - - change - action: alter-object - "ALCN": - value: "ALTER CONNECTION" - type: - - change - - connection - category: - - network - action: alter-connection - "ALRS": - value: "ALTER RESOURCES" - type: - - change - action: alter-resources - "ALSS": - value: "ALTER SERVER STATE" - type: - - change - action: alter-server-state - "ALST": - value: "ALTER SETTINGS" - type: - - change - category: - - configuration - action: alter-settings - "ALTR": - value: "ALTER TRACE" - type: - - change - action: alter-trace - "APRL": - value: "ADD MEMBER" - type: - - change - action: add-member - "AS": - value: "ACCESS" - type: - - access - action: access-object - "AUSC": - # To troubleshoot what goes on after this event - # configure login auditing - # https://docs.microsoft.com/en-us/sql/ssms/configure-login-auditing-sql-server-management-studio - value: "AUDIT SESSION CHANGED" - type: - - change - action: audit-session-changed - "AUSF": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/create-server-audit-transact-sql - # See ON_FAILURE - value: "AUDIT SHUTDOWN ON FAILURE" - type: - - error - action: audit-write-failed-database-shutdown - "AUTH": - # Changing authentication mode for login - value: "AUTHENTICATE" - type: - - info - action: authenticate - "BA": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/backup-transact-sql - value: "BACKUP" - type: - - info - action: database-backup-executed - "BAL": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/backup-transact-sql - value: "BACKUP LOG" - type: - - info - action: transaction-log-backup-executed - "BCM": - 
value: "BATCH COMPLETED" - type: - - info - action: transact-sql-batch-completed - "BCMG": - value: "BATCH_COMPLETED_GROUP" - type: - - info - action: batch-text-stored-proc-or-txn-mgmt-op-ended - "BRDB": - value: "BACKUP_RESTORE_GROUP" - type: - - admin - action: backup-or-restore-command-issued - "BST": - value: "BATCH STARTED" - type: - - info - action: transact-sql-batch-started - "BSTG": - value: "BATCH_STARTED_GROUP" - type: - - info - action: batch-text-stored-proc-txn-mgmt-op-started - "C2OF": - # https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/c2-audit-mode-server-configuration-option - value: "TRACE AUDIT C2OFF" - type: - - change - action: c2-audit-mode-server-config-off - "C2ON": - value: "TRACE AUDIT C2ON" - type: - - info - action: c2-audit-mode-server-config-on - "CCLG": - value: "CHANGE LOGIN CREDENTIAL" - type: - - change - action: change-login-credential - "CMLG": - value: "CREDENTIAL MAP TO LOGIN" - type: - - change - action: credential-mapped-to-sql-server-login - "CNAU": - value: "AUDIT_CHANGE_GROUP" - type: - - change - action: audit-or-audit-spec-changed - "CO": - # nodoc or TSQL - value: "CONNECT" - type: - - info - action: connect - "CP": - value: "CHECKPOINT" - type: - - info - action: checkpoint-created - "CR": - value: "CREATE" - type: - - info - action: create - "DABO": - # bulk ops like bulk insert, copy, load - # and so on. - value: "DATABASE BULK ADMIN" - type: - - change - action: database-bulk-admin - "DAGF": - # principal login to contained database failed. 
- # https://docs.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable - value: "FAILED_DATABASE_AUTHENTICATION_GROUP" - type: - - error - action: principal-login-failed - "DAGL": - value: "DATABASE_LOGOUT_GROUP" - type: - - info - - end - category: - - session - action: contained-database-user-logout - "DAGS": - value: "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP" - type: - - info - - start - category: - - session - action: principal-login-to-contained-database-successful - "DBAF": - # nodoc - value: "DATABASE AUTHENTICATION FAILED" - type: - - error - action: database-authentication-failed - "DBAS": - value: "DATABASE AUTHENTICATION SUCCEEDED" - type: - - access - - info - action: database-authentication-succeeded - "DBCC": - # https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-transact-sql - value: "DBCC" - type: - - change - category: - - configuration - action: principal-issued-dbcc-command - "DBCG": - value: "DBCC_GROUP" - type: - - change - category: - - configuration - action: principal-issued-dbcc-command - "DBL": - # nodoc - value: "DATABASE LOGOUT" - type: - - end - category: - - session - action: database-logout - "D": - # TSQL - value: "DENY" - type: - - info - action: permission-denied-to-principal - "DL": - # nodoc - # TSQL DELETE - value: "DELETE" - type: - - change - action: delete - "DPRL": - # ? https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-droprolemember-transact-sql - value: "DROP MEMBER" - type: - - info - action: drop-security-account-from-role - "DR": - value: "DROP" - type: - - change - action: drop-object - "DRFR": - # SQL 2019 feature to tackle dynamic SQL - # and SQL injection threats. By restricting - # ErrorMessages and WaitFor statement. 
- value: "DROP FEATURE RESTRICTION" - type: - - change - action: drop-feature-restriction - "DRSC": - value: "DROP SENSITIVITY CLASSIFICATION" - type: - - change - action: drop-sensitivity-classification-from-db-columns - "DWC": - # TSQL - value: "DENY WITH CASCADE" - type: - - change - action: permission-denied-with-cascade - "EX": - value: "EXECUTE" - type: - - info - action: execute-stored-proc-or-function - "FRCG": - # nodoc - # 2019 feature see ADFR and DRFR - value: "FEATURE_RESTRICTION_CHANGE_GROUP" - type: - - change - action: feature-restriction-changed - "FT": - # nodoc - # using FTG - value: "FULLTEXT" - type: - - info - action: fulltext-event-occurred - "FTG": - value: "FULLTEXT_GROUP" - type: - - info - action: fulltext-event-occurred - "G": - # TSQL - value: "GRANT" - type: - - info - action: grant-permission-to-principal - "GRDB": - value: "DATABASE_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission - "GRDO": - value: "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-schema-or-assemblies - "GRO": - # schema objects like database tables, views etc. 
- value: "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-schema-objects - "GRSO": - value: "SERVER_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-server-objects - "GRSV": - value: "SERVER_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-issued-in-server-scope - "GWG": - # TSQL - value: "GRANT WITH GRANT" - type: - - info - action: grant-with-grant-issued-to-principal - "IMDP": - value: "DATABASE_PRINCIPAL_IMPERSONATION_GROUP" - type: - - info - action: database-user-impersonation-occurred - "IMP": - # nodoc - # using IMDP - value: "IMPERSONATE" - type: - - info - action: database-user-impersonation-occurred - "IMSP": - value: "SERVER_PRINCIPAL_IMPERSONATION_GROUP" - type: - - user - action: server-login-impersonation-occurred - "IN": - value: "INSERT" - type: - - info - action: insert - "LGB": - # nodoc - # using LGBG - value: "BROKER LOGIN" - type: - - info - action: service-broker-transport-security-event - "LGBG": - value: "BROKER_LOGIN_GROUP" - type: - - info - action: service-broker-transport-security-event - "LGDA": - # Can be disable trigger or indexes and constraints - value: "DISABLE" - type: - - change - action: disable - "LGDB": - value: "CHANGE DEFAULT DATABASE" - type: - - change - action: change-default-database - "LGEA": - value: "ENABLE" - type: - - info - action: enable - "LGFL": - value: "FAILED_LOGIN_GROUP" - type: - - error - category: - - authentication - action: principal-login-failed - "LGGG": - # nodoc - value: "GLOBAL_TRANSACTIONS_LOGIN_GROUP" - type: - - info - action: global-transactions-login - "LGG": - # nodoc - # https://www.manageengine.com/products/eventlog/sql-auditing/global-transaction-login-in-sql-server-24337.html - value: "GLOBAL TRANSACTIONS LOGIN" - type: - - info - action: global-transactions-login - "LGIF": - value: "LOGIN FAILED" - type: - - error - category: - - authentication - 
action: login-failed - "LGIS": - value: "LOGIN SUCCEEDED" - type: - - info - - start - category: - - session - action: login-succeeded - "LGLG": - value: "CHANGE DEFAULT LANGUAGE" - type: - - change - action: change-default-language - "LGM": - # using LGMG - value: "DATABASE MIRRORING LOGIN" - type: - - info - action: database-mirroring-transport-security-event - "LGMG": - value: "DATABASE_MIRRORING_LOGIN_GROUP" - type: - - info - action: database-mirroring-transport-security-event - "LGNM": - value: "NAME CHANGE" - type: - - change - action: name-change - "LGO": - value: "LOGOUT" - type: - - end - category: - - session - action: logout - "LGSD": - value: "SUCCESSFUL_LOGIN_GROUP" - type: - - info - - start - category: - - session - action: user-login-succeeded - "LGSG": - # nodoc - value: "STORAGE_LOGIN_GROUP" - type: - - info - action: storage-login - "LGS": - # nodoc - value: "STORAGE LOGIN" - type: - - info - action: storage-login - "LO": - value: "LOGOUT_GROUP" - type: - - info - - end - category: - - session - action: user-logout-succeeded - "MNDB": - value: "DATABASE_CHANGE_GROUP" - type: - - change - action: database-created-altered-or-dropped - "MNDO": - value: "DATABASE_OBJECT_CHANGE_GROUP" - type: - - change - action: database-object-created-altered-or-dropped - "MNDP": - value: "DATABASE_PRINCIPAL_CHANGE_GROUP" - type: - - change - action: principals-created-altered-or-dropped - "MNO": - value: "SCHEMA_OBJECT_CHANGE_GROUP" - type: - - change - action: schema-object-create-alter-or-dropped - "MNSO": - # server objects like databases or endpoints - value: "SERVER_OBJECT_CHANGE_GROUP" - type: - - change - action: server-object-create-alter-or-dropped - "MNSP": - value: "SERVER_PRINCIPAL_CHANGE_GROUP" - type: - - change - action: server-principal-create-alter-or-dropped - "NMLG": - # no credential map to login probably unable to execute - # external operation - # 
https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-credential - value: "NO CREDENTIAL MAP TO LOGIN" - type: - - error - action: no-credential-map-to-login - "OPDB": - value: "DATABASE_OPERATION_GROUP" - type: - - info - action: db-checkpoint-or-subscribe-query-notification-executed - "OP": - # open cursor - value: "OPEN" - type: - - access - action: open - "OPSV": - value: "SERVER_OPERATION_GROUP" - type: - - change - action: alter-settings-resources-or-external-access - "PWAR": - value: "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP" - type: - - change - action: password-changed-for-application-role - "PWC": - # nodoc - # using PWAR - value: "CHANGE PASSWORD" - type: - - change - action: password-changed-for-application-role - "PWCG": - value: "LOGIN_CHANGE_PASSWORD_GROUP" - type: - - change - action: login-password-changed-via-alter-or-sp-password - "PWCS": - # nodoc - value: "CHANGE OWN PASSWORD" - type: - - change - action: change-own-password - "PWEX": - # nodoc - value: "PASSWORD EXPIRATION" - type: - - info - action: password-expired - "PWMC": - # nodoc - value: "MUST CHANGE PASSWORD" - type: - - info - action: must-change-password - "PWPL": - # nodoc - value: "PASSWORD POLICY" - type: - - info - action: password-policy - "PWR": - # nodoc - value: "RESET PASSWORD" - type: - - change - action: reset-password - "PWRS": - # nodoc - value: "RESET OWN PASSWORD" - type: - - change - action: reset-own-password - "PWU": - # TSQL ALTER LOGIN UNLOCK - value: "UNLOCK ACCOUNT" - type: - - change - action: unlock-sql-server-login-account - "RCM": - value: "RPC COMPLETED" - type: - - end - category: - - network - action: rpc-completed - "RC": - value: "RECEIVE" - type: - - access - action: retrieve-message-from-queue - "RF": - value: "REFERENCES" - type: - - info - action: references - "R": - value: "REVOKE" - type: - - change - action: remove-granted-or-denied-permission - "RS": - value: "RESTORE" - type: - - change - action: 
restore-database-backup - "RST": - value: "RPC STARTED" - type: - - start - category: - - network - action: rpc-started - "RWC": - value: "REVOKE WITH CASCADE" - type: - - change - action: revoke-granted-or-denied-permission-with-cascade - "RWG": - value: "REVOKE WITH GRANT" - type: - - change - action: revoke-with-grant - "SCCG": - # sensitivity classification for columns - # https://docs.microsoft.com/en-us/sql/t-sql/statements/add-sensitivity-classification-transact-sql - value: "SENSITIVITY_CLASSIFICATION_CHANGE_GROUP" - type: - - change - action: sensitivity-classification-changed - "SL": - value: "SELECT" - type: - - access - action: select - "SN": - value: "SEND" - type: - - access - action: send-message-to-queue - "SPLN": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/set-showplan-all-transact-sql - value: "SHOW PLAN" - type: - - info - action: show-plan - "STSV": - value: "SERVER_STATE_CHANGE_GROUP" - type: - - info - action: server-service-state-changed - "SUQN": - value: "SUBSCRIBE QUERY NOTIFICATION" - type: - - info - action: subscribe-query-notification - "SVCN": - value: "SERVER CONTINUE" - type: - - change - action: server-service-state-changed-to-continue - "SVPD": - value: "SERVER PAUSED" - type: - - change - action: server-service-state-changed-to-paused - "SVSD": - value: "SERVER SHUTDOWN" - type: - - change - action: server-service-state-changed-to-shutdown - "SVSR": - value: "SERVER STARTED" - type: - - change - action: server-service-state-changed-to-start - "TASA": - # nodoc - value: "TRACE AUDIT START" - type: - - info - action: trace-audit-start - "TASP": - # nodoc - value: "TRACE AUDIT STOP" - type: - - info - action: trace-audit-stop - "TODB": - value: "DATABASE_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: permission-check-performed-to-change-database-owner - "TODO": - value: "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: database-object-owner-changed - "TOO": - value: 
"SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - info - action: permission-check-performed-to-change-schema-object - "TOSO": - value: "SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: server-scoped-object-owner-changed - "TO": - # nodoc - value: "TAKE OWNERSHIP" - type: - - info - action: take-ownership - "TRBC": - value: "TRANSACTION BEGIN COMPLETED" - type: - - info - action: transaction-begin-completed - "TRBS": - value: "TRANSACTION BEGIN STARTING" - type: - - info - action: transaction-begin-starting - "TRCC": - value: "TRANSACTION COMMIT COMPLETED" - type: - - info - action: transaction-commit-completed - "TRCG": - value: "TRACE_CHANGE_GROUP" - type: - - info - action: permission-checked-for-alter-trace - "TRCS": - value: "TRANSACTION COMMIT STARTING" - type: - - info - action: transaction-commit-starting - "TRGC": - value: "TRANSACTION PROPAGATE COMPLETED" - type: - - info - action: transaction-propogation-completed - "TRGS": - value: "TRANSACTION PROPAGATE STARTING" - type: - - info - action: transaction-propogation-starting - "TRO": - value: "TRANSFER" - type: - - info - action: data-transfer - "TRPC": - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration-data-access-transactions/transaction-promotion - value: "TRANSACTION PROMOTE COMPLETED" - type: - - info - action: local-to-distributed-transaction-promote-completed - "TRPS": - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration-data-access-transactions/transaction-promotion - value: "TRANSACTION PROMOTE STARTING" - type: - - info - action: local-to-distributed-transaction-promote-starting - "TRRC": - value: "TRANSACTION ROLLBACK COMPLETED" - type: - - info - action: transaction-rollback-completed - "TRRS": - value: "TRANSACTION ROLLBACK STARTING" - type: - - info - action: transaction-rollback-starting - "TRSC": - value: "TRANSACTION SAVEPOINT COMPLETED" - type: - - info - action: transaction-savepoint-completed - "TRSS": - value: 
"TRANSACTION SAVEPOINT STARTING" - type: - - info - action: transaction-savepoint-starting - "TXBG": - value: "TRANSACTION BEGIN" - type: - - info - action: transaction-begin - "TXCG": - value: "TRANSACTION_COMMIT_GROUP" - type: - - info - action: transaction-commit-group-event - "TXCM": - value: "TRANSACTION COMMIT" - type: - - info - action: transaction-commit - "TXGG": - value: "TRANSACTION_BEGIN_GROUP" - type: - - info - action: transaction-begin-group-event - "TXRB": - value: "TRANSACTION ROLLBACK" - type: - - info - action: transaction-rollback - "TXRG": - value: "TRANSACTION_ROLLBACK_GROUP" - type: - - info - action: transaction-rollback-group - "TX": - value: "TRANSACTION_GROUP" - type: - - info - action: transaction-event-occurred - "UCGP": - value: "USER_CHANGE_PASSWORD_GROUP" - type: - - change - action: password-of-contained-database-user-changed - "UDAG": - value: "USER_DEFINED_AUDIT_GROUP" - type: - - info - action: user-defined-audit-event-sp-audit-write - "UDAU": - value: "USER DEFINED AUDIT" - type: - - info - action: user-defined-audit-event-sp-audit-write - "UNDG": - value: "STATEMENT_ROLLBACK_GROUP" - type: - - info - action: statement-rollback-group - "UNDO": - value: "STATEMENT ROLLBACK" - type: - - info - action: statement-rollback - "UP": - value: "UPDATE" - type: - - change - action: update - "USAF": - value: "CHANGE USERS LOGIN AUTO" - type: - - change - action: change-users-login-auto - "USLG": - value: "CHANGE USERS LOGIN" - type: - - change - action: change-users-login - "USTC": - # https://docs.microsoft.com/en-us/troubleshoot/sql/security/transfer-logins-passwords-between-instances - value: "COPY PASSWORD" - type: - - info - action: password-copied - "VDST": - value: "VIEW DATABASE STATE" - type: - - info - action: view-database-state - "VSST": - value: "VIEW SERVER STATE" - type: - - info - action: view-server-state - "VWCT": - value: "VIEW CHANGETRACKING" - type: - - info - action: view-change-tracking - "VW": - value: "VIEW" - 
type: - - info - action: view - "XA": - # see EXTERNAL_ACCESS - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/assemblies/creating-an-assembly - value: "EXTERNAL ACCESS ASSEMBLY" - type: - - access - category: - - network - - registry - action: external-access-assembly - "XU": - # see UNSAFE - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/assemblies/creating-an-assembly - value: "UNSAFE ASSEMBLY" - type: - - access - action: unsafe-assembly - source: |- - def actionIdKey = ctx.sqlserver.audit.action_id; - def actions = params.get('actions'); - def classTypes = params.get('classtypes'); - // handle class type - // overwrite the abbreviated key with its value - def ct = classTypes.get(ctx.sqlserver.audit.class_type); - if (ct != null) { - ctx.sqlserver.audit.class_type = ct; - } - // error case - for unhandled action ids - def actionData = actions.get(actionIdKey); - if (actionData == null) { - ctx.event.action = 'unknown-' + actionIdKey.toLowerCase(); - ctx.event.type = ['info']; - return; - } - // overwrite the action id with its actual value - ctx.sqlserver.audit.action_id = actionData.get('value'); - // event.type - def actionType = actionData.get('type'); - if (actionType != null) { - ctx.event.type = new ArrayList(actionType); - } - // event.category - def actionCategory = actionData.get('category'); - if (actionCategory != null) { - for (def c : actionCategory) { - ctx.event.category.add(c); - } - } - // event.action - def action = actionData.get('action'); - if (action != null) { - ctx.event.action = action; - } -- convert: - field: sqlserver.audit.sequence_number - type: integer - ignore_missing: true -- convert: - field: sqlserver.audit.succeeded - type: boolean - ignore_missing: true -- convert: - field: sqlserver.audit.affected_rows - type: long - ignore_missing: true -- convert: - field: sqlserver.audit.response_rows - type: long - ignore_missing: true -- convert: - field: 
sqlserver.audit.is_column_permission - type: boolean - ignore_missing: true -- script: - lang: painless - description: Convert ms to ns and set it to event.duration - source: |- - def v = ctx?.sqlserver?.audit?.duration_milliseconds; - if (v != null) { - ctx.event.duration = Long.parseLong(v) * 1000000; - } -- rename: - field: winlog.process - target_field: process - ignore_missing: true -## -# Set user.name, user.domain and user.id values from -# SPN -## -- dissect: - description: Extract user domain and name - pattern: "%{_temp.domain}\\%{_temp.username}" - field: sqlserver.audit.server_principal_name - if: 'ctx?.sqlserver?.audit?.server_principal_name != null && ctx?.sqlserver?.audit?.server_principal_name.contains("\\")' - ignore_missing: true -- set: - description: Set username as is if domain is not present - field: user.name - copy_from: sqlserver.audit.server_principal_name - if: 'ctx?.sqlserver?.audit?.server_principal_name != null && !ctx?.sqlserver?.audit?.server_principal_name.contains("\\")' -- set: - description: Set username if it was extracted from Domain\User format - field: user.name - copy_from: _temp.username - if: "ctx?._temp?.username != null" -- set: - description: Set domain if it was extracted from Domain\User format - field: user.domain - copy_from: _temp.domain - if: "ctx?._temp?.domain != null" -- set: - field: user.id - copy_from: sqlserver.audit.server_principal_sid -- set: - field: user.target.name - copy_from: sqlserver.audit.target_server_principal_name -- set: - field: user.target.id - copy_from: sqlserver.audit.target_server_principal_sid - -- convert: - field: winlog.record_id - type: string - ignore_missing: true -## -# Clean up -## -- remove: - field: - - _temp - - winlog.event_data.param1 - - sqlserver.audit.event_time - - sqlserver.audit.additional_information - - sqlserver.audit.duration_milliseconds - - sqlserver.audit.server_principal_name - - sqlserver.audit.server_principal_sid - - 
sqlserver.audit.target_server_principal_name
- - sqlserver.audit.target_server_principal_sid
- ignore_missing: true
-- script:
- lang: painless
- description: This script processor iterates over the whole document to remove fields with null values.
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
- }
- handleMap(ctx);
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/base-fields.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/base-fields.yml
deleted file mode 100755
index 7c798f4534..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/base-fields.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/ecs.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 523f9134da..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,205 +0,0 @@ -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. 
- May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Thread ID. - name: process.thread.id - type: long -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/fields.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/fields.yml deleted file mode 100755 index 7985824ba4..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,139 +0,0 @@ -- name: sqlserver - type: group - description: All fields specific to SQL Server events - fields: - - name: audit - type: group - description: All fields specific to SQL Server audit events. - fields: - - name: audit_schema_version - type: keyword - description: Audit event schema version. - - name: event_time - type: date - description: Date/time when the auditable action is fired. - - name: sequence_number - type: integer - description: > - Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. - - - name: action_id - type: keyword - description: ID of the action - - name: succeeded - type: boolean - description: > - Indicates whether or not the permission check of the action triggering the audit event succeeded or failed. - - - name: permission_bitmask - type: keyword - description: > - When applicable shows the permissions that were granted, denied or revoked. - - - name: is_column_permission - type: boolean - description: Flag indicating a column level permission - - name: session_id - type: integer - description: ID of the session on which the event occurred. - - name: server_principal_id - type: keyword - description: ID of the login context that the action is performed in. - - name: database_principal_id - type: keyword - description: ID of the database user context that the action is performed in. - - name: object_id - type: keyword - description: > - "The primary ID of the entity on which the audit occurred. This ID can be one of server objects, databases, database objects or schema objects." - - - name: target_server_principal_id - type: keyword - description: Server principal that the auditable action applies to. - - name: target_database_principal_id - type: keyword - description: Database principal that the auditable action applies to. - - name: class_type - type: keyword - description: Type of auditable entity that the audit occurs on. 
- - name: session_server_principal_name - type: keyword - description: Server principal for the session. - - name: server_principal_name - type: keyword - description: Current login. - - name: server_principal_sid - type: keyword - description: Current login SID. - - name: database_principal_name - type: keyword - description: Current user. - - name: target_server_principal_name - type: keyword - description: Target login of the action. - - name: target_server_principal_sid - type: keyword - description: SID of the target login. - - name: target_database_principal_name - type: keyword - description: Target user of the action. - - name: server_instance_name - type: keyword - description: > - "Name of the server instance where the audit occurred. Uses the standard machine\\instance format." - - - name: database_name - type: keyword - description: The database context in which the action occurred. - - name: schema_name - type: keyword - description: The schema context in which the action occurred. - - name: object_name - type: keyword - description: > - "The name of the entity on which the audit occurred. This can be server objects, databases, database objects, schema objects or TSQL statement (if any)." - - - name: statement - type: text - description: "TSQL statement (if any)" - - name: additional_information - type: text - description: Any additional information about the event stored as XML. - - name: affected_rows - type: long - description: Number of rows affected by the operation. - - name: application_name - type: keyword - description: Name of the application that caused the audit event. - - name: client_ip - type: keyword - description: > - "Name or IP address of the machine running the application that caused the audit event." - - - name: connection_id - type: keyword - description: Connection ID (unique UUID for the connection) - - name: data_sensitivity_information - type: keyword - description: Sensitivity information about the operation. 
- - name: duration_milliseconds - type: long - description: Duration of the operation in milliseconds. - - name: host_name - type: keyword - description: SQL Server host name. - - name: response_rows - type: long - description: Number of rows returned. - - name: sequence_group_id - type: keyword - description: Sequence group ID (unique UUID). - - name: transaction_id - type: keyword - description: Transaction ID - - name: user_defined_event_id - type: integer - description: User defined event ID. - - name: user_defined_information - type: text - description: User defined information diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/winlog.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/winlog.yml deleted file mode 100755 index 075d40345d..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/fields/winlog.yml +++ /dev/null 
@@ -1,155 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/manifest.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/audit/manifest.yml deleted file mode 100755 index da4c3838e1..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -title: "SQL Server audit events" -type: logs -streams: - - input: winlog - title: SQL Server audit events from Windows event logs - description: Collect SQL Server audit events from the Windows event logs - template_path: winlog.yml.hbs - vars: - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: >- - Preserves a raw copy of the original XML event, added to the field `event.original` - type: bool - multi: false - default: false - - name: event_id - type: text - title: Event ID - multi: false - required: false - show_user: false - description: >- - Defaults to 33205. Change the default only if SQL Server uses another documented event ID for audits. Setting a value other than an SQL Server audit event ID will cause the package to malfunction. A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 33205), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs. - default: 33205 - - name: channel - description: Channel name where audit events are configured to be sent. - type: text - title: Channel - multi: false - required: true - default: Security - show_user: true - - name: ignore_older - type: text - title: Ignore events older than - default: 72h - required: false - show_user: false - description: >- - If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - - name: language - type: text - title: Language ID - description: >- - The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. 
It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US - required: false - show_user: false - default: 0 - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/agent/stream/stream.yml.hbs b/packages/microsoft_sqlserver/1.1.1/data_stream/performance/agent/stream/stream.yml.hbs deleted file mode 100755 index d7007a3cc1..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/agent/stream/stream.yml.hbs +++ /dev/null 
@@ -1,44 +0,0 @@ -metricsets: ["query"] -# Specify hosts in the below format. TODO: hosts need to be updated to support multiple entries. -hosts: - - sqlserver://{{username}}:{{password}}@{{hosts}}:{{port}} -period: {{period}} -raw_data.enabled: true -# Below dynamic_counter_name handles the dynamic counter name passing it to SQL query -dynamic_counter_name: {{dynamic_counter_name}} -driver: "mssql" -sql_queries: - - query: "SELECT cntr_value As 'user_connections' FROM sys.dm_os_performance_counters WHERE counter_name= 'User Connections'" - response_format: table - - query: "SELECT cntr_value As 'active_temp_tables' FROM sys.dm_os_performance_counters WHERE counter_name = 'Active Temp Tables' AND object_name like '%General Statistics%'" - response_format: table - - query: "SELECT cntr_value As 'buffer_cache_hit_ratio' FROM sys.dm_os_performance_counters WHERE counter_name = 'Buffer cache hit ratio' AND object_name like '%Buffer Manager%'" - response_format: table - - query: "SELECT cntr_value As 'page_splits_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Page splits/sec'" - response_format: table - - query: "SELECT cntr_value As 'lock_waits_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Lock Waits/sec' AND instance_name = '_Total'" - response_format: table - - query: "SELECT cntr_value As 'compilations_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'SQL Compilations/sec'" - response_format: table - - query: "SELECT cntr_value As 'batch_requests_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Batch Requests/sec'" - response_format: table - - query: "SELECT cntr_value As 'buffer_checkpoint_pages_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Checkpoint pages/sec' AND object_name like '%Buffer Manager%'" - response_format: table - - query: "SELECT cntr_value As 'buffer_database_pages' FROM sys.dm_os_performance_counters WHERE counter_name = 'Database pages' AND 
object_name like '%Buffer Manager%'" - response_format: table - - query: "SELECT cntr_value As 'buffer_page_life_expectancy' FROM sys.dm_os_performance_counters WHERE counter_name = 'Page life expectancy' AND object_name like '%Buffer Manager%'" - response_format: table - - query: "SELECT cntr_value As 'buffer_target_pages' FROM sys.dm_os_performance_counters WHERE counter_name = 'Target pages' AND object_name like '%Buffer Manager%'" - response_format: table - - query: "SELECT cntr_value As 'connection_reset_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Connection Reset/sec' AND object_name like '%Buffer Manager%'" - response_format: table - - query: "SELECT cntr_value As 'logins_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Logins/sec' AND object_name like '%General Statistics%'" - response_format: table - - query: "SELECT cntr_value As 'logouts_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Logouts/sec' AND object_name like '%General Statistics%'" - response_format: table - - query: "SELECT cntr_value As 'transactions' FROM sys.dm_os_performance_counters WHERE counter_name = 'Transactions' AND object_name like '%General Statistics%'" - response_format: table - - query: "SELECT cntr_value As 're_compilations_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'SQL Re-Compilations/sec'" - response_format: table - - query: "SELECT counter_name As 'dynamic_counter.name', cntr_value As 'dynamic_counter.value' FROM sys.dm_os_performance_counters WHERE counter_name= '{{dynamic_counter_name}}'" - response_format: table diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/performance/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 05662deb30..0000000000 
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -description: Pipeline for processing mssql performance -processors: -- remove: - field: sql.driver - ignore_missing: true - ignore_failure: true -- remove: - field: sql.query - ignore_missing: true - ignore_failure: true -- rename: - field: sql - target_field: mssql - ignore_missing: true - ignore_failure: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/base-fields.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/base-fields.yml deleted file mode 100755 index d64174c19b..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/base-fields.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -- description: |- - An overarching type for the data stream. - Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. - name: data_stream.type - type: constant_keyword -- description: |- - The field can contain anything that makes sense to signify the source of the data. - Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. - Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.dataset - type: constant_keyword -- description: |- - A user defined namespace. Namespaces are useful to allow grouping of data. - Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. - Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.namespace - type: constant_keyword -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/ecs.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/ecs.yml deleted file mode 100755 index b485c25d5a..0000000000 
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/ecs.yml +++ /dev/null @@ -1,16 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/fields.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/fields.yml deleted file mode 100755 index 59bb3d10ea..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/fields/fields.yml +++ /dev/null 
@@ -1,70 +0,0 @@
-- name: mssql
- type: group
- release: beta
- fields:
- - name: metrics
- type: group
- fields:
- - name: page_splits_per_sec
- type: float
- metric_type: gauge
- description: Number of page splits per second that occur as the result of overflowing index pages.
- - name: lock_waits_per_sec
- type: float
- metric_type: gauge
- description: Number of lock requests per second that required the caller to wait.
- - name: user_connections
- type: long
- description: Total number of user connections.
- - name: active_temp_tables
- type: long
- description: Number of temporary tables/table variables in use.
- - name: transactions
- type: long
- description: Total number of transactions
- - name: connection_reset_per_sec
- type: float
- metric_type: gauge
- description: Total number of logins started per second from the connection pool.
- - name: logins_per_sec
- type: float
- metric_type: gauge
- description: Total number of logins started per second. This does not include pooled connections.
- - name: logouts_per_sec
- type: float
- metric_type: gauge
- description: Total number of logout operations started per second.
- - name: re_compilations_per_sec
- type: float
- metric_type: gauge
- description: Number of statement recompiles per second. Counts the number of times statement recompiles are triggered. Generally, you want the recompiles to be low.
- - name: compilations_per_sec
- type: float
- metric_type: gauge
- description: Number of SQL compilations per second. Indicates the number of times the compile code path is entered. Includes compiles caused by statement-level recompilations in SQL Server. After SQL Server user activity is stable, this value reaches a steady state.
- - name: batch_requests_per_sec
- type: float
- metric_type: gauge
- description: Number of Transact-SQL command batches received per second. This statistic is affected by all constraints (such as I/O, number of users, cache size, complexity of requests, and so on). 
High batch requests mean good throughput.
- - name: buffer_cache_hit_ratio
- type: double
- description: The ratio is the total number of cache hits divided by the total number of cache lookups over the last few thousand page accesses. After a long period of time, the ratio moves very little. Because reading from the cache is much less expensive than reading from disk, you want this ratio to be high.
- - name: buffer_page_life_expectancy
- type: long
- description: Indicates the number of seconds a page will stay in the buffer pool without references (in seconds).
- - name: buffer_checkpoint_pages_per_sec
- type: float
- metric_type: gauge
- description: Indicates the number of pages flushed to disk per second by a checkpoint or other operation that require all dirty pages to be flushed.
- - name: buffer_database_pages
- type: long
- description: Indicates the number of pages in the buffer pool with database content.
- - name: buffer_target_pages
- type: long
- description: Ideal number of pages in the buffer pool.
- - name: dynamic_counter.value
- type: long
- description: Dynamic counter value is fetched from performance table for the dynamic counter name which is provided by user.
- - name: dynamic_counter.name
- type: keyword
- description: Dynamic counter name is given by user.
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/manifest.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/performance/manifest.yml
deleted file mode 100755
index 2d0a3a93b0..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/manifest.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-type: metrics
-title: Microsoft SQL Server performance metrics
-release: beta
-streams:
- - input: sql/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 60s
- - name: dynamic_counter_name
- type: text
- title: Dynamic Counter Name
- multi: false
- required: false
- show_user: true
- default: Memory Grants Pending
- description: Collect the dynamic counter value for the provided counter name from the performance table.
- title: Microsoft SQL Server performance metrics
- description: Collect Microsoft SQL Server performance metrics
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/sample_event.json b/packages/microsoft_sqlserver/1.1.1/data_stream/performance/sample_event.json
deleted file mode 100755
index f967ddb103..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/performance/sample_event.json
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- "@timestamp": "2022-06-08T13:35:05.558Z",
- "agent": {
- "ephemeral_id": "16ad2de8-8ba3-496f-98d1-cbe19441c168",
- "id": "848cea0e-c052-49b3-983d-64e13d3b9a6f",
- "name": "docker-fleet-agent",
- "type": "metricbeat",
- "version": "8.3.0"
- },
- "cloud": {
- "account": {},
- "instance": {
- "id": "b30e45e6-7900-4900-8d67-e37cb13374bc",
- "name": "obs-int-windows-dev"
- },
- "machine": {
- "type": "Standard_D16ds_v5"
- },
- "provider": "azure",
- "region": "CentralIndia",
- "service": {
- "name": "Virtual Machines"
- }
- },
- "data_stream": {
- "dataset": "microsoft_sqlserver.performance",
- "namespace": "ep",
- "type": "metrics"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "848cea0e-c052-49b3-983d-64e13d3b9a6f",
- "snapshot": true,
- "version": "8.3.0"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "microsoft_sqlserver.performance",
- "duration": 7151724,
- "ingested": "2022-06-08T13:35:06Z",
- "module": "sql"
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "172.18.0.4"
- ],
- "mac": [
- "02:42:ac:12:00:04"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.16.3-microsoft-standard-WSL2",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "metricset": {
- "name": "query",
- "period": 60000
- },
- "mssql": {
- "metrics": {
- "user_connections": 1
- }
- },
- "service": {
- "address": "elastic-package-service-microsoft_sqlserver-1:1433",
- "type": "sql"
- }
-}
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/agent/stream/stream.yml.hbs b/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/agent/stream/stream.yml.hbs
deleted file mode 100755
index 4b8036ddd2..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,33 +0,0 @@
-metricsets: ["query"]
-# Specify hosts in the below format. TODO:hosts need to be updated to support multiple entries.
-hosts:
- - sqlserver://{{username}}:{{password}}@{{hosts}}:{{port}}
-period: {{period}}
-driver: mssql
-raw_data.enabled: true
-# Collect the transaction logs from the system database
-sql_queries:
- - query: "SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=1;"
- response_format: table
- - query: "SELECT 'master' As database_name, database_id,total_log_size_mb,active_log_size_mb,log_backup_time,log_since_last_log_backup_mb,log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(1) master"
- response_format: table
- - query: "SELECT 'master' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage master"
- response_format: table
- - query: "SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=2;"
- response_format: table
- - query: "SELECT 'tempdb' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As active_log_size,log_backup_time,log_since_last_log_backup_mb, log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(2) tempdb"
- response_format: table
- - query: "SELECT 'tempdb' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage tempdb"
- response_format: table
- - query: "SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=3;"
- response_format: table
- - query: "SELECT 'model' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As active_log_size,log_backup_time,log_since_last_log_backup_mb, 
log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(3) model"
- response_format: table
- - query: "SELECT 'model' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage model"
- response_format: table
- - query: "SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=4;"
- response_format: table
- - query: "SELECT 'msdb' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As active_log_size,log_backup_time,log_since_last_log_backup_mb, log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(4) msdb"
- response_format: table
- - query: "SELECT 'msdb' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage msdb"
- response_format: table
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7c8708dfa5..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,75 +0,0 @@ ---- -description: Pipeline for processing mssql transaction_log -processors: -- remove: - field: sql.driver - ignore_failure: true - ignore_missing: true -- remove: - field: sql.query - ignore_failure: true - ignore_missing: true -- rename: - field: sql - target_field: mssql - ignore_missing: true - ignore_failure: true -- rename: - field: mssql.metrics.log_since_last_checkpoint_mb - target_field: mssql.metrics.log_since_last_checkpoint - ignore_missing: true - ignore_failure: true -- rename: - field: mssql.metrics.log_recovery_size_mb - target_field: mssql.metrics.log_recovery_size - ignore_missing: true - ignore_failure: true -- rename: - field: mssql.metrics.total_log_size_mb - target_field: mssql.metrics.total_log_size - ignore_missing: true - ignore_failure: true -- rename: - field: mssql.metrics.active_log_size_mb - target_field: mssql.metrics.active_log_size - ignore_missing: true - ignore_failure: true -- rename: - field: mssql.metrics.log_since_last_log_backup_mb - target_field: mssql.metrics.log_since_last_log_backup - ignore_missing: true - ignore_failure: true -- script: - lang: painless - source: ctx.mssql.metrics.log_since_last_checkpoint = Math.round(ctx.mssql.metrics.log_since_last_checkpoint * params.scale) - params: - scale: 1048576 - if: ctx.mssql.metrics.log_since_last_checkpoint != null -- script: - lang: painless - source: ctx.mssql.metrics.log_recovery_size = Math.round(ctx.mssql.metrics.log_recovery_size * params.scale) - params: - scale: 1048576 - if: ctx.mssql.metrics.log_recovery_size != null -- script: - lang: painless - source: ctx.mssql.metrics.total_log_size = Math.round(ctx.mssql.metrics.total_log_size * params.scale) - params: - scale: 1048576 - if: ctx.mssql.metrics.total_log_size != null -- script: - lang: painless - source: ctx.mssql.metrics.active_log_size = Math.round(ctx.mssql.metrics.active_log_size * params.scale) - params: - scale: 1048576 - if: ctx.mssql.metrics.active_log_size != null -- script: - lang: 
painless - source: ctx.mssql.metrics.log_since_last_log_backup = Math.round(ctx.mssql.metrics.log_since_last_log_backup * params.scale) - params: - scale: 1048576 - if: ctx.mssql.metrics.log_since_last_log_backup != null -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/base-fields.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/base-fields.yml deleted file mode 100755 index d64174c19b..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/base-fields.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -- description: |- - An overarching type for the data stream. - Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. - name: data_stream.type - type: constant_keyword -- description: |- - The field can contain anything that makes sense to signify the source of the data. - Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. - Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.dataset - type: constant_keyword -- description: |- - A user defined namespace. Namespaces are useful to allow grouping of data. - Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. - Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: - * Must not contain `-` - * No longer than 100 characters - name: data_stream.namespace - type: constant_keyword -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date 
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/ecs.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/ecs.yml deleted file mode 100755 index b485c25d5a..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/ecs.yml +++ /dev/null @@ -1,16 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Address where data about this service was collected from. - This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). - name: service.address - type: keyword -- description: |- - The type of the service data is collected from. - The type can be used to group and correlate logs and metrics from one service type. - Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. - name: service.type - type: keyword diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/fields.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/fields.yml deleted file mode 100755 index 1b66b39643..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/fields/fields.yml +++ /dev/null 
@@ -1,62 +0,0 @@
-- name: mssql
- type: group
- release: beta
- fields:
- - name: metrics
- type: group
- fields:
- - name: database_id
- type: long
- dimension: true
- description: Unique ID of the database inside MSSQL.
- - name: database_name
- type: keyword
- description: Name of the database.
- - name: log_since_last_checkpoint
- type: long
- unit: byte
- metric_type: gauge
- description: Log size in bytes since last checkpoint log sequence number (LSN).
- - name: log_recovery_size
- type: long
- unit: byte
- metric_type: gauge
- description: Log size in bytes since log recovery log sequence number (LSN).
- - name: total_log_size
- type: long
- unit: byte
- metric_type: counter
- description: Total log size.
- - name: log_backup_time
- type: date
- description: Last transaction log backup time.
- - name: active_log_size
- type: long
- unit: byte
- metric_type: counter
- description: Total active transaction log size in bytes.
- - name: log_since_last_log_backup
- type: long
- unit: byte
- metric_type: gauge
- description: Log file size since last backup in bytes.
- - name: used_log_space_pct
- type: float
- unit: percent
- metric_type: gauge
- description: A percentage of the occupied size of the log as a percent of the total log size.
- - name: used_log_space_bytes
- type: long
- unit: byte
- metric_type: gauge
- description: The occupied size of the log in bytes.
- - name: log_space_in_bytes_since_last_backup
- type: long
- unit: byte
- metric_type: gauge
- description: The amount of space used since the last log backup in bytes.
- - name: total_log_size_bytes
- type: long
- unit: byte
- metric_type: counter
- description: Total transaction log size in bytes.
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/manifest.yml b/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/manifest.yml
deleted file mode 100755
index 3f3b27e23b..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/manifest.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-type: metrics
-title: Microsoft SQL Server transaction_log metrics
-release: beta
-streams:
- - input: sql/metrics
- enabled: false
- vars:
- - name: period
- type: text
- title: Period
- multi: false
- required: true
- show_user: true
- default: 60s
- title: Microsoft SQL Server transaction_log metrics
- description: Collect Microsoft SQL Server transaction_log metrics
diff --git a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/sample_event.json b/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/sample_event.json
deleted file mode 100755
index 908ca32949..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/data_stream/transaction_log/sample_event.json
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- "@timestamp": "2022-06-08T10:20:14.787809Z",
- "mssql": {
- "metrics": {
- "database_name": "msdb",
- "database_id": 1,
- "used_log_space_bytes": 41.17647171020508,
- "log_space_in_bytes_since_last_backup": 397312,
- "total_log_size_bytes": 2088960,
- "used_log_space_pct": 860160
- }
- },
- "metricset": {
- "period": 10000,
- "name": "query"
- },
- "agent": {
- "id": "e7b17c22-4223-46c3-b982-ff0d570b5fa6",
- "ephemeral_id": "d1a76cf4-2463-478a-a474-36e771218467",
- "type": "metricbeat",
- "version": "8.3.0"
- },
- "service": {
- "address": "54.90.251.237:1433",
- "type": "sql"
- },
- "elastic_agent": {
- "id": "e7b17c22-4223-46c3-b982-ff0d570b5fa6",
- "version": "8.3.0",
- "snapshot": true
- },
- "event": {
- "duration": 5595352584,
- "agent_id_status": "verified",
- "ingested": "2022-05-23T10:20:21Z",
- "module": "sql",
- "dataset": "microsoft_sqlserver.transaction_log"
- },
- "data_stream": {
- "namespace": "default",
- "type": "metrics",
- "dataset": "microsoft_sqlserver.transaction_log"
- },
- "ecs": {
- "version": "8.0.0"
- }
-}
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/1.1.1/docs/README.md b/packages/microsoft_sqlserver/1.1.1/docs/README.md
deleted file mode 100755
index d1a96da2f6..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/docs/README.md
+++ /dev/null
@@ -1,381 +0,0 @@ -# Microsoft SQL Server Integration - -The Microsoft SQL Server integration package allows you to search, observe and visualize the SQL Server audit logs and metrics through Elasticsearch. - -Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. -SQL Server audit lets you create server audits, which can contain server audit specifications for server level events, and database audit specifications for database level events. -See: [SQL Server Audit page](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-ver15) for more information on SQL Server auditing. - -`performance` metrics gathers the list of performance objects available on that server. Each server will have a different list of performance objects depending on the installed software. -`transaction_log` metrics collects all usage stats and the total space usage. - -## Named Instance - -Microsoft SQL Server has a feature that allows running multiple databases on the same host (or clustered hosts) with separate settings. Edit the instance port and provide the named instance port to connect to the named instance and collect metrics. -See: [Instruction on how to configure server to listen Named Instance port](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port?view=sql-server-ver15) - -## Compatibility - -The package collects `performance` and `transaction_log` metrics, and `audit` events from the event log. Other log sources such as file are not supported. - -## Configuration - -### audit - -There are several levels of auditing for SQL Server, depending on government or standards requirements for your installation. The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual events. 
- -See: [SQL Server Audit Action Groups and Actions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver15) for more information on the different audit levels. - -See: [Instructions on how to enable auditing for SQL Server](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification?view=sql-server-ver15). - ->Note: For the integration package to be able to read and send audit events the event target must be configured to be Windows event log. - -### audit events - -Enable to collect SQL Server audit events from the specified windows event log channel. - -### performance metrics - -Collects the `performance` counter metrics. Dynamic counter feature provides flexibility to collect metrics by providing the counter name as an input. - -See: [Instructions about each performance counter metrics](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-os-performance-counters-transact-sql?view=sql-server-ver15 -) - -### transaction_log metrics - -Collects system level `transaction_log` metrics information for SQL Server instance. - -See: [Instructions and the operations supported by transaction log](https://docs.microsoft.com/en-us/sql/relational-databases/logs/the-transaction-log-sql-server?view=sql-server-ver15) - -## Logs - -### audit - -The SQL Server audit dataset provides events from the configured Windows event log channel. All SQL Server audit specific fields are available in the `sqlserver.audit` field group. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. 
| match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| process.thread.id | Thread ID. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sqlserver.audit.action_id | ID of the action | keyword | -| sqlserver.audit.additional_information | Any additional information about the event stored as XML. | text | -| sqlserver.audit.affected_rows | Number of rows affected by the operation. 
| long | -| sqlserver.audit.application_name | Name of the application that caused the audit event. | keyword | -| sqlserver.audit.audit_schema_version | Audit event schema version. | keyword | -| sqlserver.audit.class_type | Type of auditable entity that the audit occurs on. | keyword | -| sqlserver.audit.client_ip | "Name or IP address of the machine running the application that caused the audit event." | keyword | -| sqlserver.audit.connection_id | Connection ID (unique UUID for the connection) | keyword | -| sqlserver.audit.data_sensitivity_information | Sensitivity information about the operation. | keyword | -| sqlserver.audit.database_name | The database context in which the action occurred. | keyword | -| sqlserver.audit.database_principal_id | ID of the database user context that the action is performed in. | keyword | -| sqlserver.audit.database_principal_name | Current user. | keyword | -| sqlserver.audit.duration_milliseconds | Duration of the operation in milliseconds. | long | -| sqlserver.audit.event_time | Date/time when the auditable action is fired. | date | -| sqlserver.audit.host_name | SQL Server host name. | keyword | -| sqlserver.audit.is_column_permission | Flag indicating a column level permission | boolean | -| sqlserver.audit.object_id | "The primary ID of the entity on which the audit occurred. This ID can be one of server objects, databases, database objects or schema objects." | keyword | -| sqlserver.audit.object_name | "The name of the entity on which the audit occurred. This can be server objects, databases, database objects, schema objects or TSQL statement (if any)." | keyword | -| sqlserver.audit.permission_bitmask | When applicable shows the permissions that were granted, denied or revoked. | keyword | -| sqlserver.audit.response_rows | Number of rows returned. | long | -| sqlserver.audit.schema_name | The schema context in which the action occurred. 
| keyword | -| sqlserver.audit.sequence_group_id | Sequence group ID (unique UUID). | keyword | -| sqlserver.audit.sequence_number | Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. | integer | -| sqlserver.audit.server_instance_name | "Name of the server instance where the audit occurred. Uses the standard machine\\instance format." | keyword | -| sqlserver.audit.server_principal_id | ID of the login context that the action is performed in. | keyword | -| sqlserver.audit.server_principal_name | Current login. | keyword | -| sqlserver.audit.server_principal_sid | Current login SID. | keyword | -| sqlserver.audit.session_id | ID of the session on which the event occurred. | integer | -| sqlserver.audit.session_server_principal_name | Server principal for the session. | keyword | -| sqlserver.audit.statement | TSQL statement (if any) | text | -| sqlserver.audit.succeeded | Indicates whether or not the permission check of the action triggering the audit event succeeded or failed. | boolean | -| sqlserver.audit.target_database_principal_id | Database principal that the auditable action applies to. | keyword | -| sqlserver.audit.target_database_principal_name | Target user of the action. | keyword | -| sqlserver.audit.target_server_principal_id | Server principal that the auditable action applies to. | keyword | -| sqlserver.audit.target_server_principal_name | Target login of the action. | keyword | -| sqlserver.audit.target_server_principal_sid | SID of the target login. | keyword | -| sqlserver.audit.transaction_id | Transaction ID | keyword | -| sqlserver.audit.user_defined_event_id | User defined event ID. | integer | -| sqlserver.audit.user_defined_information | User defined information | text | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.id | Unique identifier of the user. 
| keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
| keyword |
-| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
-| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
-| winlog.user.name | Name of the user associated with this event. | keyword |
-| winlog.user.type | The type of account associated with this event. | keyword |
-| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object |
-| winlog.version | The version number of the event's definition. | long |
-
-
-## Metrics
-
-### performance
-
-The Microsoft SQL Server `performance` dataset provides metrics from the performance counter table. All `performance` metrics will be available in `sqlserver.metrics` field group.
- -An example event for `performance` looks as following: - -```json -{ - "@timestamp": "2022-06-08T13:35:05.558Z", - "agent": { - "ephemeral_id": "16ad2de8-8ba3-496f-98d1-cbe19441c168", - "id": "848cea0e-c052-49b3-983d-64e13d3b9a6f", - "name": "docker-fleet-agent", - "type": "metricbeat", - "version": "8.3.0" - }, - "cloud": { - "account": {}, - "instance": { - "id": "b30e45e6-7900-4900-8d67-e37cb13374bc", - "name": "obs-int-windows-dev" - }, - "machine": { - "type": "Standard_D16ds_v5" - }, - "provider": "azure", - "region": "CentralIndia", - "service": { - "name": "Virtual Machines" - } - }, - "data_stream": { - "dataset": "microsoft_sqlserver.performance", - "namespace": "ep", - "type": "metrics" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "848cea0e-c052-49b3-983d-64e13d3b9a6f", - "snapshot": true, - "version": "8.3.0" - }, - "event": { - "agent_id_status": "verified", - "dataset": "microsoft_sqlserver.performance", - "duration": 7151724, - "ingested": "2022-06-08T13:35:06Z", - "module": "sql" - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "172.18.0.4" - ], - "mac": [ - "02:42:ac:12:00:04" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.16.3-microsoft-standard-WSL2", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "metricset": { - "name": "query", - "period": 60000 - }, - "mssql": { - "metrics": { - "user_connections": 1 - } - }, - "service": { - "address": "elastic-package-service-microsoft_sqlserver-1:1433", - "type": "sql" - } -} -``` - -**Exported fields** - -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. 
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | -| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | -| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | -| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| mssql.metrics.active_temp_tables | Number of temporary tables/table variables in use. | long | | -| mssql.metrics.batch_requests_per_sec | Number of Transact-SQL command batches received per second. 
This statistic is affected by all constraints (such as I/O, number of users, cache size, complexity of requests, and so on). High batch requests mean good throughput. | float | gauge | -| mssql.metrics.buffer_cache_hit_ratio | The ratio is the total number of cache hits divided by the total number of cache lookups over the last few thousand page accesses. After a long period of time, the ratio moves very little. Because reading from the cache is much less expensive than reading from disk, you want this ratio to be high. | double | | -| mssql.metrics.buffer_checkpoint_pages_per_sec | Indicates the number of pages flushed to disk per second by a checkpoint or other operation that require all dirty pages to be flushed. | float | gauge | -| mssql.metrics.buffer_database_pages | Indicates the number of pages in the buffer pool with database content. | long | | -| mssql.metrics.buffer_page_life_expectancy | Indicates the number of seconds a page will stay in the buffer pool without references (in seconds). | long | | -| mssql.metrics.buffer_target_pages | Ideal number of pages in the buffer pool. | long | | -| mssql.metrics.compilations_per_sec | Number of SQL compilations per second. Indicates the number of times the compile code path is entered. Includes compiles caused by statement-level recompilations in SQL Server. After SQL Server user activity is stable, this value reaches a steady state. | float | gauge | -| mssql.metrics.connection_reset_per_sec | Total number of logins started per second from the connection pool. | float | gauge | -| mssql.metrics.dynamic_counter.name | Dynamic counter name is given by user. | keyword | | -| mssql.metrics.dynamic_counter.value | Dynamic counter value is fetched from performance table for the dynamic counter name which is provided by user. | long | | -| mssql.metrics.lock_waits_per_sec | Number of lock requests per second that required the caller to wait. 
| float | gauge | -| mssql.metrics.logins_per_sec | Total number of logins started per second. This does not include pooled connections. | float | gauge | -| mssql.metrics.logouts_per_sec | Total number of logout operations started per second. | float | gauge | -| mssql.metrics.page_splits_per_sec | Number of page splits per second that occur as the result of overflowing index pages. | float | gauge | -| mssql.metrics.re_compilations_per_sec | Number of statement recompiles per second. Counts the number of times statement recompiles are triggered. Generally, you want the recompiles to be low. | float | gauge | -| mssql.metrics.transactions | Total number of transactions | long | | -| mssql.metrics.user_connections | Total number of user connections. | long | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | - - -### transaction_log - -The Microsoft SQL Server `transaction_log` dataset provides metrics from the log space usage and log stats tables of the system databases. All `transaction_log` metrics will be available in `sqlserver.metrics` field group. 
- -An example event for `transaction_log` looks as following: - -```json -{ - "@timestamp": "2022-06-08T10:20:14.787809Z", - "mssql": { - "metrics": { - "database_name": "msdb", - "database_id": 1, - "used_log_space_bytes": 41.17647171020508, - "log_space_in_bytes_since_last_backup": 397312, - "total_log_size_bytes": 2088960, - "used_log_space_pct": 860160 - } - }, - "metricset": { - "period": 10000, - "name": "query" - }, - "agent": { - "id": "e7b17c22-4223-46c3-b982-ff0d570b5fa6", - "ephemeral_id": "d1a76cf4-2463-478a-a474-36e771218467", - "type": "metricbeat", - "version": "8.3.0" - }, - "service": { - "address": "54.90.251.237:1433", - "type": "sql" - }, - "elastic_agent": { - "id": "e7b17c22-4223-46c3-b982-ff0d570b5fa6", - "version": "8.3.0", - "snapshot": true - }, - "event": { - "duration": 5595352584, - "agent_id_status": "verified", - "ingested": "2022-05-23T10:20:21Z", - "module": "sql", - "dataset": "microsoft_sqlserver.transaction_log" - }, - "data_stream": { - "namespace": "default", - "type": "metrics", - "dataset": "microsoft_sqlserver.transaction_log" - }, - "ecs": { - "version": "8.0.0" - } -} -``` - -**Exported fields** - -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | -| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. 
Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | -| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | | | -| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| mssql.metrics.active_log_size | Total active transaction log size in bytes. | long | byte | counter | -| mssql.metrics.database_id | Unique ID of the database inside MSSQL. | long | | | -| mssql.metrics.database_name | Name of the database. | keyword | | | -| mssql.metrics.log_backup_time | Last transaction log backup time. | date | | | -| mssql.metrics.log_recovery_size | Log size in bytes since log recovery log sequence number (LSN). | long | byte | gauge | -| mssql.metrics.log_since_last_checkpoint | Log size in bytes since last checkpoint log sequence number (LSN). | long | byte | gauge | -| mssql.metrics.log_since_last_log_backup | Log file size since last backup in bytes. 
| long | byte | gauge |
-| mssql.metrics.log_space_in_bytes_since_last_backup | The amount of space used since the last log backup in bytes. | long | byte | gauge |
-| mssql.metrics.total_log_size | Total log size. | long | byte | counter |
-| mssql.metrics.total_log_size_bytes | Total transaction log size in bytes. | long | byte | counter |
-| mssql.metrics.used_log_space_bytes | The occupied size of the log in bytes. | long | byte | gauge |
-| mssql.metrics.used_log_space_pct | A percentage of the occupied size of the log as a percent of the total log size. | float | percent | gauge |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
diff --git a/packages/microsoft_sqlserver/1.1.1/img/microsoft-sql-server-logo.svg b/packages/microsoft_sqlserver/1.1.1/img/microsoft-sql-server-logo.svg
deleted file mode 100755
index 30758ba323..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/img/microsoft-sql-server-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/1.1.1/img/sqlserver-dashboard.png b/packages/microsoft_sqlserver/1.1.1/img/sqlserver-dashboard.png
deleted file mode 100755
index 8929f7c2a9..0000000000
Binary files a/packages/microsoft_sqlserver/1.1.1/img/sqlserver-dashboard.png and /dev/null differ
diff --git a/packages/microsoft_sqlserver/1.1.1/img/sqlserver-perf-dashboard.png b/packages/microsoft_sqlserver/1.1.1/img/sqlserver-perf-dashboard.png
deleted file mode 100755
index fa26d165a7..0000000000
Binary files a/packages/microsoft_sqlserver/1.1.1/img/sqlserver-perf-dashboard.png and /dev/null differ
diff --git a/packages/microsoft_sqlserver/1.1.1/img/sqlserver-transaction-dashboard.png b/packages/microsoft_sqlserver/1.1.1/img/sqlserver-transaction-dashboard.png
deleted file mode 100755
index 41b51ea3b9..0000000000
Binary files a/packages/microsoft_sqlserver/1.1.1/img/sqlserver-transaction-dashboard.png and /dev/null differ
diff --git a/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json b/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json
deleted file mode 100755
index 1c8b4fad30..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json
+++ /dev/null
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "An overview of the transaction log of each database in a Microsoft SQL Server instance", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"mssql.metrics.database_name\",\"id\":\"1654252440058\",\"indexPatternRefName\":\"control_54848bf4-7be8-47d5-9456-745b7e7e41ce_0_index_pattern\",\"label\":\"Database Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"54848bf4-7be8-47d5-9456-745b7e7e41ce\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"54848bf4-7be8-47d5-9456-745b7e7e41ce\",\"title\":\"Database Selector [Metrics Microsoft 
SqlServer]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"1569a491-ab74-45b7-bb0f-f25736d8fff2\",\"index_pattern_ref_name\":\"metrics_033d2eb9-9d99-4c61-9d87-5410f2fa6607_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d77d5f8f-c5ba-49f7-94cf-1317312584be\",\"label\":\"Total Log Space Usage [Metrics Microsoft SqlServer]\",\"line_width\":1,\"metrics\":[{\"field\":\"mssql.metrics.total_log_size_bytes\",\"id\":\"db45fa88-df7c-46ed-8a45-ef9e8f11a2c2\",\"type\":\"avg\"}],\"offset_time\":\"\",\"override_index_pattern\":0,\"palette\":{\"name\":\"gradient\",\"params\":{\"colors\":[\"#68BC00\",\"rgb(0, 0, 0)\"],\"gradient\":true},\"type\":\"palette\"},\"point_size\":\"01\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"steps\":0,\"terms_field\":\"mssql.metrics.database_name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"033d2eb9-9d99-4c61-9d87-5410f2fa6607\",\"w\":18,\"x\":12,\"y\":0},\"panelIndex\":\"033d2eb9-9d99-4c61-9d87-5410f2fa6607\",\"title\":\"Total Log Space Usage [Metrics Microsoft 
SqlServer]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"efb35b3a-5ea1-4c58-ad29-357a5d53afb9\",\"index_pattern_ref_name\":\"metrics_ecca4f7b-5846-4659-a8a3-844276779869_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"percent\",\"id\":\"fcc0ab77-f30c-417b-b91a-dc0eecc0d4e0\",\"label\":\"Percentage of Used Space [Metrics Microsoft SqlServer]\",\"line_width\":\"1\",\"metrics\":[{\"field\":\"mssql.metrics.used_log_space_pct\",\"id\":\"0b1a9a76-45ed-4968-910a-d4c05d169c47\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"gradient\",\"params\":{\"colors\":[\"#68BC00\",\"rgb(0, 0, 0)\"],\"gradient\":true},\"type\":\"palette\"},\"point_size\":\"01\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"terms_field\":\"mssql.metrics.database_name\",\"terms_order_by\":\"_count\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":12,\"i\":\"ecca4f7b-5846-4659-a8a3-844276779869\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"ecca4f7b-5846-4659-a8a3-844276779869\",\"title\":\"Percentage of Used Space [Metrics Microsoft 
SqlServer]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"1569a491-ab74-45b7-bb0f-f25736d8fff2\",\"index_pattern_ref_name\":\"metrics_41b881a5-df21-4ef0-90c6-9906a0107f5e_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d77d5f8f-c5ba-49f7-94cf-1317312584be\",\"label\":\"Used log space [Metrics Microsoft SqlServer]\",\"line_width\":1,\"metrics\":[{\"field\":\"mssql.metrics.used_log_space_bytes\",\"id\":\"db45fa88-df7c-46ed-8a45-ef9e8f11a2c2\",\"type\":\"avg\"}],\"offset_time\":\"\",\"override_index_pattern\":0,\"palette\":{\"name\":\"gradient\",\"params\":{\"colors\":[\"#68BC00\",\"rgb(0, 0, 0)\"],\"gradient\":true},\"type\":\"palette\"},\"point_size\":\"01\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"steps\":0,\"terms_field\":\"mssql.metrics.database_name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"41b881a5-df21-4ef0-90c6-9906a0107f5e\",\"w\":23,\"x\":0,\"y\":12},\"panelIndex\":\"41b881a5-df21-4ef0-90c6-9906a0107f5e\",\"title\":\"Used Space [Metrics Microsoft 
SqlServer]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"1569a491-ab74-45b7-bb0f-f25736d8fff2\",\"index_pattern_ref_name\":\"metrics_d065062d-1b53-4cd1-80db-462b58e97632_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d77d5f8f-c5ba-49f7-94cf-1317312584be\",\"label\":\"Log space size since last backup [Metrics Microsoft SqlServer]\",\"line_width\":1,\"metrics\":[{\"field\":\"mssql.metrics.log_space_in_bytes_since_last_backup\",\"id\":\"db45fa88-df7c-46ed-8a45-ef9e8f11a2c2\",\"type\":\"avg\"}],\"offset_time\":\"\",\"override_index_pattern\":0,\"palette\":{\"name\":\"gradient\",\"params\":{\"colors\":[\"#68BC00\",\"rgb(0, 0, 0)\"],\"gradient\":true},\"type\":\"palette\"},\"point_size\":\"1\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"stacked\",\"steps\":0,\"terms_field\":\"mssql.metrics.database_name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"d065062d-1b53-4cd1-80db-462b58e97632\",\"w\":25,\"x\":23,\"y\":12},\"panelIndex\":\"d065062d-1b53-4cd1-80db-462b58e97632\",\"title\":\"Log Space Since Last Backup [Metrics Microsoft 
SqlServer]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"1569a491-ab74-45b7-bb0f-f25736d8fff2\",\"index_pattern_ref_name\":\"metrics_ed535f03-9d86-4021-9d47-c315a012aceb_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d77d5f8f-c5ba-49f7-94cf-1317312584be\",\"label\":\"Recovery size [Metrics Microsoft SqlServer]\",\"line_width\":1,\"metrics\":[{\"field\":\"mssql.metrics.log_recovery_size\",\"id\":\"db45fa88-df7c-46ed-8a45-ef9e8f11a2c2\",\"type\":\"avg\"}],\"offset_time\":\"\",\"override_index_pattern\":0,\"palette\":{\"name\":\"gradient\",\"params\":{\"colors\":[\"#68BC00\",\"rgb(0, 0, 0)\"],\"gradient\":true},\"type\":\"palette\"},\"point_size\":\"1\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"mssql.metrics.database_name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"ed535f03-9d86-4021-9d47-c315a012aceb\",\"w\":23,\"x\":0,\"y\":28},\"panelIndex\":\"ed535f03-9d86-4021-9d47-c315a012aceb\",\"title\":\"Recovery Size [Metrics Microsoft 
SqlServer]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"1569a491-ab74-45b7-bb0f-f25736d8fff2\",\"index_pattern_ref_name\":\"metrics_1c270f8b-8e64-410d-a5e4-a4cc45c4fa2c_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d77d5f8f-c5ba-49f7-94cf-1317312584be\",\"label\":\"Transaction log size since last checkpoint [Metrics Microsoft SqlServer]\",\"line_width\":1,\"metrics\":[{\"field\":\"mssql.metrics.log_since_last_checkpoint\",\"id\":\"db45fa88-df7c-46ed-8a45-ef9e8f11a2c2\",\"type\":\"avg\"}],\"offset_time\":\"\",\"override_index_pattern\":0,\"palette\":{\"name\":\"gradient\",\"params\":{\"colors\":[\"#68BC00\",\"rgb(0, 0, 0)\"],\"gradient\":true},\"type\":\"palette\"},\"point_size\":\"1\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"mssql.metrics.database_name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"1c270f8b-8e64-410d-a5e4-a4cc45c4fa2c\",\"w\":25,\"x\":23,\"y\":28},\"panelIndex\":\"1c270f8b-8e64-410d-a5e4-a4cc45c4fa2c\",\"title\":\"Log Size Since Last Checkpoint [Metrics Microsoft 
SqlServer]\",\"type\":\"visualization\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"1569a491-ab74-45b7-bb0f-f25736d8fff2\",\"index_pattern_ref_name\":\"metrics_af6dc077-868f-460c-bc8a-11019b087898_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d77d5f8f-c5ba-49f7-94cf-1317312584be\",\"label\":\"Active size [Metrics Microsoft SqlServer]\",\"line_width\":1,\"metrics\":[{\"field\":\"mssql.metrics.active_log_size\",\"id\":\"db45fa88-df7c-46ed-8a45-ef9e8f11a2c2\",\"type\":\"avg\"}],\"offset_time\":\"\",\"override_index_pattern\":0,\"palette\":{\"name\":\"gradient\",\"params\":{\"colors\":[\"#68BC00\",\"rgb(0, 0, 0)\"],\"gradient\":true},\"type\":\"palette\"},\"point_size\":\"1\",\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":null,\"split_mode\":\"terms\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"mssql.metrics.database_name\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":true},\"title\":\"\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"af6dc077-868f-460c-bc8a-11019b087898\",\"w\":23,\"x\":0,\"y\":44},\"panelIndex\":\"af6dc077-868f-460c-bc8a-11019b087898\",\"title\":\"Active Log Size [Metrics Microsoft SqlServer]\",\"type\":\"visualization\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Microsoft SQL Server] Transaction log", 
- "version": 1
- },
- "coreMigrationVersion": "8.3.0",
- "id": "microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b",
- "migrationVersion": {
- "dashboard": "8.3.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "54848bf4-7be8-47d5-9456-745b7e7e41ce:control_54848bf4-7be8-47d5-9456-745b7e7e41ce_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "033d2eb9-9d99-4c61-9d87-5410f2fa6607:metrics_033d2eb9-9d99-4c61-9d87-5410f2fa6607_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "ecca4f7b-5846-4659-a8a3-844276779869:metrics_ecca4f7b-5846-4659-a8a3-844276779869_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "41b881a5-df21-4ef0-90c6-9906a0107f5e:metrics_41b881a5-df21-4ef0-90c6-9906a0107f5e_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "d065062d-1b53-4cd1-80db-462b58e97632:metrics_d065062d-1b53-4cd1-80db-462b58e97632_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "ed535f03-9d86-4021-9d47-c315a012aceb:metrics_ed535f03-9d86-4021-9d47-c315a012aceb_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "1c270f8b-8e64-410d-a5e4-a4cc45c4fa2c:metrics_1c270f8b-8e64-410d-a5e4-a4cc45c4fa2c_0_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "af6dc077-868f-460c-bc8a-11019b087898:metrics_af6dc077-868f-460c-bc8a-11019b087898_0_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json b/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json
deleted file mode 100755
index 3ab14432ae..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json
+++ /dev/null
@@ -1,167 +0,0 @@ -{ - "attributes": { - "description": "Microsoft SQL Server Audit Events", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b51d3b6d-d5e8-4631-b11c-81dcb81734a8\":{\"columnOrder\":[\"70000b7b-124a-439e-8ef2-6a8dad15c166\",\"a6937f39-2999-4be2-8371-619b5bf2fb67\"],\"columns\":{\"70000b7b-124a-439e-8ef2-6a8dad15c166\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6937f39-2999-4be2-8371-619b5bf2fb67\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"a6937f39-2999-4be2-8371-619b5bf2fb67\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"70000b7b-124a-439e-8ef2-6a8dad15c166\"],\"layerId\":\"b51d3b6d-d5e8-4631-b11c-81dcb81734a8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6937f39-2999-4be2-8371-619b5bf2fb67\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false,\"timeRange\":{\"from\":\"now-2d\",\"to\":\"now\"}},\"gridData\":{\"h\":13,\"i\":\"842e1cfc-7341-462d-8949-eef99e130666\",\"w\":18,\"x\":0,\"y\":0},\"panelIndex\":\"842e1cfc-7341-462d-8949-eef99e130666\",\"title\":\"Microsoft SQL Server Event 
Types\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\":{\"columnOrder\":[\"4652b8d0-971a-4472-bf0a-e19c6834092d\",\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"columns\":{\"4652b8d0-971a-4472-bf0a-e19c6834092d\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5f9fa38a-bd5b-498b-ac78-d698c436773e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of 
events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"layerId\":\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4652b8d0-971a-4472-bf0a-e19c6834092d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"d2bbfd00-6448-4207-9aef-b5bfcb8f978b\",\"w\":17,\"x\":18,\"y\":0},\"panelIndex\":\"d2bbfd00-6448-4207-9aef-b5bfcb8f978b\",\"title\":\"Rate of 
events\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\":{\"columnOrder\":[\"4652b8d0-971a-4472-bf0a-e19c6834092d\",\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"columns\":{\"4652b8d0-971a-4472-bf0a-e19c6834092d\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5f9fa38a-bd5b-498b-ac78-d698c436773e\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.action: \\\"login-failed\\\" \"},\"isBucketed\":false,\"label\":\"Failed 
Logins\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"layerId\":\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4652b8d0-971a-4472-bf0a-e19c6834092d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e0dde78f-31ea-478a-b2d2-7bde0fd3eedb\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e0dde78f-31ea-478a-b2d2-7bde0fd3eedb\",\"title\":\"Rate of Failed 
Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"041831df-5315-4457-98a4-2be03a47fc31\",\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\"],\"columns\":{\"041831df-5315-4457-98a4-2be03a47fc31\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"5m\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Principal Changes\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"SQL LOGIN\",\"SQL USER\",\"WINDOWS 
LOGIN\",\"LOGIN\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SQL LOGIN\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SQL USER\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"WINDOWS LOGIN\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"LOGIN\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"CREATE\",\"DROP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"CREATE\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DROP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"041831df-5315-4457-98a4-2be03a47fc31\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"9df96bf5-959d-470c-afaa-f85cd3921d41\",\"w\":13,\"x\":0,\"y\":13},\"panelIndex\":\"9df96bf5-959d-470c-afaa-f85cd3921d41\",\"title\":\"Database Principal 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"columns\":{\"3216384d-1cdc-43dc-83a0-b0215a64fd12\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Role Member Changes\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5341d8d4-e599-467c-b891-544b3a47ed4f\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"ROLE\",\"SERVER 
ROLE\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"ROLE\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SERVER ROLE\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"SERVER_ROLE_MEMBER_CHANGE_GROUP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"SERVER_ROLE_MEMBER_CHANGE_GROUP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"5341d8d4-e599-467c-b891-544b3a47ed4f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c95238d4-553e-424f-9880-7377837f0ba2\",\"w\":13,\"x\":13,\"y\":13},\"panelIndex\":\"c95238d4-553e-424f-9880-7377837f0ba2\",\"title\":\"Role Member 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\"],\"columns\":{\"3216384d-1cdc-43dc-83a0-b0215a64fd12\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"count()\",\"operationType\":\"formula\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}},\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\"],\"scale\":\"ratio\"},\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Part of 
count()\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5341d8d4-e599-467c-b891-544b3a47ed4f\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"15m\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"DATABASE AUDIT SPECIFICATION\",\"SERVER AUDIT SPECIFICATION\",\"AUDIT\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"DATABASE AUDIT SPECIFICATION\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SERVER AUDIT 
SPECIFICATION\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"AUDIT\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"CREATE\",\"DROP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"CREATE\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DROP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":-90,\"yRight\":0},\"layers\":[{\"accessors\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Number of Audit Changes\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c48ea73e-2a8d-41bf-831c-275c516ee481\",\"w\":13,\"x\":26,\"y\":13},\"panelIndex\":\"c48ea73e-2a8d-41bf-831c-275c516ee481\",\"title\":\"Audit 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03553b27-f941-4b4b-bcb6-8e1943c154f3\":{\"columnOrder\":[\"d4a0fc9f-f361-4113-b529-f55dd6faab93\"],\"columns\":{\"d4a0fc9f-f361-4113-b529-f55dd6faab93\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed Logins\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"login-failed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"login-failed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"d4a0fc9f-f361-4113-b529-f55dd6faab93\",\"layerId\":\"03553b27-f941-4b4b-bcb6-8e1943c154f3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c68c4401-b3a5-486a-8e66-da4bad6b035d\",\"w\":9,\"x\":39,\"y\":13},\"panelIndex\":\"c
68c4401-b3a5-486a-8e66-da4bad6b035d\",\"title\":\"Number of Failed Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"}]",
- "timeRestore": false,
- "title": "[Logs Microsoft SQL Server Audit Events] Overview",
- "version": 1
- },
- "coreMigrationVersion": "7.15.1",
- "id": "microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb",
- "migrationVersion": {
- "dashboard": "7.15.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "842e1cfc-7341-462d-8949-eef99e130666:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-current-indexpattern",
- "type":
"index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-2",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-2",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-2",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name":
"c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-1",
- "type": "index-pattern"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json b/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json
deleted file mode 100755
index b338e5ff8f..0000000000
--- a/packages/microsoft_sqlserver/1.1.1/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json
+++ /dev/null
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "A dashboard with key metrics about a Microsoft SQL Server instance performance", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-c298fa42-a98b-441a-8fc4-7e829887f213\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c298fa42-a98b-441a-8fc4-7e829887f213\":{\"columnOrder\":[\"76d13381-0680-4440-93f3-0a0311532eed\",\"6f0873fb-8f74-42dd-9428-0337640b84e6\"],\"columns\":{\"6f0873fb-8f74-42dd-9428-0337640b84e6\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Average of mssql.metrics.user_connections\",\"operationType\":\"average\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.user_connections\"},\"76d13381-0680-4440-93f3-0a0311532eed\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"6f0873fb-8f74-42dd-9428-0337640b84e6\"],\"layerId\":\"c298fa42-a98b-441a-8fc4-7e829887f213\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"76d13381-0680-4440-93f3-0a0311532eed\"}],\"legend\":{\"isVisible\":t
rue,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"733a1dbb-abdd-45d9-a908-026db7545a29\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"733a1dbb-abdd-45d9-a908-026db7545a29\",\"title\":\"User Connections [Metrics Microsoft SqlServer]\",\"type\":\"lens\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-1ef8ef96-34a6-4ed3-915c-44e3f187e683\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1ef8ef96-34a6-4ed3-915c-44e3f187e683\":{\"columnOrder\":[\"dac33725-ae01-4473-a253-75f68ac4e304\",\"b16cccae-de67-46b3-8ecf-767bd9a35d39\"],\"columns\":{\"b16cccae-de67-46b3-8ecf-767bd9a35d39\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Average of 
mssql.metrics.batch_requests_per_sec\",\"operationType\":\"average\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.batch_requests_per_sec\"},\"dac33725-ae01-4473-a253-75f68ac4e304\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"b16cccae-de67-46b3-8ecf-767bd9a35d39\"],\"layerId\":\"1ef8ef96-34a6-4ed3-915c-44e3f187e683\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"dac33725-ae01-4473-a253-75f68ac4e304\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"eeb38cf1-3e35-4a16-b910-21ef1aca2142\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"eeb38cf1-3e35-4a16-b910-21ef1aca2142\",\"title\":\"Batch Requests/sec [Microsoft SQL 
Server]\",\"type\":\"lens\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-f37f21be-12f6-4e30-b8e4-de8e37889cc6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f37f21be-12f6-4e30-b8e4-de8e37889cc6\":{\"columnOrder\":[\"4f11499b-34b7-4a54-b152-a9d6fe287532\",\"fb17b987-a0f4-44a9-98ab-72c2be506774\"],\"columns\":{\"4f11499b-34b7-4a54-b152-a9d6fe287532\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"fb17b987-a0f4-44a9-98ab-72c2be506774\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Average of mssql.metrics.lock_waits_per_sec\",\"operationType\":\"average\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.lock_waits_per_sec\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"fb17b987-a0f4-44a9-98ab-72c2be506774\"],\"layerId\":\"f37f21be-12f6-4e30-b8e4-de8e37889cc6\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4f11499b-34b7-4a54-b152-a9d6fe287532\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9537c5f9-fdeb-41
01-a50c-419834b6bdc3\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"9537c5f9-fdeb-4101-a50c-419834b6bdc3\",\"title\":\"Lock Waits/sec [Microsoft SQL Server]\",\"type\":\"lens\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-c804f10c-9dee-4bc5-b3ca-2a4b900f925d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c804f10c-9dee-4bc5-b3ca-2a4b900f925d\":{\"columnOrder\":[\"e74730e8-4677-4f80-ae0f-c074149942d6\",\"83388502-1a33-44fd-b43a-b70eb88ff1f2\"],\"columns\":{\"83388502-1a33-44fd-b43a-b70eb88ff1f2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of mssql.metrics.buffer_cache_hit_ratio\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.buffer_cache_hit_ratio\"},\"e74730e8-4677-4f80-ae0f-c074149942d6\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"83388502-1a33-44fd-b43a-b70eb88ff1f2\"],\"layerId\":\"c804f10c-9dee-4bc5-b3ca-2a4b900f925d\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"e74730e8-4677-4f80-ae0f-c074149942d6\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"titl
e\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3ceec42f-23d1-4ca2-8d59-c14ad798850f\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"3ceec42f-23d1-4ca2-8d59-c14ad798850f\",\"title\":\"Buffer Cache Hit Ratio [Microsoft SQL Server]\",\"type\":\"lens\",\"version\":\"8.3.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-3619ed84-0368-47cc-aa48-6edc35465d9c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3619ed84-0368-47cc-aa48-6edc35465d9c\":{\"columnOrder\":[\"3f74497d-d9f1-48fe-9c8a-327170bfacea\",\"4c131199-b3af-4404-bb2c-79a7b6ac1ed7\"],\"columns\":{\"3f74497d-d9f1-48fe-9c8a-327170bfacea\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"4c131199-b3af-4404-bb2c-79a7b6ac1ed7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Average of 
mssql.metrics.transactions\",\"operationType\":\"average\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"mssql.metrics.transactions\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"4c131199-b3af-4404-bb2c-79a7b6ac1ed7\"],\"layerId\":\"3619ed84-0368-47cc-aa48-6edc35465d9c\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"3f74497d-d9f1-48fe-9c8a-327170bfacea\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1b64a2ab-638e-483a-826d-c2a8563b7fcf\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"1b64a2ab-638e-483a-826d-c2a8563b7fcf\",\"title\":\"Transactions [Microsoft SQL Server]\",\"type\":\"lens\",\"version\":\"8.3.0\"}]", - "timeRestore": false, - "title": "[Metrics Microsoft SQL Server] Performance", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "733a1dbb-abdd-45d9-a908-026db7545a29:indexpattern-datasource-layer-c298fa42-a98b-441a-8fc4-7e829887f213", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "eeb38cf1-3e35-4a16-b910-21ef1aca2142:indexpattern-datasource-layer-1ef8ef96-34a6-4ed3-915c-44e3f187e683", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"9537c5f9-fdeb-4101-a50c-419834b6bdc3:indexpattern-datasource-layer-f37f21be-12f6-4e30-b8e4-de8e37889cc6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3ceec42f-23d1-4ca2-8d59-c14ad798850f:indexpattern-datasource-layer-c804f10c-9dee-4bc5-b3ca-2a4b900f925d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1b64a2ab-638e-483a-826d-c2a8563b7fcf:indexpattern-datasource-layer-3619ed84-0368-47cc-aa48-6edc35465d9c", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/microsoft_sqlserver/1.1.1/manifest.yml b/packages/microsoft_sqlserver/1.1.1/manifest.yml deleted file mode 100755 index e42fcbb2d6..0000000000 --- a/packages/microsoft_sqlserver/1.1.1/manifest.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -format_version: 1.0.0 -name: microsoft_sqlserver -title: "Microsoft SQL Server" -version: 1.1.1 -license: basic -description: Collect events from Microsoft SQL Server with Elastic Agent -type: integration -categories: - - datastore - - security -release: ga -conditions: - kibana.version: "^8.3.0" -screenshots: - - src: /img/sqlserver-dashboard.png - title: Microsoft SQL Server Dashboard - size: 600x600 - type: image/png - - src: /img/sqlserver-perf-dashboard.png - title: Microsoft SQL Server Performance Dashboard - size: 600x600 - type: image/png - - src: /img/sqlserver-transaction-dashboard.png - title: Microsoft SQL Server transaction log Dashboard - size: 600x600 - type: image/png -icons: - - src: /img/microsoft-sql-server-logo.svg - title: Microsof SQL Server - size: 32x32 - type: image/svg+xml -policy_templates: - - name: audit_logs - title: Microsoft SQL Server logs and metrics - description: Collect logs and metrics from Microsoft SQL Server - inputs: - - type: winlog - title: Collect audit events from Windows event logs - description: Collecting audit events from Windows event logs - - type: sql/metrics - vars: - - name: hosts - type: text - title: Hosts - multi: true - required: true - show_user: true - default: - - localhost - - name: password - type: password - title: Password - multi: false - required: true - show_user: true - default: verysecurepassword - - name: username - type: text - title: Username - multi: false - required: true - show_user: true - default: domain\username - - name: port - type: integer - title: Instance Port - multi: false - required: true - show_user: true - default: 1433 - title: Collect Microsoft SQL Server performance and transaction_log metrics - description: Collecting performance and transaction_log metrics from Microsoft SQL Server instances -owner: - github: elastic/security-external-integrations 
diff --git a/packages/netskope/1.0.1/changelog.yml b/packages/netskope/1.0.1/changelog.yml deleted file mode 100755 index ceaeb731fa..0000000000 --- a/packages/netskope/1.0.1/changelog.yml +++ /dev/null @@ -1,31 +0,0 @@ -# newer versions go on top -- version: "1.0.1" - changes: - - description: Added linnk to vendor documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3220 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.1.3" - changes: - - description: removed Italic text in hyperlinks in readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3110 -- version: "0.1.2" - changes: - - description: Fix boolean conversion logic to accept "true", "false", "yes", and "no" as strings. Correct the type of `is_alert` and `is_web_universal_connector` to boolean. - type: bugfix - link: https://github.com/elastic/integrations/pull/3110 -- version: "0.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.0" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/2638 diff --git a/packages/netskope/1.0.1/data_stream/alerts/agent/stream/tcp.yml.hbs b/packages/netskope/1.0.1/data_stream/alerts/agent/stream/tcp.yml.hbs deleted file mode 100755 index bc587e50a3..0000000000 --- a/packages/netskope/1.0.1/data_stream/alerts/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,18 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/netskope/1.0.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/1.0.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b9e9af61d8..0000000000 --- a/packages/netskope/1.0.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,296 +0,0 @@ ---- -description: Pipeline for Netskope alerts -processors: - - set: - field: ecs.version - value: '8.0.0' - - json: - field: message - add_to_root: true - add_to_root_conflict_strategy: replace - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: netskope.alerts.policy.actions - ignore_failure: true - - append: - field: related.ip - value: "{{{destination.ip}}}" - if: ctx?.destination?.ip != null - ignore_failure: true - - append: - field: related.ip - value: "{{{netskope.alerts.user.ip}}}" - if: ctx?.netskope?.alerts?.user?.ip != null - ignore_failure: true - - append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - ignore_failure: true - - append: - field: related.hosts - value: "{{{destination.domain}}}" - if: ctx?.destination?.domain != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: "{{{destination.domain}}}" - if: ctx?.netskope?.alerts?.domain != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: "{{{host.hostname}}}" - if: ctx?.host?.hostname != null - allow_duplicates: false - ignore_failure: true - - user_agent: - field: user_agent.original - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: netskope.alerts.user.ip - target_field: netskope.alerts.user.geo - ignore_missing: true - - uri_parts: - field: netskope.alerts.url - target_field: netskope.alerts.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.alerts.web.url - target_field: netskope.alerts.web.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - remove: - field: netskope.alerts.page.url - if: ctx?.netskope?.alerts?.page?.url == ' ' - - uri_parts: - field: 
netskope.alerts.page.url - target_field: netskope.alerts.page.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.alerts.login.url - target_field: netskope.alerts.login.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.alerts.referer - target_field: netskope.alerts.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - set: - field: netskope.alerts.managed.app - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.managed?.app?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.managed.app - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.managed?.app?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_alert - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_alert?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_alert - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_alert?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_malicious - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_malicious?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_malicious - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_malicious?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.aggregated.user - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.aggregated?.user?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.aggregated.user - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.aggregated?.user?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.bypass.traffic - value: true - if: "['yes', 
'true'].contains(ctx?.netskope?.alerts?.bypass?.traffic?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.bypass.traffic - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.bypass?.traffic?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_user_generated - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_user_generated?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_user_generated - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_user_generated?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.dlp.is_unique_count - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.dlp?.is_unique_count?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.dlp.is_unique_count - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.dlp?.is_unique_count?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_file_passwd_protected - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_file_passwd_protected?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_file_passwd_protected - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_file_passwd_protected?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_web_universal_connector - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_web_universal_connector?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_web_universal_connector - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_web_universal_connector?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.acked - value: true - if: "['yes', 
'true'].contains(ctx?.netskope?.alerts?.acked?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.acked - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.acked?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.obfuscate - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.obfuscate?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.obfuscate - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.obfuscate?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.ml_detection - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.ml_detection?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.ml_detection - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.ml_detection?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.shared.is_shared - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.shared?.is_shared?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.shared.is_shared - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.shared?.is_shared?.toString()?.toLowerCase())" - ignore_failure: true - - lowercase: - ignore_failure: true - field: network.protocol - - script: - if: ctx?.file?.mime_type != null - lang: painless - source: >- - def parts = ctx.file.mime_type; - if (parts != null && parts.size() > 0) { - List l = new ArrayList(); - for (entry in parts.entrySet()) { - l.add(entry.getValue()); - } - List setList = new ArrayList(new HashSet(l)); - ctx.file.mime_type = setList; - } - - script: - if: ctx?.user?.email != null - lang: painless - source: >- - def parts = ctx.user.email; - if (parts != null && parts.size() > 0) { - List l = new ArrayList(); - for (entry in parts.entrySet()) { - l.add(entry.getValue()); - } 
- List setList = new ArrayList(new HashSet(l)); - ctx.user.email = setList; - } - - script: - if: ctx?.netskope?.alerts?.quarantine?.app != null - lang: painless - source: >- - def parts = ctx.netskope.alerts.quarantine.app; - if (parts != null && parts.size() > 0) { - List l = new ArrayList(); - for (entry in parts.entrySet()) { - l.add(entry.getValue()); - } - List setList = new ArrayList(new HashSet(l)); - ctx.netskope.alerts.quarantine.app = setList; - } - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "" || object == "null") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/netskope/1.0.1/data_stream/alerts/fields/agent.yml b/packages/netskope/1.0.1/data_stream/alerts/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/netskope/1.0.1/data_stream/alerts/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/netskope/1.0.1/data_stream/alerts/fields/base-fields.yml b/packages/netskope/1.0.1/data_stream/alerts/fields/base-fields.yml deleted file mode 100755 index df7e82b799..0000000000 --- a/packages/netskope/1.0.1/data_stream/alerts/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: netskope -- name: event.dataset - type: constant_keyword - description: Event dataset - value: netskope.alerts diff --git a/packages/netskope/1.0.1/data_stream/alerts/fields/ecs.yml b/packages/netskope/1.0.1/data_stream/alerts/fields/ecs.yml deleted file mode 100755 index e5cddd8524..0000000000 --- a/packages/netskope/1.0.1/data_stream/alerts/fields/ecs.yml +++ /dev/null 
@@ -1,213 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: Port of the client. - name: client.port - type: long -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: |- - The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. - Examples: app engine, app service, cloud run, fargate, lambda. - name: cloud.service.name - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. 
- name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - Postal code associated with the location. - Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - name: destination.geo.postal_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: destination.geo.timezone - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
- multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - Postal code associated with the location. 
- Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - name: source.geo.postal_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: source.geo.timezone - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword 
diff --git a/packages/netskope/1.0.1/data_stream/alerts/fields/fields.yml b/packages/netskope/1.0.1/data_stream/alerts/fields/fields.yml
deleted file mode 100755
index 33542d9154..0000000000
--- a/packages/netskope/1.0.1/data_stream/alerts/fields/fields.yml
+++ /dev/null
@@ -1,1856 +0,0 @@ -- name: netskope.alerts - type: group - fields: - - name: access_method - type: keyword - description: | - Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. - - name: account - type: group - fields: - - name: id - type: keyword - description: | - Account ID (usually is account number as provided by the cloud provider). - - name: name - type: keyword - description: | - Account name - in case of AWS this is the instance name set by user. For others, account name is provided by cloud provider. - - name: acked - type: boolean - description: | - Whether user acknowledged the alert or not. - - name: acting - type: group - fields: - - name: role - type: keyword - description: | - N/A - - name: action - type: keyword - description: | - Action taken on the event for the policy. - - name: activities - type: array - description: | - N/A - - name: activity - type: group - fields: - - name: name - type: keyword - description: | - Description of the user performed activity. - - name: status - type: keyword - description: | - Displayed when the user is denied access while performing some activity. - - name: type - type: keyword - description: | - Displayed when only admins can perform the activity in question. 
- - name: agg - type: group - fields: - - name: window - type: long - description: | - N/A - - name: aggregated - type: group - fields: - - name: user - type: boolean - description: | - N/A - - name: alert - type: group - fields: - - name: affected.entities - type: keyword - description: | - N/A - - name: category - type: keyword - description: | - N/A - - name: description - type: keyword - description: | - N/A - - name: detection.stage - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - Hash of alert generated from code. - - name: name - type: keyword - description: | - Name of the alert. - - name: notes - type: keyword - description: | - N/A - - name: query - type: keyword - description: | - N/A - - name: score - type: long - description: | - N/A - - name: source - type: keyword - description: | - N/A - - name: status - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. - - name: window - type: long - description: | - N/A - - name: algorithm - type: keyword - description: | - N/A - - name: anomaly - type: group - fields: - - name: efficacy - type: keyword - description: | - Full anomaly details for debugging. - - name: fields - type: keyword - description: | - Name(s) and values(s) of the anomalous fields, usually there's going to be only one in the list. - - name: id - type: keyword - description: | - N/A - - name: magnitude - type: double - description: | - N/A - - name: type - type: keyword - description: | - Type of UBA alert. - - name: app - type: group - fields: - - name: suite - type: keyword - description: | - N/A - - name: app_name - type: keyword - description: | - N/A - - name: name - type: keyword - description: | - Specific cloud application used by the user (e.g. app = Dropbox). 
- - name: activity - type: keyword - description: | - N/A - - name: category - type: keyword - description: | - N/A - - name: region - type: keyword - description: | - N/A - - name: session.id - type: keyword - description: | - Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. - - name: asn - type: long - description: | - N/A - - name: asset - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: object.id - type: keyword - description: | - N/A - - name: attachment - type: keyword - description: | - File name. - - name: audit - type: group - fields: - - name: category - type: keyword - description: | - The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. - - name: type - type: keyword - description: | - The sub category in audit according to SaaS / IaaS apps. - - name: bin - type: group - fields: - - name: timestamp - type: long - description: | - Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type. Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). - - name: breach - type: group - fields: - - name: description - type: keyword - description: | - N/A - - name: date - type: double - description: | - Breach date for compromised credentials. - - name: id - type: keyword - description: | - Breach ID for compromised credentials. - - name: media_references - type: keyword - description: | - Media references of breach. - - name: score - type: long - description: | - Breach score for compromised credentials. 
- - name: target_references - type: keyword - description: | - Breach target references for compromised credentials. - - name: browser - type: group - fields: - - name: session.id - type: keyword - description: | - Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. - - name: bucket - type: keyword - description: | - N/A - - name: bypass - type: group - fields: - - name: traffic - type: boolean - description: | - Tells if traffic is bypassed by Netskope. - - name: category - type: group - fields: - - name: name - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - Matching category ID according to policy. Populated for both cloud and web traffic. - - name: cci - type: keyword - description: | - N/A - - name: ccl - type: keyword - description: | - Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. - - name: channel - type: keyword - description: | - Channel of the user for slack and slack enterprise apps. - - name: cloud - type: group - fields: - - name: provider - type: keyword - description: | - N/A - - name: compliance - type: group - fields: - - name: standards - type: keyword - description: | - N/A - - name: compute - type: group - fields: - - name: instance - type: keyword - description: | - N/A - - name: connection - type: group - fields: - - name: duration - type: long - description: | - Duration of the connection in milliseconds. Useful for querying long-lived sessions. - - name: endtime - type: long - description: | - Connection end time. - - name: id - type: keyword - description: | - Each connection has a unique ID. Shows the ID for the connection event. 
- - name: starttime - type: long - description: | - Connection start time. - - name: created_at - type: keyword - description: | - N/A - - name: count - type: long - description: | - Number of raw log lines/events sessionized or suppressed during the suppressed interval. - - name: data - type: group - fields: - - name: type - type: keyword - description: | - Content type of upload/download. - - name: version - type: long - description: | - N/A - - name: description - type: keyword - description: | - N/A - - name: destination - type: group - fields: - - name: geoip_src - type: long - description: | - Source from where the location of Destination IP was derived. - - name: detected-file-type - type: keyword - description: | - N/A - - name: detection - type: group - fields: - - name: engine - type: keyword - description: | - Customer exposed detection engine name. - - name: type - type: keyword - description: | - Same as malware type. Duplicate. - - name: device - type: group - fields: - - name: classification - type: keyword - description: | - Designation of device as determined by the Netskope Client as to whether the device is managed or not. - - name: name - type: keyword - description: | - Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. - - name: dlp - type: group - fields: - - name: file - type: keyword - description: | - File/Object name extracted from the file/object. - - name: fingerprint.classification - type: keyword - description: | - Fingerprint classification. - - name: fingerprint.match - type: keyword - description: | - Fingerprint classification match file name. - - name: fingerprint.score - type: long - description: | - Fingerprint classification score. - - name: fv - type: long - description: | - N/A - - name: incident.id - type: keyword - description: | - Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. 
- - name: is_unique_count - type: boolean - description: | - True or false depending upon if rule is unique counted per rule data. - - name: mail.parent.id - type: keyword - description: | - N/A - - name: parent.id - type: keyword - description: | - Incident ID associated with main container (or non-container) file that was scanned. - - name: profile - type: keyword - description: | - DLP profile name. - - name: rule.count - type: long - description: | - Count of rule hits. - - name: rule.score - type: long - description: | - DLP rule score for weighted dictionaries. - - name: rule.severity - type: keyword - description: | - Severity of rule. - - name: unique_count - type: long - description: | - Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. - - name: rule.name - type: keyword - description: | - DLP rule that triggered. - - name: doc - type: group - fields: - - name: count - type: long - description: | - N/A - - name: domain - type: keyword - description: | - Domain value. This will hold the host header value or SNI or extracted from absolute URI. - - name: domain_shared_with - type: keyword - description: | - N/A - - name: download - type: group - fields: - - name: app - type: keyword - description: | - Applicable to only data exfiltration. Download App (App in the download event). - - name: drive - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: dynamic - type: group - fields: - - name: classification - type: keyword - description: | - URLs were categorized by NSURLC machine or not. - - name: elastic_key - type: keyword - description: | - N/A - - name: email - type: group - fields: - - name: source - type: keyword - description: | - N/A - - name: encrypt - type: group - fields: - - name: failure - type: keyword - description: | - Reason of failure while encrypting. 
- - name: encryption - type: group - fields: - - name: service.key - type: keyword - description: | - N/A - - name: enterprise - type: group - fields: - - name: id - type: keyword - description: | - EnterpriseID in case of Slack for Enterprise. - - name: name - type: keyword - description: | - Enterprise name in case of Slack for Enterprise. - - name: entity - type: group - fields: - - name: list - type: array - description: | - N/A - - name: type - type: keyword - description: | - N/A - - name: value - type: keyword - description: | - N/A - - name: event_source_channel - type: keyword - description: | - N/A - - name: event - type: group - fields: - - name: detail - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - Anomaly type. - - name: exposure - type: keyword - description: | - Exposure of a document. - - name: external - type: group - fields: - - name: collaborator.count - type: long - description: | - Count of external collaborators on a file/folder. Supported for some apps. - - name: email - type: long - description: | - N/A - - name: feature - type: group - fields: - - name: description - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - N/A - - name: name - type: keyword - description: | - N/A - - name: file - type: group - fields: - - name: name - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - Unique identifier of the file. - - name: lang - type: keyword - description: | - Language of the file. - - name: password.protected - type: keyword - description: | - N/A - - name: path.orignal - type: keyword - description: | - If the file is moved, then keep original path of the file in this field. - - name: size - type: long - description: | - Size of the file in bytes. - - name: type - type: keyword - description: | - File type. 
- - name: flow_status - type: keyword - description: | - N/A - - name: from - type: group - fields: - - name: logs - type: keyword - description: | - Shows if the event was generated from the Risk Insights log. - - name: object - type: keyword - description: | - Initial name of an object that has been renamed, copied or moved. - - name: storage - type: keyword - description: | - N/A - - name: user_category - type: keyword - description: | - Type of from_user. - - name: gateway - type: keyword - description: | - N/A - - name: graph - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: http_status - type: keyword - description: | - N/A - - name: http_transaction_count - type: long - description: | - HTTP transaction count. - - name: iaas - type: group - fields: - - name: asset.tags - type: keyword - description: | - List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. - - name: remediated - type: keyword - description: | - N/A - - name: iam - type: group - fields: - - name: session - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - N/A - - name: insertion_epoch_timestamp - type: long - description: | - Insertion timestamp. - - name: instance_name - type: keyword - description: | - Instance associated with an organization application instance. - - name: instance - type: group - fields: - - name: id - type: keyword - description: | - Unique ID associated with an organization application instance. - - name: name - type: keyword - description: | - Instance name associated with an organization application instance. - - name: type - type: keyword - description: | - Instance type. - - name: internal - type: group - fields: - - name: collaborator.count - type: long - description: | - Count of internal collaborators on a file/folder. Supported for some apps. 
- - name: ip - type: group - fields: - - name: protocol - type: keyword - description: | - N/A - - name: ipblock - type: keyword - description: | - IPblock that caused the alert. - - name: is_alert - type: boolean - description: | - Indicates whether alert is generated or not. Populated as yes for all alerts. - - name: is_file_passwd_protected - type: boolean - description: | - Tells if the file is password protected. - - name: is_malicious - type: boolean - description: | - Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. - - name: is_two_factor_auth - type: keyword - description: | - N/A - - name: is_universal_connector - type: keyword - description: | - N/A - - name: is_user_generated - type: boolean - description: | - Tells whether it is user generated page event. - - name: is_web_universal_connector - type: boolean - description: | - N/A - - name: isp - type: keyword - description: | - N/A - - name: item - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: justification - type: group - fields: - - name: reason - type: keyword - description: | - Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. - - name: type - type: keyword - description: | - Type of justification provided by user when user bypasses the policy block. - - name: last - type: group - fields: - - name: app - type: keyword - description: | - Last application (app in the first/older event). Applies to only proximity anomaly alert. - - name: coordinates - type: keyword - description: | - Last location coordinates(latitude, longitude). Applies to only proximity alert. - - name: country - type: keyword - description: | - Last location (Country). 
Applies to only proximity anomaly alert. - - name: device - type: keyword - description: | - Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. - - name: location - type: keyword - description: | - Last location (City). Applies to only proximity anomaly alert. - - name: modified_timestamp - type: long - description: | - Timestamp when alert is acknowledged. - - name: region - type: keyword - description: | - Applies to only proximity anomaly alert. - - name: timestamp - type: long - description: | - Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. - - name: latency - type: group - fields: - - name: max - type: long - description: | - Max latency for a connection in milliseconds. - - name: min - type: long - description: | - Min latency for a connection in milliseconds. - - name: total - type: long - description: | - Total latency from proxy to app in milliseconds. - - name: legal_hold - type: group - fields: - - name: custodian_name - type: keyword - description: | - Custodian name of legal hold profile. - - name: destination.app - type: keyword - description: | - Destination appname of legalhold action. - - name: destination.instance - type: keyword - description: | - Destination instance of legal hold action. - - name: file.id - type: keyword - description: | - File ID of legal hold file. - - name: file.name - type: keyword - description: | - File name of legal hold file. - - name: file.name_original - type: keyword - description: | - Original filename of legal hold file. - - name: file.path - type: keyword - description: | - File path of legal hold file. - - name: profile_name - type: keyword - description: | - Legal hold profile name. - - name: shared - type: keyword - description: | - Shared type of legal hold file. - - name: shared_with - type: keyword - description: | - User shared with the legal hold file. 
- - name: version - type: keyword - description: | - File version of original file. - - name: list - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: local - type: group - fields: - - name: md5 - type: keyword - description: | - md5 hash of file generated by Malware engine. - - name: sha1 - type: keyword - description: | - sha1 hash of file generated by Malware engine. - - name: sha256 - type: keyword - description: | - sha256 hash of file generated by Malware engine. - - name: log - type: group - fields: - - name: file.name - type: keyword - description: | - Log file name for Risk Insights. - - name: login - type: group - fields: - - name: type - type: keyword - description: | - Salesforce login type. - - name: url - type: flattened - description: | - Salesforce login URL. - - name: malsite - type: group - fields: - - name: active - type: long - description: | - Since how many days malsite is Active. - - name: as.number - type: keyword - description: | - Malsite ASN Number. - - name: category - type: keyword - description: | - Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. - - name: city - type: keyword - description: | - Malsite city. - - name: confidence - type: long - description: | - Malsite confidence score. - - name: consecutive - type: long - description: | - How many times that malsite is seen. - - name: country - type: keyword - description: | - Malsite country. - - name: dns.server - type: keyword - description: | - DNS server of the malsite URL/Domain/IP. - - name: first_seen - type: long - description: | - Malsite first seen timestamp. - - name: hostility - type: long - description: | - Malsite hostility score. - - name: id - type: keyword - description: | - Malicious Site ID - Hash of threat match value. - - name: ip_host - type: keyword - description: | - Malsite IP. - - name: isp - type: keyword - description: | - Malsite ISP info. 
- - name: last.seen - type: long - description: | - Malsite last seen timestamp. - - name: latitude - type: double - description: | - Latitude plot of the Malsite URL/IP/Domain. - - name: longitude - type: double - description: | - Longitude plot of the Malsite URL/IP/Domain. - - name: region - type: keyword - description: | - Region of the malsite URL/IP/Domain. - - name: reputation - type: double - description: | - Reputation score of Malsite IP/Domain/URL. - - name: malware - type: group - fields: - - name: id - type: keyword - description: | - md5 hash of the malware name as provided by the scan engine. - - name: name - type: keyword - description: | - Netskope detection name. - - name: profile - type: keyword - description: | - tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. - - name: severity - type: keyword - description: | - Malware severity. - - name: type - type: keyword - description: | - Malware Type. - - name: managed - type: group - fields: - - name: app - type: boolean - description: | - Whether or not the app in question is managed. - - name: management - type: group - fields: - - name: id - type: keyword - description: | - Management ID. - - name: matched - type: group - fields: - - name: username - type: keyword - description: | - N/A - - name: matrix - type: group - fields: - - name: columns - type: keyword - description: | - N/A - - name: rows - type: keyword - description: | - N/A - - name: md5 - type: keyword - description: | - md5 of the file. - - name: md5_list - type: keyword - description: | - List of md5 hashes specific to the files that are part of custom sequence policy alert. - - name: mime - type: group - fields: - - name: type - type: keyword - description: | - MIME type of the file. 
- - name: ml_detection - type: boolean - description: | - N/A - - name: modified - type: group - fields: - - name: timestamp - type: long - description: | - Timestamp corresponding to the modification time of the entity (file, etc.). - - name: date - type: long - description: | - N/A - - name: netskope_pop - type: keyword - description: | - N/A - - name: network - type: group - fields: - - name: name - type: keyword - description: | - N/A - - name: security.group - type: array - description: | - N/A - - name: new - type: group - fields: - - name: value - type: keyword - description: | - New value for a given file for salesforce.com. - - name: nonzero - type: group - fields: - - name: entries - type: long - description: | - N/A - - name: percentage - type: double - description: | - N/A - - name: notify - type: group - fields: - - name: template - type: keyword - description: | - N/A - - name: ns_activity - type: keyword - description: | - Maps app activity to Netskope standard activity. - - name: ns_device_uid - type: keyword - description: | - Device identifiers on macOS and Windows. - - name: numbytes - type: long - description: | - Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. - - name: obfuscate - type: boolean - description: | - N/A - - name: object - type: group - fields: - - name: count - type: long - description: | - Displayed when the activity is Delete. Shows the number of objects being deleted. - - name: id - type: keyword - description: | - Unique ID associated with an object. - - name: name - type: keyword - description: | - Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. - - name: type - type: keyword - description: | - Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. 
- - name: old
- type: group
- fields:
- - name: value
- type: keyword
- description: |
- Old value for a given file for salesforce.com.
- - name: org
- type: keyword
- description: |
- Search for events from a specific organization. Organization name is derived from the user ID.
- - name: organization
- type: group
- fields:
- - name: unit
- type: keyword
- description: |
- Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application.
- - name: orig_ty
- type: keyword
- description: |
- Event Type of original event.
- - name: original
- type: group
- fields:
- - name: file_path
- type: keyword
- description: |
- If the file is moved, then keep original path of the file in this field.
- - name: os_version_hostname
- type: keyword
- description: |
- Host and OS Version that caused the alert. Concatenation of 2 fields (hostname and os).
- - name: other
- type: group
- fields:
- - name: categories
- type: keyword
- description: |
- N/A
- - name: owner
- type: keyword
- description: |
- Owner of the file.
- - name: page
- type: group
- fields:
- - name: url
- type: flattened
- description: |
- The URL of the originating page.
- - name: site
- type: keyword
- description: |
- N/A
- - name: parameters
- type: keyword
- description: |
- N/A
- - name: parent
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- N/A
- - name: path
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- N/A
- - name: policy
- type: group
- fields:
- - name: actions
- type: keyword
- description: |
- N/A
- - name: id
- type: keyword
- description: |
- The Netskope internal ID for the policy created by an admin.
- - name: name
- type: keyword
- description: |
- Predefined or Custom policy name.
- - name: pretty
- type: group
- fields:
- - name: sourcetype
- type: keyword
- description: |
- N/A
- - name: processing
- type: group
- fields:
- - name: time
- type: long
- description: |
- N/A
- - name: profile
- type: group
- fields:
- - name: emails
- type: keyword
- description: |
- List of profile emails per policy.
- - name: id
- type: keyword
- description: |
- Anomaly profile ID.
- - name: quarantine
- type: group
- fields:
- - name: action.reason
- type: keyword
- description: |
- Reason for the action taken for quarantine.
- - name: admin
- type: keyword
- description: |
- Quarantine profile custodian email/name.
- - name: app
- type: keyword
- description: |
- Quarantine app name.
- - name: failure
- type: keyword
- description: |
- Reason of failure.
- - name: file.id
- type: keyword
- description: |
- File ID of the quarantined file.
- - name: file.name
- type: keyword
- description: |
- File name of the quarantine file.
- - name: instance
- type: keyword
- description: |
- Quarantine instance name.
- - name: original.file.name
- type: keyword
- description: |
- Original file name which got quarantined.
- - name: original.file.path
- type: keyword
- description: |
- Original file path which got quarantined.
- - name: original.shared
- type: keyword
- description: |
- Original file shared user details.
- - name: original.version
- type: keyword
- description: |
- Original version of file which got quarantined.
- - name: profile
- type: group
- fields:
- - name: name
- type: keyword
- description: |
- Quarantine profile name of policy for quarantine action.
- - name: id
- type: keyword
- description: |
- Quarantine profile ID.
- - name: shared.with
- type: keyword
- description: |
- N/A
- - name: referer
- type: keyword
- description: |
- Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic.
- - name: region
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- Region ID (as provided by the cloud provider).
- - name: name
- type: keyword
- description: |
- N/A
- - name: reladb
- type: keyword
- description: |
- N/A
- - name: repo
- type: keyword
- description: |
- N/A
- - name: request
- type: group
- fields:
- - name: cnt
- type: long
- description: |
- Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection.
- - name: id
- type: keyword
- description: |
- Unique request ID for the event.
- - name: resource
- type: group
- fields:
- - name: category
- type: keyword
- description: |
- Category of resource as defined in DOM.
- - name: group
- type: keyword
- description: |
- N/A
- - name: resources
- type: keyword
- description: |
- N/A
- - name: response
- type: group
- fields:
- - name: cnt
- type: long
- description: |
- Total number of HTTP responses (equal to number of transaction events for this page event) from server to client.
- - name: content.length
- type: long
- description: |
- N/A
- - name: content.type
- type: keyword
- description: |
- N/A
- - name: retro
- type: group
- fields:
- - name: scan.name
- type: keyword
- description: |
- Retro scan name.
- - name: risk_level
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- This field is set by both role-based access (RBA) and MLAD.
- - name: tag
- type: keyword
- description: |
- Corresponding field to risk_level_id. Name.
- - name: role
- type: keyword
- description: |
- Roles for Box.
- - name: rule
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- N/A
- - name: sa
- type: group
- fields:
- - name: rule.id
- type: keyword
- description: |
- CSA rule ID.
- - name: rule.name
- type: keyword
- description: |
- CSA rule name.
- - name: profile.id
- type: keyword
- description: |
- CSA profile ID.
- - name: profile.name
- type: keyword
- description: |
- CSA profile name.
- - name: rule.remediation
- type: keyword
- description: |
- N/A
- - name: rule.severity
- type: keyword
- description: |
- Rule severity.
- - name: scan
- type: group
- fields:
- - name: time
- type: long
- description: |
- Time when the scan is done.
- - name: type
- type: keyword
- description: |
- Generated during retroactive scan or new ongoing activity.
- - name: scopes
- type: keyword
- description: |
- List of permissions for google apps.
- - name: serial
- type: keyword
- description: |
- N/A
- - name: server
- type: group
- fields:
- - name: bytes
- type: long
- description: |
- Total number of downloaded from server to client.
- - name: session
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- Populated by Risk Insights.
- - name: severity
- type: group
- fields:
- - name: level
- type: keyword
- description: |
- Severity used by watchlist and malware alerts.
- - name: id
- type: keyword
- description: |
- Severity ID used by watchlist and malware alerts.
- - name: malsite
- type: group
- fields:
- - name: severity.level
- type: keyword
- description: |
- Severity level of the Malsite ( High / Med / Low).
- - name: severity
- type: group
- fields:
- - name: level_id
- type: long
- description: |
- If the Severity Level ID is 1, it means that URL / IP /Domain is detected from Internal threat feed and if Severity Level ID is 2, then it means the detection happened based on the Zvelo DB Malsite Category.
- - name: sfwder
- type: keyword
- description: |
- N/A
- - name: shared_type
- type: keyword
- description: |
- N/A
- - name: shared
- type: group
- fields:
- - name: credential.user
- type: keyword
- description: |
- Applicable to only shared credentials. User with whom the credentials are shared with.
- - name: domains
- type: keyword
- description: |
- List of domains of users the document is shared with.
- - name: is_shared - type: boolean - description: | - If the file is shared or not. - - name: type - type: keyword - description: | - Shared Type. - - name: with - type: keyword - description: | - Array of emails with whom a document is shared with. - - name: site - type: keyword - description: | - For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". - - name: source - type: group - fields: - - name: geoip_src - type: long - description: | - Source from where the location of Source IP was derived. - - name: srcip2 - type: keyword - description: | - N/A - - name: ssl - type: group - fields: - - name: decrypt.policy - type: keyword - description: | - Applicable to only bypass events. There are 2 ways to create rules for bypass: - Bypass due to Exception Configuration - Bypass due to SSL Decrypt Policy - The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. - - name: start_time - type: long - description: | - Start time for alert time period. - - name: statistics - type: long - description: | - This field & summary field go together. This field will either tell count or size of files. File size is in bytes. - - name: storage_service_bucket - type: keyword - description: | - N/A - - name: sub - type: group - fields: - - name: type - type: keyword - description: | - Workplace by Facebook post sub category (files, comments, status etc). - - name: summary - type: keyword - description: | - Tells whether anomaly was measured from count or size of files. 
- - name: suppression - type: group - fields: - - name: end.time - type: long - description: | - When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. - - name: key - type: keyword - description: | - To limit the number of events. Example: Suppress block event for browse. - - name: start.time - type: long - description: | - When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. - - name: target - type: group - fields: - - name: entity.key - type: keyword - description: | - N/A - - name: entity.type - type: keyword - description: | - N/A - - name: entity.value - type: keyword - description: | - N/A - - name: team - type: keyword - description: | - Slack team name. - - name: telemetry - type: group - fields: - - name: app - type: keyword - description: | - Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. - - name: temp - type: group - fields: - - name: user - type: keyword - description: | - N/A - - name: tenant - type: group - fields: - - name: id - type: keyword - description: | - Tenant id. - - name: threat - type: group - fields: - - name: match.value - type: keyword - description: | - N/A - - name: match.field - type: keyword - description: | - Threat match field, either from domain or URL or IP. - - name: source.id - type: keyword - description: | - Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. 
- - name: threshold
- type: group
- fields:
- - name: time
- type: long
- description: |
- Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. Threshold Time.
- - name: value
- type: long
- description: |
- Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type.
- - name: title
- type: keyword
- description: |
- Title of the file.
- - name: to
- type: group
- fields:
- - name: object
- type: keyword
- description: |
- Changed name of an object that has been renamed, copied, or moved.
- - name: storage
- type: keyword
- description: |
- N/A
- - name: user
- type: keyword
- description: |
- Used when a file is moved from user A to user B. Shows the email address of user B.
- - name: user_category
- type: keyword
- description: |
- Type of user to which move is done.
- - name: total
- type: group
- fields:
- - name: collaborator.count
- type: long
- description: |
- Count of collaborators on a file/folder. Supported for some apps.
- - name: traffic
- type: group
- fields:
- - name: type
- type: keyword
- description: |
- Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights.
- - name: transaction
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- Unique ID for a given request/response.
- - name: transformation
- type: keyword
- description: |
- N/A
- - name: tss
- type: group
- fields:
- - name: mode
- type: keyword
- description: |
- Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection.
- - name: version
- type: long
- description: |
- N/A
- - name: tunnel
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- Shows the Client installation ID.
Only available for the Client steering configuration. - - name: type - type: keyword - description: | - Type of the alert. - - name: updated - type: long - description: | - N/A - - name: url - type: flattened - description: | - URL of the application that the user visited as provided by the log or data plane traffic. - - name: Url2Activity - type: keyword - description: | - Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. - - name: user - type: group - fields: - - name: category - type: keyword - description: | - Type of user in an enterprise - external / internal. - - name: group - type: keyword - description: | - N/A - - name: ip - type: keyword - description: | - IP address of User. - - name: geo - type: group - fields: - - name: city_name - type: keyword - description: | - City name. - - name: continent_name - type: keyword - description: | - Name of the continent. - - name: country_iso_code - type: keyword - description: | - Country ISO code. - - name: country_name - type: keyword - description: | - Country name. - - name: location - type: geo_point - description: | - Longitude and latitude. - - name: region_iso_code - type: keyword - description: | - Region ISO code. - - name: region_name - type: keyword - description: | - Region name. - - name: value - type: double - description: | - N/A - - name: violating_user - type: group - fields: - - name: name - type: keyword - description: | - User who caused a violation. Populated for Workplace by Facebook. - - name: type - type: keyword - description: | - Category of the user who caused a violation. Populated for Workplace by Facebook. - - name: web - type: group - fields: - - name: url - type: flattened - description: | - File preview URL. - - name: workspace - type: group - fields: - - name: id - type: keyword - description: | - Workspace ID in case of Slack for Enterprise. 
- - name: name
- type: keyword
- description: |
- Workspace name in case of Slack for Enterprise.
- - name: zip
- type: group
- fields:
- - name: password
- type: keyword
- description: |
- Zip the malicious file and put pwd to it and send it back to caller.
- - name: scanner_result
- type: keyword
- description: |
- N/A
- - name: slc_latitude
- type: keyword
- description: |
- N/A
- - name: slc_longitude
- type: keyword
- description: |
- N/A
- - name: source
- type: group
- fields:
- - name: time
- type: keyword
- description: |
- N/A
- - name: uba_ap1
- type: keyword
- description: |
- N/A
- - name: uba_ap2
- type: keyword
- description: |
- N/A
- - name: uba_inst1
- type: keyword
- description: |
- N/A
- - name: uba_inst2
- type: keyword
- description: |-
- N/A
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/netskope/1.0.1/data_stream/alerts/manifest.yml b/packages/netskope/1.0.1/data_stream/alerts/manifest.yml
deleted file mode 100755
index 73acd6e99c..0000000000
--- a/packages/netskope/1.0.1/data_stream/alerts/manifest.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Alerts
-type: logs
-streams:
- - input: tcp
- template_path: tcp.yml.hbs
- title: Netskope Alerts
- description: Collect Netskope Alerts using tcp input
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9020
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - netskope-alerts
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/netskope/1.0.1/data_stream/alerts/sample_event.json b/packages/netskope/1.0.1/data_stream/alerts/sample_event.json
deleted file mode 100755
index e287ed230b..0000000000
--- a/packages/netskope/1.0.1/data_stream/alerts/sample_event.json
+++ /dev/null
@@ -1,182 +0,0 @@
-{
- "@timestamp": "2021-12-23T16:27:09.000Z",
- "agent": {
- "ephemeral_id": "f6ea30bb-70ab-4ae9-b338-b103657dd749",
- "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.0"
- },
- "data_stream": {
- "dataset": "netskope.alerts",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.143",
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
- "snapshot": true,
- "version": "8.3.0"
- },
- "event": {
- "agent_id_status": "verified",
- "id": "f621f259f5fbde850ad5593a",
- "ingested": "2022-04-14T11:24:23Z",
- "original": "{\"event\":{\"id\":\"f621f259f5fbde850ad5593a\"},\"netskope\":{\"alerts\":{\"insertion_epoch_timestamp\":1640277131,\"access_method\":\"API Connector\",\"acked\":\"false\",\"action\":\"block\",\"activity\":{\"name\":\"Login Successful\"},\"is_alert\":\"yes\",\"alert\":{\"name\":\"policy-alert\",\"type\":\"nspolicy\"},\"app\":{\"name\":\"SomeApp\",\"category\":\"Cloud Storage\"},\"category\":{\"name\":\"Cloud Storage\"},\"cci\":\"81\",\"ccl\":\"high\",\"count\":1,\"device\":{\"name\":\"Other\"},\"destination\":{\"geoip_src\":2},\"exposure\":\"organization_wide_link\",\"file\":{\"lang\":\"ENGLISH\"},\"instance\":{\"name\":\"example.com\",\"id\":\"example.com\"},\"modified\":{\"timestamp\":1613760236},\"object\":{\"name\":\"HjBuUvDLWgpudzQr\",\"id\":\"GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg\",\"type\":\"File\"},\"organization\":{\"unit\":\"example.local\\\\\\\\/example\\\\\\\\/Active Users\"},\"other\":{\"categories\":\"null\"},\"owner\":\"foobar\",\"policy\":{\"name\":\"Some
Policy\"},\"request\":{\"id\":\"9262245914980288500\"},\"scan\":{\"type\":\"Ongoing\"},\"shared\":{\"with\":\"none\"},\"site\":\"Example\",\"source\":{\"geoip_src\":2},\"suppression\":{\"key\":\"Tenant Migration across MPs\"},\"traffic\":{\"type\":\"CloudApp\"},\"type\":\"policy\",\"url\":\"http:\\\\\\\\/\\\\\\\\/www.example.com\\\\\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg\"}},\"user_agent\":{\"name\":\"unknown\",\"os\":{\"name\":\"unknown\"}},\"destination\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"file\":{\"path\":\"\\\\\\\\/My Drive\\\\\\\\/Clickhouse\\\\\\\\/Tenant Migration across MPs\",\"size\":196869,\"mime_type\":{\"1\":\"application\\\\\\\\/vnd.apps.document\",\"2\":\"application\\\\\\\\/vnd.apps.document\"},\"hash\":{\"md5\":\"4bb5d9501bf7685ecaed55e3eda9ca01\"}},\"source\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"@timestamp\":\"2021-12-23T16:27:09.000Z\",\"user\":{\"email\":{\"1\":\"test@example.com\",\"2\":\"test@example.com\",\"3\":\"test@example.com\"},\"group\":{\"name\":\"null\"}}}"
- },
- "file": {
- "hash": {
- "md5": "4bb5d9501bf7685ecaed55e3eda9ca01"
- },
- "mime_type": [
- "application\\\\/vnd.apps.document"
- ],
- "path": "\\\\/My Drive\\\\/Clickhouse\\\\/Tenant Migration across MPs",
- "size": 196869
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "192.168.224.1:57542"
- }
- },
- "netskope": {
- "alerts": {
- "access_method": "API Connector",
- "acked": false,
- "action": "block",
- "activity": {
- "name": "Login Successful"
- },
- "alert": {
- "name": "policy-alert",
- "type": "nspolicy"
- },
- "app": {
- "category": "Cloud Storage",
- "name": "SomeApp"
- },
- "category": {
- "name": "Cloud Storage"
- },
- "cci": "81",
- "ccl": "high",
- "count": 1,
- "destination": {
- "geoip_src": 2
- },
- "device": {
- "name": "Other"
- },
- "exposure": "organization_wide_link",
- "file": {
- "lang": "ENGLISH"
- },
- "insertion_epoch_timestamp": 1640277131,
- "instance": {
- "id": "example.com",
- "name": "example.com"
- },
- "is_alert": true,
- "modified": {
- "timestamp": 1613760236
- },
- "object": {
- "id": "GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg",
- "name": "HjBuUvDLWgpudzQr",
- "type": "File"
- },
- "organization": {
- "unit": "example.local\\\\/example\\\\/Active Users"
- },
- "owner": "foobar",
- "policy": {
- "name": "Some Policy"
- },
- "request": {
- "id": "9262245914980288500"
- },
- "scan": {
- "type": "Ongoing"
- },
- "shared": {
- "with": "none"
- },
- "site": "Example",
- "source": {
- "geoip_src": 2
- },
- "suppression": {
- "key": "Tenant Migration across MPs"
- },
- "traffic": {
- "type": "CloudApp"
- },
- "type": "policy",
- "url": {
- "extension": "com\\\\/open",
- "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
- "path": "\\\\/\\\\/www.example.com\\\\/open",
- "query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
- "scheme": "http"
- }
- }
- },
- "related": {
- "ip": [
- "81.2.69.143",
- "81.2.69.143"
- ]
- },
- "source": {
- "address": "81.2.69.143",
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "tags": [
- "forwarded",
- "netskope-alerts"
- ],
- "user": {
- "email": [
- "test@example.com"
- ]
- },
- "user_agent": {
- "name": "unknown",
- "os": {
- "name": "unknown"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/netskope/1.0.1/data_stream/events/agent/stream/tcp.yml.hbs b/packages/netskope/1.0.1/data_stream/events/agent/stream/tcp.yml.hbs
deleted file mode 100755
index bc587e50a3..0000000000
--- a/packages/netskope/1.0.1/data_stream/events/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,18 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/netskope/1.0.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/1.0.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 989c462df9..0000000000
--- a/packages/netskope/1.0.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,253 +0,0 @@
----
-description: Pipeline for Netskope events
-processors:
- - set:
- field: ecs.version
- value: '8.0.0'
- - json:
- field: message
- add_to_root: true
- add_to_root_conflict_strategy: replace
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{{destination.ip}}}"
- if: ctx?.destination?.ip != null
- ignore_failure: true
- - append:
- field: related.ip
- value: "{{{netskope.events.user.ip}}}"
- if: ctx?.netskope?.events?.user?.ip != null
- ignore_failure: true
- - append:
- field: related.ip
- value: "{{{source.ip}}}"
- if: ctx?.source?.ip != null
- ignore_failure: true
- - append:
- field: related.hosts
- value: "{{{destination.domain}}}"
- if: ctx?.destination?.domain != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.hosts
- value: "{{{host.hostname}}}"
- if: ctx?.host?.hostname != null
- allow_duplicates: false
- ignore_failure: true
- - user_agent:
- field: user_agent.original
- ignore_failure: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: netskope.events.user.ip
- target_field: netskope.events.user.geo
- ignore_missing: true
- - uri_parts:
- field: netskope.events.url
- target_field: netskope.events.url
- keep_original: true
- remove_if_successful: false
- ignore_failure: true
- - uri_parts:
- field: netskope.events.web.url
- target_field: netskope.events.web.url
- keep_original: true
- remove_if_successful: false
- ignore_failure: true
- - uri_parts:
- field: netskope.events.login.url
- target_field: netskope.events.login.url
- keep_original: true
- remove_if_successful: false
- ignore_failure: true
- - uri_parts:
- field: netskope.events.url
- target_field: netskope.events.url
- keep_original: true
- remove_if_successful: false
- ignore_failure: true
- - json:
- field:
netskope.events.site
- ignore_failure: true
- - json:
- field: netskope.events.app.name
- ignore_failure: true
- - lowercase:
- ignore_failure: true
- field: network.protocol
- - uri_parts:
- field: netskope.events.referer
- target_field: netskope.events.referer
- keep_original: true
- remove_if_successful: false
- ignore_failure: true
- - set:
- field: netskope.events.managed_app
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.managed_app?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.managed_app
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.managed_app?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.is_bypass_traffic
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_bypass_traffic?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.is_bypass_traffic
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.is_bypass_traffic?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.is_unique_count
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_unique_count?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.is_unique_count
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.is_unique_count?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.user.is_aggregated
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.user?.is_aggregated?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.user.is_aggregated
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.user?.is_aggregated?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.alert.is_present
- value: true
- if: "['yes',
'true'].contains(ctx?.netskope?.events?.alert?.is_present?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.alert.is_present
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.alert?.is_present?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.user.generated
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.user?.generated?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.user.generated
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.user?.generated?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.ack
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.ack?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.ack
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.ack?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.is_malicious
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_malicious?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.is_malicious
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.is_malicious?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.obfuscate
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.obfuscate?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.obfuscate
- value: false
- if: "['no', 'false'].contains(ctx?.netskope?.events?.obfuscate?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.shared.is_shared
- value: true
- if: "['yes', 'true'].contains(ctx?.netskope?.events?.shared?.is_shared?.toString()?.toLowerCase())"
- ignore_failure: true
- - set:
- field: netskope.events.shared.is_shared
- value: false
- if: "['no',
'false'].contains(ctx?.netskope?.events?.shared?.is_shared?.toString()?.toLowerCase())"
- ignore_failure: true
- - date:
- field: netskope.events.modified_at
- target_field: netskope.events.modified_at
- ignore_failure: true
- formats:
- - UNIX
- - script:
- if: ctx?.file?.mime_type != null
- lang: painless
- source: >-
- def parts = ctx.file.mime_type;
- if (parts != null && parts.size() > 0) {
- List l = new ArrayList();
- for (entry in parts.entrySet()) {
- l.add(entry.getValue());
- }
- List setList = new ArrayList(new HashSet(l));
- ctx.file.mime_type = setList;
- }
- - script:
- if: ctx?.user?.email != null
- lang: painless
- source: >-
- def parts = ctx.user.email;
- if (parts != null && parts.size() > 0) {
- List l = new ArrayList();
- for (entry in parts.entrySet()) {
- l.add(entry.getValue());
- }
- List setList = new ArrayList(new HashSet(l));
- ctx.user.email = setList;
- }
- - script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "" || object == "null") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/netskope/1.0.1/data_stream/events/fields/agent.yml b/packages/netskope/1.0.1/data_stream/events/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/netskope/1.0.1/data_stream/events/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/netskope/1.0.1/data_stream/events/fields/base-fields.yml b/packages/netskope/1.0.1/data_stream/events/fields/base-fields.yml deleted file mode 100755 index b6306aceaf..0000000000 --- a/packages/netskope/1.0.1/data_stream/events/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: netskope -- name: event.dataset - type: constant_keyword - description: Event dataset - value: netskope.events diff --git a/packages/netskope/1.0.1/data_stream/events/fields/ecs.yml b/packages/netskope/1.0.1/data_stream/events/fields/ecs.yml deleted file mode 100755 index 674f6f18d6..0000000000 --- a/packages/netskope/1.0.1/data_stream/events/fields/ecs.yml +++ /dev/null 
@@ -1,257 +0,0 @@ -- description: Packets sent from the client to the server. - name: client.packets - type: long -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - Translated IP of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.ip - type: ip -- description: Packets sent from the client to the server. - name: client.packets - type: long -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. - Examples: app engine, app service, cloud run, fargate, lambda. - name: cloud.service.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. 
- name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: |- - Postal code associated with the location. - Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - name: destination.geo.postal_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: destination.geo.timezone - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
- name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: MD5 hash. 
- name: file.hash.md5 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: Packets sent from the server to the client. - name: server.packets - type: long -- description: |- - Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - Postal code associated with the location. - Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - name: source.geo.postal_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: source.geo.timezone - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/netskope/1.0.1/data_stream/events/fields/fields.yml b/packages/netskope/1.0.1/data_stream/events/fields/fields.yml deleted file mode 100755 index e5521ff3c5..0000000000 --- a/packages/netskope/1.0.1/data_stream/events/fields/fields.yml +++ /dev/null 
@@ -1,1240 +0,0 @@ -- name: netskope.events - type: group - fields: - - name: url - type: flattened - description: | - URL of the application that the user visited as provided by the log or data plane traffic - - name: cci - type: keyword - description: | - N/A - - name: access_method - type: keyword - description: | - Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. - For log uploads this shows the actual log type such as PAN, Websense, etc. - - name: ack - type: boolean - description: | - Whether user acknowledged the alert or not. - - name: activity - type: group - fields: - - name: name - type: keyword - description: | - Description of the user performed activity. - - name: status - type: keyword - description: | - Displayed when the user is denied access while performing some activity. - - name: type - type: keyword - description: | - Displayed when only admins can perform the activity in question. - - name: alarm - type: group - fields: - - name: description - type: keyword - description: | - N/A - - name: name - type: keyword - description: | - N/A - - name: alert - type: group - fields: - - name: is_present - type: boolean - description: | - Indicates whether alert is generated or not. - Populated as yes for all alerts. - - name: name - type: keyword - description: | - Name of the alert. - - name: type - type: keyword - description: | - Type of the alert. - - name: app - type: group - fields: - - name: activity - type: keyword - description: | - N/A - - name: category - type: keyword - description: | - N/A - - name: name - type: keyword - description: | - Specific cloud application used by the user (e.g. app = Dropbox). 
- - name: region - type: keyword - description: | - N/A - - name: session.id - type: keyword - description: | - Unique App/Site Session ID for traffic_type = CloudApp and Web. - An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. - - name: attachment - type: keyword - description: | - File name. - - name: audit - type: group - fields: - - name: category - type: keyword - description: | - The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. - - name: log.event - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - The sub category in audit according to SaaS / IaaS apps. - - name: browser - type: group - fields: - - name: session.id - type: keyword - description: | - Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. - - name: bucket - type: keyword - description: | - N/A - - name: category - type: group - fields: - - name: id - type: keyword - description: | - Matching category ID according to policy. Populated for both cloud and web traffic. - - name: name - type: keyword - description: | - N/A - - name: ccl - type: keyword - description: | - Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. - Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. - - name: channel - type: keyword - description: | - Channel of the user for slack and slack enterprise apps. 
- - name: client - type: group - fields: - - name: bytes - type: long - description: | - Total number of bytes uploaded from client to server. - - name: packets - type: long - description: | - N/A - - name: connection - type: group - fields: - - name: duration - type: long - description: | - Duration of the connection in milliseconds. Useful for querying long-lived sessions. - - name: end_time - type: long - description: | - Connection end time. - - name: id - type: keyword - description: | - Each connection has a unique ID. Shows the ID for the connection event. - - name: start_time - type: long - description: | - Connection start time. - - name: count - type: long - description: | - Number of raw log lines/events sessionized or suppressed during the suppressed interval. - - name: description - type: keyword - description: | - N/A - - name: destination - type: group - fields: - - name: geoip.source - type: long - description: | - Source from where the location of Destination IP was derived. - - name: detail - type: keyword - description: | - N/A - - name: detection - type: group - fields: - - name: engine - type: keyword - description: | - Customer exposed detection engine name. - - name: type - type: keyword - description: | - Same as malware type. Duplicate. - - name: device - type: group - fields: - - name: classification - type: keyword - description: | - Designation of device as determined by the Netskope Client as to whether the device is managed or not. - - name: name - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. - - name: dlp - type: group - fields: - - name: count - type: long - description: | - Count of rule hits. - - name: file - type: keyword - description: | - File/Object name extracted from the file/object. - - name: fingerprint.classificaiton - type: keyword - description: | - Fingerprint classification. 
- - name: fingerprint.match - type: keyword - description: | - Fingerprint classification match file name. - - name: fingerprint.score - type: long - description: | - Fingerprint classification score. - - name: fv - type: long - description: | - N/A - - name: incident.id - type: keyword - description: | - Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. - - name: is_unique_count - type: boolean - description: | - True or false depending upon if rule is unique counted per rule data. - - name: mail.parent_id - type: keyword - description: | - N/A - - name: parent.id - type: keyword - description: | - Incident ID associated with main container (or non-container) file that was scanned. - - name: profile - type: keyword - description: | - DLP profile name. - - name: score - type: long - description: | - DLP rule score for weighted dictionaries. - - name: severity - type: keyword - description: | - Severity of rule. - - name: unique_count - type: long - description: | - Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. - - name: domain - type: keyword - description: | - Domain value. This will hold the host header value or SNI or extracted from absolute URI. - - name: domain_shared_with - type: long - description: | - N/A - - name: drive - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: encrypt - type: group - fields: - - name: failure - type: keyword - description: | - Reason of failure while encrypting. - - name: end_time - type: keyword - description: | - N/A - - name: enterprise - type: group - fields: - - name: id - type: keyword - description: | - EnterpriseID in case of Slack for Enterprise. - - name: name - type: keyword - description: | - Enterprise name in case of Slack for Enterprise. - - name: event - type: group - fields: - - name: type - type: keyword - description: | - Anomaly type. 
- - name: exposure - type: keyword - description: | - Exposure of a document. - - name: external_collaborator_count - type: long - description: | - Count of external collaborators on a file/folder. Supported for some apps. - - name: file - type: group - fields: - - name: id - type: keyword - description: | - Unique identifier of the file. - - name: is_password_protected - type: keyword - description: | - N/A - - name: lang - type: keyword - description: | - Language of the file. - - name: from - type: group - fields: - - name: object - type: keyword - description: | - Initial name of an object that has been renamed, copied or moved. - - name: user_category - type: keyword - description: | - Type of from_user. - - name: storage - type: keyword - description: | - N/A - - name: logs - type: keyword - description: | - Shows if the event was generated from the Risk Insights log. - - name: gateway - type: keyword - description: | - N/A - - name: graph - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: http_status - type: keyword - description: | - N/A - - name: http_transaction_count - type: long - description: | - HTTP transaction count. - - name: iaas_asset_tags - type: keyword - description: | - List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. - - name: id - type: keyword - description: | - N/A - - name: insertion - type: group - fields: - - name: timestamp - type: long - description: | - Insertion timestamp. - - name: instance_name - type: keyword - description: | - Instance associated with an organization application instance. - - name: instance - type: group - fields: - - name: id - type: keyword - description: | - Unique ID associated with an organization application instance. - - name: name - type: keyword - description: | - Instance name associated with an organization application instance. - - name: type - type: keyword - description: | - Instance type. 
- - name: internal_collaborator_count - type: long - description: | - Count of internal collaborators on a file/folder. Supported for some apps. - - name: ip - type: group - fields: - - name: protocol - type: keyword - description: | - N/A - - name: is_bypass_traffic - type: boolean - description: | - Tells if traffic is bypassed by Netskope. - - name: is_malicious - type: boolean - description: | - Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. - - name: item - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: justification - type: group - fields: - - name: reason - type: keyword - description: | - Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. - - name: type - type: keyword - description: | - Type of justification provided by user when user bypasses the policy block. - - name: last - type: group - fields: - - name: app - type: keyword - description: | - Last application (app in the first/older event). Applies to only proximity anomaly alert. - - name: country - type: keyword - description: | - Last location (Country). Applies to only proximity anomaly alert. - - name: device - type: keyword - description: | - Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. - - name: location - type: keyword - description: | - Last location (City). Applies to only proximity anomaly alert. - - name: region - type: keyword - description: | - Applies to only proximity anomaly alert. - - name: timestamp - type: long - description: | - Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. 
- - name: latency - type: group - fields: - - name: max - type: long - description: | - Max latency for a connection in milliseconds. - - name: min - type: long - description: | - Min latency for a connection in milliseconds. - - name: total - type: long - description: | - Total latency from proxy to app in milliseconds. - - name: legal_hold_profile_name - type: keyword - description: | - Legal hold profile name. - - name: lh - type: group - fields: - - name: custodian.name - type: keyword - description: | - Custodian name of legal hold profile. - - name: destination.app - type: keyword - description: | - Destination appname of legalhold action. - - name: destination.instance - type: keyword - description: | - Destination instance of legal hold action. - - name: file_id - type: keyword - description: | - File ID of legal hold file. - - name: filename - type: keyword - description: | - File name of legal hold file. - - name: filename_original - type: keyword - description: | - Original filename of legal hold file. - - name: filepath - type: keyword - description: | - File path of legal hold file. - - name: shared - type: keyword - description: | - Shared type of legal hold file. - - name: shared_with - type: keyword - description: | - User shared with the legal hold file. - - name: version - type: keyword - description: | - File version of original file. - - name: list - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: log_file - type: group - fields: - - name: name - type: keyword - description: | - Log file name for Risk Insights. - - name: login - type: group - fields: - - name: type - type: keyword - description: | - Salesforce login type. - - name: url - type: flattened - description: | - Salesforce login URL. - - name: malsite_category - type: keyword - description: | - Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. 
- - name: malware - type: group - fields: - - name: id - type: keyword - description: | - md5 hash of the malware name as provided by the scan engine. - - name: name - type: keyword - description: | - Netskope detection name. - - name: profile - type: keyword - description: | - tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. - - name: severity - type: keyword - description: | - Malware severity. - - name: type - type: keyword - description: | - Malware Type. - - name: managed_app - type: boolean - description: | - Whether or not the app in question is managed. - - name: management - type: group - fields: - - name: id - type: keyword - description: | - Management ID. - - name: metric_value - type: long - description: | - N/A - - name: modified_at - type: date - description: | - Timestamp corresponding to the modification time of the entity (file, etc.). - - name: netskope_pop - type: keyword - description: | - N/A - - name: network - type: keyword - description: | - N/A - - name: new_value - type: keyword - description: | - New value for a given file for salesforce.com. - - name: notify_template - type: keyword - description: | - N/A - - name: ns - type: group - fields: - - name: activity - type: keyword - description: | - Maps app activity to Netskope standard activity. - - name: device_uid - type: keyword - description: | - Device identifiers on macOS and Windows. - - name: num_sessions - type: long - description: | - N/A - - name: numbytes - type: long - description: | - Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. - - name: obfuscate - type: boolean - description: | - N/A - - name: object - type: group - fields: - - name: count - type: long - description: | - Displayed when the activity is Delete. Shows the number of objects being deleted. - - name: id - type: keyword - description: | - Unique ID associated with an object. 
- - name: name - type: keyword - description: | - Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. - - name: type - type: keyword - description: | - Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. - - name: old_value - type: keyword - description: | - Old value for a given file for salesforce.com. - - name: org - type: keyword - description: | - Search for events from a specific organization. Organization name is derived from the user ID. - - name: organization_unit - type: keyword - description: | - Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. - - name: orig_ty - type: keyword - description: | - Event Type of original event. - - name: original_file_path - type: keyword - description: | - If the file is moved, then keep original path of the file in this field. - - name: other - type: group - fields: - - name: categories - type: keyword - description: | - N/A - - name: owner - type: keyword - description: | - Owner of the file. - - name: page - type: keyword - description: | - The URL of the originating page. - - name: page_site - type: keyword - description: | - N/A - - name: parent - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: path_id - type: long - description: | - Path ID of the file in the application. - - name: policy - type: group - fields: - - name: id - type: keyword - description: | - The Netskope internal ID for the policy created by an admin. - - name: name - type: keyword - description: | - Name of the policy configured by an admin. - - name: profile - type: group - fields: - - name: emails - type: keyword - description: | - List of profile emails per policy. - - name: id - type: keyword - description: | - Anomaly profile ID. 
- - name: publisher_cn - type: keyword - description: | - N/A - - name: quarantine - type: group - fields: - - name: action.reason - type: keyword - description: | - Reason for the action taken for quarantine. - - name: admin - type: keyword - description: | - Quarantine profile custodian email/name. - - name: app - type: keyword - description: | - Quarantine app name. - - name: app_name - type: keyword - description: | - N/A - - name: failure - type: keyword - description: | - Reason of failure. - - name: file.id - type: keyword - description: | - File ID of the quarantined file. - - name: file.name - type: keyword - description: | - File name of the quarantine file. - - name: instance - type: keyword - description: | - Quarantine instance name. - - name: original.file.name - type: keyword - description: | - Original file name which got quarantined. - - name: original.file.path - type: keyword - description: | - Original file path which got quarantined. - - name: original.version - type: keyword - description: | - Original version of file which got quarantined. - - name: shared_with - type: keyword - description: | - N/A - - name: profile.id - type: keyword - description: | - Quarantine profile ID. - - name: profile.name - type: keyword - description: | - Quarantine profile name of policy for quarantine action. - - name: original.shared - type: keyword - description: | - Original file shared user details. - - name: qar - type: keyword - description: | - N/A - - name: referer - type: flattened - description: | - Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. - - name: region - type: keyword - description: | - N/A - - name: region - type: group - fields: - - name: id - type: keyword - description: | - Region ID (as provided by the cloud provider). 
- - name: repo - type: keyword - description: | - N/A - - name: request - type: group - fields: - - name: count - type: long - description: | - Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. - - name: id - type: keyword - description: | - Unique request ID for the event. - - name: response - type: group - fields: - - name: content.length - type: long - description: | - N/A - - name: content.type - type: keyword - description: | - N/A - - name: count - type: long - description: | - Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. - - name: retro_scan_name - type: keyword - description: | - Retro scan name. - - name: risk_level - type: keyword - description: | - Corresponding field to risk_level_id. Name. - - name: risk_level_id - type: keyword - description: | - This field is set by both role-based access (RBA) and MLAD. - - name: role - type: keyword - description: | - Roles for Box. - - name: run_id - type: long - description: | - Run ID. - - name: sa - type: group - fields: - - name: profile.id - type: keyword - description: | - CSA profile ID. - - name: profile.name - type: keyword - description: | - CSA profile name. - - name: rule.severity - type: keyword - description: | - Rule severity. - - name: scan - type: group - fields: - - name: time - type: long - description: | - Time when the scan is done. - - name: type - type: keyword - description: | - Generated during retroactive scan or new ongoing activity. - - name: scopes - type: keyword - description: | - List of permissions for google apps. - - name: serial - type: keyword - description: | - N/A - - name: server - type: group - fields: - - name: bytes - type: long - description: | - Total number of downloaded from server to client. 
- - name: packets - type: long - description: | - N/A - - name: session - type: group - fields: - - name: id - type: keyword - description: | - Session ID for Dropbox application. - - name: packets - type: long - description: | - N/A - - name: duration - type: long - description: | - N/A - - name: severity - type: group - fields: - - name: id - type: keyword - description: | - Severity ID used by watchlist and malware alerts. - - name: level - type: keyword - description: | - Severity used by watchlist and malware alerts. - - name: type - type: keyword - description: | - Severity type used by watchlist and malware alerts - - name: sfwder - type: keyword - description: | - N/A - - name: shared - type: group - fields: - - name: domains - type: keyword - description: | - List of domains of users the document is shared with. - - name: is_shared - type: boolean - description: | - If the file is shared or not. - - name: type - type: keyword - description: | - Shared Type. - - name: with - type: keyword - description: | - Array of emails with whom a document is shared with. - - name: site - type: keyword - description: | - For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". - - name: slc - type: group - fields: - - name: geo.location - type: geo_point - description: | - Longitude and latitude. - - name: source - type: group - fields: - - name: geoip_src - type: long - description: | - Source from where the location of Source IP was derived. - - name: ssl_decrypt_policy - type: keyword - description: | - Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration, Bypass due to SSL Decrypt Policy.The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. 
ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. - - name: start_time - type: keyword - description: | - N/A - - name: sub_type - type: keyword - description: | - Workplace by Facebook post sub category (files, comments, status etc). - - name: supporting_data - type: keyword - description: | - N/A - - name: suppression - type: group - fields: - - name: end_time - type: long - description: | - When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. - - name: key - type: keyword - description: | - To limit the number of events. Example: Suppress block event for browse. - - name: start_time - type: long - description: | - When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. - - name: team - type: keyword - description: | - Slack team name. - - name: telemetry_app - type: keyword - description: | - Typically SaaS app web sites use web analytics code within the pages to gather analytic data. - When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the - Telemetry App field. - - name: temp_user - type: keyword - description: | - N/A - - name: tenant - type: group - fields: - - name: id - type: keyword - description: | - Tenant id. - - name: threat - type: group - fields: - - name: match_field - type: keyword - description: | - Threat match field, either from domain or URL or IP. - - name: source.id - type: keyword - description: | - Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. 
- - name: threshold - type: long - description: | - Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. - - name: tnetwork_session_id - type: keyword - description: | - N/A - - name: to - type: group - fields: - - name: object - type: keyword - description: | - Changed name of an object that has been renamed, copied, or moved. - - name: storage - type: keyword - description: | - N/A - - name: user - type: keyword - description: | - Used when a file is moved from user A to user B. Shows the email address of user B. - - name: user_category - type: keyword - description: | - Type of user to which move is done. - - name: total_packets - type: long - description: | - N/A - - name: total - type: group - fields: - - name: collaborator_count - type: long - description: | - Count of collaborators on a file/folder. Supported for some apps. - - name: traffic - type: group - fields: - - name: type - type: keyword - description: | - Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. - - name: transaction - type: group - fields: - - name: id - type: keyword - description: | - Unique ID for a given request/response. - - name: tss_mode - type: keyword - description: | - Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. - - name: tunnel - type: group - fields: - - name: id - type: keyword - description: | - Shows the Client installation ID. Only available for the Client steering configuration. - - name: type - type: keyword - description: | - N/A - - name: up_time - type: long - description: | - N/A - - name: two_factor_auth - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - Shows if it is an application event or a connection event. 
Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. - - name: universal_connector - type: keyword - description: | - N/A - - name: url - type: flattened - description: | - URL of the application that the user visited as provided by the log or data plane traffic. - - name: url_to_activity - type: keyword - description: | - Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. - - name: user - type: group - fields: - - name: category - type: keyword - description: | - Type of user in an enterprise - external / internal. - - name: group - type: keyword - description: | - N/A - - name: generated - type: boolean - description: | - Tells whether it is user generated page event. - - name: ip - type: keyword - description: | - IP address of User. - - name: is_aggregated - type: boolean - description: | - N/A - - name: violating - type: group - fields: - - name: user.name - type: keyword - description: | - User who caused a vioaltion. Populated for Workplace by Facebook. - - name: user.type - type: keyword - description: | - Category of the user who caused a violation. Populated for Workplace by Facebook. - - name: web_universal_connector - type: keyword - description: | - N/A - - name: web - type: group - fields: - - name: url - type: flattened - description: | - File preview URL. - - name: workspace - type: group - fields: - - name: id - type: keyword - description: | - Workspace ID in case of Slack for Enterprise. - - name: name - type: keyword - description: | - Workspace name in case of Slack for Enterprise. - - name: event_type - type: keyword - description: | - N/A - - name: zip_password - type: keyword - description: | - Zip the malacious file and put pwd to it and send it back to caller. 
- - name: user
- type: group
- fields:
- - name: geo.city_name
- type: keyword
- description: |
- N/A
- - name: geo.continent_name
- type: keyword
- description: |
- N/A
- - name: geo.country_iso_code
- type: keyword
- description: |
- N/A
- - name: geo.country_name
- type: keyword
- description: |
- N/A
- - name: geo.location
- type: geo_point
- description: |
- Longitude and latitude.
- - name: geo.region_iso_code
- type: keyword
- description: |
- N/A
- - name: geo.region_name
- type: keyword
- description: |
- N/A
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/netskope/1.0.1/data_stream/events/manifest.yml b/packages/netskope/1.0.1/data_stream/events/manifest.yml
deleted file mode 100755
index c5186b4df7..0000000000
--- a/packages/netskope/1.0.1/data_stream/events/manifest.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: Events
-type: logs
-streams:
- - input: tcp
- template_path: tcp.yml.hbs
- title: Netskope Events
- description: Collect Netskope Events using tcp input
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9021
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - netskope-events
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/netskope/1.0.1/data_stream/events/sample_event.json b/packages/netskope/1.0.1/data_stream/events/sample_event.json
deleted file mode 100755
index 23098b922f..0000000000
--- a/packages/netskope/1.0.1/data_stream/events/sample_event.json
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- "@timestamp": "2021-12-24T00:29:56.000Z",
- "agent": {
- "ephemeral_id": "3cabd78f-ac92-4719-87ff-e1dd82c3162a",
- "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.0"
- },
- "data_stream": {
- "dataset": "netskope.events",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
- "snapshot": true,
- "version": "8.3.0"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "netskope.events",
- "ingested": "2022-04-14T09:24:43Z",
- "original": "{\"@timestamp\":\"2021-12-24T00:29:56.000Z\",\"event.id\":\"613ee55ec9d868fc47654a73\",\"netskope\":{\"events\":{\"event_type\":\"infrastructure\",\"severity\":{\"level\":\"high\"},\"alarm\":{\"name\":\"No_events_from_device\",\"description\":\"Events from device not received in the last 24 hours\"},\"device\":{\"name\":\"device-1\"},\"metric_value\":43831789,\"serial\":\"FFFFFFFFFFFFFFFF\",\"supporting_data\":\"abc\"}}}"
- },
- "event.id": "613ee55ec9d868fc47654a73",
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "192.168.224.1:46522"
- }
- },
- "netskope": {
- "events": {
- "alarm": {
- "description": "Events from device not received in the last 24 hours",
- "name": "No_events_from_device"
- },
- "device": {
- "name": "device-1"
- },
- "event_type": "infrastructure",
- "metric_value": 43831789,
- "serial": "FFFFFFFFFFFFFFFF",
- "severity": {
- "level": "high"
- },
- "supporting_data": "abc"
- }
- },
- "tags": [
- "forwarded",
- "netskope-events"
- ]
-}
\ No newline at end of file
diff --git a/packages/netskope/1.0.1/docs/README.md b/packages/netskope/1.0.1/docs/README.md
deleted file mode 100755
index b5708c562f..0000000000
--- a/packages/netskope/1.0.1/docs/README.md
+++ /dev/null
@@ -1,2920 +0,0 @@
-# Netskope
-
-This integration is for Netskope. It can be used to receive logs sent by [Netskope Cloud Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785) on respective TCP ports.
-
-The log message is expected to be in JSON format. The data is mapped to
-ECS fields where applicable and the remaining fields are written under
-`netskope..*`.
-
-## Setup steps
-
-1. Configure this integration with the TCP input in Kibana.
-2. For all Netskope Cloud Exchange configurations refer to the [Log Shipper](https://docs.netskope.com/en/cloud-exchange-feature-lists.html#UUID-e7c43f4b-8aad-679e-eea0-59ce19f16e29_section-idm4547044691454432680066508785).
-3. In Netskope Cloud Exchange please enable Log Shipper, add your Netskope Tenant.
-4. Configure input connectors:
- 1. First with all Event types, and
- 2. Second with all Alerts type.
- For detailed steps refer to [Configure the Netskope Plugin for Log Shipper](https://docs.netskope.com/en/configure-the-netskope-plugin-for-log-shipper.html).
-5. Creating mappings:
- 1. Navigate to Settings -> Log Shipper -> Mapping.
- 2. Click on Add mapping and paste mappings of Alerts mentioned below in Netskope Elastic Integration's Overview Page.
- 3. Click on Add mapping and paste mappings of Events mentioned below in Netskope Elastic Integration's Overview Page.
-6. Configure output connectors:
- 1. Navigate to Settings -> Plugins.
- 2. Adding output connector **Elastic CLS**, select mapping created for Alerts and click **Next**, then paste the Events-validation in the **Valid Extensions** section for Alerts mentioned below in Netskope Elastic Integration's Overview Page.
- For detailed steps refer to [Elastic Plugin for Log Shipper](https://docs.netskope.com/en/elastic-plugin-for-log-shipper.html).
-7. Create business rules:
- 1. Navigate to Home Page > Log Shipper > Business rules.
- 2. 
Create business rules with Netskope Alerts.
- 3. Create business rules with Netskope Events.
- For detailed steps refer to [Manage Log Shipper Business Rules](https://docs.netskope.com/en/manage-log-shipper-business-rules.html).
-8. Adding SIEM mappings:
- 1. Navigate to Home Page > Log Shipper > SIEM Mappings
- 2. Add SIEM mapping for events:
- * Add **Rule** put rule created in step 7.
- * Add **Source Configuration** put input created for Events in step 4.
- * Add **Destination Configuration**, put output created for Events in step 6.
-
-> Note: For detailed steps refer to [Configure Log Shipper SIEM Mappings](https://docs.netskope.com/en/configure-log-shipper-siem-mappings.html).
-Please make sure to use the given response formats.
-
-## Compatibility
-
-This package has been tested against `Netskope version 91.1.0.605` and `Netskope Cloud Exchange version 3.1.5`.
-
-## Documentation and configuration
-
-### Alerts
-
-Default port: _9020_
-
-Netskope Alert Mapping:
-```json
-{
- "elastic_map_version": "2.0.0",
- "ecs_version": "0",
- "taxonomy": {
- "alerts": {
- "policy": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.action": { "mapping_field": "action" },
- "netskope.alerts.activity.name": { "mapping_field": "activity" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { 
"mapping_field": "cci" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "netskope.alerts.exposure": { "mapping_field": "exposure" },
- "netskope.alerts.file.lang": { "mapping_field": "file_lang" },
- "file.path": { "mapping_field": "file_path" },
- "file.size": { "mapping_field": "file_size" },
- "file.mime_type.1": { "mapping_field": "file_type" },
- "netskope.alerts.instance.name": { "mapping_field": "instance" },
- "netskope.alerts.instance.id": { "mapping_field": "instance_id" },
- "file.hash.md5": { "mapping_field": "md5" },
- "file.mime_type.2": { "mapping_field": "mime_type" },
- "netskope.alerts.modified.timestamp": { "mapping_field": "modified" },
- "netskope.alerts.object.name": { "mapping_field": "object" },
- "netskope.alerts.object.id": { "mapping_field": "object_id" },
- "netskope.alerts.object.type": { "mapping_field": "object_type" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "netskope.alerts.owner": { "mapping_field": "owner" },
- "netskope.alerts.policy.name": { "mapping_field": "policy" },
- "netskope.alerts.request.id": { "mapping_field": "request_id" },
- "netskope.alerts.scan.type": { "mapping_field": "scan_type" },
- "netskope.alerts.shared.with": { "mapping_field": "shared_with" },
- "netskope.alerts.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
- "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": { "mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" },
- "netskope.alerts.type": { "mapping_field": "alert_type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "netskope.alerts.url": { "mapping_field": "url" },
- "user.email.2": { "mapping_field": "user" },
- "user.group.name": { "mapping_field": "usergroup" },
- "user.email.3": { "mapping_field": "userkey" },
- "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" },
- "netskope.alerts.connection.id": { "mapping_field": "connection_id" },
- "destination.geo.timezone": { "mapping_field": "dst_timezone" },
- "netskope.alerts.encrypt.failure": { "mapping_field": "encrypt_failure" },
- "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" },
- "netskope.alerts.managed.app": { "mapping_field": "managed_app" },
- "netskope.alerts.netskope_pop": { "mapping_field": "netskope_pop" },
- "user_agent.os.version": { "mapping_field": "os_version" },
- "network.protocol": { "mapping_field": "protocol" },
- "netskope.alerts.referer": { "mapping_field": "referer" },
- "netskope.alerts.severity.level": { 
"mapping_field": "severity" },
- "source.geo.timezone": { "mapping_field": "src_timezone" },
- "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }
- }
- },
- "dlp": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.action": { "mapping_field": "action" },
- "netskope.alerts.activity.name": { "mapping_field": "activity" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "netskope.alerts.dlp.file": { "mapping_field": "dlp_file" },
- "netskope.alerts.dlp.incident.id": { "mapping_field": "dlp_incident_id" },
- "netskope.alerts.dlp.is_unique_count": { "mapping_field": "dlp_is_unique_count" },
- "netskope.alerts.dlp.parent.id": { "mapping_field": "dlp_parent_id" },
- "netskope.alerts.dlp.profile": { "mapping_field": "dlp_profile" },
- "netskope.alerts.dlp.rule.name": { "mapping_field": "dlp_rule" },
- "netskope.alerts.dlp.rule.count": { "mapping_field": "dlp_rule_count" },
- "netskope.alerts.dlp.rule.severity": { "mapping_field": "dlp_rule_severity" },
- "netskope.alerts.dlp.unique_count": { "mapping_field": "dlp_unique_count" },
- "destination.geo.country_iso_code": { 
"mapping_field": "dst_country" },
- "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "netskope.alerts.exposure": { "mapping_field": "exposure" },
- "netskope.alerts.file.lang": { "mapping_field": "file_lang" },
- "file.path": { "mapping_field": "file_path" },
- "file.size": { "mapping_field": "file_size" },
- "file.mime_type.1": { "mapping_field": "file_type" },
- "netskope.alerts.instance.name": { "mapping_field": "instance" },
- "netskope.alerts.instance.id": { "mapping_field": "instance_id" },
- "file.hash.md5": { "mapping_field": "md5" },
- "file.mime_type.2": { "mapping_field": "mime_type" },
- "netskope.alerts.modified.timestamp": { "mapping_field": "modified" },
- "netskope.alerts.object.name": { "mapping_field": "object" },
- "netskope.alerts.object.id": { "mapping_field": "object_id" },
- "netskope.alerts.object.type": { "mapping_field": "object_type" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "netskope.alerts.owner": { "mapping_field": "owner" },
- "netskope.alerts.policy.name": { "mapping_field": "policy" },
- "netskope.alerts.request.id": { "mapping_field": "request_id" },
- "netskope.alerts.scan.type": { "mapping_field": "scan_type" },
- "netskope.alerts.shared.with": { "mapping_field": "shared_with" },
- "netskope.alerts.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": { 
"mapping_field": "src_country" },
- "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": { "mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" },
- "netskope.alerts.type": { "mapping_field": "alert_type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "netskope.alerts.url": { "mapping_field": "url" },
- "user.email.2": { "mapping_field": "user" },
- "user.group.name": { "mapping_field": "usergroup" },
- "user.email.3": { "mapping_field": "userkey" }
- }
- },
- "quarantine": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.action": { "mapping_field": "action" },
- "netskope.alerts.activity.name": { "mapping_field": "activity" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- 
"netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "netskope.alerts.exposure": { "mapping_field": "exposure" },
- "netskope.alerts.file.lang": { "mapping_field": "file_lang" },
- "file.path": { "mapping_field": "file_path" },
- "file.size": { "mapping_field": "file_size" },
- "file.mime_type.1": { "mapping_field": "file_type" },
- "netskope.alerts.instance.name": { "mapping_field": "instance" },
- "netskope.alerts.instance.id": { "mapping_field": "instance_id" },
- "file.hash.md5": { "mapping_field": "md5" },
- "file.mime_type.2": { "mapping_field": "mime_type" },
- "netskope.alerts.modified.timestamp": { "mapping_field": "modified" },
- "netskope.alerts.object.name": { "mapping_field": "object" },
- "netskope.alerts.object.id": { "mapping_field": "object_id" },
- "netskope.alerts.object.type": { "mapping_field": "object_type" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "netskope.alerts.owner": { "mapping_field": "owner" },
- "netskope.alerts.policy.name": { "mapping_field": "policy" },
- "netskope.alerts.quarantine.admin": { "mapping_field": "q_admin" },
- 
"netskope.alerts.quarantine.app.1": { "mapping_field": "q_app" }, - "netskope.alerts.quarantine.instance": { "mapping_field": "q_instance" }, - "netskope.alerts.quarantine.original.file.name": { "mapping_field": "q_original_filename" }, - "netskope.alerts.quarantine.original.file.path": { "mapping_field": "q_original_filepath" }, - "netskope.alerts.quarantine.original.shared": { "mapping_field": "q_original_shared" }, - "netskope.alerts.quarantine.original.version": { "mapping_field": "q_original_version" }, - "netskope.alerts.quarantine.shared.with": { "mapping_field": "q_shared_with" }, - "netskope.alerts.quarantine.action.reason": { "mapping_field": "quarantine_action_reason" }, - "netskope.alerts.quarantine.app.2": { "mapping_field": "quarantine_app" }, - "netskope.alerts.quarantine.failure": { "mapping_field": "quarantine_failure" }, - "netskope.alerts.quarantine.file.id": { "mapping_field": "quarantine_file_id" }, - "netskope.alerts.quarantine.file.name": { "mapping_field": "quarantine_file_name" }, - "netskope.alerts.quarantine.profile.name": { "mapping_field": "quarantine_profile" }, - "netskope.alerts.quarantine.profile.id": { "mapping_field": "quarantine_profile_id" }, - "netskope.alerts.request.id": { "mapping_field": "request_id" }, - "netskope.alerts.scan.type": { "mapping_field": "scan_type" }, - "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, - "netskope.alerts.site": { "mapping_field": "site" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "source.address": { "mapping_field": "srcip" }, - "source.ip": { 
"mapping_field": "srcip" }, - "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.alerts.type": { "mapping_field": "alert_type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "netskope.alerts.url": { "mapping_field": "url" }, - "user.email.2": { "mapping_field": "user" }, - "user.group.name": { "mapping_field": "usergroup" }, - "user.email.3": { "mapping_field": "userkey"} - } - }, - "Security Assessment": { - "header": {}, - "extension": { - "event.id": { "mapping_field": "_id" }, - "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.alerts.access_method": { "mapping_field": "access_method" }, - "netskope.alerts.acked": { "mapping_field": "acked" }, - "netskope.alerts.action": { "mapping_field": "action" }, - "netskope.alerts.activity.name": { "mapping_field": "activity" }, - "netskope.alerts.is_alert": { "mapping_field": "alert" }, - "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, - "netskope.alerts.alert.type": { "mapping_field": "type" }, - "netskope.alerts.app.name": { "mapping_field": "app" }, - "netskope.alerts.app.category": { "mapping_field": "appcategory" }, - "user_agent.name": { "mapping_field": "browser" }, - "netskope.alerts.category.name": { "mapping_field": "category" }, - "netskope.alerts.ccl": { "mapping_field": "ccl" }, - "netskope.alerts.count": { "mapping_field": "count" }, - "netskope.alerts.device.name": { "mapping_field": "device" }, - "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, - "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, - "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, - "destination.geo.city_name": { "mapping_field": "dst_location" }, - "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, - 
"destination.geo.region_name": { "mapping_field": "dst_region" }, - "destination.address": { "mapping_field": "dstip" }, - "destination.ip": { "mapping_field": "dstip" }, - "netskope.alerts.exposure": { "mapping_field": "exposure" }, - "netskope.alerts.file.lang": { "mapping_field": "file_lang" }, - "file.path": { "mapping_field": "file_path" }, - "file.size": { "mapping_field": "file_size" }, - "file.mime_type.1": { "mapping_field": "file_type" }, - "netskope.alerts.instance.name": { "mapping_field": "instance" }, - "netskope.alerts.instance.id": { "mapping_field": "instance_id" }, - "file.hash.md5": { "mapping_field": "md5" }, - "file.mime_type.2": { "mapping_field": "mime_type" }, - "netskope.alerts.modified.timestamp": { "mapping_field": "modified" }, - "netskope.alerts.object.name": { "mapping_field": "object" }, - "netskope.alerts.object.id": { "mapping_field": "object_id" }, - "netskope.alerts.object.type": { "mapping_field": "object_type" }, - "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, - "user_agent.os.name": { "mapping_field": "os" }, - "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, - "netskope.alerts.owner": { "mapping_field": "owner" }, - "netskope.alerts.policy.name": { "mapping_field": "policy" }, - "netskope.alerts.request.id": { "mapping_field": "request_id" }, - "netskope.alerts.sa.profile.id": { "mapping_field": "sa_profile_id" }, - "netskope.alerts.sa.profile.name": { "mapping_field": "sa_profile_name" }, - "netskope.alerts.sa.rule.id": { "mapping_field": "sa_rule_id" }, - "netskope.alerts.sa.rule.name": { "mapping_field": "sa_rule_name" }, - "netskope.alerts.sa.rule.severity": { "mapping_field": "sa_rule_severity" }, - "netskope.alerts.scan.type": { "mapping_field": "scan_type" }, - "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, - "netskope.alerts.site": { "mapping_field": "site" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - 
"netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "source.address": { "mapping_field": "srcip" }, - "source.ip": { "mapping_field": "srcip" }, - "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.alerts.type": { "mapping_field": "alert_type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "netskope.alerts.url": { "mapping_field": "url" }, - "user.email.2": { "mapping_field": "user" }, - "user.group.name": { "mapping_field": "usergroup" }, - "user.email.3": { "mapping_field": "userkey" }, - "netskope.alerts.compliance.standards": { "mapping_field": "compliance_standards" }, - "netskope.alerts.iaas.asset.tags": { "mapping_field": "iaas_asset_tags" }, - "netskope.alerts.iaas.remediated": { "mapping_field": "iaas_remediated" }, - "netskope.alerts.sa.rule.remediation": { "mapping_field": "sa_rule_remediation" }, - "cloud.account.id": { "mapping_field": "account_id" }, - "cloud.account.name": { "mapping_field": "account_name" }, - "netskope.alerts.asset.id": { "mapping_field": "asset_id" }, - "netskope.alerts.asset.object.id": { "mapping_field": "asset_object_id" }, - "netskope.alerts.cci": { "mapping_field": "cci" }, - "netskope.alerts.policy.id": { "mapping_field": "policy_id" }, - "netskope.alerts.region.id": { "mapping_field": "region_id" }, - "netskope.alerts.region.name": { "mapping_field": "region_name" }, - "netskope.alerts.resource.category": { "mapping_field": "resource_category" }, - "netskope.alerts.resource.group": { "mapping_field": "resource_group" } - } - }, - "uba": { - "header": {}, - "extension": { - 
"event.id": { "mapping_field": "_id" }, - "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.alerts.access_method": { "mapping_field": "access_method" }, - "netskope.alerts.acked": { "mapping_field": "acked" }, - "netskope.alerts.action": { "mapping_field": "action" }, - "netskope.alerts.activity.name": { "mapping_field": "activity" }, - "netskope.alerts.is_alert": { "mapping_field": "alert" }, - "netskope.alerts.alert.id": { "mapping_field": "alert_id" }, - "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, - "netskope.alerts.alert.type": { "mapping_field": "type" }, - "netskope.alerts.app.name": { "mapping_field": "app" }, - "netskope.alerts.app.category": { "mapping_field": "appcategory" }, - "user_agent.name": { "mapping_field": "browser" }, - "netskope.alerts.category.name": { "mapping_field": "category" }, - "netskope.alerts.cci": { "mapping_field": "cci" }, - "netskope.alerts.ccl": { "mapping_field": "ccl" }, - "netskope.alerts.count": { "mapping_field": "count" }, - "netskope.alerts.device.name": { "mapping_field": "device" }, - "netskope.alerts.device.classification": { "mapping_field": "device_classification" }, - "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, - "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, - "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, - "destination.geo.city_name": { "mapping_field": "dst_location" }, - "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, - "destination.geo.region_name": { "mapping_field": "dst_region" }, - "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, - "destination.address": { "mapping_field": "dstip" }, - "destination.ip": { "mapping_field": "dstip" }, - "netskope.alerts.event.type": { "mapping_field": "event_type" }, - "netskope.alerts.event_source_channel": { "mapping_field": "evt_src_chnl" }, - "file.size": { "mapping_field": 
"file_size" }, - "file.mime_type.1": { "mapping_field": "file_type" }, - "netskope.alerts.from.storage": { "mapping_field": "from_storage" }, - "host.hostname": { "mapping_field": "hostname" }, - "netskope.alerts.managed.app": { "mapping_field": "managed_app" }, - "netskope.alerts.management.id": { "mapping_field": "managementID" }, - "netskope.alerts.ns_device_uid": { "mapping_field": "nsdeviceuid" }, - "netskope.alerts.object.name": { "mapping_field": "object" }, - "netskope.alerts.object.type": { "mapping_field": "object_type" }, - "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, - "netskope.alerts.orig_ty": { "mapping_field": "orig_ty" }, - "user_agent.os.name": { "mapping_field": "os" }, - "user_agent.os.version": { "mapping_field": "os_version" }, - "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, - "netskope.alerts.page.url": { "mapping_field": "page" }, - "netskope.alerts.page.site": { "mapping_field": "page_site" }, - "netskope.alerts.policy.name": { "mapping_field": "policy" }, - "netskope.alerts.policy.actions": { "mapping_field": "policy_actions" }, - "netskope.alerts.profile.id": { "mapping_field": "profile_id" }, - "netskope.alerts.severity.level": { "mapping_field": "severity" }, - "netskope.alerts.site": { "mapping_field": "site" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "source.address": { "mapping_field": "srcip" }, - "source.ip": { "mapping_field": "srcip" }, - "netskope.alerts.telemetry.app": { "mapping_field": "telemetry_app" }, - "netskope.alerts.threshold.value": 
{ "mapping_field": "threshold" }, - "netskope.alerts.threshold.time": { "mapping_field": "threshold_time" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }, - "netskope.alerts.type": { "mapping_field": "alert_type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "netskope.alerts.url": { "mapping_field": "url" }, - "user.email.2": { "mapping_field": "user" }, - "user.group.name": { "mapping_field": "usergroup" }, - "netskope.alerts.user.ip": { "mapping_field": "userip" }, - "user.email.3": { "mapping_field": "userkey" }, - "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" }, - "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" }, - "destination.geo.timezone": { "mapping_field": "dst_timezone" }, - "netskope.alerts.last.app": { "mapping_field": "last_app" }, - "netskope.alerts.last.country": { "mapping_field": "last_country" }, - "netskope.alerts.last.device": { "mapping_field": "last_device" }, - "netskope.alerts.last.location": { "mapping_field": "last_location" }, - "netskope.alerts.last.region": { "mapping_field": "last_region" }, - "netskope.alerts.last.timestamp": { "mapping_field": "last_timestamp" }, - "netskope.alerts.slc_longitude": { "mapping_field": "slc_longitude" }, - "source.geo.timezone": { "mapping_field": "src_timezone" }, - "netskope.alerts.flow_status": { "mapping_field": "flow_status" }, - "netskope.alerts.uba_ap1": { "mapping_field": "uba_ap1" }, - "netskope.alerts.uba_ap2": { "mapping_field": "uba_ap2" }, - "netskope.alerts.uba_inst1": { "mapping_field": "uba_inst1" }, - "netskope.alerts.uba_inst2": { "mapping_field": "uba_inst2" }, - "netskope.alerts.activity.status": { "mapping_field": "activity_status" }, - "netskope.alerts.connection.id": { "mapping_field": "connection_id" }, - "netskope.alerts.instance.id": { "mapping_field": 
"instance_id" }, - "file.hash.md5": { "mapping_field": "md5" }, - "netskope.alerts.parent.id": { "mapping_field": "parent_id" }, - "netskope.alerts.referer": { "mapping_field": "referer" }, - "netskope.alerts.slc_latitude": { "mapping_field": "slc_latitude" }, - "netskope.alerts.is_web_universal_connector": { "mapping_field": "web_universal_connector" } - } - }, - "Compromised Credential": { - "header": {}, - "extension": { - "event.id": { "mapping_field": "_id" }, - "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.alerts.acked": { "mapping_field": "acked" }, - "netskope.alerts.is_alert": { "mapping_field": "alert" }, - "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, - "netskope.alerts.type": { "mapping_field": "alert_type" }, - "netskope.alerts.breach.date": { "mapping_field": "breach_date" }, - "netskope.alerts.breach.description": { "mapping_field": "breach_description" }, - "netskope.alerts.breach.id": { "mapping_field": "breach_id" }, - "netskope.alerts.breach.media_references": { "mapping_field": "breach_media_references" }, - "netskope.alerts.breach.score": { "mapping_field": "breach_score" }, - "netskope.alerts.breach.target_references": { "mapping_field": "breach_target_references" }, - "netskope.alerts.category.name": { "mapping_field": "category" }, - "netskope.alerts.cci": { "mapping_field": "cci" }, - "netskope.alerts.ccl": { "mapping_field": "ccl" }, - "netskope.alerts.count": { "mapping_field": "count" }, - "netskope.alerts.email.source": { "mapping_field": "email_source" }, - "netskope.alerts.external.email": { "mapping_field": "external_email" }, - "netskope.alerts.matched.username": { "mapping_field": "matched_username" }, - "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, - "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.alerts.alert.type": { 
"mapping_field": "type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "user.email.2": { "mapping_field": "user" }, - "netskope.alerts.user.group": { "mapping_field": "usergroup" }, - "user.email.3": { "mapping_field": "userkey" }, - "netskope.alerts.app.category": { "mapping_field": "appcategory" }, - "netskope.alerts.flow_status": { "mapping_field": "flow_status" } - } - }, - "Malsite": { - "header": {}, - "extension": { - "event.id": { "mapping_field": "_id" }, - "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.alerts.access_method": { "mapping_field": "access_method" }, - "netskope.alerts.acked": { "mapping_field": "acked" }, - "netskope.alerts.is_alert": { "mapping_field": "alert" }, - "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, - "netskope.alerts.type": { "mapping_field": "alert_type" }, - "netskope.alerts.app.name": { "mapping_field": "app" }, - "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" }, - "netskope.alerts.app.category": { "mapping_field": "appcategory" }, - "netskope.alerts.app.suite": { "mapping_field": "appsuite" }, - "user_agent.name": { "mapping_field": "browser" }, - "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" }, - "netskope.alerts.category.name": { "mapping_field": "category" }, - "netskope.alerts.cci": { "mapping_field": "cci" }, - "netskope.alerts.ccl": { "mapping_field": "ccl" }, - "netskope.alerts.connection.id": { "mapping_field": "connection_id" }, - "netskope.alerts.count": { "mapping_field": "count" }, - "netskope.alerts.device.name": { "mapping_field": "device" }, - "netskope.alerts.device.classification": { "mapping_field": "device_classification" }, - "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, - "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, - "destination.geo.city_name": { "mapping_field": "dst_location" }, - 
"destination.geo.location.lon": { "mapping_field": "dst_longitude" }, - "destination.geo.region_name": { "mapping_field": "dst_region" }, - "destination.geo.timezone": { "mapping_field": "dst_timezone" }, - "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, - "destination.ip": { "mapping_field": "dstip" }, - "destination.address": { "mapping_field": "dstip" }, - "host.hostname": { "mapping_field": "hostname" }, - "netskope.alerts.is_malicious": { "mapping_field": "malicious" }, - "netskope.alerts.malsite.active": { "mapping_field": "malsite_active" }, - "netskope.alerts.malsite.as.number": { "mapping_field": "malsite_as_number" }, - "netskope.alerts.malsite.category": { "mapping_field": "malsite_category" }, - "netskope.alerts.malsite.city": { "mapping_field": "malsite_city" }, - "netskope.alerts.malsite.confidence": { "mapping_field": "malsite_confidence" }, - "netskope.alerts.malsite.consecutive": { "mapping_field": "malsite_consecutive" }, - "netskope.alerts.malsite.country": { "mapping_field": "malsite_country" }, - "netskope.alerts.malsite.dns.server": { "mapping_field": "malsite_dns_server" }, - "netskope.alerts.malsite.first_seen": { "mapping_field": "malsite_first_seen" }, - "netskope.alerts.malsite.hostility": { "mapping_field": "malsite_hostility" }, - "netskope.alerts.malsite.id": { "mapping_field": "malsite_id" }, - "netskope.alerts.malsite.ip_host": { "mapping_field": "malsite_ip_host" }, - "netskope.alerts.malsite.isp": { "mapping_field": "malsite_isp" }, - "netskope.alerts.malsite.last.seen": { "mapping_field": "malsite_last_seen" }, - "netskope.alerts.malsite.latitude": { "mapping_field": "malsite_latitude" }, - "netskope.alerts.malsite.longitude": { "mapping_field": "malsite_longitude" }, - "netskope.alerts.malsite.region": { "mapping_field": "malsite_region" }, - "netskope.alerts.malsite.reputation": { "mapping_field": "malsite_reputation" }, - "netskope.alerts.managed.app": { "mapping_field": "managed_app" }, - 
"netskope.alerts.netskope_pop": { "mapping_field": "netskope_pop" }, - "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, - "user_agent.os.name": { "mapping_field": "os" }, - "user_agent.os.version": { "mapping_field": "os_version" }, - "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, - "netskope.alerts.page.url": { "mapping_field": "page" }, - "netskope.alerts.page.site": { "mapping_field": "page_site" }, - "network.protocol": { "mapping_field": "protocol" }, - "netskope.alerts.severity.level": { "mapping_field": "severity" }, - "netskope.alerts.malsite.severity.level": { "mapping_field": "severity_level" }, - "netskope.alerts.severity.level_id": { "mapping_field": "severity_level_id" }, - "netskope.alerts.site": { "mapping_field": "site" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "netskope.alerts.source.time": { "mapping_field": "src_time" }, - "source.geo.timezone": { "mapping_field": "src_timezone" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "source.ip": { "mapping_field": "srcip" }, - "source.address": { "mapping_field": "srcip" }, - "netskope.alerts.telemetry.app": { "mapping_field": "telemetry_app" }, - "netskope.alerts.threat.match.field": { "mapping_field": "threat_match_field" }, - "netskope.alerts.threat.match.value": { "mapping_field": "threat_match_value" }, - "netskope.alerts.threat.source.id": { "mapping_field": "threat_source_id" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }, - "netskope.alerts.alert.type": { "mapping_field": "type" }, 
- "user.email.1": { "mapping_field": "ur_normalized" }, - "netskope.alerts.url": { "mapping_field": "url" }, - "user.email.2": { "mapping_field": "user" }, - "netskope.alerts.user.group": { "mapping_field": "usergroup" }, - "netskope.alerts.user.ip": { "mapping_field": "userip" }, - "user.email.3": { "mapping_field": "userkey" }, - "netskope.alerts.action": { "mapping_field": "action" }, - "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" }, - "netskope.alerts.notify.template": { "mapping_field": "notify_template" }, - "netskope.alerts.policy.name": { "mapping_field": "policy" }, - "netskope.alerts.referer": { "mapping_field": "referer" }, - "user_agent.version": { "mapping_field": "browser_version" }, - "netskope.alerts.flow_status": { "mapping_field": "flow_status" } - } - }, - "malware": { - "header": {}, - "extension": { - "event.id": { "mapping_field": "_id" }, - "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.alerts.access_method": { "mapping_field": "access_method" }, - "netskope.alerts.acked": { "mapping_field": "acked" }, - "netskope.alerts.action": { "mapping_field": "action" }, - "netskope.alerts.activity.name": { "mapping_field": "activity" }, - "netskope.alerts.is_alert": { "mapping_field": "alert" }, - "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, - "netskope.alerts.type": { "mapping_field": "alert_type" }, - "netskope.alerts.app.name": { "mapping_field": "app" }, - "netskope.alerts.app.app_name": { "mapping_field": "app_name" }, - "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" }, - "netskope.alerts.app.category": { "mapping_field": "appcategory" }, - "netskope.alerts.category.name": { "mapping_field": "category" }, - "netskope.alerts.cci": { "mapping_field": "cci" }, - "netskope.alerts.ccl": { "mapping_field": "ccl" }, - "netskope.alerts.connection.id": { "mapping_field": "connection_id" }, - "netskope.alerts.count": { "mapping_field": 
"count" }, - "netskope.alerts.created_at": { "mapping_field": "created_date" }, - "netskope.alerts.detection.engine": { "mapping_field": "detection_engine" }, - "netskope.alerts.file.id": { "mapping_field": "file_id" }, - "file.name": { "mapping_field": "file_name" }, - "file.path": { "mapping_field": "file_path" }, - "file.size": { "mapping_field": "file_size" }, - "file.mime_type.1": { "mapping_field": "file_type" }, - "netskope.alerts.instance.name": { "mapping_field": "instance" }, - "threat.indicator.file.hash.md5": { "mapping_field": "local_md5" }, - "threat.indicator.file.hash.sha256": { "mapping_field": "local_sha256" }, - "netskope.alerts.malware.id": { "mapping_field": "malware_id" }, - "netskope.alerts.malware.name": { "mapping_field": "malware_name" }, - "netskope.alerts.malware.profile": { "mapping_field": "malware_profile" }, - "netskope.alerts.malware.severity": { "mapping_field": "malware_severity" }, - "netskope.alerts.malware.type": { "mapping_field": "malware_type" }, - "netskope.alerts.mime.type": { "mapping_field": "mime_type" }, - "netskope.alerts.ml_detection": { "mapping_field": "ml_detection" }, - "netskope.alerts.modified.timestamp": { "mapping_field": "modified" }, - "netskope.alerts.modified.date": { "mapping_field": "modified_date" }, - "netskope.alerts.object.name": { "mapping_field": "object" }, - "netskope.alerts.object.id": { "mapping_field": "object_id" }, - "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, - "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, - "netskope.alerts.path.id": { "mapping_field": "path_id" }, - "netskope.alerts.scanner_result": { "mapping_field": "scanner_result" }, - "netskope.alerts.severity.level": { "mapping_field": "severity" }, - "netskope.alerts.severity.id": { "mapping_field": "severity_id" }, - "netskope.alerts.shared.type": { "mapping_field": "shared_type" }, - "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, - 
"netskope.alerts.site": { "mapping_field": "site" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.alerts.title": { "mapping_field": "title" }, - "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.alerts.tss.mode": { "mapping_field": "tss_mode" }, - "netskope.alerts.alert.type": { "mapping_field": "type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "user.email.2": { "mapping_field": "user" }, - "user.email.3": { "mapping_field": "user_id" }, - "netskope.alerts.user.group": { "mapping_field": "usergroup" }, - "user.email.4": { "mapping_field": "userkey" }, - "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" }, - "user_agent.name": { "mapping_field": "browser" }, - "user_agent.version": { "mapping_field": "browser_version" }, - "netskope.alerts.device.name": { "mapping_field": "device" }, - "netskope.alerts.device.classification": { "mapping_field": "device_classification" }, - "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, - "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, - "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, - "destination.geo.city_name": { "mapping_field": "dst_location" }, - "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, - "destination.geo.region_name": { "mapping_field": "dst_region" }, - "destination.geo.timezone": { "mapping_field": "dst_timezone" }, - "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, - "destination.ip": { "mapping_field": "dstip" }, - "destination.address": { "mapping_field": "dstip" }, - "netskope.alerts.flow_status": { "mapping_field": "flow_status" }, - "host.hostname": { "mapping_field": "hostname" }, - "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" }, - "netskope.alerts.ns_device_uid": { "mapping_field": "nsdeviceuid" }, - "netskope.alerts.object.type": { "mapping_field": "object_type" }, - 
"user_agent.os.name": { "mapping_field": "os" }, - "user_agent.os.version": { "mapping_field": "os_version" }, - "netskope.alerts.page.url": { "mapping_field": "page" }, - "netskope.alerts.page.site": { "mapping_field": "page_site" }, - "network.protocol": { "mapping_field": "protocol" }, - "netskope.alerts.referer": { "mapping_field": "referer" }, - "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "netskope.alerts.source.time": { "mapping_field": "src_time" }, - "source.geo.timezone": { "mapping_field": "src_timezone" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "source.ip": { "mapping_field": "srcip" }, - "source.address": { "mapping_field": "srcip" }, - "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }, - "netskope.alerts.is_web_universal_connector": { "mapping_field": "web_universal_connector" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - "netskope.alerts.management.id": { "mapping_field": "managementID" }, - "netskope.alerts.managed.app": { "mapping_field": "managed_app" }, - "netskope.alerts.request.id": { "mapping_field": "request_id" }, - "netskope.alerts.user.ip": { "mapping_field": "userip" } - } - } - } - } -} -``` -Netskope Alert Validation Extensions: -``` -ECS Key Name,Length,Data Type -@timestamp,,DateTime -cloud.account.id,,String -cloud.account.name,,String -cloud.service.name,,String -client.bytes,,Integer -client.packets,,Integer -destination.address,,String -destination.domain,,String -destination.geo.country_iso_code,,String -destination.geo.city_name,,String -destination.geo.location.lat,,Floating Point -destination.geo.location.lon,,Floating Point -destination.geo.postal_code,,String 
-destination.geo.region_name,,String -destination.geo.timezone,,String -destination.ip,,String -destination.port,,Integer -event.id,,String -file.hash.md5,,String -file.mime_type,,String -file.name,,String -file.path,,String -file.size,,Integer -host.hostname,,String -netskope.alerts.access_method,,String -netskope.alerts.acked,,String -netskope.alerts.acting.role,,String -netskope.alerts.action,,String -netskope.alerts.activities,,String -netskope.alerts.activity.name,,String -netskope.alerts.activity.status,,String -netskope.alerts.activity.type,,String -netskope.alerts.agg.window,,String -netskope.alerts.aggregated.user,,String -netskope.alerts.alert.affected.entities,,String -netskope.alerts.alert.category,,String -netskope.alerts.alert.description,,String -netskope.alerts.alert.detection.stage,,String -netskope.alerts.alert.id,,String -netskope.alerts.alert.name,,String -netskope.alerts.alert.notes,,String -netskope.alerts.alert.query,,String -netskope.alerts.alert.score,,Integer -netskope.alerts.alert.source,,String -netskope.alerts.alert.status,,String -netskope.alerts.alert.type,,String -netskope.alerts.alert.window,,String -netskope.alerts.algorithm,,String -netskope.alerts.anomaly.efficacy,,String -netskope.alerts.anomaly.fields,,String -netskope.alerts.anomaly.id,,String -netskope.alerts.anomaly.magnitude,,Floating Point -netskope.alerts.anomaly.type,,String -netskope.alerts.app.app_name,,String -netskope.alerts.app.activity,,String -netskope.alerts.app.category,,String -netskope.alerts.app.suite,,String -netskope.alerts.app.name,,String -netskope.alerts.app.region,,String -netskope.alerts.app.session.id,,String -netskope.alerts.asn,,Integer -netskope.alerts.asset.id,,String -netskope.alerts.asset.object.id,,String -netskope.alerts.attachment,,String -netskope.alerts.audit.category,,String -netskope.alerts.audit.type,,String -netskope.alerts.bin.timestamp,,Integer -netskope.alerts.breach.date,,Integer -netskope.alerts.breach.id,,String 
-netskope.alerts.breach.description,,String -netskope.alerts.breach.media_references,,String -netskope.alerts.breach.name,,String -netskope.alerts.breach.score,,Integer -netskope.alerts.breach.target_references,,String -netskope.alerts.browser.session.id,,String -netskope.alerts.bucket,,String -netskope.alerts.bypass.traffic,,String -netskope.alerts.category,,String -netskope.alerts.category.id,,String -netskope.alerts.category.name,,String -netskope.alerts.cci,,String -netskope.alerts.ccl,,String -netskope.alerts.channel,,String -netskope.alerts.cloud.provider,,String -netskope.alerts.compliance.standards,,String -netskope.alerts.compute.instance,,String -netskope.alerts.connection.duration,,Integer -netskope.alerts.connection.endtime,,Floating Point -netskope.alerts.connection.id,,String -netskope.alerts.connection.starttime,,Floating Point -netskope.alerts.count,,Integer -netskope.alerts.created_at,,String -netskope.alerts.data.version,,String -netskope.alerts.description,,String -netskope.alerts.destination.geoip_src,,Integer -netskope.alerts.detected-file-type,,String -netskope.alerts.detection.engine,,String -netskope.alerts.detection.type,,String -netskope.alerts.device.name,,String -netskope.alerts.device.classification,,String -netskope.alerts.dlp.file,,String -netskope.alerts.dlp.fingerprint.classification,,String -netskope.alerts.dlp.fingerprint.match,,String -netskope.alerts.dlp.fingerprint.score,,Integer -netskope.alerts.dlp.fv,,Integer -netskope.alerts.dlp.incident.id,,String -netskope.alerts.dlp.is_unique_count,,String -netskope.alerts.dlp.mail.parent.id,,String -netskope.alerts.dlp.parent.id,,String -netskope.alerts.dlp.profile,,String -netskope.alerts.dlp.rule.count,,Integer -netskope.alerts.dlp.rule.name,,String -netskope.alerts.dlp.rule.score,,Integer -netskope.alerts.dlp.rule.severity,,String -netskope.alerts.dlp.unique_count,,Integer -netskope.alerts.doc.count,,Integer -netskope.alerts.domain,,String -netskope.alerts.domain.shared.with,,String 
-netskope.alerts.download.app,,String
-netskope.alerts.drive.id,,String
-netskope.alerts.dynamic.classification,,String
-netskope.alerts.elastic_key,,String
-netskope.alerts.email.source,,String
-netskope.alerts.encrypt.failure,,String
-netskope.alerts.encryption.service.key,,String
-netskope.alerts.end_time,,Integer
-netskope.alerts.enterprise.id,,String
-netskope.alerts.enterprise.name,,String
-netskope.alerts.entity.list,,String
-netskope.alerts.entity.type,,String
-netskope.alerts.entity.value,,String
-netskope.alerts.event_source_channel,,String
-netskope.alerts.event.detail,,String
-netskope.alerts.event.id,,String
-netskope.alerts.event.type,,String
-netskope.alerts.exposure,,String
-netskope.alerts.external.collaborator.count,,Integer
-netskope.alerts.external.email,,Integer
-netskope.alerts.false_positive,,String
-netskope.alerts.feature.description,,String
-netskope.alerts.feature.id,,String
-netskope.alerts.feature.name,,String
-netskope.alerts.file.id,,String
-netskope.alerts.file.lang,,String
-netskope.alerts.file.name,,String
-netskope.alerts.file.password.protected,,String
-netskope.alerts.file.path,,String
-netskope.alerts.file.path.original,,String
-netskope.alerts.file.size,,Floating Point
-netskope.alerts.file.type,,String
-netskope.alerts.forward_to_proxy_profile,,String
-netskope.alerts.from.logs,,String
-netskope.alerts.from.object,,String
-netskope.alerts.from.storage,,String
-netskope.alerts.from.user_category,,String
-netskope.alerts.gateway,,String
-netskope.alerts.graph.id,,String
-netskope.alerts.http_status,,String
-netskope.alerts.http_transaction_count,,Integer
-netskope.alerts.iaas.asset.tags,,String
-netskope.alerts.iaas.remediated,,String
-netskope.alerts.iam.session,,String
-netskope.alerts.id,,String
-netskope.alerts.insertion_epoch_timestamp,,Integer
-netskope.alerts.instance_name,,String
-netskope.alerts.instance.id,,String
-netskope.alerts.instance.name,,String
-netskope.alerts.instance.type,,String
-netskope.alerts.internal.collaborator.count,,Integer
-netskope.alerts.ip_protocol,,String
-netskope.alerts.ipblock,,String
-netskope.alerts.is_alert,,String
-netskope.alerts.is_file_passwd_protected,,String
-netskope.alerts.is_malicious,,String
-netskope.alerts.is_two_factor_auth,,Integer
-netskope.alerts.is_universal_connector,,String
-netskope.alerts.is_user_generated,,String
-netskope.alerts.is_web_universal_connector,,String
-netskope.alerts.isp,,String
-netskope.alerts.item.id,,String
-netskope.alerts.justification.reason,,String
-netskope.alerts.justification.type,,String
-netskope.alerts.last.app,,String
-netskope.alerts.last.coordinates,,Floating Point
-netskope.alerts.last.country,,String
-netskope.alerts.last.device,,String
-netskope.alerts.last.location,,String
-netskope.alerts.last.modified_timestamp,,Integer
-netskope.alerts.last.region,,String
-netskope.alerts.last.timestamp,,Integer
-netskope.alerts.latency.max,,Integer
-netskope.alerts.latency.min,,Integer
-netskope.alerts.latency.total,,Integer
-netskope.alerts.legal_hold.custodian_name,,String
-netskope.alerts.legal_hold.destination.app,,String
-netskope.alerts.legal_hold.destination.instance,,String
-netskope.alerts.legal_hold.file.id,,String
-netskope.alerts.legal_hold.file.name,,String
-netskope.alerts.legal_hold.file.name_original,,String
-netskope.alerts.legal_hold.file.path,,String
-netskope.alerts.legal_hold.profile_name,,String
-netskope.alerts.legal_hold.shared,,String
-netskope.alerts.legal_hold.shared_with,,String
-netskope.alerts.legal_hold.version,,String
-netskope.alerts.list.id,,String
-netskope.alerts.log.file.name,,String
-netskope.alerts.login.type,,String
-netskope.alerts.login.url,,String
-netskope.alerts.malsite.active,,Integer
-netskope.alerts.malsite.as.number,,String
-netskope.alerts.malsite.category,,String
-netskope.alerts.malsite.city,,String
-netskope.alerts.malsite.confidence,,Integer
-netskope.alerts.malsite.consecutive,,Integer
-netskope.alerts.malsite.country,,String
-netskope.alerts.malsite.dns.server,,String
-netskope.alerts.malsite.first_seen,,Integer
-netskope.alerts.malsite.hostility,,String
-netskope.alerts.malsite.id,,String
-netskope.alerts.malsite.ip_host,,String
-netskope.alerts.malsite.isp,,String
-netskope.alerts.malsite.last.seen,,Integer
-netskope.alerts.malsite.latitude,,Floating Point
-netskope.alerts.malsite.longitude,,Floating Point
-netskope.alerts.malsite.region,,String
-netskope.alerts.malsite.reputation,,Floating Point
-netskope.alerts.malsite.severity.level,,String
-netskope.alerts.malware.id,,String
-netskope.alerts.malware.name,,String
-netskope.alerts.malware.profile,,String
-netskope.alerts.malware.severity,,String
-netskope.alerts.malware.type,,String
-netskope.alerts.managed.app,,String
-netskope.alerts.management.id,,String
-netskope.alerts.matched.username,,String
-netskope.alerts.matrix.columns,,String
-netskope.alerts.matrix.rows,,String
-netskope.alerts.md5_list,,String
-netskope.alerts.mime.type,,String
-netskope.alerts.modified.timestamp,,Integer
-netskope.alerts.modified.date,,Integer
-netskope.alerts.netskope_pop,,String
-netskope.alerts.network.name,,String
-netskope.alerts.network.security.group,,String
-netskope.alerts.network.session_id,,String
-netskope.alerts.new.value,,String
-netskope.alerts.nonzero.entries,,Integer
-netskope.alerts.nonzero.percentage,,Floating Point
-netskope.alerts.notify.template,,String
-netskope.alerts.ns_activity,,String
-netskope.alerts.ns_device_uid,,String
-netskope.alerts.numbytes,,Integer
-netskope.alerts.obfuscate,,String
-netskope.alerts.object.count,,Integer
-netskope.alerts.object.id,,String
-netskope.alerts.object.name,,String
-netskope.alerts.object.type,,String
-netskope.alerts.old.value,,String
-netskope.alerts.org,,String
-netskope.alerts.organization.unit,,String
-netskope.alerts.orig_ty,,String
-netskope.alerts.os_version_hostname,,String
-netskope.alerts.other.categories,,String
-netskope.alerts.owner,,String
-netskope.alerts.page,,String
-netskope.alerts.page.site,,String
-netskope.alerts.parameters,,String
-netskope.alerts.parent.id,,String
-netskope.alerts.path.id,,String
-netskope.alerts.policy.actions,,String
-netskope.alerts.policy.id,,String
-netskope.alerts.policy.name,,String
-netskope.alerts.pretty.sourcetype,,String
-netskope.alerts.processing.time,,Integer
-netskope.alerts.profile.emails,,String
-netskope.alerts.profile.id,,String
-netskope.alerts.quarantine.action.reason,,String
-netskope.alerts.quarantine.admin,,String
-netskope.alerts.quarantine.app,,String
-netskope.alerts.quarantine.failure,,String
-netskope.alerts.quarantine.file.id,,String
-netskope.alerts.quarantine.file.name,,String
-netskope.alerts.quarantine.instance,,String
-netskope.alerts.quarantine.original.file.name,,String
-netskope.alerts.quarantine.original.file.path,,String
-netskope.alerts.quarantine.original.shared,,String
-netskope.alerts.quarantine.original.version,,String
-netskope.alerts.quarantine.profile.name,,String
-netskope.alerts.quarantine.profile.id,,String
-netskope.alerts.quarantine.shared.with,,String
-netskope.alerts.referer,,String
-http.request.referrer,,String
-netskope.alerts.region.id,,String
-netskope.alerts.region.name,,String
-netskope.alerts.reladb,,String
-netskope.alerts.repo,,String
-netskope.alerts.request.cnt,,String
-netskope.alerts.request.id,,String
-netskope.alerts.resource.group,,String
-netskope.alerts.resources,,String
-netskope.alerts.response.cnt,,Integer
-netskope.alerts.response.content.length,,Integer
-netskope.alerts.response.content.type,,String
-netskope.alerts.retro.scan.name,,String
-netskope.alerts.risk_level.id,,String
-netskope.alerts.risk_level.tag,,String
-netskope.alerts.role,,String
-netskope.alerts.rule.id,,String
-netskope.alerts.sa.profile.id,,String
-netskope.alerts.sa.profile.name,,String
-netskope.alerts.sa.rule.remediation,,String
-netskope.alerts.sa.rule.severity,,String
-netskope.alerts.scan.time,,String
-netskope.alerts.scan.type,,String
-netskope.alerts.scanner_result,,String
-netskope.alerts.scopes,,String
-netskope.alerts.serial,,String
-netskope.alerts.session.duration,,Integer
-netskope.alerts.session.id,,String
-netskope.alerts.severity,,String
-netskope.alerts.severity.id,,String
-netskope.alerts.severity.level,,String
-netskope.alerts.severity.level_id,,Integer
-netskope.alerts.sfwder,,String
-netskope.alerts.shared_type,,String
-netskope.alerts.shared.credential.user,,String
-netskope.alerts.shared.domains,,String
-netskope.alerts.shared.is_shared,,String
-netskope.alerts.shared.type,,String
-netskope.alerts.shared.with,,String
-netskope.alerts.site,,String
-netskope.alerts.source.geoip_src,,Integer
-netskope.alerts.source.time,,String
-netskope.alerts.srcip2,,String
-netskope.alerts.ssl.decrypt.policy,,String
-netskope.alerts.start_time,,Integer
-netskope.alerts.start_time,,String
-netskope.alerts.statistics,,String
-netskope.alerts.storage_service_bucket,,String
-netskope.alerts.sub.type,,String
-netskope.alerts.summary,,String
-netskope.alerts.suppression.end.time,,String
-netskope.alerts.suppression.key,,String
-netskope.alerts.suppression.start.time,,String
-netskope.alerts.target.entity.key,,String
-netskope.alerts.target.entity.type,,String
-netskope.alerts.target.entity.value,,String
-netskope.alerts.team,,String
-netskope.alerts.telemetry.app,,String
-netskope.alerts.temp.user,,String
-netskope.alerts.tenant.id,,String
-netskope.alerts.tenant.id,,String
-netskope.alerts.threat.match.field,,String
-netskope.alerts.threat.match.value,,String
-netskope.alerts.threat.source.id,,String
-netskope.alerts.threshold.time,,Integer
-netskope.alerts.threshold.value,,Integer
-netskope.alerts.timestamp,,Integer
-netskope.alerts.to.object,,String
-netskope.alerts.to.storage,,String
-netskope.alerts.to.user,,String
-netskope.alerts.to.user_category,,String
-netskope.alerts.total.collaborator.count,,String
-netskope.alerts.total.packets,,Integer
-netskope.alerts.traffic.type,,String
-netskope.alerts.transaction.id,,String
-netskope.alerts.transformation,,String
-netskope.alerts.tss.mode,,String
-netskope.alerts.tss.version,,String
-netskope.alerts.tunnel.id,,String
-netskope.alerts.tunnel.type,,String
-netskope.alerts.tunnel.up_time,,String
-netskope.alerts.type,,String
-netskope.alerts.updated,,String
-netskope.alerts.url,,String
-netskope.alerts.Url2Activity,,String
-netskope.alerts.user.category,,String
-netskope.alerts.user.ip,,String
-netskope.alerts.value,,String
-netskope.alerts.violating_user.name,,Floating Point
-netskope.alerts.violating_user.type,,String
-netskope.alerts.web.url,,String
-netskope.alerts.workspace.id,,String
-netskope.alerts.workspace.name,,String
-netskope.alerts.zip.password,,String
-network.protocol,,String
-server.bytes,,Integer
-server.packets,,Integer
-source.address,,String
-source.geo.city_name,,String
-source.geo.country_iso_code,,String
-source.geo.location.lat,,Floating Point
-source.geo.location.lon,,Floating Point
-source.geo.postal_code,,String
-source.geo.region_name,,String
-source.geo.timezone,,String
-source.ip,,String
-source.port,,Integer
-threat.indicator.file.hash.md5,,String
-threat.indicator.file.hash.sha1,,String
-threat.indicator.file.hash.sha256,,String
-user_agent.name,,String
-user_agent.original,,String
-user_agent.os.name,,String
-user_agent.os.version,,String
-user_agent.version,,String
-user.email,,String
-user.group.name,,String
-user.id,,String
-user.name,,String
-user.roles,,String
-netskope.alerts.user.group,,String
-netskope.alerts.page.url,,String
-netskope.alerts.page_site,,String
-netskope.alerts.sa.rule.name,,String
-netskope.alerts.sa.rule.id,,String
-netskope.alerts.resource.category,,String
-netskope.alerts.ip.protocol,,String
-netskope.alerts.slc_longitude,,String
-netskope.alerts.flow_status,,String
-netskope.alerts.uba_inst2,,String
-netskope.alerts.uba_inst1,,String
-netskope.alerts.uba_ap2,,String
-netskope.alerts.uba_ap1,,String
-netskope.alerts.slc_latitude,,String
-netskope.alerts.ml_detection,,String
-netskope.alerts.title,,String
-file.mime_type.1,,String
-file.mime_type.2,,String
-user.email.1,,String
-user.email.2,,String
-user.email.3,,String
-user.email.4,,String
-netskope.alerts.quarantine.app.1,,String
-netskope.alerts.quarantine.app.2,,String
-```
-
-### Events
-
-Default port: _9021_
-
-Netskope Event Mapping:
-```json
-{
- "elastic_map_version": "2.0.0",
- "ecs_version": "0",
- "taxonomy": {
- "events": {
- "application": {
- "header": {},
- "extension": {
- "netskope.events.event_type": { "default_value": "application" },
- "event.id": { "mapping_field": "_id" },
- "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.events.access_method": { "mapping_field": "access_method" },
- "netskope.events.ack": { "mapping_field": "ack" },
- "user.email.1": { "mapping_field": "act_user" },
- "netskope.events.activity.name": { "mapping_field": "activity" },
- "netskope.events.alert.is_present": { "mapping_field": "alert" },
- "netskope.events.app.name": { "mapping_field": "app" },
- "netskope.events.app.activity": { "mapping_field": "app_activity" },
- "netskope.events.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.events.category.name": { "mapping_field": "category" },
- "netskope.events.cci": { "mapping_field": "cci" },
- "netskope.events.ccl": { "mapping_field": "ccl" },
- "netskope.events.count": { "mapping_field": "count" },
- "netskope.events.device.type": { "mapping_field": "device" },
- "netskope.events.instance.id": { "mapping_field": "instance_id" },
- "netskope.events.object.name": { "mapping_field": "object" },
- "netskope.events.object.id": { "mapping_field": "object_id" },
- "netskope.events.object.type": { "mapping_field": "object_type" },
- "netskope.events.organization_unit": {
"mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.events.other.categories": { "mapping_field": "other_categories" },
- "netskope.events.request.id": { "mapping_field": "request_id" },
- "netskope.events.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
- "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": { "mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.events.traffic.type": { "mapping_field": "traffic_type" },
- "netskope.events.type": { "mapping_field": "type" },
- "user.email.2": { "mapping_field": "ur_normalized" },
- "user.email.3": { "mapping_field": "user" },
- "netskope.events.user.category": { "mapping_field": "user_category" },
- "user.email.4": { "mapping_field": "user_id" },
- "user.name": { "mapping_field": "user_name" },
- "user.roles": { "mapping_field": "user_role" },
- "user.group.name": { "mapping_field": "usergroup" },
- "netskope.events.user.ip": { "mapping_field": "userip" },
- "user.email.5": { "mapping_field": "userkey" },
- "cloud.account.name": { "mapping_field": "ack"},
- "event.action": { "mapping_field": "action"},
- "netskope.events.alert.name": { "mapping_field": "alert_name"},
- "netskope.events.alert.type": { "mapping_field": "alert_type"},
- "destination.geo.country_iso_code": { "mapping_field": "dst_country"},
- "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src"},
- "destination.geo.location.lat": { "mapping_field": "dst_latitude"},
-
"destination.geo.city_name": { "mapping_field": "dst_location"},
- "destination.geo.location.lon": { "mapping_field": "dst_longitude"},
- "destination.geo.region_name": { "mapping_field": "dst_region"},
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode"},
- "destination.address": { "mapping_field": "dstip"},
- "destination.ip": { "mapping_field": "dstip"},
- "netskope.events.exposure": { "mapping_field": "exposure"},
- "netskope.events.file.lang": { "mapping_field": "file_lang"},
- "file.path": { "mapping_field": "file_path"},
- "file.size": { "mapping_field": "file_size"},
- "file.mime_type.1": { "mapping_field": "file_type"},
- "netskope.events.instance_name": { "mapping_field": "instance"},
- "file.hash.md5": { "mapping_field": "md5"},
- "file.mime_type.2": { "mapping_field": "mime_type"},
- "netskope.events.modified_at": { "mapping_field": "modified"},
- "netskope.events.owner": { "mapping_field": "owner"},
- "netskope.events.policy.name": { "mapping_field": "policy"},
- "netskope.events.quarantine.admin": { "mapping_field": "q_admin"},
- "netskope.events.quarantine.app": { "mapping_field": "q_app"},
- "netskope.events.quarantine.instance": { "mapping_field": "q_instance"},
- "netskope.events.quarantine.original.file.name": { "mapping_field": "q_original_filename"},
- "netskope.events.quarantine.original.file.path": { "mapping_field": "q_original_filepath"},
- "netskope.events.quarantine.original.shared": { "mapping_field": "q_original_shared"},
- "netskope.events.quarantine.original.version": { "mapping_field": "q_original_version"},
- "netskope.events.quarantine.shared_with": { "mapping_field": "q_shared_with"},
- "netskope.events.qar": { "mapping_field": "qar"},
- "netskope.events.quarantine.app_name": { "mapping_field": "quarantine_app"},
- "netskope.events.quarantine.action.reason": { "mapping_field": "quarantine_action_reason"},
- "netskope.events.quarantine.failure": { "mapping_field": "quarantine_failure"},
-
"netskope.events.quarantine.file.id": { "mapping_field": "quarantine_file_id"},
- "netskope.events.quarantine.file.name": { "mapping_field": "quarantine_file_name"},
- "netskope.events.quarantine.profile.name": { "mapping_field": "quarantine_profile"},
- "netskope.events.quarantine.profile.id": { "mapping_field": "quarantine_profile_id"},
- "netskope.events.scan.type": { "mapping_field": "scan_type"},
- "netskope.events.shared.with": { "mapping_field": "shared_with"},
- "netskope.events.suppression.key": { "mapping_field": "suppression_key"},
- "netskope.events.url": { "mapping_field": "url"},
- "netskope.events.device.classification": { "mapping_field": "device_classification"},
- "netskope.events.from.storage": { "mapping_field": "from_storage"},
- "netskope.events.managed_app": { "mapping_field": "managed_app"},
- "netskope.events.management.id": { "mapping_field": "managementID"},
- "netskope.events.page": { "mapping_field": "page"},
- "netskope.events.page_site": { "mapping_field": "page_site"},
- "netskope.events.telemetry_app": { "mapping_field": "telemetry_app"},
- "netskope.events.transaction.id": { "mapping_field": "transaction_id"},
- "user_agent.os.version": { "mapping_field": "os_version"},
- "netskope.events.legal_hold_profile_name": { "mapping_field": "legal_hold_profile_name"},
- "user.email.6": { "mapping_field": "lh_custodian_email"},
- "netskope.events.lh.custodian.name": { "mapping_field": "lh_custodian_name"},
- "netskope.events.lh.destination.app": { "mapping_field": "lh_dest_app"},
- "netskope.events.lh.destination.instance": { "mapping_field": "lh_dest_instance"},
- "netskope.events.lh.file_id": { "mapping_field": "lh_fileid"},
- "netskope.events.lh.filename": { "mapping_field": "lh_filename"},
- "netskope.events.lh.filepath": { "mapping_field": "lh_filepath"},
- "netskope.events.lh.filename_original": { "mapping_field": "lh_original_filename"},
- "netskope.events.lh.shared": { "mapping_field": "lh_shared"},
-
"netskope.events.lh.shared_with": { "mapping_field": "lh_shared_with"},
- "netskope.events.lh.version": { "mapping_field": "lh_version"},
- "host.hostname": { "mapping_field": "hostname"},
- "netskope.events.ns.device_uid": { "mapping_field": "nsdeviceuid"},
- "netskope.events.severity.level": { "mapping_field": "severity"}
- }
- },
- "audit": {
- "header": {},
- "extension": {
- "netskope.events.event_type": { "default_value": "audit" },
- "event.id": { "mapping_field": "_id" },
- "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.events.app.category": { "mapping_field": "appcategory" },
- "netskope.events.audit.log.event": { "mapping_field": "audit_log_event" },
- "netskope.events.category.name": { "mapping_field": "category" },
- "netskope.events.ccl": { "mapping_field": "ccl" },
- "netskope.events.count": { "mapping_field": "count" },
- "netskope.events.organization_unit": { "mapping_field": "organization_unit" },
- "netskope.events.severity.level": { "mapping_field": "severity_level" },
- "netskope.events.supporting_data": { "mapping_field": "supporting_data" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.events.type": { "mapping_field": "type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "user.email.2": { "mapping_field": "user" }
- }
- },
- "infrastructure": {
- "header": {},
- "extension": {
- "netskope.events.event_type": { "default_value": "infrastructure" },
- "@timestamp": { "mapping_field": "timestamp" },
- "event.id": { "mapping_field": "_id" },
- "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.events.alarm.name": { "mapping_field": "alarm_name" },
- "netskope.events.alarm.description": { "mapping_field": "alarm_description" },
- "netskope.events.device.name": { "mapping_field": "device_name" },
- "netskope.events.metric_value": { "mapping_field": "metric_value" },
- "netskope.events.serial": { "mapping_field":
"serial" },
- "netskope.events.severity.level": { "mapping_field": "severity" },
- "netskope.events.supporting_data": { "mapping_field": "supporting_data" }
- }
- },
- "network": {
- "header": {},
- "extension": {
- "netskope.events.event_type": { "default_value": "network" },
- "event.id": { "mapping_field": "_id" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.events.access_method": { "mapping_field": "access_method" },
- "event.action": { "mapping_field": "action" },
- "netskope.events.app.name": { "mapping_field": "app" },
- "netskope.events.app.category": { "mapping_field": "appcategory" },
- "netskope.events.category.name": { "mapping_field": "category" },
- "netskope.events.ccl": { "mapping_field": "ccl" },
- "client.bytes": { "mapping_field": "client_bytes" },
- "client.packets": { "mapping_field": "client_packets" },
- "netskope.events.count": { "mapping_field": "count" },
- "netskope.events.device.type": { "mapping_field": "device" },
- "destination.domain": { "mapping_field": "dsthost" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "destination.port": { "mapping_field": "dstport" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "netskope.events.end_time": { "mapping_field": "end_time" },
- "netskope.events.ip.protocol": { "mapping_field": "ip_protocol" },
- "netskope.events.netskope_pop": { "mapping_field": "netskope_pop" },
- "netskope.events.num_sessions": { "mapping_field":
"num_sessions" },
- "netskope.events.numbytes": { "mapping_field": "numbytes" },
- "netskope.events.organization_unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "user_agent.os.version": { "mapping_field": "os_version" },
- "netskope.events.policy.name": { "mapping_field": "policy" },
- "netskope.events.publisher_cn": { "mapping_field": "publisher_cn" },
- "netskope.events.session.packets": { "mapping_field": "session_duration" },
- "netskope.events.site": { "mapping_field": "site" },
- "network.protocol": { "mapping_field": "protocol" },
- "server.bytes": { "mapping_field": "server_bytes" },
- "server.packets": { "mapping_field": "server_packets" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "source.port": { "mapping_field": "srcport" },
- "netskope.events.start_time": { "mapping_field": "start_time" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.events.tnetwork_session_id": { "mapping_field": "tnetwork_session_id" },
- "netskope.events.total_packets": { "mapping_field": "total_packets" },
- "netskope.events.traffic.type": { "mapping_field": "traffic_type" },
- "netskope.events.tunnel.id": { "mapping_field": "tunnel_id" },
- "netskope.events.tunnel.type": { "mapping_field": "tunnel_type" },
- "netskope.events.tunnel.up_time": { "mapping_field": "tunnel_up_time" },
- "netskope.events.type": { "mapping_field": "type" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
- "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": { "mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.timezone": { "mapping_field": "src_timezone" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
-
"user.email.1": { "mapping_field": "ur_normalized" },
- "user.email.2": { "mapping_field": "user" },
- "user.group.name": { "mapping_field": "usergroup" },
- "netskope.events.user.ip": { "mapping_field": "userip" },
- "user.email.3": { "mapping_field": "userkey" }
- }
- },
- "page": {
- "header": {},
- "extension": {
- "netskope.events.event_type": { "default_value": "page" },
- "event.id": { "mapping_field": "_id" },
- "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.events.access_method": { "mapping_field": "access_method" },
- "netskope.events.app.name": { "mapping_field": "app" },
- "netskope.events.app.session.id": { "mapping_field": "app_session_id" },
- "netskope.events.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.events.browser.session.id": { "mapping_field": "browser_session_id" },
- "user_agent.version": { "mapping_field": "browser_version" },
- "netskope.events.category.name": { "mapping_field": "category" },
- "netskope.events.cci": { "mapping_field": "cci" },
- "netskope.events.ccl": { "mapping_field": "ccl" },
- "client.bytes": { "mapping_field": "client_bytes" },
- "netskope.events.connection.duration": { "mapping_field": "conn_duration" },
- "netskope.events.connection.end_time": { "mapping_field": "conn_endtime" },
- "netskope.events.connection.start_time": { "mapping_field": "conn_starttime" },
- "netskope.events.connection.id": { "mapping_field": "connection_id" },
- "netskope.events.count": { "mapping_field": "count" },
- "netskope.events.device.type": { "mapping_field": "device" },
- "netskope.events.domain": { "mapping_field": "domain" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field":
"dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.timezone": { "mapping_field": "dst_timezone" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "destination.port": { "mapping_field": "dstport" },
- "netskope.events.numbytes": { "mapping_field": "numbytes" },
- "netskope.events.organization_unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "user_agent.os.version": { "mapping_field": "os_version" },
- "netskope.events.page": { "mapping_field": "page" },
- "netskope.events.request.count": { "mapping_field": "req_cnt" },
- "netskope.events.response.count": { "mapping_field": "resp_cnt" },
- "server.bytes": { "mapping_field": "server_bytes" },
- "netskope.events.severity.level": { "mapping_field": "severity" },
- "netskope.events.site": { "mapping_field": "site" },
- "netskope.events.slc.geo.location.lat": { "mapping_field": "slc_latitude" },
- "netskope.events.slc.geo.location.lon": { "mapping_field": "slc_longitude" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
- "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": { "mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.timezone": { "mapping_field": "src_timezone" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.events.traffic.type": { "mapping_field": "traffic_type" },
-
"netskope.events.type": { "mapping_field": "type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "user.email.2": { "mapping_field": "user" },
- "netskope.events.user.generated": { "mapping_field": "user_generated" },
- "user_agent.original": { "mapping_field": "useragent" },
- "user.group.name": { "mapping_field": "usergroup" },
- "netskope.events.user.ip": { "mapping_field": "userip" },
- "user.email.3": { "mapping_field": "userkey" },
- "netskope.events.url": { "mapping_field" : "url" },
- "netskope.events.is_bypass_traffic": { "mapping_field" : "bypass_traffic" },
- "host.hostname": { "mapping_field" : "hostname" },
- "netskope.events.http_transaction_count": { "mapping_field" : "http_transaction_count" },
- "netskope.events.response.content.length": { "mapping_field" : "resp_content_len" },
- "netskope.events.response.content.type": { "mapping_field" : "resp_content_type" },
- "netskope.events.suppression.end_time": { "mapping_field" : "suppression_end_time" },
- "netskope.events.suppression.start_time": { "mapping_field" : "suppression_start_time" },
- "netskope.events.transaction.id": { "mapping_field" : "transaction_id" }
- }
- }
- }
- }
-}
-```
-
-Netskope Event Validation Extensions:
-```
-ECS Key Name,Length,Data Type
-@timestamp,,DateTime
-client.bytes,,Integer
-client.packets,,Integer
-cloud.account.id,,String
-cloud.account.name,,String
-cloud.region,,String
-cloud.service.name,,String
-destination.address,,String
-destination.domain,,String
-destination.geo.city_name,,String
-destination.geo.country_iso_code,,String
-destination.geo.location.lat,,Floating Point
-destination.geo.location.lon,,Floating Point
-destination.geo.postal_code,,String
-destination.geo.region_name,,String
-destination.geo.timezone,,String
-destination.ip,,String
-destination.port,,Integer
-event.action,,String
-event.id,,String
-file.hash.md5,,String
-file.mime_type,,String
-file.name,,String
-file.path,,String
-file.size,,Integer
-host.hostname,,String
-netskope.events.access_method,,String
-netskope.events.ack,,String
-netskope.events.acked,,String
-netskope.events.activity.name,,String
-netskope.events.activity.status,,String
-netskope.events.activity.type,,String
-netskope.events.alarm.description,,String
-netskope.events.alarm.name,,String
-netskope.events.alert.is_present,,String
-netskope.events.alert.name,,String
-netskope.events.alert.type,,String
-netskope.events.app.activity,,String
-netskope.events.app.category,,String
-netskope.events.app.name,,String
-netskope.events.app.region,,String
-netskope.events.app.session.id,,String
-netskope.events.attachment,,String
-netskope.events.audit.category,,String
-netskope.events.audit.log.event,,String
-netskope.events.audit.type,,String
-netskope.events.breach_name,,String
-netskope.events.browser.session.id,,String
-netskope.events.bucket,,String
-netskope.events.category.id,,String
-netskope.events.category.name,,String
-netskope.events.cci,,String
-netskope.events.ccl,,String
-netskope.events.channel,,String
-netskope.events.connection.duration,,Integer
-netskope.events.connection.end_time,,Floating Point
-netskope.events.connection.id,,String
-netskope.events.connection.start_time,,Floating Point
-netskope.events.count,,Integer
-netskope.events.description,,String
-netskope.events.destination.geoip.source,,Integer
-netskope.events.detail,,String
-netskope.events.detection.engine,,String
-netskope.events.detection.type,,String
-netskope.events.device.classification,,String
-netskope.events.device.name,,String
-netskope.events.device.type,,String
-netskope.events.dlp.count,,Integer
-netskope.events.dlp.file,,String
-netskope.events.dlp.fingerprint.classification,,String
-netskope.events.dlp.fingerprint.match,,String
-netskope.events.dlp.fingerprint.score,,Integer
-netskope.events.dlp.fv,,Integer
-netskope.events.dlp.incident.id,,String
-netskope.events.dlp.is_unique_count,,String
-netskope.events.dlp.mail.parent_id,,String
-netskope.events.dlp.parent.id,,String -netskope.events.dlp.profile,,String -netskope.events.dlp.score,,Integer -netskope.events.dlp.severity,,String -netskope.events.dlp.unique_count,,Integer -netskope.events.domain,,String -netskope.events.domain_shared_with,,String -netskope.events.drive.id,,String -netskope.events.encrypt.failure,,String -netskope.events.end_time,,Integer -netskope.events.enterprise.id,,String -netskope.events.enterprise.name,,String -netskope.events.event_type,,String -netskope.events.event.type,,String -netskope.events.exposure,,String -netskope.events.external_collaborator_count,,Integer -netskope.events.false_positive,,String -netskope.events.file.id,,String -netskope.events.file.is_password_protected,,String -netskope.events.file.lang,,String -netskope.events.forward_to_proxy_profile,,String -netskope.events.from.logs,,String -netskope.events.from.object,,String -netskope.events.from.storage,,String -netskope.events.from.user_category,,String -netskope.events.gateway,,String -netskope.events.graph.id,,Integer -netskope.events.http_status,,String -netskope.events.http_transaction_count,,Integer -netskope.events.iaas_asset_tags,,String -netskope.events.id,,String -netskope.events.insertion.timestamp,,Integer -netskope.events.instance_name,,String -netskope.events.instance.id,,String -netskope.events.instance.name,,String -netskope.events.instance.type,,String -netskope.events.internal_collaborator_count,,Integer -netskope.events.ip.protocol,,String -netskope.events.is_bypass_traffic,,String -netskope.events.is_malicious,,String -netskope.events.item.id,,String -netskope.events.justification.type,,String -netskope.events.last.app,,String -netskope.events.last.country,,String -netskope.events.last.device,,String -netskope.events.last.location,,String -netskope.events.last.region,,String -netskope.events.last.timestamp,,Integer -netskope.events.latency.max,,Integer -netskope.events.latency.min,,Integer -netskope.events.latency.total,,Integer 
-netskope.events.legal_hold_profile_name,,String -netskope.events.lh.custodian.name,,String -netskope.events.lh.destination.app,,String -netskope.events.lh.destination.instance,,String -netskope.events.lh.file_id,,String -netskope.events.lh.filename,,String -netskope.events.lh.filename_original,,String -netskope.events.lh.filepath,,String -netskope.events.lh.shared,,String -netskope.events.lh.shared_with,,String -netskope.events.lh.version,,String -netskope.events.list.id,,String -netskope.events.log_file.name,,String -netskope.events.login.type,,String -netskope.events.login.url,,String -netskope.events.malsite_category,,String -netskope.events.malware.id,,String -netskope.events.malware.name,,String -netskope.events.malware.profile,,String -netskope.events.malware.severity,,String -netskope.events.malware.type,,String -netskope.events.managed_app,,String -netskope.events.management.id,,String -netskope.events.metric_value,,Integer -netskope.events.modified_at,,Integer -netskope.events.quarantine.original.shared,,String -netskope.events.network.name,,String -netskope.events.network.session_id,,String -netskope.events.new_value,,String -netskope.events.notify_template,,String -netskope.events.ns.activity,,String -netskope.events.ns.device_uid,,String -netskope.events.numbytes,,Integer -netskope.events.obfuscate,,String -netskope.events.object.count,,String -netskope.events.object.id,,String -netskope.events.object.name,,String -netskope.events.object.type,,String -netskope.events.old_value,,String -netskope.events.org,,String -netskope.events.organization_unit,,String -netskope.events.orig_ty,,String -netskope.events.original_file_path,,String -netskope.events.other.categories,,String -netskope.events.owner,,String -netskope.events.page,,String -netskope.events.page_site,,String -netskope.events.parent.id,,String -netskope.events.path_id,,String -netskope.events.policy.id,,String -netskope.events.policy.name,,String -netskope.events.profile.emails,,String 
-netskope.events.profile.id,,String -netskope.events.protocol,,String -netskope.events.publisher_cn,,String -netskope.events.qar,,String -netskope.events.quarantine.action.reason,,String -netskope.events.quarantine.admin,,String -netskope.events.quarantine.app,,String -netskope.events.quarantine.app_name,,String -netskope.events.quarantine.failure,,String -netskope.events.quarantine.file.id,,String -netskope.events.quarantine.file.name,,String -netskope.events.quarantine.instance,,String -netskope.events.quarantine.original.file.name,,String -netskope.events.quarantine.original.file.path,,String -netskope.events.quarantine.original.shared,,String -netskope.events.quarantine.original.version,,String -netskope.events.quarantine.profile.id,,String -netskope.events.quarantine.profile.name,,String -netskope.events.quarantine.shared_with,,String -netskope.events.referer,,String -netskope.events.region,,String -netskope.events.region.id,,String -netskope.events.repo,,String -netskope.events.request.count,,Integer -netskope.events.request.id,,String -netskope.events.response.content.length,,Integer -netskope.events.response.content.type,,String -netskope.events.response.count,,Integer -netskope.events.retro_scan_name,,String -netskope.events.risk_level,,String -netskope.events.risk_level_id,,String -netskope.events.role,,String -netskope.events.run_id,,String -netskope.events.sa.profile.id,,String -netskope.events.sa.profile.name,,String -netskope.events.sa.rule.severity,,String -netskope.events.scan.time,,String -netskope.events.scan.type,,String -netskope.events.scopes,,String -netskope.events.serial,,String -netskope.events.session.duration,,Integer -netskope.events.session.id,,String -netskope.events.session.packets,,Integer -netskope.events.severity.id,,String -netskope.events.severity.level,,String -netskope.events.severity.type,,String -netskope.events.sfwder,,String -netskope.events.shared.domains,,String -netskope.events.shared.is_shared,,String 
-netskope.events.shared.type,,String -netskope.events.shared.with,,String -netskope.events.site,,String -netskope.events.slc.geo.location.lat,,Floating Point -netskope.events.slc.geo.location.lon,,Floating Point -netskope.events.source.geoip_src,,Integer -netskope.events.ssl_decrypt_policy,,String -netskope.events.start_time,,Integer -netskope.events.sub_type,,String -netskope.events.supporting_data,,String -netskope.events.suppression.end_time,,Integer -netskope.events.suppression.key,,String -netskope.events.suppression.start_time,,Integer -netskope.events.team,,String -netskope.events.telemetry_app,,String -netskope.events.temp_user,,String -netskope.events.tenant.id,,String -netskope.events.threat.match.field,,String -netskope.events.threat.match.value,,String -netskope.events.threat.source.id,,String -netskope.events.threshold,,Integer -netskope.events.to.object,,String -netskope.events.to.storage,,String -netskope.events.to.user,,String -netskope.events.to.user_category,,String -netskope.events.total_packets,,Integer -netskope.events.total.collaborator_count,,String -netskope.events.traffic.type,,String -netskope.events.transaction.id,,String -netskope.events.tss_mode,,Integer -netskope.events.tunnel.id,,String -netskope.events.tunnel.type,,String -netskope.events.tunnel.up_time,,Integer -netskope.events.two_factor_auth,,Integer -netskope.events.type,,String -netskope.events.universal_connector,,String -netskope.events.url,,String -netskope.events.url_to_activity,,String -netskope.events.user.category,,String -netskope.events.user.generated,,String -netskope.events.user.group,,String -netskope.events.user.ip,,String -netskope.events.user.is_aggregated,,String -netskope.events.violating.user.name,,String -netskope.events.violating.user.type,,String -netskope.events.web_universal_connector,,String -netskope.events.web.url,,String -netskope.events.workspace.id,,String -netskope.events.workspace.name,,String -netskope.events.zip_password,,String 
-network.protocol,,String -rule.id,,String -rule.name,,String -server.bytes,,Integer -server.packets,,Integer -source.address,,String -source.geo.city_name,,String -source.geo.country_iso_code,,String -source.geo.location.lat,,Floating Point -source.geo.location.lon,,Floating Point -source.geo.postal_code,,String -source.geo.region_name,,String -source.geo.timezone,,String -source.ip,,String -source.port,,Integer -threat.indicator.file.hash.md5,,String -threat.indicator.file.hash.sha1,,String -threat.indicator.file.hash.sha256,,String -user_agent.name,,String -user_agent.original,,String -user_agent.os.name,,String -user_agent.os.version,,String -user_agent.version,,String -user.email,,String -user.group.name,,String -user.name,,String -user.roles,,String -file.mime_type.1,,String -file.mime_type.2,,String -user.email.1,,String -user.email.2,,String -user.email.3,,String -user.email.4,,String -user.email.5,,String -user.email.6,,String -``` - -## Fields and Sample event - -### Alerts - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.postal_code | Postal code associated with the location. 
Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module | constant_keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| netskope.alerts.Url2Activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. 
| keyword | -| netskope.alerts.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword | -| netskope.alerts.account.id | Account ID (usually is account number as provided by the cloud provider). | keyword | -| netskope.alerts.account.name | Account name - in case of AWS this is the instance name set by user. For others, account name is provided by cloud provider. | keyword | -| netskope.alerts.acked | Whether user acknowledged the alert or not. | boolean | -| netskope.alerts.acting.role | N/A | keyword | -| netskope.alerts.action | Action taken on the event for the policy. | keyword | -| netskope.alerts.activities | N/A | array | -| netskope.alerts.activity.name | Description of the user performed activity. | keyword | -| netskope.alerts.activity.status | Displayed when the user is denied access while performing some activity. | keyword | -| netskope.alerts.activity.type | Displayed when only admins can perform the activity in question. | keyword | -| netskope.alerts.agg.window | N/A | long | -| netskope.alerts.aggregated.user | N/A | boolean | -| netskope.alerts.alert.affected.entities | N/A | keyword | -| netskope.alerts.alert.category | N/A | keyword | -| netskope.alerts.alert.description | N/A | keyword | -| netskope.alerts.alert.detection.stage | N/A | keyword | -| netskope.alerts.alert.id | Hash of alert generated from code. | keyword | -| netskope.alerts.alert.name | Name of the alert. 
| keyword | -| netskope.alerts.alert.notes | N/A | keyword | -| netskope.alerts.alert.query | N/A | keyword | -| netskope.alerts.alert.score | N/A | long | -| netskope.alerts.alert.source | N/A | keyword | -| netskope.alerts.alert.status | N/A | keyword | -| netskope.alerts.alert.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. | keyword | -| netskope.alerts.alert.window | N/A | long | -| netskope.alerts.algorithm | N/A | keyword | -| netskope.alerts.anomaly.efficacy | Full anomaly details for debugging. | keyword | -| netskope.alerts.anomaly.fields | Name(s) and values(s) of the anomalous fields, usually there's going to be only one in the list. | keyword | -| netskope.alerts.anomaly.id | N/A | keyword | -| netskope.alerts.anomaly.magnitude | N/A | double | -| netskope.alerts.anomaly.type | Type of UBA alert. | keyword | -| netskope.alerts.app.activity | N/A | keyword | -| netskope.alerts.app.app_name | N/A | keyword | -| netskope.alerts.app.category | N/A | keyword | -| netskope.alerts.app.name | Specific cloud application used by the user (e.g. app = Dropbox). | keyword | -| netskope.alerts.app.region | N/A | keyword | -| netskope.alerts.app.session.id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword | -| netskope.alerts.app.suite | N/A | keyword | -| netskope.alerts.asn | N/A | long | -| netskope.alerts.asset.id | N/A | keyword | -| netskope.alerts.asset.object.id | N/A | keyword | -| netskope.alerts.attachment | File name. 
| keyword | -| netskope.alerts.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword | -| netskope.alerts.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword | -| netskope.alerts.bin.timestamp | Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type. Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). | long | -| netskope.alerts.breach.date | Breach date for compromised credentials. | double | -| netskope.alerts.breach.description | N/A | keyword | -| netskope.alerts.breach.id | Breach ID for compromised credentials. | keyword | -| netskope.alerts.breach.media_references | Media references of breach. | keyword | -| netskope.alerts.breach.score | Breach score for compromised credentials. | long | -| netskope.alerts.breach.target_references | Breach target references for compromised credentials. | keyword | -| netskope.alerts.browser.session.id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | keyword | -| netskope.alerts.bucket | N/A | keyword | -| netskope.alerts.bypass.traffic | Tells if traffic is bypassed by Netskope. | boolean | -| netskope.alerts.category.id | Matching category ID according to policy. Populated for both cloud and web traffic. | keyword | -| netskope.alerts.category.name | N/A | keyword | -| netskope.alerts.cci | N/A | keyword | -| netskope.alerts.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. 
| keyword | -| netskope.alerts.channel | Channel of the user for slack and slack enterprise apps. | keyword | -| netskope.alerts.cloud.provider | N/A | keyword | -| netskope.alerts.compliance.standards | N/A | keyword | -| netskope.alerts.compute.instance | N/A | keyword | -| netskope.alerts.connection.duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long | -| netskope.alerts.connection.endtime | Connection end time. | long | -| netskope.alerts.connection.id | Each connection has a unique ID. Shows the ID for the connection event. | keyword | -| netskope.alerts.connection.starttime | Connection start time. | long | -| netskope.alerts.count | Number of raw log lines/events sessionized or suppressed during the suppressed interval. | long | -| netskope.alerts.created_at | N/A | keyword | -| netskope.alerts.data.type | Content type of upload/download. | keyword | -| netskope.alerts.data.version | N/A | long | -| netskope.alerts.description | N/A | keyword | -| netskope.alerts.destination.geoip_src | Source from where the location of Destination IP was derived. | long | -| netskope.alerts.detected-file-type | N/A | keyword | -| netskope.alerts.detection.engine | Customer exposed detection engine name. | keyword | -| netskope.alerts.detection.type | Same as malware type. Duplicate. | keyword | -| netskope.alerts.device.classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword | -| netskope.alerts.device.name | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword | -| netskope.alerts.dlp.file | File/Object name extracted from the file/object. | keyword | -| netskope.alerts.dlp.fingerprint.classification | Fingerprint classification. | keyword | -| netskope.alerts.dlp.fingerprint.match | Fingerprint classification match file name. 
| keyword | -| netskope.alerts.dlp.fingerprint.score | Fingerprint classification score. | long | -| netskope.alerts.dlp.fv | N/A | long | -| netskope.alerts.dlp.incident.id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | keyword | -| netskope.alerts.dlp.is_unique_count | True or false depending upon if rule is unique counted per rule data. | boolean | -| netskope.alerts.dlp.mail.parent.id | N/A | keyword | -| netskope.alerts.dlp.parent.id | Incident ID associated with main container (or non-container) file that was scanned. | keyword | -| netskope.alerts.dlp.profile | DLP profile name. | keyword | -| netskope.alerts.dlp.rule.count | Count of rule hits. | long | -| netskope.alerts.dlp.rule.name | DLP rule that triggered. | keyword | -| netskope.alerts.dlp.rule.score | DLP rule score for weighted dictionaries. | long | -| netskope.alerts.dlp.rule.severity | Severity of rule. | keyword | -| netskope.alerts.dlp.unique_count | Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. | long | -| netskope.alerts.doc.count | N/A | long | -| netskope.alerts.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword | -| netskope.alerts.domain_shared_with | N/A | keyword | -| netskope.alerts.download.app | Applicable to only data exfiltration. Download App (App in the download event). | keyword | -| netskope.alerts.drive.id | N/A | keyword | -| netskope.alerts.dynamic.classification | URLs were categorized by NSURLC machine or not. | keyword | -| netskope.alerts.elastic_key | N/A | keyword | -| netskope.alerts.email.source | N/A | keyword | -| netskope.alerts.encrypt.failure | Reason of failure while encrypting. | keyword | -| netskope.alerts.encryption.service.key | N/A | keyword | -| netskope.alerts.enterprise.id | EnterpriseID in case of Slack for Enterprise. 
| keyword | -| netskope.alerts.enterprise.name | Enterprise name in case of Slack for Enterprise. | keyword | -| netskope.alerts.entity.list | N/A | array | -| netskope.alerts.entity.type | N/A | keyword | -| netskope.alerts.entity.value | N/A | keyword | -| netskope.alerts.event.detail | N/A | keyword | -| netskope.alerts.event.id | N/A | keyword | -| netskope.alerts.event.type | Anomaly type. | keyword | -| netskope.alerts.event_source_channel | N/A | keyword | -| netskope.alerts.exposure | Exposure of a document. | keyword | -| netskope.alerts.external.collaborator.count | Count of external collaborators on a file/folder. Supported for some apps. | long | -| netskope.alerts.external.email | N/A | long | -| netskope.alerts.feature.description | N/A | keyword | -| netskope.alerts.feature.id | N/A | keyword | -| netskope.alerts.feature.name | N/A | keyword | -| netskope.alerts.file.id | Unique identifier of the file. | keyword | -| netskope.alerts.file.lang | Language of the file. | keyword | -| netskope.alerts.file.name | N/A | keyword | -| netskope.alerts.file.password.protected | N/A | keyword | -| netskope.alerts.file.path.orignal | If the file is moved, then keep original path of the file in this field. | keyword | -| netskope.alerts.file.size | Size of the file in bytes. | long | -| netskope.alerts.file.type | File type. | keyword | -| netskope.alerts.flow_status | N/A | keyword | -| netskope.alerts.from.logs | Shows if the event was generated from the Risk Insights log. | keyword | -| netskope.alerts.from.object | Initial name of an object that has been renamed, copied or moved. | keyword | -| netskope.alerts.from.storage | N/A | keyword | -| netskope.alerts.from.user_category | Type of from_user. | keyword | -| netskope.alerts.gateway | N/A | keyword | -| netskope.alerts.graph.id | N/A | keyword | -| netskope.alerts.http_status | N/A | keyword | -| netskope.alerts.http_transaction_count | HTTP transaction count. 
| long | -| netskope.alerts.iaas.asset.tags | List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. | keyword | -| netskope.alerts.iaas.remediated | N/A | keyword | -| netskope.alerts.iam.session | N/A | keyword | -| netskope.alerts.id | N/A | keyword | -| netskope.alerts.insertion_epoch_timestamp | Insertion timestamp. | long | -| netskope.alerts.instance.id | Unique ID associated with an organization application instance. | keyword | -| netskope.alerts.instance.name | Instance name associated with an organization application instance. | keyword | -| netskope.alerts.instance.type | Instance type. | keyword | -| netskope.alerts.instance_name | Instance associated with an organization application instance. | keyword | -| netskope.alerts.internal.collaborator.count | Count of internal collaborators on a file/folder. Supported for some apps. | long | -| netskope.alerts.ip.protocol | N/A | keyword | -| netskope.alerts.ipblock | IPblock that caused the alert. | keyword | -| netskope.alerts.is_alert | Indicates whether alert is generated or not. Populated as yes for all alerts. | boolean | -| netskope.alerts.is_file_passwd_protected | Tells if the file is password protected. | boolean | -| netskope.alerts.is_malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | boolean | -| netskope.alerts.is_two_factor_auth | N/A | keyword | -| netskope.alerts.is_universal_connector | N/A | keyword | -| netskope.alerts.is_user_generated | Tells whether it is user generated page event. | boolean | -| netskope.alerts.is_web_universal_connector | N/A | boolean | -| netskope.alerts.isp | N/A | keyword | -| netskope.alerts.item.id | N/A | keyword | -| netskope.alerts.justification.reason | Justification reason provided by user. For following policies, justification events are raised. 
User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. | keyword | -| netskope.alerts.justification.type | Type of justification provided by user when user bypasses the policy block. | keyword | -| netskope.alerts.last.app | Last application (app in the first/older event). Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.coordinates | Last location coordinates(latitude, longitude). Applies to only proximity alert. | keyword | -| netskope.alerts.last.country | Last location (Country). Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.location | Last location (City). Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.modified_timestamp | Timestamp when alert is acknowledged. | long | -| netskope.alerts.last.region | Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | long | -| netskope.alerts.latency.max | Max latency for a connection in milliseconds. | long | -| netskope.alerts.latency.min | Min latency for a connection in milliseconds. | long | -| netskope.alerts.latency.total | Total latency from proxy to app in milliseconds. | long | -| netskope.alerts.legal_hold.custodian_name | Custodian name of legal hold profile. | keyword | -| netskope.alerts.legal_hold.destination.app | Destination appname of legalhold action. | keyword | -| netskope.alerts.legal_hold.destination.instance | Destination instance of legal hold action. | keyword | -| netskope.alerts.legal_hold.file.id | File ID of legal hold file. 
| keyword | -| netskope.alerts.legal_hold.file.name | File name of legal hold file. | keyword | -| netskope.alerts.legal_hold.file.name_original | Original filename of legal hold file. | keyword | -| netskope.alerts.legal_hold.file.path | File path of legal hold file. | keyword | -| netskope.alerts.legal_hold.profile_name | Legal hold profile name. | keyword | -| netskope.alerts.legal_hold.shared | Shared type of legal hold file. | keyword | -| netskope.alerts.legal_hold.shared_with | User shared with the legal hold file. | keyword | -| netskope.alerts.legal_hold.version | File version of original file. | keyword | -| netskope.alerts.list.id | N/A | keyword | -| netskope.alerts.local.md5 | md5 hash of file generated by Malware engine. | keyword | -| netskope.alerts.local.sha1 | sha1 hash of file generated by Malware engine. | keyword | -| netskope.alerts.local.sha256 | sha256 hash of file generated by Malware engine. | keyword | -| netskope.alerts.log.file.name | Log file name for Risk Insights. | keyword | -| netskope.alerts.login.type | Salesforce login type. | keyword | -| netskope.alerts.login.url | Salesforce login URL. | flattened | -| netskope.alerts.malsite.active | Since how many days malsite is Active. | long | -| netskope.alerts.malsite.as.number | Malsite ASN Number. | keyword | -| netskope.alerts.malsite.category | Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. | keyword | -| netskope.alerts.malsite.city | Malsite city. | keyword | -| netskope.alerts.malsite.confidence | Malsite confidence score. | long | -| netskope.alerts.malsite.consecutive | How many times that malsite is seen. | long | -| netskope.alerts.malsite.country | Malsite country. | keyword | -| netskope.alerts.malsite.dns.server | DNS server of the malsite URL/Domain/IP. | keyword | -| netskope.alerts.malsite.first_seen | Malsite first seen timestamp. | long | -| netskope.alerts.malsite.hostility | Malsite hostility score. 
| long | -| netskope.alerts.malsite.id | Malicious Site ID - Hash of threat match value. | keyword | -| netskope.alerts.malsite.ip_host | Malsite IP. | keyword | -| netskope.alerts.malsite.isp | Malsite ISP info. | keyword | -| netskope.alerts.malsite.last.seen | Malsite last seen timestamp. | long | -| netskope.alerts.malsite.latitude | Latitude plot of the Malsite URL/IP/Domain. | double | -| netskope.alerts.malsite.longitude | Longitude plot of the Malsite URL/IP/Domain. | double | -| netskope.alerts.malsite.region | Region of the malsite URL/IP/Domain. | keyword | -| netskope.alerts.malsite.reputation | Reputation score of Malsite IP/Domain/URL. | double | -| netskope.alerts.malsite.severity.level | Severity level of the Malsite ( High / Med / Low). | keyword | -| netskope.alerts.malware.id | md5 hash of the malware name as provided by the scan engine. | keyword | -| netskope.alerts.malware.name | Netskope detection name. | keyword | -| netskope.alerts.malware.profile | tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. | keyword | -| netskope.alerts.malware.severity | Malware severity. | keyword | -| netskope.alerts.malware.type | Malware Type. | keyword | -| netskope.alerts.managed.app | Whether or not the app in question is managed. | boolean | -| netskope.alerts.management.id | Management ID. | keyword | -| netskope.alerts.matched.username | N/A | keyword | -| netskope.alerts.matrix.columns | N/A | keyword | -| netskope.alerts.matrix.rows | N/A | keyword | -| netskope.alerts.md5 | md5 of the file. | keyword | -| netskope.alerts.md5_list | List of md5 hashes specific to the files that are part of custom sequence policy alert. | keyword | -| netskope.alerts.mime.type | MIME type of the file. | keyword | -| netskope.alerts.ml_detection | N/A | boolean | -| netskope.alerts.modified.date | N/A | long | -| netskope.alerts.modified.timestamp | Timestamp corresponding to the modification time of the entity (file, etc.). 
| long | -| netskope.alerts.netskope_pop | N/A | keyword | -| netskope.alerts.network.name | N/A | keyword | -| netskope.alerts.network.security.group | N/A | array | -| netskope.alerts.new.value | New value for a given file for salesforce.com. | keyword | -| netskope.alerts.nonzero.entries | N/A | long | -| netskope.alerts.nonzero.percentage | N/A | double | -| netskope.alerts.notify.template | N/A | keyword | -| netskope.alerts.ns_activity | Maps app activity to Netskope standard activity. | keyword | -| netskope.alerts.ns_device_uid | Device identifiers on macOS and Windows. | keyword | -| netskope.alerts.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. | long | -| netskope.alerts.obfuscate | N/A | boolean | -| netskope.alerts.object.count | Displayed when the activity is Delete. Shows the number of objects being deleted. | long | -| netskope.alerts.object.id | Unique ID associated with an object. | keyword | -| netskope.alerts.object.name | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | keyword | -| netskope.alerts.object.type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword | -| netskope.alerts.old.value | Old value for a given file for salesforce.com. | keyword | -| netskope.alerts.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword | -| netskope.alerts.organization.unit | Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword | -| netskope.alerts.orig_ty | Event Type of original event. | keyword | -| netskope.alerts.original.file_path | If the file is moved, then keep original path of the file in this field. 
| keyword | -| netskope.alerts.os_version_hostname | Host and OS Version that caused the alert. Concatenation of 2 fields (hostname and os). | keyword | -| netskope.alerts.other.categories | N/A | keyword | -| netskope.alerts.owner | Owner of the file. | keyword | -| netskope.alerts.page.site | N/A | keyword | -| netskope.alerts.page.url | The URL of the originating page. | flattened | -| netskope.alerts.parameters | N/A | keyword | -| netskope.alerts.parent.id | N/A | keyword | -| netskope.alerts.path.id | N/A | keyword | -| netskope.alerts.policy.actions | N/A | keyword | -| netskope.alerts.policy.id | The Netskope internal ID for the policy created by an admin. | keyword | -| netskope.alerts.policy.name | Predefined or Custom policy name. | keyword | -| netskope.alerts.pretty.sourcetype | N/A | keyword | -| netskope.alerts.processing.time | N/A | long | -| netskope.alerts.profile.emails | List of profile emails per policy. | keyword | -| netskope.alerts.profile.id | Anomaly profile ID. | keyword | -| netskope.alerts.quarantine.action.reason | Reason for the action taken for quarantine. | keyword | -| netskope.alerts.quarantine.admin | Quarantine profile custodian email/name. | keyword | -| netskope.alerts.quarantine.app | Quarantine app name. | keyword | -| netskope.alerts.quarantine.failure | Reason of failure. | keyword | -| netskope.alerts.quarantine.file.id | File ID of the quarantined file. | keyword | -| netskope.alerts.quarantine.file.name | File name of the quarantine file. | keyword | -| netskope.alerts.quarantine.instance | Quarantine instance name. | keyword | -| netskope.alerts.quarantine.original.file.name | Original file name which got quarantined. | keyword | -| netskope.alerts.quarantine.original.file.path | Original file path which got quarantined. | keyword | -| netskope.alerts.quarantine.original.shared | Original file shared user details. 
| keyword | -| netskope.alerts.quarantine.original.version | Original version of file which got quarantined. | keyword | -| netskope.alerts.quarantine.profile.id | Quarantine profile ID. | keyword | -| netskope.alerts.quarantine.profile.name | Quarantine profile name of policy for quarantine action. | keyword | -| netskope.alerts.quarantine.shared.with | N/A | keyword | -| netskope.alerts.referer | Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. | keyword | -| netskope.alerts.region.id | Region ID (as provided by the cloud provider). | keyword | -| netskope.alerts.region.name | N/A | keyword | -| netskope.alerts.reladb | N/A | keyword | -| netskope.alerts.repo | N/A | keyword | -| netskope.alerts.request.cnt | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long | -| netskope.alerts.request.id | Unique request ID for the event. | keyword | -| netskope.alerts.resource.category | Category of resource as defined in DOM. | keyword | -| netskope.alerts.resource.group | N/A | keyword | -| netskope.alerts.resources | N/A | keyword | -| netskope.alerts.response.cnt | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long | -| netskope.alerts.response.content.length | N/A | long | -| netskope.alerts.response.content.type | N/A | keyword | -| netskope.alerts.retro.scan.name | Retro scan name. | keyword | -| netskope.alerts.risk_level.id | This field is set by both role-based access (RBA) and MLAD. | keyword | -| netskope.alerts.risk_level.tag | Corresponding field to risk_level_id. Name. | keyword | -| netskope.alerts.role | Roles for Box. | keyword | -| netskope.alerts.rule.id | N/A | keyword | -| netskope.alerts.sa.profile.id | CSA profile ID. | keyword | -| netskope.alerts.sa.profile.name | CSA profile name. 
| keyword | -| netskope.alerts.sa.rule.id | CSA rule ID. | keyword | -| netskope.alerts.sa.rule.name | CSA rule name. | keyword | -| netskope.alerts.sa.rule.remediation | N/A | keyword | -| netskope.alerts.sa.rule.severity | Rule severity. | keyword | -| netskope.alerts.scan.time | Time when the scan is done. | long | -| netskope.alerts.scan.type | Generated during retroactive scan or new ongoing activity. | keyword | -| netskope.alerts.scanner_result | N/A | keyword | -| netskope.alerts.scopes | List of permissions for google apps. | keyword | -| netskope.alerts.serial | N/A | keyword | -| netskope.alerts.server.bytes | Total number of downloaded from server to client. | long | -| netskope.alerts.session.id | Populated by Risk Insights. | keyword | -| netskope.alerts.severity.id | Severity ID used by watchlist and malware alerts. | keyword | -| netskope.alerts.severity.level | Severity used by watchlist and malware alerts. | keyword | -| netskope.alerts.severity.level_id | If the Severity Level ID is 1, it means that URL / IP /Domain is detected from Internal threat feed and if Severity Level ID is 2, then it means the detection happened based on the Zvelo DB Malsite Category. | long | -| netskope.alerts.sfwder | N/A | keyword | -| netskope.alerts.shared.credential.user | Applicable to only shared credentials. User with whom the credentials are shared with. | keyword | -| netskope.alerts.shared.domains | List of domains of users the document is shared with. | keyword | -| netskope.alerts.shared.is_shared | If the file is shared or not. | boolean | -| netskope.alerts.shared.type | Shared Type. | keyword | -| netskope.alerts.shared.with | Array of emails with whom a document is shared with. | keyword | -| netskope.alerts.shared_type | N/A | keyword | -| netskope.alerts.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". 
| keyword | -| netskope.alerts.slc_latitude | N/A | keyword | -| netskope.alerts.slc_longitude | N/A | keyword | -| netskope.alerts.source.geoip_src | Source from where the location of Source IP was derived. | long | -| netskope.alerts.source.time | N/A | keyword | -| netskope.alerts.srcip2 | N/A | keyword | -| netskope.alerts.ssl.decrypt.policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration Bypass due to SSL Decrypt Policy The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. | keyword | -| netskope.alerts.start_time | Start time for alert time period. | long | -| netskope.alerts.statistics | This field & summary field go together. This field will either tell count or size of files. File size is in bytes. | long | -| netskope.alerts.storage_service_bucket | N/A | keyword | -| netskope.alerts.sub.type | Workplace by Facebook post sub category (files, comments, status etc). | keyword | -| netskope.alerts.summary | Tells whether anomaly was measured from count or size of files. | keyword | -| netskope.alerts.suppression.end.time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long | -| netskope.alerts.suppression.key | To limit the number of events. Example: Suppress block event for browse. | keyword | -| netskope.alerts.suppression.start.time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. 
| long | -| netskope.alerts.target.entity.key | N/A | keyword | -| netskope.alerts.target.entity.type | N/A | keyword | -| netskope.alerts.target.entity.value | N/A | keyword | -| netskope.alerts.team | Slack team name. | keyword | -| netskope.alerts.telemetry.app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | keyword | -| netskope.alerts.temp.user | N/A | keyword | -| netskope.alerts.tenant.id | Tenant id. | keyword | -| netskope.alerts.threat.match.field | Threat match field, either from domain or URL or IP. | keyword | -| netskope.alerts.threat.match.value | N/A | keyword | -| netskope.alerts.threat.source.id | Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. | keyword | -| netskope.alerts.threshold.time | Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. Threshold Time. | long | -| netskope.alerts.threshold.value | Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. | long | -| netskope.alerts.title | Title of the file. | keyword | -| netskope.alerts.to.object | Changed name of an object that has been renamed, copied, or moved. | keyword | -| netskope.alerts.to.storage | N/A | keyword | -| netskope.alerts.to.user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword | -| netskope.alerts.to.user_category | Type of user to which move is done. | keyword | -| netskope.alerts.total.collaborator.count | Count of collaborators on a file/folder. Supported for some apps. | long | -| netskope.alerts.traffic.type | Type of the traffic: CloudApp or Web. 
CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword | -| netskope.alerts.transaction.id | Unique ID for a given request/response. | keyword | -| netskope.alerts.transformation | N/A | keyword | -| netskope.alerts.tss.mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword | -| netskope.alerts.tss.version | N/A | long | -| netskope.alerts.tunnel.id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword | -| netskope.alerts.type | Type of the alert. | keyword | -| netskope.alerts.uba_ap1 | N/A | keyword | -| netskope.alerts.uba_ap2 | N/A | keyword | -| netskope.alerts.uba_inst1 | N/A | keyword | -| netskope.alerts.uba_inst2 | N/A | keyword | -| netskope.alerts.updated | N/A | long | -| netskope.alerts.url | URL of the application that the user visited as provided by the log or data plane traffic. | flattened | -| netskope.alerts.user.category | Type of user in an enterprise - external / internal. | keyword | -| netskope.alerts.user.geo.city_name | City name. | keyword | -| netskope.alerts.user.geo.continent_name | Name of the continent. | keyword | -| netskope.alerts.user.geo.country_iso_code | Country ISO code. | keyword | -| netskope.alerts.user.geo.country_name | Country name. | keyword | -| netskope.alerts.user.geo.location | Longitude and latitude. | geo_point | -| netskope.alerts.user.geo.region_iso_code | Region ISO code. | keyword | -| netskope.alerts.user.geo.region_name | Region name. | keyword | -| netskope.alerts.user.group | N/A | keyword | -| netskope.alerts.user.ip | IP address of User. | keyword | -| netskope.alerts.value | N/A | double | -| netskope.alerts.violating_user.name | User who caused a violation. Populated for Workplace by Facebook. | keyword | -| netskope.alerts.violating_user.type | Category of the user who caused a violation. 
Populated for Workplace by Facebook. | keyword | -| netskope.alerts.web.url | File preview URL. | flattened | -| netskope.alerts.workspace.id | Workspace ID in case of Slack for Enterprise. | keyword | -| netskope.alerts.workspace.name | Workspace name in case of Slack for Enterprise. | keyword | -| netskope.alerts.zip.password | Zip the malicious file and put pwd to it and send it back to caller. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| user.email | User email address. | keyword | -| user.group.name | Name of the group. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.roles | Array of user roles at the time of the event. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. 
| keyword | - - -An example event for `alerts` looks as following: - -```json -{ - "@timestamp": "2021-12-23T16:27:09.000Z", - "agent": { - "ephemeral_id": "f6ea30bb-70ab-4ae9-b338-b103657dd749", - "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.0" - }, - "data_stream": { - "dataset": "netskope.alerts", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", - "snapshot": true, - "version": "8.3.0" - }, - "event": { - "agent_id_status": "verified", - "id": "f621f259f5fbde850ad5593a", - "ingested": "2022-04-14T11:24:23Z", - "original": "{\"event\":{\"id\":\"f621f259f5fbde850ad5593a\"},\"netskope\":{\"alerts\":{\"insertion_epoch_timestamp\":1640277131,\"access_method\":\"API Connector\",\"acked\":\"false\",\"action\":\"block\",\"activity\":{\"name\":\"Login Successful\"},\"is_alert\":\"yes\",\"alert\":{\"name\":\"policy-alert\",\"type\":\"nspolicy\"},\"app\":{\"name\":\"SomeApp\",\"category\":\"Cloud Storage\"},\"category\":{\"name\":\"Cloud Storage\"},\"cci\":\"81\",\"ccl\":\"high\",\"count\":1,\"device\":{\"name\":\"Other\"},\"destination\":{\"geoip_src\":2},\"exposure\":\"organization_wide_link\",\"file\":{\"lang\":\"ENGLISH\"},\"instance\":{\"name\":\"example.com\",\"id\":\"example.com\"},\"modified\":{\"timestamp\":1613760236},\"object\":{\"name\":\"HjBuUvDLWgpudzQr\",\"id\":\"GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg\",\"type\":\"File\"},\"organization\":{\"unit\":\"example.local\\\\\\\\/example\\\\\\\\/Active 
Users\"},\"other\":{\"categories\":\"null\"},\"owner\":\"foobar\",\"policy\":{\"name\":\"Some Policy\"},\"request\":{\"id\":\"9262245914980288500\"},\"scan\":{\"type\":\"Ongoing\"},\"shared\":{\"with\":\"none\"},\"site\":\"Example\",\"source\":{\"geoip_src\":2},\"suppression\":{\"key\":\"Tenant Migration across MPs\"},\"traffic\":{\"type\":\"CloudApp\"},\"type\":\"policy\",\"url\":\"http:\\\\\\\\/\\\\\\\\/www.example.com\\\\\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg\"}},\"user_agent\":{\"name\":\"unknown\",\"os\":{\"name\":\"unknown\"}},\"destination\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"file\":{\"path\":\"\\\\\\\\/My Drive\\\\\\\\/Clickhouse\\\\\\\\/Tenant Migration across MPs\",\"size\":196869,\"mime_type\":{\"1\":\"application\\\\\\\\/vnd.apps.document\",\"2\":\"application\\\\\\\\/vnd.apps.document\"},\"hash\":{\"md5\":\"4bb5d9501bf7685ecaed55e3eda9ca01\"}},\"source\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"@timestamp\":\"2021-12-23T16:27:09.000Z\",\"user\":{\"email\":{\"1\":\"test@example.com\",\"2\":\"test@example.com\",\"3\":\"test@example.com\"},\"group\":{\"name\":\"null\"}}}" - }, - "file": { - "hash": { - "md5": "4bb5d9501bf7685ecaed55e3eda9ca01" - }, - "mime_type": [ - "application\\\\/vnd.apps.document" - ], - "path": "\\\\/My Drive\\\\/Clickhouse\\\\/Tenant Migration across MPs", - "size": 196869 - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "192.168.224.1:57542" - } - }, - "netskope": { - "alerts": { - "access_method": "API Connector", - "acked": false, - "action": "block", - "activity": { - "name": "Login Successful" - }, - "alert": { 
- "name": "policy-alert", - "type": "nspolicy" - }, - "app": { - "category": "Cloud Storage", - "name": "SomeApp" - }, - "category": { - "name": "Cloud Storage" - }, - "cci": "81", - "ccl": "high", - "count": 1, - "destination": { - "geoip_src": 2 - }, - "device": { - "name": "Other" - }, - "exposure": "organization_wide_link", - "file": { - "lang": "ENGLISH" - }, - "insertion_epoch_timestamp": 1640277131, - "instance": { - "id": "example.com", - "name": "example.com" - }, - "is_alert": true, - "modified": { - "timestamp": 1613760236 - }, - "object": { - "id": "GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg", - "name": "HjBuUvDLWgpudzQr", - "type": "File" - }, - "organization": { - "unit": "example.local\\\\/example\\\\/Active Users" - }, - "owner": "foobar", - "policy": { - "name": "Some Policy" - }, - "request": { - "id": "9262245914980288500" - }, - "scan": { - "type": "Ongoing" - }, - "shared": { - "with": "none" - }, - "site": "Example", - "source": { - "geoip_src": 2 - }, - "suppression": { - "key": "Tenant Migration across MPs" - }, - "traffic": { - "type": "CloudApp" - }, - "type": "policy", - "url": { - "extension": "com\\\\/open", - "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg", - "path": "\\\\/\\\\/www.example.com\\\\/open", - "query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg", - "scheme": "http" - } - } - }, - "related": { - "ip": [ - "81.2.69.143", - "81.2.69.143" - ] - }, - "source": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "tags": [ - "forwarded", - "netskope-alerts" - ], - "user": { - "email": [ - "test@example.com" - ] - }, - "user_agent": { - "name": "unknown", - "os": { - "name": "unknown" - } - } -} -``` - -### Events - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| client.packets | Packets sent from the client to the server. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| netskope.events.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword |
-| netskope.events.ack | Whether user acknowledged the alert or not. | boolean |
-| netskope.events.activity.name | Description of the user performed activity. | keyword |
-| netskope.events.activity.status | Displayed when the user is denied access while performing some activity. | keyword |
-| netskope.events.activity.type | Displayed when only admins can perform the activity in question. | keyword |
-| netskope.events.alarm.description | N/A | keyword |
-| netskope.events.alarm.name | N/A | keyword |
-| netskope.events.alert.is_present | Indicates whether alert is generated or not. Populated as yes for all alerts. | boolean |
-| netskope.events.alert.name | Name of the alert. | keyword |
-| netskope.events.alert.type | Type of the alert. | keyword |
-| netskope.events.app.activity | N/A | keyword |
-| netskope.events.app.category | N/A | keyword |
-| netskope.events.app.name | Specific cloud application used by the user (e.g. app = Dropbox). | keyword |
-| netskope.events.app.region | N/A | keyword |
-| netskope.events.app.session.id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword |
-| netskope.events.attachment | File name. | keyword |
-| netskope.events.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword |
-| netskope.events.audit.log.event | N/A | keyword |
-| netskope.events.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword |
-| netskope.events.browser.session.id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | keyword |
-| netskope.events.bucket | N/A | keyword |
-| netskope.events.category.id | Matching category ID according to policy. Populated for both cloud and web traffic. | keyword |
-| netskope.events.category.name | N/A | keyword |
-| netskope.events.cci | N/A | keyword |
-| netskope.events.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | keyword |
-| netskope.events.channel | Channel of the user for slack and slack enterprise apps. | keyword |
-| netskope.events.client.bytes | Total number of bytes uploaded from client to server. | long |
-| netskope.events.client.packets | N/A | long |
-| netskope.events.connection.duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long |
-| netskope.events.connection.end_time | Connection end time. | long |
-| netskope.events.connection.id | Each connection has a unique ID. Shows the ID for the connection event. | keyword |
-| netskope.events.connection.start_time | Connection start time. | long |
-| netskope.events.count | Number of raw log lines/events sessionized or suppressed during the suppressed interval. | long |
-| netskope.events.description | N/A | keyword |
-| netskope.events.destination.geoip.source | Source from where the location of Destination IP was derived. | long |
-| netskope.events.detail | N/A | keyword |
-| netskope.events.detection.engine | Customer exposed detection engine name. | keyword |
-| netskope.events.detection.type | Same as malware type. Duplicate. | keyword |
-| netskope.events.device.classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword |
-| netskope.events.device.name | N/A | keyword |
-| netskope.events.device.type | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword |
-| netskope.events.dlp.count | Count of rule hits. | long |
-| netskope.events.dlp.file | File/Object name extracted from the file/object. | keyword |
-| netskope.events.dlp.fingerprint.classificaiton | Fingerprint classification. | keyword |
-| netskope.events.dlp.fingerprint.match | Fingerprint classification match file name. | keyword |
-| netskope.events.dlp.fingerprint.score | Fingerprint classification score. | long |
-| netskope.events.dlp.fv | N/A | long |
-| netskope.events.dlp.incident.id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | keyword |
-| netskope.events.dlp.is_unique_count | True or false depending upon if rule is unique counted per rule data. | boolean |
-| netskope.events.dlp.mail.parent_id | N/A | keyword |
-| netskope.events.dlp.parent.id | Incident ID associated with main container (or non-container) file that was scanned. | keyword |
-| netskope.events.dlp.profile | DLP profile name. | keyword |
-| netskope.events.dlp.score | DLP rule score for weighted dictionaries. | long |
-| netskope.events.dlp.severity | Severity of rule. | keyword |
-| netskope.events.dlp.unique_count | Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. | long |
-| netskope.events.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword |
-| netskope.events.domain_shared_with | N/A | long |
-| netskope.events.drive.id | N/A | keyword |
-| netskope.events.encrypt.failure | Reason of failure while encrypting. | keyword |
-| netskope.events.end_time | N/A | keyword |
-| netskope.events.enterprise.id | EnterpriseID in case of Slack for Enterprise. | keyword |
-| netskope.events.enterprise.name | Enterprise name in case of Slack for Enterprise. | keyword |
-| netskope.events.event.type | Anomaly type. | keyword |
-| netskope.events.event_type | N/A | keyword |
-| netskope.events.exposure | Exposure of a document. | keyword |
-| netskope.events.external_collaborator_count | Count of external collaborators on a file/folder. Supported for some apps. | long |
-| netskope.events.file.id | Unique identifier of the file. | keyword |
-| netskope.events.file.is_password_protected | N/A | keyword |
-| netskope.events.file.lang | Language of the file. | keyword |
-| netskope.events.from.logs | Shows if the event was generated from the Risk Insights log. | keyword |
-| netskope.events.from.object | Initial name of an object that has been renamed, copied or moved. | keyword |
-| netskope.events.from.storage | N/A | keyword |
-| netskope.events.from.user_category | Type of from_user. | keyword |
-| netskope.events.gateway | N/A | keyword |
-| netskope.events.graph.id | N/A | keyword |
-| netskope.events.http_status | N/A | keyword |
-| netskope.events.http_transaction_count | HTTP transaction count. | long |
-| netskope.events.iaas_asset_tags | List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. | keyword |
-| netskope.events.id | N/A | keyword |
-| netskope.events.insertion.timestamp | Insertion timestamp. | long |
-| netskope.events.instance.id | Unique ID associated with an organization application instance. | keyword |
-| netskope.events.instance.name | Instance name associated with an organization application instance. | keyword |
-| netskope.events.instance.type | Instance type. | keyword |
-| netskope.events.instance_name | Instance associated with an organization application instance. | keyword |
-| netskope.events.internal_collaborator_count | Count of internal collaborators on a file/folder. Supported for some apps. | long |
-| netskope.events.ip.protocol | N/A | keyword |
-| netskope.events.is_bypass_traffic | Tells if traffic is bypassed by Netskope. | boolean |
-| netskope.events.is_malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | boolean |
-| netskope.events.item.id | N/A | keyword |
-| netskope.events.justification.reason | Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. | keyword |
-| netskope.events.justification.type | Type of justification provided by user when user bypasses the policy block. | keyword |
-| netskope.events.last.app | Last application (app in the first/older event). Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.country | Last location (Country). Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.location | Last location (City). Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.region | Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | long |
-| netskope.events.latency.max | Max latency for a connection in milliseconds. | long |
-| netskope.events.latency.min | Min latency for a connection in milliseconds. | long |
-| netskope.events.latency.total | Total latency from proxy to app in milliseconds. | long |
-| netskope.events.legal_hold_profile_name | Legal hold profile name. | keyword |
-| netskope.events.lh.custodian.name | Custodian name of legal hold profile. | keyword |
-| netskope.events.lh.destination.app | Destination appname of legalhold action. | keyword |
-| netskope.events.lh.destination.instance | Destination instance of legal hold action. | keyword |
-| netskope.events.lh.file_id | File ID of legal hold file. | keyword |
-| netskope.events.lh.filename | File name of legal hold file. | keyword |
-| netskope.events.lh.filename_original | Original filename of legal hold file. | keyword |
-| netskope.events.lh.filepath | File path of legal hold file. | keyword |
-| netskope.events.lh.shared | Shared type of legal hold file. | keyword |
-| netskope.events.lh.shared_with | User shared with the legal hold file. | keyword |
-| netskope.events.lh.version | File version of original file. | keyword |
-| netskope.events.list.id | N/A | keyword |
-| netskope.events.log_file.name | Log file name for Risk Insights. | keyword |
-| netskope.events.login.type | Salesforce login type. | keyword |
-| netskope.events.login.url | Salesforce login URL. | flattened |
-| netskope.events.malsite_category | Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. | keyword |
-| netskope.events.malware.id | md5 hash of the malware name as provided by the scan engine. | keyword |
-| netskope.events.malware.name | Netskope detection name. | keyword |
-| netskope.events.malware.profile | tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. | keyword |
-| netskope.events.malware.severity | Malware severity. | keyword |
-| netskope.events.malware.type | Malware Type. | keyword |
-| netskope.events.managed_app | Whether or not the app in question is managed. | boolean |
-| netskope.events.management.id | Management ID. | keyword |
-| netskope.events.metric_value | N/A | long |
-| netskope.events.modified_at | Timestamp corresponding to the modification time of the entity (file, etc.). | date |
-| netskope.events.netskope_pop | N/A | keyword |
-| netskope.events.network | N/A | keyword |
-| netskope.events.new_value | New value for a given file for salesforce.com. | keyword |
-| netskope.events.notify_template | N/A | keyword |
-| netskope.events.ns.activity | Maps app activity to Netskope standard activity. | keyword |
-| netskope.events.ns.device_uid | Device identifiers on macOS and Windows. | keyword |
-| netskope.events.num_sessions | N/A | long |
-| netskope.events.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. | long |
-| netskope.events.obfuscate | N/A | boolean |
-| netskope.events.object.count | Displayed when the activity is Delete. Shows the number of objects being deleted. | long |
-| netskope.events.object.id | Unique ID associated with an object. | keyword |
-| netskope.events.object.name | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | keyword |
-| netskope.events.object.type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword |
-| netskope.events.old_value | Old value for a given file for salesforce.com. | keyword |
-| netskope.events.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword |
-| netskope.events.organization_unit | Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword |
-| netskope.events.orig_ty | Event Type of original event. | keyword |
-| netskope.events.original_file_path | If the file is moved, then keep original path of the file in this field. | keyword |
-| netskope.events.other.categories | N/A | keyword |
-| netskope.events.owner | Owner of the file. | keyword |
-| netskope.events.page | The URL of the originating page. | keyword |
-| netskope.events.page_site | N/A | keyword |
-| netskope.events.parent.id | N/A | keyword |
-| netskope.events.path_id | Path ID of the file in the application. | long |
-| netskope.events.policy.id | The Netskope internal ID for the policy created by an admin. | keyword |
-| netskope.events.policy.name | Name of the policy configured by an admin. | keyword |
-| netskope.events.profile.emails | List of profile emails per policy. | keyword |
-| netskope.events.profile.id | Anomaly profile ID. | keyword |
-| netskope.events.publisher_cn | N/A | keyword |
-| netskope.events.qar | N/A | keyword |
-| netskope.events.quarantine.action.reason | Reason for the action taken for quarantine. | keyword |
-| netskope.events.quarantine.admin | Quarantine profile custodian email/name. | keyword |
-| netskope.events.quarantine.app | Quarantine app name. | keyword |
-| netskope.events.quarantine.app_name | N/A | keyword |
-| netskope.events.quarantine.failure | Reason of failure. | keyword |
-| netskope.events.quarantine.file.id | File ID of the quarantined file. | keyword |
-| netskope.events.quarantine.file.name | File name of the quarantine file. | keyword |
-| netskope.events.quarantine.instance | Quarantine instance name. | keyword |
-| netskope.events.quarantine.original.file.name | Original file name which got quarantined. | keyword |
-| netskope.events.quarantine.original.file.path | Original file path which got quarantined. | keyword |
-| netskope.events.quarantine.original.shared | Original file shared user details. | keyword |
-| netskope.events.quarantine.original.version | Original version of file which got quarantined. | keyword |
-| netskope.events.quarantine.profile.id | Quarantine profile ID. | keyword |
-| netskope.events.quarantine.profile.name | Quarantine profile name of policy for quarantine action. | keyword |
-| netskope.events.quarantine.shared_with | N/A | keyword |
-| netskope.events.referer | Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. | flattened |
-| netskope.events.region | N/A | keyword |
-| netskope.events.region.id | Region ID (as provided by the cloud provider). | keyword |
-| netskope.events.repo | N/A | keyword |
-| netskope.events.request.count | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long |
-| netskope.events.request.id | Unique request ID for the event. | keyword |
-| netskope.events.response.content.length | N/A | long |
-| netskope.events.response.content.type | N/A | keyword |
-| netskope.events.response.count | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long |
-| netskope.events.retro_scan_name | Retro scan name. | keyword |
-| netskope.events.risk_level | Corresponding field to risk_level_id. Name. | keyword |
-| netskope.events.risk_level_id | This field is set by both role-based access (RBA) and MLAD. | keyword |
-| netskope.events.role | Roles for Box. | keyword |
-| netskope.events.run_id | Run ID. | long |
-| netskope.events.sa.profile.id | CSA profile ID. | keyword |
-| netskope.events.sa.profile.name | CSA profile name. | keyword |
-| netskope.events.sa.rule.severity | Rule severity. | keyword |
-| netskope.events.scan.time | Time when the scan is done. | long |
-| netskope.events.scan.type | Generated during retroactive scan or new ongoing activity. | keyword |
-| netskope.events.scopes | List of permissions for google apps. | keyword |
-| netskope.events.serial | N/A | keyword |
-| netskope.events.server.bytes | Total number of downloaded from server to client. | long |
-| netskope.events.server.packets | N/A | long |
-| netskope.events.session.duration | N/A | long |
-| netskope.events.session.id | Session ID for Dropbox application. | keyword |
-| netskope.events.session.packets | N/A | long |
-| netskope.events.severity.id | Severity ID used by watchlist and malware alerts. | keyword |
-| netskope.events.severity.level | Severity used by watchlist and malware alerts. | keyword |
-| netskope.events.severity.type | Severity type used by watchlist and malware alerts | keyword |
-| netskope.events.sfwder | N/A | keyword |
-| netskope.events.shared.domains | List of domains of users the document is shared with. | keyword |
-| netskope.events.shared.is_shared | If the file is shared or not. | boolean |
-| netskope.events.shared.type | Shared Type. | keyword |
-| netskope.events.shared.with | Array of emails with whom a document is shared with. | keyword |
-| netskope.events.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". | keyword |
-| netskope.events.slc.geo.location | Longitude and latitude. | geo_point |
-| netskope.events.source.geoip_src | Source from where the location of Source IP was derived. | long |
-| netskope.events.ssl_decrypt_policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration, Bypass due to SSL Decrypt Policy.The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. | keyword |
-| netskope.events.start_time | N/A | keyword |
-| netskope.events.sub_type | Workplace by Facebook post sub category (files, comments, status etc). | keyword |
-| netskope.events.supporting_data | N/A | keyword |
-| netskope.events.suppression.end_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long |
-| netskope.events.suppression.key | To limit the number of events. Example: Suppress block event for browse. | keyword |
-| netskope.events.suppression.start_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long |
-| netskope.events.team | Slack team name. | keyword |
-| netskope.events.telemetry_app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | keyword |
-| netskope.events.temp_user | N/A | keyword |
-| netskope.events.tenant.id | Tenant id. | keyword |
-| netskope.events.threat.match_field | Threat match field, either from domain or URL or IP. | keyword |
-| netskope.events.threat.source.id | Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. | keyword |
-| netskope.events.threshold | Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. | long |
-| netskope.events.tnetwork_session_id | N/A | keyword |
-| netskope.events.to.object | Changed name of an object that has been renamed, copied, or moved. | keyword |
-| netskope.events.to.storage | N/A | keyword |
-| netskope.events.to.user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword |
-| netskope.events.to.user_category | Type of user to which move is done. | keyword |
-| netskope.events.total.collaborator_count | Count of collaborators on a file/folder. Supported for some apps. | long |
-| netskope.events.total_packets | N/A | long |
-| netskope.events.traffic.type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword |
-| netskope.events.transaction.id | Unique ID for a given request/response. | keyword |
-| netskope.events.tss_mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword |
-| netskope.events.tunnel.id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword |
-| netskope.events.tunnel.type | N/A | keyword |
-| netskope.events.tunnel.up_time | N/A | long |
-| netskope.events.two_factor_auth | N/A | keyword |
-| netskope.events.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. | keyword |
-| netskope.events.universal_connector | N/A | keyword |
-| netskope.events.url | URL of the application that the user visited as provided by the log or data plane traffic | flattened |
-| netskope.events.url_to_activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | keyword |
-| netskope.events.user.category | Type of user in an enterprise - external / internal. | keyword |
-| netskope.events.user.generated | Tells whether it is user generated page event. | boolean |
-| netskope.events.user.geo.city_name | N/A | keyword |
-| netskope.events.user.geo.continent_name | N/A | keyword |
-| netskope.events.user.geo.country_iso_code | N/A | keyword |
-| netskope.events.user.geo.country_name | N/A | keyword |
-| netskope.events.user.geo.location | Longitude and latitude. | geo_point |
-| netskope.events.user.geo.region_iso_code | N/A | keyword |
-| netskope.events.user.geo.region_name | N/A | keyword |
-| netskope.events.user.group | N/A | keyword |
-| netskope.events.user.ip | IP address of User. | keyword |
-| netskope.events.user.is_aggregated | N/A | boolean |
-| netskope.events.violating.user.name | User who caused a vioaltion. Populated for Workplace by Facebook. | keyword |
-| netskope.events.violating.user.type | Category of the user who caused a violation. Populated for Workplace by Facebook. | keyword |
-| netskope.events.web.url | File preview URL. | flattened |
-| netskope.events.web_universal_connector | N/A | keyword |
-| netskope.events.workspace.id | Workspace ID in case of Slack for Enterprise. | keyword |
-| netskope.events.workspace.name | Workspace name in case of Slack for Enterprise. | keyword |
-| netskope.events.zip_password | Zip the malacious file and put pwd to it and send it back to caller. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.packets | Packets sent from the server to the client. | long |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| user.email | User email address. | keyword |
-| user.group.name | Name of the group. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.roles | Array of user roles at the time of the event. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
-
-An example event for `events` looks as following:
-
-```json
-{
- "@timestamp": "2021-12-24T00:29:56.000Z",
- "agent": {
- "ephemeral_id": "3cabd78f-ac92-4719-87ff-e1dd82c3162a",
- "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.0"
- },
- "data_stream": {
- "dataset": "netskope.events",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
- "snapshot": true,
- "version": "8.3.0"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "netskope.events",
- "ingested": "2022-04-14T09:24:43Z",
- "original": "{\"@timestamp\":\"2021-12-24T00:29:56.000Z\",\"event.id\":\"613ee55ec9d868fc47654a73\",\"netskope\":{\"events\":{\"event_type\":\"infrastructure\",\"severity\":{\"level\":\"high\"},\"alarm\":{\"name\":\"No_events_from_device\",\"description\":\"Events from device not received in the last 24 hours\"},\"device\":{\"name\":\"device-1\"},\"metric_value\":43831789,\"serial\":\"FFFFFFFFFFFFFFFF\",\"supporting_data\":\"abc\"}}}"
- },
- "event.id": "613ee55ec9d868fc47654a73",
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "192.168.224.1:46522"
- }
- },
- "netskope": {
- "events": {
- "alarm": {
- "description": "Events from device not received in the last 24 hours",
- "name": "No_events_from_device"
- },
- "device": {
- "name": "device-1"
- },
- "event_type": "infrastructure",
- "metric_value": 43831789,
- "serial": "FFFFFFFFFFFFFFFF",
- "severity": {
- "level": "high"
- },
- "supporting_data": "abc"
- }
- },
- "tags": [
- "forwarded",
- "netskope-events"
- ]
-}
-```
diff --git a/packages/netskope/1.0.1/img/netskope-alerts-screenshot.png b/packages/netskope/1.0.1/img/netskope-alerts-screenshot.png
deleted file mode 100755
index 3478a97c30..0000000000
Binary files a/packages/netskope/1.0.1/img/netskope-alerts-screenshot.png and /dev/null differ
diff --git a/packages/netskope/1.0.1/img/netskope-events-screenshot.png b/packages/netskope/1.0.1/img/netskope-events-screenshot.png
deleted file mode 100755
index a429b80386..0000000000
Binary files a/packages/netskope/1.0.1/img/netskope-events-screenshot.png and /dev/null differ
diff --git a/packages/netskope/1.0.1/img/netskope-logo.svg b/packages/netskope/1.0.1/img/netskope-logo.svg
deleted file mode 100755
index cf1c8bcb3d..0000000000
--- a/packages/netskope/1.0.1/img/netskope-logo.svg
+++ /dev/null
@@ -1,26 +0,0 @@
- - - - - - - - - - - - -
diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index 23c328b567..0000000000
--- a/packages/netskope/1.0.1/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"panelRefName\":\"panel_6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"panelRefName\":\"panel_4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"45c067c5-0e47-4988-90f8-fc788f006afd\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"45c067c5-0e47-4988-90f8-fc788f006afd\",\"panelRefName\":\"panel_45c067c5-0e47-4988-90f8-fc788f006afd\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"panelRefName\":\"panel_a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhan
cements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"panelRefName\":\"panel_feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"panelRefName\":\"panel_366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"afe687dc-fbb2-4277-b415-2d63dc660034\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"afe687dc-fbb2-4277-b415-2d63dc660034\",\"panelRefName\":\"panel_afe687dc-fbb2-4277-b415-2d63dc660034\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"84973327-83fa-4d3e-a605-942aa2f8d165\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"84973327-83fa-4d3e-a605-942aa2f8d165\",\"panelRefName\":\"panel_84973327-83fa-4d3e-a605-942aa2f8d165\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"panelRefName\":\"panel_b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"panelRefName\":\"panel_1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":1
5,\"i\":\"1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"panelRefName\":\"panel_1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e9392a59-5f4d-405d-8779-6b1400c25493\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"e9392a59-5f4d-405d-8779-6b1400c25493\",\"panelRefName\":\"panel_e9392a59-5f4d-405d-8779-6b1400c25493\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"panelRefName\":\"panel_f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"panelRefName\":\"panel_8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"panelRefName\":\"panel_a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"panelRefName\":\"panel_eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d726178a-8c9a-465c-ac2d-974f77abb85f\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\
"d726178a-8c9a-465c-ac2d-974f77abb85f\",\"panelRefName\":\"panel_d726178a-8c9a-465c-ac2d-974f77abb85f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5d065d8d-9b03-4707-9c50-4b655a013932\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"5d065d8d-9b03-4707-9c50-4b655a013932\",\"panelRefName\":\"panel_5d065d8d-9b03-4707-9c50-4b655a013932\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"panelRefName\":\"panel_5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"panelRefName\":\"panel_65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"panelRefName\":\"panel_b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"panelRefName\":\"panel_e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"panelRefName\":\"panel_99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"type\":\"visu
alization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"panelRefName\":\"panel_44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f01b8e09-267d-433e-965b-20d3483143a6\",\"w\":24,\"x\":0,\"y\":180},\"panelIndex\":\"f01b8e09-267d-433e-965b-20d3483143a6\",\"panelRefName\":\"panel_f01b8e09-267d-433e-965b-20d3483143a6\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] Quarantine", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02", - "name": "6fa82f60-f04f-444f-ba2f-00773e1e6108:panel_6fa82f60-f04f-444f-ba2f-00773e1e6108", - "type": "visualization" - }, - { - "id": "netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02", - "name": "4652af1f-2400-4b6c-bc5e-571191e2a14f:panel_4652af1f-2400-4b6c-bc5e-571191e2a14f", - "type": "visualization" - }, - { - "id": "netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02", - "name": "45c067c5-0e47-4988-90f8-fc788f006afd:panel_45c067c5-0e47-4988-90f8-fc788f006afd", - "type": "visualization" - }, - { - "id": "netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02", - "name": "a9793bf2-d220-4b8c-a5b5-ce31043445f9:panel_a9793bf2-d220-4b8c-a5b5-ce31043445f9", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "feaa25d0-fc21-4688-ad80-aac792a6f5a7:panel_feaa25d0-fc21-4688-ad80-aac792a6f5a7", - "type": "visualization" - }, - { - "id": 
"netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "366ab0ac-ca2e-42af-a6c3-ed7af9892b33:panel_366ab0ac-ca2e-42af-a6c3-ed7af9892b33", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "afe687dc-fbb2-4277-b415-2d63dc660034:panel_afe687dc-fbb2-4277-b415-2d63dc660034", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "84973327-83fa-4d3e-a605-942aa2f8d165:panel_84973327-83fa-4d3e-a605-942aa2f8d165", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "b4492c2d-8d65-4ba1-88ff-477837e47ba7:panel_b4492c2d-8d65-4ba1-88ff-477837e47ba7", - "type": "visualization" - }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "1ff971d6-add3-4c2e-b392-13c5487ac4ee:panel_1ff971d6-add3-4c2e-b392-13c5487ac4ee", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "1f30c1e5-042e-48ce-99e5-5f1fc9e12d12:panel_1f30c1e5-042e-48ce-99e5-5f1fc9e12d12", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "e9392a59-5f4d-405d-8779-6b1400c25493:panel_e9392a59-5f4d-405d-8779-6b1400c25493", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "f722efca-df82-46e8-bb4d-8217b1fac3e3:panel_f722efca-df82-46e8-bb4d-8217b1fac3e3", - "type": "visualization" - }, - { - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "8c4361bf-c0be-44e9-a898-0f2de9b10187:panel_8c4361bf-c0be-44e9-a898-0f2de9b10187", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "a65412a1-13cd-40ed-900e-4fc49f388ee7:panel_a65412a1-13cd-40ed-900e-4fc49f388ee7", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "eb9e1079-4966-4ae9-abbf-e0df000f17d6:panel_eb9e1079-4966-4ae9-abbf-e0df000f17d6", - 
"type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "d726178a-8c9a-465c-ac2d-974f77abb85f:panel_d726178a-8c9a-465c-ac2d-974f77abb85f", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "5d065d8d-9b03-4707-9c50-4b655a013932:panel_5d065d8d-9b03-4707-9c50-4b655a013932", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "5da4dcb5-1642-48d8-8b08-cc24ad43f53d:panel_5da4dcb5-1642-48d8-8b08-cc24ad43f53d", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "65a1d845-2c17-4bd6-8cd8-d8c651d89bd5:panel_65a1d845-2c17-4bd6-8cd8-d8c651d89bd5", - "type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": "b2f14091-11cf-492c-bd71-06a8096e4cc2:panel_b2f14091-11cf-492c-bd71-06a8096e4cc2", - "type": "visualization" - }, - { - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "name": "e0331a0a-3091-48e8-8591-31ed4cb1e001:panel_e0331a0a-3091-48e8-8591-31ed4cb1e001", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "99617f89-4bf3-4426-9d51-d486cde5c8a6:panel_99617f89-4bf3-4426-9d51-d486cde5c8a6", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "44f4cc45-f34e-4034-aa95-aab9bae9be7b:panel_44f4cc45-f34e-4034-aa95-aab9bae9be7b", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "f01b8e09-267d-433e-965b-20d3483143a6:panel_f01b8e09-267d-433e-965b-20d3483143a6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index ec910490e0..0000000000
--- a/packages/netskope/1.0.1/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,122 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"9ecea79f-aedc-4c49-a78d-113c35d00646\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"9ecea79f-aedc-4c49-a78d-113c35d00646\",\"panelRefName\":\"panel_9ecea79f-aedc-4c49-a78d-113c35d00646\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"panelRefName\":\"panel_f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"panelRefName\":\"panel_6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"48681f61-2ad6-4dac-aafd-895b2c267d93\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"48681f61-2ad6-4dac-aafd-895b2c267d93\",\"panelRefName\":\"panel_48681f61-2ad6-4dac-aafd-895b2c267d93\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddabl
eConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"414e518e-6119-4905-9052-0bab7a7e53c2\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"414e518e-6119-4905-9052-0bab7a7e53c2\",\"panelRefName\":\"panel_414e518e-6119-4905-9052-0bab7a7e53c2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"panelRefName\":\"panel_f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"dedb010c-aa2b-4849-a123-01d05df8391e\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"dedb010c-aa2b-4849-a123-01d05df8391e\",\"panelRefName\":\"panel_dedb010c-aa2b-4849-a123-01d05df8391e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"panelRefName\":\"panel_769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c15e2f15-51e0-450b-8b65-68ad53160156\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c15e2f15-51e0-450b-8b65-68ad53160156\",\"panelRefName\":\"panel_c15e2f15-51e0-450b-8b65-68ad53160156\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"panelRefName\":\"panel_75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"g
ridData\":{\"h\":15,\"i\":\"abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"panelRefName\":\"panel_abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"panelRefName\":\"panel_15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5fe16d63-f752-4c67-b033-54924d7a631a\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"5fe16d63-f752-4c67-b033-54924d7a631a\",\"panelRefName\":\"panel_5fe16d63-f752-4c67-b033-54924d7a631a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"panelRefName\":\"panel_87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"panelRefName\":\"panel_802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"panelRefName\":\"panel_f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"w\":24,\"x\":0,\"y\":13
5},\"panelIndex\":\"5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"panelRefName\":\"panel_5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f9e38ddf-3807-4283-8612-12890da9ddbe\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"f9e38ddf-3807-4283-8612-12890da9ddbe\",\"panelRefName\":\"panel_f9e38ddf-3807-4283-8612-12890da9ddbe\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"panelRefName\":\"panel_4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] Security Assessment", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-f9097160-71f3-11ec-8c4b-cb281099ee02", - "name": "9ecea79f-aedc-4c49-a78d-113c35d00646:panel_9ecea79f-aedc-4c49-a78d-113c35d00646", - "type": "visualization" - }, - { - "id": "netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02", - "name": "f7136693-69cc-43e0-b9ad-3b975bbe830a:panel_f7136693-69cc-43e0-b9ad-3b975bbe830a", - "type": "visualization" - }, - { - "id": "netskope-187e0140-71f5-11ec-8c4b-cb281099ee02", - "name": "6a352e9d-2bda-4c4d-a65f-70086fe9e098:panel_6a352e9d-2bda-4c4d-a65f-70086fe9e098", - "type": "visualization" - }, - { - "id": "netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02", - "name": "48681f61-2ad6-4dac-aafd-895b2c267d93:panel_48681f61-2ad6-4dac-aafd-895b2c267d93", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - 
"name": "414e518e-6119-4905-9052-0bab7a7e53c2:panel_414e518e-6119-4905-9052-0bab7a7e53c2", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "f52d5fe1-0317-4341-8828-34c8eb20e6c5:panel_f52d5fe1-0317-4341-8828-34c8eb20e6c5", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "dedb010c-aa2b-4849-a123-01d05df8391e:panel_dedb010c-aa2b-4849-a123-01d05df8391e", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "769bdbcd-f96e-41c7-ba73-76bc435f8573:panel_769bdbcd-f96e-41c7-ba73-76bc435f8573", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "c15e2f15-51e0-450b-8b65-68ad53160156:panel_c15e2f15-51e0-450b-8b65-68ad53160156", - "type": "visualization" - }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "75d0c42b-7852-4914-95e7-6d2e92b99bd0:panel_75d0c42b-7852-4914-95e7-6d2e92b99bd0", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "abd95a27-a1f0-4808-88fb-3bb5f770f543:panel_abd95a27-a1f0-4808-88fb-3bb5f770f543", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "15c3b9dc-93ee-48ca-a860-fd4f1b768c4c:panel_15c3b9dc-93ee-48ca-a860-fd4f1b768c4c", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "5fe16d63-f752-4c67-b033-54924d7a631a:panel_5fe16d63-f752-4c67-b033-54924d7a631a", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "87ee17ee-d40e-4a43-b26f-9622bf1bcbad:panel_87ee17ee-d40e-4a43-b26f-9622bf1bcbad", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "802cd7a9-7704-4a53-b143-1b9a4f75cc2b:panel_802cd7a9-7704-4a53-b143-1b9a4f75cc2b", - "type": "visualization" - }, - { - "id": 
"netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "f6e061ee-b7ac-47c8-9915-3fca33a23317:panel_f6e061ee-b7ac-47c8-9915-3fca33a23317", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "5a0acb1a-ce64-413f-a582-567d7fa79fc0:panel_5a0acb1a-ce64-413f-a582-567d7fa79fc0", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "f9e38ddf-3807-4283-8612-12890da9ddbe:panel_f9e38ddf-3807-4283-8612-12890da9ddbe", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "4f45dac1-2a01-418a-9174-86fa1d613f5f:panel_4f45dac1-2a01-418a-9174-86fa1d613f5f", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1d99e0f070..0000000000 --- a/packages/netskope/1.0.1/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"de113850-0514-4327-bf4a-96fd3bff0aa1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"de113850-0514-4327-bf4a-96fd3bff0aa1\",\"panelRefName\":\"panel_de113850-0514-4327-bf4a-96fd3bff0aa1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"panelRefName\":\"panel_81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"1ae18052-f555-4f33-b76c-7f425a337c95\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1ae18052-f555-4f33-b76c-7f425a337c95\",\"panelRefName\":\"panel_1ae18052-f555-4f33-b76c-7f425a337c95\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"panelRefName\":\"panel_cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"type\":\"visu
alization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"40a99b00-0503-4360-b2ee-4758402ddbc6\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"40a99b00-0503-4360-b2ee-4758402ddbc6\",\"panelRefName\":\"panel_40a99b00-0503-4360-b2ee-4758402ddbc6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c56aec99-3085-448f-b3ce-d68d4d758354\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"c56aec99-3085-448f-b3ce-d68d4d758354\",\"panelRefName\":\"panel_c56aec99-3085-448f-b3ce-d68d4d758354\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"panelRefName\":\"panel_cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"91fb5be5-9fe1-446c-b5de-0a9844698834\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"91fb5be5-9fe1-446c-b5de-0a9844698834\",\"panelRefName\":\"panel_91fb5be5-9fe1-446c-b5de-0a9844698834\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"panelRefName\":\"panel_e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"panelRefName\":\"panel_cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legen
dOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"199442bd-7bb0-4112-ade5-3264743defd1\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"199442bd-7bb0-4112-ade5-3264743defd1\",\"panelRefName\":\"panel_199442bd-7bb0-4112-ade5-3264743defd1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"panelRefName\":\"panel_90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"panelRefName\":\"panel_3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"panelRefName\":\"panel_cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"68eae1da-9479-4de6-a888-790e7bee6449\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"68eae1da-9479-4de6-a888-790e7bee6449\",\"panelRefName\":\"panel_68eae1da-9479-4de6-a888-790e7bee6449\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"8368a6ca-b543-4adc-a9c5-624e74497329\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"8368a6ca-b543-4adc-a9c5-624e74497329\",\"panelRefName\":\"panel_8368a6ca-b543-4adc-a9c5-624e74497329\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4b05e711-810e-401
4-9b25-0bd307954aa0\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"4b05e711-810e-4014-9b25-0bd307954aa0\",\"panelRefName\":\"panel_4b05e711-810e-4014-9b25-0bd307954aa0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"893dd429-9e30-4fd6-9419-dbe51aafc104\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"893dd429-9e30-4fd6-9419-dbe51aafc104\",\"panelRefName\":\"panel_893dd429-9e30-4fd6-9419-dbe51aafc104\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"panelRefName\":\"panel_5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"39191fce-eb15-468c-ad46-923e47f84456\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"39191fce-eb15-468c-ad46-923e47f84456\",\"panelRefName\":\"panel_39191fce-eb15-468c-ad46-923e47f84456\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aedad988-c987-4390-b904-8ed71a118d4d\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"aedad988-c987-4390-b904-8ed71a118d4d\",\"panelRefName\":\"panel_aedad988-c987-4390-b904-8ed71a118d4d\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Events] Network", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-55144a90-72ab-11ec-8c4b-cb281099ee02", - "name": 
"de113850-0514-4327-bf4a-96fd3bff0aa1:panel_de113850-0514-4327-bf4a-96fd3bff0aa1", - "type": "visualization" - }, - { - "id": "netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02", - "name": "81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842:panel_81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842", - "type": "visualization" - }, - { - "id": "netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02", - "name": "1ae18052-f555-4f33-b76c-7f425a337c95:panel_1ae18052-f555-4f33-b76c-7f425a337c95", - "type": "visualization" - }, - { - "id": "netskope-327320f0-72ac-11ec-8c4b-cb281099ee02", - "name": "cf91b73d-8723-4207-a9db-2f2eec6dbc83:panel_cf91b73d-8723-4207-a9db-2f2eec6dbc83", - "type": "visualization" - }, - { - "id": "netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02", - "name": "40a99b00-0503-4360-b2ee-4758402ddbc6:panel_40a99b00-0503-4360-b2ee-4758402ddbc6", - "type": "visualization" - }, - { - "id": "netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02", - "name": "c56aec99-3085-448f-b3ce-d68d4d758354:panel_c56aec99-3085-448f-b3ce-d68d4d758354", - "type": "visualization" - }, - { - "id": "netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02", - "name": "cfbe5876-f02d-42c0-ae50-b85b43223f2d:panel_cfbe5876-f02d-42c0-ae50-b85b43223f2d", - "type": "visualization" - }, - { - "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", - "name": "91fb5be5-9fe1-446c-b5de-0a9844698834:panel_91fb5be5-9fe1-446c-b5de-0a9844698834", - "type": "visualization" - }, - { - "id": "netskope-464ce970-72b7-11ec-8c4b-cb281099ee02", - "name": "e89d1bab-dd1c-4b06-bad0-77f26fb8e217:panel_e89d1bab-dd1c-4b06-bad0-77f26fb8e217", - "type": "visualization" - }, - { - "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", - "name": "cafd5a6f-d702-4870-b85d-8c5619997cb6:panel_cafd5a6f-d702-4870-b85d-8c5619997cb6", - "type": "visualization" - }, - { - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "name": "199442bd-7bb0-4112-ade5-3264743defd1:panel_199442bd-7bb0-4112-ade5-3264743defd1", - "type": "visualization" - }, - { - "id": 
"netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "name": "90e8a139-5ac8-4a10-a5ed-802d30eca519:panel_90e8a139-5ac8-4a10-a5ed-802d30eca519", - "type": "visualization" - }, - { - "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "name": "3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339:panel_3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339", - "type": "visualization" - }, - { - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "name": "cbe6b18e-b303-4b00-b573-f9856a82e15e:panel_cbe6b18e-b303-4b00-b573-f9856a82e15e", - "type": "visualization" - }, - { - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "name": "68eae1da-9479-4de6-a888-790e7bee6449:panel_68eae1da-9479-4de6-a888-790e7bee6449", - "type": "visualization" - }, - { - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "name": "8368a6ca-b543-4adc-a9c5-624e74497329:panel_8368a6ca-b543-4adc-a9c5-624e74497329", - "type": "visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": "4b05e711-810e-4014-9b25-0bd307954aa0:panel_4b05e711-810e-4014-9b25-0bd307954aa0", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "893dd429-9e30-4fd6-9419-dbe51aafc104:panel_893dd429-9e30-4fd6-9419-dbe51aafc104", - "type": "visualization" - }, - { - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "name": "5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb:panel_5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb", - "type": "visualization" - }, - { - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "name": "39191fce-eb15-468c-ad46-923e47f84456:panel_39191fce-eb15-468c-ad46-923e47f84456", - "type": "visualization" - }, - { - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "name": "aedad988-c987-4390-b904-8ed71a118d4d:panel_aedad988-c987-4390-b904-8ed71a118d4d", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index d2e6875041..0000000000
--- a/packages/netskope/1.0.1/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"eef1d418-6eb7-4ca7-963c-376163e018cc\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"eef1d418-6eb7-4ca7-963c-376163e018cc\",\"panelRefName\":\"panel_eef1d418-6eb7-4ca7-963c-376163e018cc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b8ce0876-320e-4903-919e-3101df39f199\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"b8ce0876-320e-4903-919e-3101df39f199\",\"panelRefName\":\"panel_b8ce0876-320e-4903-919e-3101df39f199\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"panelRefName\":\"panel_bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cb25209c-af4f-46d4-8055-e0165377c186\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"cb25209c-af4f-46d4-8055-e0165377c186\",\"panelRefName\":\"panel_cb25209c-af4f-46d4-8055-e0165377c186\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - 
"timeRestore": false, - "title": "[Netskope][Events] Infrastructure", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02", - "name": "eef1d418-6eb7-4ca7-963c-376163e018cc:panel_eef1d418-6eb7-4ca7-963c-376163e018cc", - "type": "visualization" - }, - { - "id": "netskope-719e0f30-72af-11ec-8c4b-cb281099ee02", - "name": "b8ce0876-320e-4903-919e-3101df39f199:panel_b8ce0876-320e-4903-919e-3101df39f199", - "type": "visualization" - }, - { - "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", - "name": "bcd7cd0f-3d14-4165-ad36-411e407c1b3a:panel_bcd7cd0f-3d14-4165-ad36-411e407c1b3a", - "type": "visualization" - }, - { - "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", - "name": "cb25209c-af4f-46d4-8055-e0165377c186:panel_cb25209c-af4f-46d4-8055-e0165377c186", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 35312a2ab0..0000000000 --- a/packages/netskope/1.0.1/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"panelRefName\":\"panel_26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"w\":24,\"x\":0,\"y\":5},\"panelIndex\":\"5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"panelRefName\":\"panel_5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"w\":24,\"x\":24,\"y\":5},\"panelIndex\":\"6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"panelRefName\":\"panel_6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"panelRefName\":\"panel_067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"panelRefName\":\"panel_26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"
embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"panelRefName\":\"panel_98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"panelRefName\":\"panel_1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"panelRefName\":\"panel_822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"panelRefName\":\"panel_5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1773342f-dd53-4c10-9b38-82b4e09a7395\",\"w\":24,\"x\":0,\"y\":65},\"panelIndex\":\"1773342f-dd53-4c10-9b38-82b4e09a7395\",\"panelRefName\":\"panel_1773342f-dd53-4c10-9b38-82b4e09a7395\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"w\":24,\"x\":24,\"y\":65},\"panelIndex\":\"e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"panelRefName\":\"panel_e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d9355657-e78e-4edf-89b0
-4f0e0698372e\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"d9355657-e78e-4edf-89b0-4f0e0698372e\",\"panelRefName\":\"panel_d9355657-e78e-4edf-89b0-4f0e0698372e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"82495547-fdb7-4c0c-8e55-83246013d66f\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"82495547-fdb7-4c0c-8e55-83246013d66f\",\"panelRefName\":\"panel_82495547-fdb7-4c0c-8e55-83246013d66f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"w\":24,\"x\":0,\"y\":95},\"panelIndex\":\"c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"panelRefName\":\"panel_c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope] Events Overview", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02", - "name": "26fbf4d7-3b96-4d0a-a206-1c0b6c36a654:panel_26fbf4d7-3b96-4d0a-a206-1c0b6c36a654", - "type": "visualization" - }, - { - "id": "netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02", - "name": "5a43e517-99d6-425a-b5cb-7ee124b327e7:panel_5a43e517-99d6-425a-b5cb-7ee124b327e7", - "type": "visualization" - }, - { - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "name": "6a0e0f49-951b-47ca-8664-5507bae1d7f4:panel_6a0e0f49-951b-47ca-8664-5507bae1d7f4", - "type": "visualization" - }, - { - "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "name": "067dda5d-b9eb-495c-b663-5bb1eaa164da:panel_067dda5d-b9eb-495c-b663-5bb1eaa164da", - "type": "visualization" - }, - { - "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "name": "26a44d07-f0e4-4c58-a209-ebe227dfe682:panel_26a44d07-f0e4-4c58-a209-ebe227dfe682", - "type": 
"visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": "98d0578d-b4f5-46f6-8c5d-db6939548a41:panel_98d0578d-b4f5-46f6-8c5d-db6939548a41", - "type": "visualization" - }, - { - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "name": "1150af83-f4ee-4aa3-8b31-7d5c5dccc716:panel_1150af83-f4ee-4aa3-8b31-7d5c5dccc716", - "type": "visualization" - }, - { - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "name": "822a62d6-ed17-4a9c-bcbc-b29b25538156:panel_822a62d6-ed17-4a9c-bcbc-b29b25538156", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec:panel_5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec", - "type": "visualization" - }, - { - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "name": "1773342f-dd53-4c10-9b38-82b4e09a7395:panel_1773342f-dd53-4c10-9b38-82b4e09a7395", - "type": "visualization" - }, - { - "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", - "name": "e297318d-0e02-4fc2-a5dd-6b6d57f5e35b:panel_e297318d-0e02-4fc2-a5dd-6b6d57f5e35b", - "type": "visualization" - }, - { - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "name": "d9355657-e78e-4edf-89b0-4f0e0698372e:panel_d9355657-e78e-4edf-89b0-4f0e0698372e", - "type": "visualization" - }, - { - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "name": "82495547-fdb7-4c0c-8e55-83246013d66f:panel_82495547-fdb7-4c0c-8e55-83246013d66f", - "type": "visualization" - }, - { - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "name": "c291aef0-c76c-4c83-ae56-2c2126f817a7:panel_c291aef0-c76c-4c83-ae56-2c2126f817a7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 84042f8c6d..0000000000 
--- a/packages/netskope/1.0.1/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"77a59f05-8734-4361-a4ee-f0081a667f90\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"77a59f05-8734-4361-a4ee-f0081a667f90\",\"panelRefName\":\"panel_77a59f05-8734-4361-a4ee-f0081a667f90\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ba5dff68-0c84-4678-bf9b-a20767da4594\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ba5dff68-0c84-4678-bf9b-a20767da4594\",\"panelRefName\":\"panel_ba5dff68-0c84-4678-bf9b-a20767da4594\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"panelRefName\":\"panel_04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1fb9cef2-f112-4a25-985e-e191d044a824\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"1fb9cef2-f112-4a25-985e-e191d044a824\",\"panelRefName\":\"panel_1fb9cef2-f112-4a25-985e-e191d044a824\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enha
ncements\":{}},\"gridData\":{\"h\":15,\"i\":\"d6851ddb-5402-419a-b8e2-91e060a5a715\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d6851ddb-5402-419a-b8e2-91e060a5a715\",\"panelRefName\":\"panel_d6851ddb-5402-419a-b8e2-91e060a5a715\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"panelRefName\":\"panel_8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Events] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-97349920-72b0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-feb43930-72af-11ec-8c4b-cb281099ee02", - "name": "77a59f05-8734-4361-a4ee-f0081a667f90:panel_77a59f05-8734-4361-a4ee-f0081a667f90", - "type": "visualization" - }, - { - "id": "netskope-24907420-72b0-11ec-8c4b-cb281099ee02", - "name": "ba5dff68-0c84-4678-bf9b-a20767da4594:panel_ba5dff68-0c84-4678-bf9b-a20767da4594", - "type": "visualization" - }, - { - "id": "netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02", - "name": "04a815f0-2d0c-4189-9382-c4b5c4455bce:panel_04a815f0-2d0c-4189-9382-c4b5c4455bce", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "1fb9cef2-f112-4a25-985e-e191d044a824:panel_1fb9cef2-f112-4a25-985e-e191d044a824", - "type": "visualization" - }, - { - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "name": "d6851ddb-5402-419a-b8e2-91e060a5a715:panel_d6851ddb-5402-419a-b8e2-91e060a5a715", - "type": "visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": 
"8c1ee365-4a0c-4b03-858a-26c7d6652699:panel_8c1ee365-4a0c-4b03-858a-26c7d6652699", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 94ccc020a5..0000000000 --- a/packages/netskope/1.0.1/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"panelRefName\":\"panel_ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"panelRefName\":\"panel_f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"panelRefName\":\"panel_85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"panelRefName\":\"panel_d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"type\":\"visualization\",\"version\
":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"panelRefName\":\"panel_516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"panelRefName\":\"panel_ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e6fdc807-d7d7-4c8d-a592-584e42001712\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e6fdc807-d7d7-4c8d-a592-584e42001712\",\"panelRefName\":\"panel_e6fdc807-d7d7-4c8d-a592-584e42001712\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"panelRefName\":\"panel_fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5de4021e-f3ba-4155-83c6-d44937ad4564\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"5de4021e-f3ba-4155-83c6-d44937ad4564\",\"panelRefName\":\"panel_5de4021e-f3ba-4155-83c6-d44937ad4564\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6b88f03d-4441-4081-b031-7af3644a3421\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"6b88f03d-4441-4081-b031-7af3644a3421\",\"panelRefName\":\"panel_6b88f03d-4441-4081-b031-7af3644a3421\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\"
:{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"panelRefName\":\"panel_ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"panelRefName\":\"panel_6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"panelRefName\":\"panel_942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"panelRefName\":\"panel_51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85ba4c06-11ce-4bfe-ba79-983562383efb\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"85ba4c06-11ce-4bfe-ba79-983562383efb\",\"panelRefName\":\"panel_85ba4c06-11ce-4bfe-ba79-983562383efb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2209097a-5361-4924-b89b-30cb69fc1aa9\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"2209097a-5361-4924-b89b-30cb69fc1aa9\",\"panelRefName\":\"panel_2209097a-5361-4924-b89b-30cb69fc1aa9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"313214f2-83b2-41eb-98f6-d2e061b84267\",\"w\":24,\"x\":24,\"y\":120},
\"panelIndex\":\"313214f2-83b2-41eb-98f6-d2e061b84267\",\"panelRefName\":\"panel_313214f2-83b2-41eb-98f6-d2e061b84267\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"18e2231e-c783-4353-a799-b41f01154e97\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"18e2231e-c783-4353-a799-b41f01154e97\",\"panelRefName\":\"panel_18e2231e-c783-4353-a799-b41f01154e97\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Events] Application", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02", - "name": "ab32506e-cd95-4643-94f4-ff3d7f10655b:panel_ab32506e-cd95-4643-94f4-ff3d7f10655b", - "type": "visualization" - }, - { - "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", - "name": "f04eaee2-b656-45f0-bf2e-7db096fe5ba5:panel_f04eaee2-b656-45f0-bf2e-7db096fe5ba5", - "type": "visualization" - }, - { - "id": "netskope-5e243140-72b5-11ec-8c4b-cb281099ee02", - "name": "85a443dc-c3dd-4198-8273-b2edbe5254a6:panel_85a443dc-c3dd-4198-8273-b2edbe5254a6", - "type": "visualization" - }, - { - "id": "netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02", - "name": "d8da7946-0d47-405d-b219-b3f4519ee4d9:panel_d8da7946-0d47-405d-b219-b3f4519ee4d9", - "type": "visualization" - }, - { - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "name": "516a4ca3-23b4-4d6d-9162-50197cbfe306:panel_516a4ca3-23b4-4d6d-9162-50197cbfe306", - "type": "visualization" - }, - { - "id": "netskope-917c9230-72b5-11ec-8c4b-cb281099ee02", - "name": "ab75c7fa-d665-4ce4-b2d0-62428fd846da:panel_ab75c7fa-d665-4ce4-b2d0-62428fd846da", - "type": "visualization" - }, - { - "id": 
"netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "name": "e6fdc807-d7d7-4c8d-a592-584e42001712:panel_e6fdc807-d7d7-4c8d-a592-584e42001712", - "type": "visualization" - }, - { - "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "name": "fe337472-7a96-402a-b7e5-b8ea37e6328c:panel_fe337472-7a96-402a-b7e5-b8ea37e6328c", - "type": "visualization" - }, - { - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "name": "5de4021e-f3ba-4155-83c6-d44937ad4564:panel_5de4021e-f3ba-4155-83c6-d44937ad4564", - "type": "visualization" - }, - { - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "name": "6b88f03d-4441-4081-b031-7af3644a3421:panel_6b88f03d-4441-4081-b031-7af3644a3421", - "type": "visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": "ebf8e192-7eba-438f-96cc-5e6d80d08fd0:panel_ebf8e192-7eba-438f-96cc-5e6d80d08fd0", - "type": "visualization" - }, - { - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "name": "6a003a65-76ee-43fa-9f63-a8c96c129fd1:panel_6a003a65-76ee-43fa-9f63-a8c96c129fd1", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4:panel_942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4", - "type": "visualization" - }, - { - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "name": "51fc9a00-6109-46eb-9264-cfb81fafbb90:panel_51fc9a00-6109-46eb-9264-cfb81fafbb90", - "type": "visualization" - }, - { - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "name": "85ba4c06-11ce-4bfe-ba79-983562383efb:panel_85ba4c06-11ce-4bfe-ba79-983562383efb", - "type": "visualization" - }, - { - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "name": "2209097a-5361-4924-b89b-30cb69fc1aa9:panel_2209097a-5361-4924-b89b-30cb69fc1aa9", - "type": "visualization" - }, - { - "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", - "name": "313214f2-83b2-41eb-98f6-d2e061b84267:panel_313214f2-83b2-41eb-98f6-d2e061b84267", - 
"type": "visualization" - }, - { - "id": "netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02", - "name": "18e2231e-c783-4353-a799-b41f01154e97:panel_18e2231e-c783-4353-a799-b41f01154e97", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 0c48984958..0000000000 --- a/packages/netskope/1.0.1/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,182 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"panelRefName\":\"panel_3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"df123261-3370-4572-b118-09a2654264f2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"df123261-3370-4572-b118-09a2654264f2\",\"panelRefName\":\"panel_df123261-3370-4572-b118-09a2654264f2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"649b0d8e-5d17-411d-9117-a63ad74960f1\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"649b0d8e-5d17-411d-9117-a63ad74960f1\",\"panelRefName\":\"panel_649b0d8e-5d17-411d-9117-a63ad74960f1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"92b99046-01c4-413a-84dd-93ad174171b0\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"92b99046-01c4-413a-84dd-93ad174171b0\",\"panelRefName\":\"panel_92b99046-01c4-413a-84dd-93ad174171b0\",\"type\":\"visualization\",\"versio
n\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"panelRefName\":\"panel_aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"3d78958c-581d-4ad4-a768-346a4f234b25\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3d78958c-581d-4ad4-a768-346a4f234b25\",\"panelRefName\":\"panel_3d78958c-581d-4ad4-a768-346a4f234b25\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"panelRefName\":\"panel_cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"panelRefName\":\"panel_9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"panelRefName\":\"panel_e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":162},{\"colIndex\":1,\"width\":355.5}]}}},\"gridData\":{\"h\":15,\"i\":\"b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"panelRefName\":\
"panel_b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5513d359-dd47-44a7-856b-fadc0178aa5f\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"5513d359-dd47-44a7-856b-fadc0178aa5f\",\"panelRefName\":\"panel_5513d359-dd47-44a7-856b-fadc0178aa5f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"panelRefName\":\"panel_ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"6c932713-9d4b-430a-a799-6d31b45ecacf\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"6c932713-9d4b-430a-a799-6d31b45ecacf\",\"panelRefName\":\"panel_6c932713-9d4b-430a-a799-6d31b45ecacf\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"panelRefName\":\"panel_c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"panelRefName\":\"panel_90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cd490c17-67ea-4bd1-aa9a-88f1a9c139b5\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"cd490c17-67ea-4bd1-aa9a-88f1a9c139b5\",\"panelRefName\":\"panel_cd490c17-67ea-4bd1-aa9a-88
f1a9c139b5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"panelRefName\":\"panel_0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"650391d6-5467-4b6e-b529-f89b34cacdee\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"650391d6-5467-4b6e-b529-f89b34cacdee\",\"panelRefName\":\"panel_650391d6-5467-4b6e-b529-f89b34cacdee\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6b8089ba-e257-40d5-847f-516759ce8475\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"6b8089ba-e257-40d5-847f-516759ce8475\",\"panelRefName\":\"panel_6b8089ba-e257-40d5-847f-516759ce8475\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d4098eb-54b0-474e-81b5-75fc222cb341\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"2d4098eb-54b0-474e-81b5-75fc222cb341\",\"panelRefName\":\"panel_2d4098eb-54b0-474e-81b5-75fc222cb341\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"panelRefName\":\"panel_bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"panelRefName\":\"panel_37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"l
egendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"panelRefName\":\"panel_690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3753bbb6-64ab-4b10-8526-232375c9da38\",\"w\":24,\"x\":0,\"y\":180},\"panelIndex\":\"3753bbb6-64ab-4b10-8526-232375c9da38\",\"panelRefName\":\"panel_3753bbb6-64ab-4b10-8526-232375c9da38\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"panelRefName\":\"panel_ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"97611e00-8013-43c4-856d-54b0e78313d5\",\"w\":24,\"x\":0,\"y\":195},\"panelIndex\":\"97611e00-8013-43c4-856d-54b0e78313d5\",\"panelRefName\":\"panel_97611e00-8013-43c4-856d-54b0e78313d5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"32296ddd-d26c-431a-8227-7ee72592cb3e\",\"w\":24,\"x\":24,\"y\":180},\"panelIndex\":\"32296ddd-d26c-431a-8227-7ee72592cb3e\",\"panelRefName\":\"panel_32296ddd-d26c-431a-8227-7ee72592cb3e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1394aa3a-d711-4634-9623-5dbaff400068\",\"w\":24,\"x\":0,\"y\":210},\"panelIndex\":\"1394aa3a-d711-4634-9623-5dbaff400068\",\"panelRefName\":\"panel_1394aa3a-d711-4634-9623-5dbaff400068\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"w\":24,\"x\":24,\"y\":195},\
"panelIndex\":\"4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"panelRefName\":\"panel_4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"w\":24,\"x\":0,\"y\":225},\"panelIndex\":\"5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"panelRefName\":\"panel_5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"w\":24,\"x\":24,\"y\":210},\"panelIndex\":\"2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"panelRefName\":\"panel_2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] UBA", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a03670f0-7208-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-f1c99420-7207-11ec-8c4b-cb281099ee02", - "name": "3b340e55-d9eb-4304-a0d3-583150bd54eb:panel_3b340e55-d9eb-4304-a0d3-583150bd54eb", - "type": "visualization" - }, - { - "id": "netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02", - "name": "df123261-3370-4572-b118-09a2654264f2:panel_df123261-3370-4572-b118-09a2654264f2", - "type": "visualization" - }, - { - "id": "netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02", - "name": "649b0d8e-5d17-411d-9117-a63ad74960f1:panel_649b0d8e-5d17-411d-9117-a63ad74960f1", - "type": "visualization" - }, - { - "id": "netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02", - "name": "92b99046-01c4-413a-84dd-93ad174171b0:panel_92b99046-01c4-413a-84dd-93ad174171b0", - "type": "visualization" - }, - { - "id": "netskope-bc70e470-7209-11ec-8c4b-cb281099ee02", - "name": 
"aa10cc62-fe46-420a-88fc-9df0b78e58c1:panel_aa10cc62-fe46-420a-88fc-9df0b78e58c1", - "type": "visualization" - }, - { - "id": "netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02", - "name": "3d78958c-581d-4ad4-a768-346a4f234b25:panel_3d78958c-581d-4ad4-a768-346a4f234b25", - "type": "visualization" - }, - { - "id": "netskope-648c79d0-720a-11ec-8c4b-cb281099ee02", - "name": "cee9c637-74f0-42bd-8a30-7c8b8cb4ed01:panel_cee9c637-74f0-42bd-8a30-7c8b8cb4ed01", - "type": "visualization" - }, - { - "id": "netskope-03150a40-720b-11ec-8c4b-cb281099ee02", - "name": "9422ea18-43fb-4271-9c06-bfb40b9f9c78:panel_9422ea18-43fb-4271-9c06-bfb40b9f9c78", - "type": "visualization" - }, - { - "id": "netskope-0922ae70-720a-11ec-8c4b-cb281099ee02", - "name": "e0b7f071-f82f-457c-ad45-de3f45cd9ee8:panel_e0b7f071-f82f-457c-ad45-de3f45cd9ee8", - "type": "visualization" - }, - { - "id": "netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02", - "name": "b205b75e-5675-49ed-90d3-f183e7b80d2f:panel_b205b75e-5675-49ed-90d3-f183e7b80d2f", - "type": "visualization" - }, - { - "id": "netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02", - "name": "5513d359-dd47-44a7-856b-fadc0178aa5f:panel_5513d359-dd47-44a7-856b-fadc0178aa5f", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "ccf70172-a85b-40e1-a616-b3b1e9a6088c:panel_ccf70172-a85b-40e1-a616-b3b1e9a6088c", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "6c932713-9d4b-430a-a799-6d31b45ecacf:panel_6c932713-9d4b-430a-a799-6d31b45ecacf", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "c483ecaf-49f8-4dc5-b0f0-0e1339a67d22:panel_c483ecaf-49f8-4dc5-b0f0-0e1339a67d22", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "90096c7a-a554-4a30-89a3-7d0d63ea804c:panel_90096c7a-a554-4a30-89a3-7d0d63ea804c", - "type": "visualization" - }, - { - "id": 
"netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "cd490c17-67ea-4bd1-aa9a-88f1a9c139b5:panel_cd490c17-67ea-4bd1-aa9a-88f1a9c139b5", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "0b6ca0f2-57a6-4e90-9592-56bb052d4ca7:panel_0b6ca0f2-57a6-4e90-9592-56bb052d4ca7", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "650391d6-5467-4b6e-b529-f89b34cacdee:panel_650391d6-5467-4b6e-b529-f89b34cacdee", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "6b8089ba-e257-40d5-847f-516759ce8475:panel_6b8089ba-e257-40d5-847f-516759ce8475", - "type": "visualization" - }, - { - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "2d4098eb-54b0-474e-81b5-75fc222cb341:panel_2d4098eb-54b0-474e-81b5-75fc222cb341", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "bbc3957b-53a2-47dd-9760-56f8ceb5289d:panel_bbc3957b-53a2-47dd-9760-56f8ceb5289d", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "37776b9c-bfc6-4c6f-9079-2c0d23fe4a89:panel_37776b9c-bfc6-4c6f-9079-2c0d23fe4a89", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "690c706e-c8bc-4f19-ab9e-9ba64e268647:panel_690c706e-c8bc-4f19-ab9e-9ba64e268647", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "3753bbb6-64ab-4b10-8526-232375c9da38:panel_3753bbb6-64ab-4b10-8526-232375c9da38", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "ebec8d00-4d63-44cd-9970-4882fcf5108f:panel_ebec8d00-4d63-44cd-9970-4882fcf5108f", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "97611e00-8013-43c4-856d-54b0e78313d5:panel_97611e00-8013-43c4-856d-54b0e78313d5", - 
"type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "32296ddd-d26c-431a-8227-7ee72592cb3e:panel_32296ddd-d26c-431a-8227-7ee72592cb3e", - "type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": "1394aa3a-d711-4634-9623-5dbaff400068:panel_1394aa3a-d711-4634-9623-5dbaff400068", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "4812c275-ae66-4de9-913e-4ebe6b8a7782:panel_4812c275-ae66-4de9-913e-4ebe6b8a7782", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc:panel_5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "2be4e6e2-c325-4e05-9ed7-bb4534507f5a:panel_2be4e6e2-c325-4e05-9ed7-bb4534507f5a", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1ef5de3f2e..0000000000 --- a/packages/netskope/1.0.1/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"policy\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"policy\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"baaf2231-c596-479b-b0ad-238fc8c7405f\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"baaf2231-c596-479b-b0ad-238fc8c7405f\",\"panelRefName\":\"panel_baaf2231-c596-479b-b0ad-238fc8c7405f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"4202f297-6899-4b88-8d71-286c85369671\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4202f297-6899-4b88-8d71-286c85369671\",\"panelRefName\":\"panel_4202f297-6899-4b88-8d71-286c85369671\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"panelRefName\":\"panel_5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"714f5073-96fc-4838-a2b3-987a3b62bc33\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"714f5073-96fc-4838-a2b3-987a3b62bc33\",\"panelRefName\":\"panel_714f5073-96fc-4838-a2b3-987a3b62bc33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embed
dableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"323b1896-5cd9-4382-982c-7be72721ae48\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"323b1896-5cd9-4382-982c-7be72721ae48\",\"panelRefName\":\"panel_323b1896-5cd9-4382-982c-7be72721ae48\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bf72a578-2949-4de8-b4de-5d56b067efd0\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"bf72a578-2949-4de8-b4de-5d56b067efd0\",\"panelRefName\":\"panel_bf72a578-2949-4de8-b4de-5d56b067efd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"panelRefName\":\"panel_069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"panelRefName\":\"panel_f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"panelRefName\":\"panel_ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"panelRefName\":\"panel_f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"648b3fc0-5826-4478-a8a8-be02
ec93b757\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"648b3fc0-5826-4478-a8a8-be02ec93b757\",\"panelRefName\":\"panel_648b3fc0-5826-4478-a8a8-be02ec93b757\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"panelRefName\":\"panel_5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"365a5a5d-0a5a-4723-935c-346fafc76c55\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"365a5a5d-0a5a-4723-935c-346fafc76c55\",\"panelRefName\":\"panel_365a5a5d-0a5a-4723-935c-346fafc76c55\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"panelRefName\":\"panel_8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"panelRefName\":\"panel_6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd2a100e-72d7-4432-8fdf-2b8185964894\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"fd2a100e-72d7-4432-8fdf-2b8185964894\",\"panelRefName\":\"panel_fd2a100e-72d7-4432-8fdf-2b8185964894\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0a553ef7-103e-495c-9e6d-3e3fe2945fbe\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"0a553ef7-103e-495c-9e6d-3e3fe2945fbe\
",\"panelRefName\":\"panel_0a553ef7-103e-495c-9e6d-3e3fe2945fbe\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"panelRefName\":\"panel_d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"36f7a988-2b45-4ce1-b613-5a97f2708865\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"36f7a988-2b45-4ce1-b613-5a97f2708865\",\"panelRefName\":\"panel_36f7a988-2b45-4ce1-b613-5a97f2708865\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"panelRefName\":\"panel_cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"162ca71c-5ea9-44d1-9667-c48682cd7292\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"162ca71c-5ea9-44d1-9667-c48682cd7292\",\"panelRefName\":\"panel_162ca71c-5ea9-44d1-9667-c48682cd7292\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4e858190-599f-4e73-8772-c8a0d3fe103f\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"4e858190-599f-4e73-8772-c8a0d3fe103f\",\"panelRefName\":\"panel_4e858190-599f-4e73-8772-c8a0d3fe103f\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] Policy", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02", - "name": "baaf2231-c596-479b-b0ad-238fc8c7405f:panel_baaf2231-c596-479b-b0ad-238fc8c7405f", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "4202f297-6899-4b88-8d71-286c85369671:panel_4202f297-6899-4b88-8d71-286c85369671", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "5a6d5d65-1709-4f03-8bfb-f8fc721c932d:panel_5a6d5d65-1709-4f03-8bfb-f8fc721c932d", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "714f5073-96fc-4838-a2b3-987a3b62bc33:panel_714f5073-96fc-4838-a2b3-987a3b62bc33", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "323b1896-5cd9-4382-982c-7be72721ae48:panel_323b1896-5cd9-4382-982c-7be72721ae48", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "bf72a578-2949-4de8-b4de-5d56b067efd0:panel_bf72a578-2949-4de8-b4de-5d56b067efd0", - "type": "visualization" - }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "069358fe-da68-4d45-a0f0-aa7eaa4c1db7:panel_069358fe-da68-4d45-a0f0-aa7eaa4c1db7", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "f4521dff-0b61-4d7c-b86d-8cd3fe341b61:panel_f4521dff-0b61-4d7c-b86d-8cd3fe341b61", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "ca498f3d-dee7-4ad3-ad0b-92e9719890f6:panel_ca498f3d-dee7-4ad3-ad0b-92e9719890f6", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "f7bb1094-f089-4f2d-98b2-8ad73597a045:panel_f7bb1094-f089-4f2d-98b2-8ad73597a045", - "type": "visualization" - }, - { - "id": 
"netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "648b3fc0-5826-4478-a8a8-be02ec93b757:panel_648b3fc0-5826-4478-a8a8-be02ec93b757", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "5ac14a5f-c30a-4e76-8d13-984f21ceb9ba:panel_5ac14a5f-c30a-4e76-8d13-984f21ceb9ba", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "365a5a5d-0a5a-4723-935c-346fafc76c55:panel_365a5a5d-0a5a-4723-935c-346fafc76c55", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "8dce8a31-9c43-4a5c-afcd-a0ca9cdda312:panel_8dce8a31-9c43-4a5c-afcd-a0ca9cdda312", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "6bfbea77-62ee-49f6-a0c4-d38b5894a137:panel_6bfbea77-62ee-49f6-a0c4-d38b5894a137", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "fd2a100e-72d7-4432-8fdf-2b8185964894:panel_fd2a100e-72d7-4432-8fdf-2b8185964894", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "0a553ef7-103e-495c-9e6d-3e3fe2945fbe:panel_0a553ef7-103e-495c-9e6d-3e3fe2945fbe", - "type": "visualization" - }, - { - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "name": "d7e9ce08-5c56-4606-a7c9-afc702edee17:panel_d7e9ce08-5c56-4606-a7c9-afc702edee17", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "36f7a988-2b45-4ce1-b613-5a97f2708865:panel_36f7a988-2b45-4ce1-b613-5a97f2708865", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "cbc5ad63-8ee6-4f93-8502-60ceb118e14e:panel_cbc5ad63-8ee6-4f93-8502-60ceb118e14e", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "162ca71c-5ea9-44d1-9667-c48682cd7292:panel_162ca71c-5ea9-44d1-9667-c48682cd7292", - 
"type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": "4e858190-599f-4e73-8772-c8a0d3fe103f:panel_4e858190-599f-4e73-8772-c8a0d3fe103f", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 36550b0059..0000000000 --- a/packages/netskope/1.0.1/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"729f9e92-d075-4a1a-bcf0-db456d39e724\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"729f9e92-d075-4a1a-bcf0-db456d39e724\",\"panelRefName\":\"panel_729f9e92-d075-4a1a-bcf0-db456d39e724\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"panelRefName\":\"panel_1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"panelRefName\":\"panel_66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"panelRefName\":\"panel_e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"type\":\"visualization\",\"versio
n\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"92b187cb-5b44-404e-890b-fa8326868e36\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"92b187cb-5b44-404e-890b-fa8326868e36\",\"panelRefName\":\"panel_92b187cb-5b44-404e-890b-fa8326868e36\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"panelRefName\":\"panel_89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"23dfb547-1341-4b1a-9011-02f307aed221\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"23dfb547-1341-4b1a-9011-02f307aed221\",\"panelRefName\":\"panel_23dfb547-1341-4b1a-9011-02f307aed221\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"panelRefName\":\"panel_2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"panelRefName\":\"panel_faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"panelRefName\":\"panel_a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"55bd
a241-c95f-4c9f-ad5b-8a199890b163\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"55bda241-c95f-4c9f-ad5b-8a199890b163\",\"panelRefName\":\"panel_55bda241-c95f-4c9f-ad5b-8a199890b163\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8eee17e1-802f-47f7-b29d-669762b68849\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8eee17e1-802f-47f7-b29d-669762b68849\",\"panelRefName\":\"panel_8eee17e1-802f-47f7-b29d-669762b68849\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"panelRefName\":\"panel_9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"panelRefName\":\"panel_decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"41f74a84-f471-4895-9443-cdf02a955cd8\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"41f74a84-f471-4895-9443-cdf02a955cd8\",\"panelRefName\":\"panel_41f74a84-f471-4895-9443-cdf02a955cd8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"panelRefName\":\"panel_ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f3a73b11-012a-4517-9a2f-623494321346\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"f3a73b11-012a
-4517-9a2f-623494321346\",\"panelRefName\":\"panel_f3a73b11-012a-4517-9a2f-623494321346\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f43a0df7-6e17-4523-891c-04e65c22ad22\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"f43a0df7-6e17-4523-891c-04e65c22ad22\",\"panelRefName\":\"panel_f43a0df7-6e17-4523-891c-04e65c22ad22\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"774541fd-cefb-422b-ac26-12f4b8528e7e\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"774541fd-cefb-422b-ac26-12f4b8528e7e\",\"panelRefName\":\"panel_774541fd-cefb-422b-ac26-12f4b8528e7e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"38569123-9613-46c8-ae0f-10f87bee71ed\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"38569123-9613-46c8-ae0f-10f87bee71ed\",\"panelRefName\":\"panel_38569123-9613-46c8-ae0f-10f87bee71ed\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"panelRefName\":\"panel_a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"panelRefName\":\"panel_1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"89576865-7807-4305-abee-1b92248de9fc\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"89576865-7807-4305-abee-1b92248de9fc\",\"panelRefName\":\"panel_89576865-7807-4305-abee-1b92248de9fc\",\"type\":\"visualization\",\"
version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"panelRefName\":\"panel_2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] DLP", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-516130e0-71eb-11ec-8c4b-cb281099ee02", - "name": "729f9e92-d075-4a1a-bcf0-db456d39e724:panel_729f9e92-d075-4a1a-bcf0-db456d39e724", - "type": "visualization" - }, - { - "id": "netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02", - "name": "1c47cf4d-6ec1-48fd-9db4-237bbf50dcde:panel_1c47cf4d-6ec1-48fd-9db4-237bbf50dcde", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc:panel_66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c:panel_e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c", - "type": "visualization" - }, - { - "id": "netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02", - "name": "92b187cb-5b44-404e-890b-fa8326868e36:panel_92b187cb-5b44-404e-890b-fa8326868e36", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9:panel_89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "23dfb547-1341-4b1a-9011-02f307aed221:panel_23dfb547-1341-4b1a-9011-02f307aed221", - "type": "visualization" 
- }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b:panel_2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "faced4fb-cc57-4a4e-a51b-5b27fda57ab0:panel_faced4fb-cc57-4a4e-a51b-5b27fda57ab0", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "a2bf7e9f-4500-4848-b180-0a567d702d6b:panel_a2bf7e9f-4500-4848-b180-0a567d702d6b", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "55bda241-c95f-4c9f-ad5b-8a199890b163:panel_55bda241-c95f-4c9f-ad5b-8a199890b163", - "type": "visualization" - }, - { - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "8eee17e1-802f-47f7-b29d-669762b68849:panel_8eee17e1-802f-47f7-b29d-669762b68849", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "9175a01c-5781-4771-b5ab-fceaf12bfcc7:panel_9175a01c-5781-4771-b5ab-fceaf12bfcc7", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "decfcd4a-6565-43ab-bccf-0ba7a992fd94:panel_decfcd4a-6565-43ab-bccf-0ba7a992fd94", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "41f74a84-f471-4895-9443-cdf02a955cd8:panel_41f74a84-f471-4895-9443-cdf02a955cd8", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0:panel_ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "f3a73b11-012a-4517-9a2f-623494321346:panel_f3a73b11-012a-4517-9a2f-623494321346", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": 
"f43a0df7-6e17-4523-891c-04e65c22ad22:panel_f43a0df7-6e17-4523-891c-04e65c22ad22", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "774541fd-cefb-422b-ac26-12f4b8528e7e:panel_774541fd-cefb-422b-ac26-12f4b8528e7e", - "type": "visualization" - }, - { - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "name": "38569123-9613-46c8-ae0f-10f87bee71ed:panel_38569123-9613-46c8-ae0f-10f87bee71ed", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "a9d1659e-0caf-416c-8520-f96b7e765fb1:panel_a9d1659e-0caf-416c-8520-f96b7e765fb1", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "1e02ac55-c2e1-4383-a282-129bcf97ef4f:panel_1e02ac55-c2e1-4383-a282-129bcf97ef4f", - "type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": "89576865-7807-4305-abee-1b92248de9fc:panel_89576865-7807-4305-abee-1b92248de9fc", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "2b3e3a8f-4689-4aad-a5ef-8380200768c0:panel_2b3e3a8f-4689-4aad-a5ef-8380200768c0", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8f2f13b1cf..0000000000 --- a/packages/netskope/1.0.1/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"9b39019c-58f4-4613-9109-2865e86acee2\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"9b39019c-58f4-4613-9109-2865e86acee2\",\"panelRefName\":\"panel_9b39019c-58f4-4613-9109-2865e86acee2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"panelRefName\":\"panel_ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"panelRefName\":\"panel_8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"fa6b11ac-3e40-4a52-9596-52d73081690d\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"fa6b11ac-3e40-4a52-9596-52d73081690d\",\"panelRefName\":\"panel_fa6b11ac-3e40-4a52-9596-52d73081690d\",\"type\":\"visualizat
ion\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"panelRefName\":\"panel_a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"panelRefName\":\"panel_ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b7a38f86-d6e4-45d5-a490-34a522910597\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"b7a38f86-d6e4-45d5-a490-34a522910597\",\"panelRefName\":\"panel_b7a38f86-d6e4-45d5-a490-34a522910597\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"panelRefName\":\"panel_8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"panelRefName\":\"panel_3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"428a29ce-c3cf-4c1e-8884-28216396972a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"428a29ce-c3cf-4c1e-8884-28216396972a\",\"panelRefName\":\"panel_428a29ce-c3cf-4c1e-8884-28216396972a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":1
5,\"i\":\"8236132e-146b-46b9-80c7-8566b41ac58c\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"8236132e-146b-46b9-80c7-8566b41ac58c\",\"panelRefName\":\"panel_8236132e-146b-46b9-80c7-8566b41ac58c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"panelRefName\":\"panel_bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"87729323-edef-43f8-9ec7-b9c3212ba067\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"87729323-edef-43f8-9ec7-b9c3212ba067\",\"panelRefName\":\"panel_87729323-edef-43f8-9ec7-b9c3212ba067\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"panelRefName\":\"panel_6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"panelRefName\":\"panel_014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"29065c13-ac1a-49d3-a76e-de75726936ac\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"29065c13-ac1a-49d3-a76e-de75726936ac\",\"panelRefName\":\"panel_29065c13-ac1a-49d3-a76e-de75726936ac\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"w\":24,\"x\":
0,\"y\":120},\"panelIndex\":\"49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"panelRefName\":\"panel_49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"13b86156-05e3-4be7-98b9-1e4b9833c411\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"13b86156-05e3-4be7-98b9-1e4b9833c411\",\"panelRefName\":\"panel_13b86156-05e3-4be7-98b9-1e4b9833c411\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"panelRefName\":\"panel_fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1aa39804-8029-4770-bc25-e2e94a29e83b\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"1aa39804-8029-4770-bc25-e2e94a29e83b\",\"panelRefName\":\"panel_1aa39804-8029-4770-bc25-e2e94a29e83b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"panelRefName\":\"panel_85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Events] Page", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", - "name": "9b39019c-58f4-4613-9109-2865e86acee2:panel_9b39019c-58f4-4613-9109-2865e86acee2", - "type": "visualization" - }, 
- { - "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", - "name": "ad69cae5-30ec-424e-b6b9-44e3d3979273:panel_ad69cae5-30ec-424e-b6b9-44e3d3979273", - "type": "visualization" - }, - { - "id": "netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02", - "name": "8c6f7513-48aa-4457-ab23-7e528bfe1dcd:panel_8c6f7513-48aa-4457-ab23-7e528bfe1dcd", - "type": "visualization" - }, - { - "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", - "name": "fa6b11ac-3e40-4a52-9596-52d73081690d:panel_fa6b11ac-3e40-4a52-9596-52d73081690d", - "type": "visualization" - }, - { - "id": "netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02", - "name": "a1e0af01-0501-4fa8-96ab-b5f8cccd50c3:panel_a1e0af01-0501-4fa8-96ab-b5f8cccd50c3", - "type": "visualization" - }, - { - "id": "netskope-528169b0-72b6-11ec-8c4b-cb281099ee02", - "name": "ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745:panel_ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745", - "type": "visualization" - }, - { - "id": "netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02", - "name": "b7a38f86-d6e4-45d5-a490-34a522910597:panel_b7a38f86-d6e4-45d5-a490-34a522910597", - "type": "visualization" - }, - { - "id": "netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02", - "name": "8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5:panel_8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5", - "type": "visualization" - }, - { - "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", - "name": "3729697c-99a7-44aa-b08f-956fbdd7fd52:panel_3729697c-99a7-44aa-b08f-956fbdd7fd52", - "type": "visualization" - }, - { - "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", - "name": "428a29ce-c3cf-4c1e-8884-28216396972a:panel_428a29ce-c3cf-4c1e-8884-28216396972a", - "type": "visualization" - }, - { - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "name": "8236132e-146b-46b9-80c7-8566b41ac58c:panel_8236132e-146b-46b9-80c7-8566b41ac58c", - "type": "visualization" - }, - { - "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "name": 
"bc8801ce-4f2e-43ee-94f9-7dbed415fa95:panel_bc8801ce-4f2e-43ee-94f9-7dbed415fa95", - "type": "visualization" - }, - { - "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "name": "87729323-edef-43f8-9ec7-b9c3212ba067:panel_87729323-edef-43f8-9ec7-b9c3212ba067", - "type": "visualization" - }, - { - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "name": "6ae15ec6-52a8-4037-82f4-0c6d6438a301:panel_6ae15ec6-52a8-4037-82f4-0c6d6438a301", - "type": "visualization" - }, - { - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "name": "014d7310-feb8-4078-9ff4-4174cf8f0c7a:panel_014d7310-feb8-4078-9ff4-4174cf8f0c7a", - "type": "visualization" - }, - { - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "name": "29065c13-ac1a-49d3-a76e-de75726936ac:panel_29065c13-ac1a-49d3-a76e-de75726936ac", - "type": "visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": "49f8d21b-3a7b-4d6e-a478-e815766c292a:panel_49f8d21b-3a7b-4d6e-a478-e815766c292a", - "type": "visualization" - }, - { - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "name": "13b86156-05e3-4be7-98b9-1e4b9833c411:panel_13b86156-05e3-4be7-98b9-1e4b9833c411", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8:panel_fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8", - "type": "visualization" - }, - { - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "name": "1aa39804-8029-4770-bc25-e2e94a29e83b:panel_1aa39804-8029-4770-bc25-e2e94a29e83b", - "type": "visualization" - }, - { - "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", - "name": "85675e54-cd8f-4ca1-b0a6-e4f2766011e2:panel_85675e54-cd8f-4ca1-b0a6-e4f2766011e2", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index f6150287fe..0000000000 --- a/packages/netskope/1.0.1/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"panelRefName\":\"panel_7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"w\":24,\"x\":0,\"y\":5},\"panelIndex\":\"a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"panelRefName\":\"panel_a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"w\":24,\"x\":24,\"y\":5},\"panelIndex\":\"3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"panelRefName\":\"panel_3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"panelRefName\":\"panel_758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"panelRefName\":\"panel_50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\
"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"panelRefName\":\"panel_92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e71428cd-6aa7-410e-9401-b00c6661589d\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"e71428cd-6aa7-410e-9401-b00c6661589d\",\"panelRefName\":\"panel_e71428cd-6aa7-410e-9401-b00c6661589d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"panelRefName\":\"panel_5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e6adbd85-a30a-4210-a05a-0c56c2362657\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"e6adbd85-a30a-4210-a05a-0c56c2362657\",\"panelRefName\":\"panel_e6adbd85-a30a-4210-a05a-0c56c2362657\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"w\":24,\"x\":0,\"y\":65},\"panelIndex\":\"3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"panelRefName\":\"panel_3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"w\":24,\"x\":24,\"y\":65},\"panelIndex\":\"a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"panelRefName\":\"panel_a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"651622f6-9e33-486b-b99
6-6fe0a89d3ad9\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"651622f6-9e33-486b-b996-6fe0a89d3ad9\",\"panelRefName\":\"panel_651622f6-9e33-486b-b996-6fe0a89d3ad9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"panelRefName\":\"panel_454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"w\":24,\"x\":0,\"y\":95},\"panelIndex\":\"bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"panelRefName\":\"panel_bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"22dad9c8-4909-4efa-9f59-02a3ca979151\",\"w\":24,\"x\":24,\"y\":95},\"panelIndex\":\"22dad9c8-4909-4efa-9f59-02a3ca979151\",\"panelRefName\":\"panel_22dad9c8-4909-4efa-9f59-02a3ca979151\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"w\":24,\"x\":0,\"y\":110},\"panelIndex\":\"8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"panelRefName\":\"panel_8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"w\":24,\"x\":24,\"y\":110},\"panelIndex\":\"a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"panelRefName\":\"panel_a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7846948a-db42-497c-b956-ac5d7dd7383d\",\"w\":24,\"x\":0,\"y\":140},\"panelIndex\":\"7846948a-db42-497c-b956-ac5d7dd
7383d\",\"panelRefName\":\"panel_7846948a-db42-497c-b956-ac5d7dd7383d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"w\":24,\"x\":24,\"y\":125},\"panelIndex\":\"8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"panelRefName\":\"panel_8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"de6f44ab-bef8-4518-bbb0-4afde2144001\",\"w\":24,\"x\":0,\"y\":125},\"panelIndex\":\"de6f44ab-bef8-4518-bbb0-4afde2144001\",\"panelRefName\":\"panel_de6f44ab-bef8-4518-bbb0-4afde2144001\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"w\":24,\"x\":24,\"y\":140},\"panelIndex\":\"b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"panelRefName\":\"panel_b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"w\":24,\"x\":0,\"y\":155},\"panelIndex\":\"d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"panelRefName\":\"panel_d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"w\":24,\"x\":24,\"y\":155},\"panelIndex\":\"17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"panelRefName\":\"panel_17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope] Alerts Overview", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": 
"netskope-de309310-71d9-11ec-8c4b-cb281099ee02", - "name": "7b3d09e3-1987-4202-a3a7-6f0ea3c441d3:panel_7b3d09e3-1987-4202-a3a7-6f0ea3c441d3", - "type": "visualization" - }, - { - "id": "netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02", - "name": "a6294ee5-eaed-4c98-9e3d-2ddcc1c24649:panel_a6294ee5-eaed-4c98-9e3d-2ddcc1c24649", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "3f9bbd86-5074-4a11-82e0-dd80b2727b63:panel_3f9bbd86-5074-4a11-82e0-dd80b2727b63", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "758d5f91-4e32-4dba-b9a2-78dd39a2ae33:panel_758d5f91-4e32-4dba-b9a2-78dd39a2ae33", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "50a67c99-45bf-4877-a02a-1c2fbabf5a7d:panel_50a67c99-45bf-4877-a02a-1c2fbabf5a7d", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a:panel_92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "e71428cd-6aa7-410e-9401-b00c6661589d:panel_e71428cd-6aa7-410e-9401-b00c6661589d", - "type": "visualization" - }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "5296e207-4ad5-4936-b802-7a57e9bad6f5:panel_5296e207-4ad5-4936-b802-7a57e9bad6f5", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "e6adbd85-a30a-4210-a05a-0c56c2362657:panel_e6adbd85-a30a-4210-a05a-0c56c2362657", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2:panel_3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "a7581748-99c7-4a63-aa09-61a0c039fe4b:panel_a7581748-99c7-4a63-aa09-61a0c039fe4b", - 
"type": "visualization" - }, - { - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "651622f6-9e33-486b-b996-6fe0a89d3ad9:panel_651622f6-9e33-486b-b996-6fe0a89d3ad9", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "454a5cbd-3538-4448-84fc-b0f83c8a1970:panel_454a5cbd-3538-4448-84fc-b0f83c8a1970", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "bcd9b35e-19ef-42d9-847a-d7518a21b0d9:panel_bcd9b35e-19ef-42d9-847a-d7518a21b0d9", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "22dad9c8-4909-4efa-9f59-02a3ca979151:panel_22dad9c8-4909-4efa-9f59-02a3ca979151", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "8c6ab1fd-e0c5-438b-b0c9-392d90c273b1:panel_8c6ab1fd-e0c5-438b-b0c9-392d90c273b1", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "a5927e76-29f1-4c6b-85e0-ed1dee3de6c9:panel_a5927e76-29f1-4c6b-85e0-ed1dee3de6c9", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "7846948a-db42-497c-b956-ac5d7dd7383d:panel_7846948a-db42-497c-b956-ac5d7dd7383d", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "8cb62986-e557-4d71-8de0-6f88ec7535d8:panel_8cb62986-e557-4d71-8de0-6f88ec7535d8", - "type": "visualization" - }, - { - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "name": "de6f44ab-bef8-4518-bbb0-4afde2144001:panel_de6f44ab-bef8-4518-bbb0-4afde2144001", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "b2e8e6c8-d585-49c1-ba49-5a8c4fab5080:panel_b2e8e6c8-d585-49c1-ba49-5a8c4fab5080", - "type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": 
"d1633b77-5ee0-42ed-995f-d5e01cef7d3b:panel_d1633b77-5ee0-42ed-995f-d5e01cef7d3b", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "17fbf33c-a3be-4e8e-afae-195fb4a37fa8:panel_17fbf33c-a3be-4e8e-afae-195fb4a37fa8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index e63d8d3ea0..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.telemetry.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.telemetry.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Telemetery App", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Telemetry 
App\",\"exclude\":\"none\",\"field\":\"netskope.alerts.telemetry.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of UBA Alerts by Telemetery App\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-03150a40-720b-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - 
"type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index de6a746151..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.access_method\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Access Method", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access Method\",\"field\":\"netskope.events.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Access Method\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 65bda788f2..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.page.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.page.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Page Site", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Page Site\",\"field\":\"netskope.alerts.page.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Page Site\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-0922ae70-720a-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 82e9f663f4..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.category.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.category.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"netskope.events.category.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\
"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Category\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index d150083ad3..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.os.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by OS", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 97177729c6..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.sa.rule.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.sa.rule.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Top 10 Security Assessment Rule Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Security Assessment Rule Name\",\"field\":\"netskope.alerts.sa.rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Security Assessment Rule Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-187e0140-71f5-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": 
"7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 155dfcfe37..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.activity.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.activity.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Activity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Activity\",\"field\":\"netskope.alerts.activity.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"
color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Activity\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 7dcdb32b6d..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.tunnel.up_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.up_time\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Tunnel Uptime Over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Tunnel 
Uptime\",\"field\":\"netskope.events.tunnel.up_time\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Tunnel Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Tunnel 
Uptime\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Tunnel Uptime\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Tunnel Uptime Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 06e6a0996b..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Severity Level Over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity 
Level\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Severity Level Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-24907420-72b0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1db1e211f9..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.dlp.file\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.dlp.file\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 DLP Files", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"DLP Files\",\"field\":\"netskope.alerts.dlp.file\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 DLP Files\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b076fbb38e..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"file.mime_type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"file.mime_type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 File Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File Types\",\"field\":\"file.mime_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 File Types\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1aeeb1b3e6..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.access_method\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Access Method", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access Method\",\"field\":\"netskope.alerts.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Access Method\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index fbf09761cb..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 UBA Policy", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 UBA Policy\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 0362694068..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.managed.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.managed.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Percentage of Managed Apps", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Managed 
App\",\"field\":\"netskope.alerts.managed.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Percentage of Managed Apps\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index dd7813210d..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Network Events by Tunnel Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel 
Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Network Events by Tunnel Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-327320f0-72ac-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 55fea541c8..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Sites", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Site\",\"field\":\"netskope.events.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Sites\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 3b2074fa94..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.app.category\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.app.category\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by App Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Category\",\"field\":\"netskope.alerts.app.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine
\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by App Category\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index a5bcfcf409..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.threshold.value\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.threshold.value\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Max Threshold Value per User", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threshold 
Value\",\"field\":\"netskope.alerts.threshold.value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Max Threshold Value per User\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index e233be9f9a..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.city_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"source.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.region_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"source.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Source Location, Source Region, Source Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Location\",\"field\":\"source.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source 
Region\",\"field\":\"source.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Location, Source Region, Source Country\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 75dd366a3f..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.device.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.device.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Device", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"netskope.events.device.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Device\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 0291951a06..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.tunnel.up_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.up_time\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Highest Tunnel Uptime for Tunnel Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Max Tunnel Uptime\",\"field\":\"netskope.events.tunnel.up_time\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel 
Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Highest Tunnel Uptime for Tunnel Type\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-464ce970-72b7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 7636bd384a..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Cloud Confidence Level", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cloud Confidence Level\",\"field\":\"netskope.events.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Cloud Confidence Level\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8308ba4195..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Trend of Cloud Confidence Level Over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Cloud Confidence 
Level\",\"field\":\"netskope.alerts.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Trend of Cloud Confidence Level Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index f08ad9f6bf..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.dlp.rule.severity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.dlp.rule.severity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of DLP Alerts by DLP Rule Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"DLP Rule 
Severity\",\"field\":\"netskope.alerts.dlp.rule.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of DLP Alerts by DLP Rule Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-516130e0-71eb-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 72987c814c..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Browser, Browser Version", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Browser, Browser Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index ff92cee1a0..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.domain\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.domain\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Domain Accessed by Page Events", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"netskope.events.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Domain Accessed by Page Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-528169b0-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - 
"name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index ece13da665..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Policy used", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.events.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy used\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-55144a90-72ab-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index ea167e2cc1..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.object.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.object.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Object Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object Type\",\"field\":\"netskope.alerts.object.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"
color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Object Type\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8c2a0beaab..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.action\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"event.action\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Network Events by Action", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Network Events by Action\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 08db6fd3dc..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Policy for Quarantine Alerts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy for Quarantine Alerts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 5bc1f93605..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"policy\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"policy\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Policy Alerts by Alert Name ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert 
Name\",\"field\":\"netskope.alerts.alert.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Policy Alerts by Alert Name \",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" 
- }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 264570500c..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.app.activity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.activity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Application Activities by Application", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Application 
Activities\",\"field\":\"netskope.events.app.activity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Application\",\"field\":\"netskope.events.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Application Activities by Application\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5e243140-72b5-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index c8ee17f5e9..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Application Activities", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Applications\",\"field\":\"netskope.events.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Application Activities\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 585f434e24..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.acked\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.acked\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by Acknowledgement", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"netskope.alerts.acked : false\"},\"label\":\"False\"},{\"input\":{\"language\":\"kuery\",\"query\":\"netskope.alerts.acked : true\"},\"label\":\"True\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Acknowledgement\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 35dd2ab157..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.actions\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.actions\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Policy Action", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy 
Action\",\"field\":\"netskope.alerts.policy.actions\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Policy Action\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-648c79d0-720a-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index a6e659852a..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Source Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Country\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b66ef1d6cd..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.device.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.device.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Infrastructure Events by Device Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device 
Name\",\"field\":\"netskope.events.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Infrastructure Events by Device Name\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-719e0f30-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index a801c22acc..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Page Accessed by Page Events", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Page Accessed by Page Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index c50947064c..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.ip.protocol\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ip.protocol\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Networks Events by IP Protocol", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IP 
Protocol\",\"field\":\"netskope.events.ip.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Networks Events by IP Protocol\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8bc7685fcb..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.region.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.region.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of SA Alerts by Region Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Region 
Name\",\"field\":\"netskope.alerts.region.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of SA Alerts by Region Name\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index d51452f475..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.file.lang\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.file.lang\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by File Language ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File Language\",\"field\":\"netskope.alerts.file.lang\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by File Language \",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 5f68195714..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Site", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Site\",\"field\":\"netskope.alerts.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Site\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 9453bd293f..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by Cloud Confidence Level", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cloud Confidence Level\",\"field\":\"netskope.alerts.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Cloud Confidence Level\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 65c66d83c7..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.orig_ty\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.orig_ty\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Event Type of Original Event ", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event type of Original 
Event\",\"field\":\"netskope.alerts.orig_ty\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Event Type of Original Event \",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 179a06a4ba..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.access_method\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top Users By Access Method", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access 
Method\",\"field\":\"netskope.events.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top Users By Access Method\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b21098fd2a..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Top 10 Alert Type by User ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Alert Type by User 
\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 63cd952080..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.country_iso_code\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"destination.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.region_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"destination.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Destination Location, Destination Region, Destination Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination 
Region\",\"field\":\"destination.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Country\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Location, Destination Region, Destination Country\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 24544002e8..0000000000 
--- a/packages/netskope/1.0.1/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.original.shared\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.original.shared\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Quarantine Events by File Shared ", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File 
Shared\",\"field\":\"netskope.alerts.quarantine.original.shared\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Quarantine Events by File Shared \",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 26b81c25f7..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Source Location", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Location\",\"field\":\"source.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Location\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index aa1a3fd85e..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.audit.log.event\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.audit.log.event\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Audit Events by User, Audit Log Event", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Audit Log 
Event\",\"field\":\"netskope.events.audit.log.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Distribution of Audit Events by User, Audit Log Event\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 0510139e15..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index dbdd28303a..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.object.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.object.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Objects which is being acted on", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object\",\"field\":\"netskope.events.object.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Objects which is being acted on\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-917c9230-72b5-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ 
- { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 53cadf2c6b..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Trend of Cloud Confidence Level Over Time for Events", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Cloud Confidence 
Level\",\"field\":\"netskope.events.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Trend of Cloud Confidence Level Over Time for Events\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 95533fb16a..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by Browser", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Browser\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b2644fad90..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Security Assessment Alert Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Name\",\"field\":\"netskope.alerts.alert.name\",\"json\":\"\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Security Assessment Alert Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, 
- "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 6b50b42626..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"network.protocol\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Networks Events by Protocol", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Networks Events by 
Protocol\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 344a4153b5..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Application Events by Browser", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Application Events by Browser\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", 
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 613ab40309..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.request.count\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.request.count\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Request Count for Page", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Request 
Count\",\"field\":\"netskope.events.request.count\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Request Count for Page\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index c7a1d45680..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.object.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.object.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Application Events by Object Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object 
Type\",\"field\":\"netskope.events.object.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Application Events by Object Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 3972019d7b..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.traffic.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.traffic.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Traffic Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Traffic Type\",\"field\":\"netskope.alerts.traffic.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Traffic Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", 
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index bf2807eacf..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Netskope][Events] Select Event Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"netskope.events.event_type\",\"id\":\"1641881851553\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Event Type Selection\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"[Netskope][Events] Select Event Type\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8dc80cbff7..0000000000 
--- a/packages/netskope/1.0.1/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.alerts.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] 
Distribution of UBA Alerts by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index bc2e9cf751..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.region_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Source Region", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Region\",\"field\":\"source.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#
E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Source Region\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 65b9d928d6..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Destination Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Country\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Country\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index e157906e4e..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.os.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by OS Version", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts 
by OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-bc70e470-7209-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 054db583b4..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.device.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.device.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by Device", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"netskope.alerts.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\
"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Device\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index fdc31c9ea6..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Top 10 Quarantine Applications", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Quarantine Application\",\"field\":\"netskope.alerts.quarantine.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Quarantine Applications\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 875f0b687c..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Severity Over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":13},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palet
te\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Severity Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 48b1e7a670..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.app.category\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.category\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by App Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Category\",\"field\":\"netskope.events.app.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine
\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by App Category\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 44b8effcdb..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Users doing Activities ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Users doing Activities \",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b108b09856..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.app.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Top 10 Apps", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Applications\",\"field\":\"netskope.alerts.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Apps\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 39f63b6634..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,
\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Type\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index ff38d96f8b..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Destination Location", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Location\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index cfa47a672b..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.traffic.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.traffic.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Traffic Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Traffic Type\",\"field\":\"netskope.events.traffic.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Traffic Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index bbac81c480..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.response.count\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.response.count\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Response Count for Page", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response 
Count\",\"field\":\"netskope.events.response.count\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Response Count for Page\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 3de7dd6294..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.os.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.os.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by OS, OS Version", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by OS, OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index eba12a9f4e..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Policy ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Top 10 DLP Policy\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy \",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 354947d7c5..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Netskope][Alerts] Select Alert Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"netskope.alerts.type\",\"id\":\"1641794009450\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Alert Type Selection\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"[Netskope][Alerts] Select Alert Type\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-de309310-71d9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index de6dadfd9d..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.event_type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Event Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"netskope.events.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Event Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { 
- "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1dde9bccd5..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.alarm.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.alarm.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Infrastructure Events by Alarm Name ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alarm 
Name\",\"field\":\"netskope.events.alarm.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Infrastructure Events by Alarm Name \",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 74969e6a5d..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"netskope.events.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false
,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Type\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 414d3d6f30..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.device.classification\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.device.classification\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Device Classification", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device 
Classification\",\"field\":\"netskope.alerts.device.classification\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Device Classification\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index fc285b9b3f..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Alert Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert 
Name\",\"field\":\"netskope.alerts.alert.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of UBA Alerts by Alert Name\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f1c99420-7207-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 6dbf820574..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.category.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.category.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Category ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"netskope.alerts.category.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\
"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Category \",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index e32e00549f..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.sa.rule.severity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.sa.rule.severity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of SA Alerts by SA Rule Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"SA Rule 
Severity\",\"field\":\"netskope.alerts.sa.rule.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of SA Alerts by SA Rule Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f9097160-71f3-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 5cb3c8d1e5..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Total Number of Apps Quarantined", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Quarantined Applications\",\"field\":\"netskope.alerts.quarantine.app\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Netskope] Total Number of Apps Quarantined\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index d8d371bba7..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Alert Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", 
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.1/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 9ed3fc8eca..0000000000 --- a/packages/netskope/1.0.1/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Audit Events by Severity Level", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity 
Level\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Audit Events by Severity Level\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-feb43930-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.1/manifest.yml b/packages/netskope/1.0.1/manifest.yml deleted file mode 100755 index 8804b80b62..0000000000 --- a/packages/netskope/1.0.1/manifest.yml +++ /dev/null 
@@ -1,74 +0,0 @@
-format_version: 1.0.0
-name: netskope
-title: "Netskope"
-version: 1.0.1
-license: basic
-description: Collect logs from Netskope with Elastic Agent.
-type: integration
-categories:
- - security
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/netskope-alerts-screenshot.png
- title: Netskope Alert logs screenshot
- size: 600x600
- type: image/png
- - src: /img/netskope-events-screenshot.png
- title: Netskope Event logs screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/netskope-logo.svg
- title: Netskope logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: netskope
- title: Netskope logs
- description: Collect Netskope logs
- inputs:
- - type: tcp
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
- title: Collect Netskope logs via TCP input
- description: Collecting Netskope logs via TCP input
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/network_traffic/1.3.0/changelog.yml b/packages/network_traffic/1.3.0/changelog.yml
deleted file mode 100755
index d10fe68735..0000000000
--- a/packages/network_traffic/1.3.0/changelog.yml
+++ /dev/null
@@ -1,149 +0,0 @@ -# newer versions go on top -- version: "1.3.0" - changes: - - description: Add JA3/JA3S to `related.hash` - type: enhancement - link: https://github.com/elastic/integrations/pull/3440 -- version: "1.2.0" - changes: - - description: Add option to monitor processes. - type: enhancement - link: https://github.com/elastic/integrations/pull/3456 -- version: "1.1.0" - changes: - - description: Add configuration documentation. - type: enhancement - link: https://github.com/elastic/integrations/pull/3371 -- version: "1.0.2" - changes: - - description: Remove invalid value from `event.category` for TLS and Thrift - type: bugfix - link: https://github.com/elastic/integrations/pull/3409 -- version: "1.0.1" - changes: - - description: Remove invalid value from `event.category`. - type: bugfix - link: https://github.com/elastic/integrations/pull/3384 -- version: "1.0.0" - changes: - - description: Release as GA. - type: enhancement - link: https://github.com/elastic/integrations/pull/3355 -- version: "0.10.1" - changes: - - description: Remove invalid value from `event.category` in SIP data set. - type: bugfix - link: https://github.com/elastic/integrations/pull/3343 -- version: "0.10.0" - changes: - - description: Add configuration options for each protocol. - type: enhancement - link: https://github.com/elastic/integrations/pull/3157 -- version: "0.9.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.8.2" - changes: - - description: Add missing field mappings to DNS and TLS data streams. - type: bugfix - link: https://github.com/elastic/integrations/pull/3078 -- version: "0.8.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.8.0" - changes: - - description: Change release stability to beta. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.1" - changes: - - description: Fix mapping for tls.detailed.client_certificate_chain. - type: bugfix - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.0" - changes: - - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/2762 -- version: "0.6.3" - changes: - - description: Add license note to README. - type: bugfix - link: https://github.com/elastic/integrations/pull/2809 -- version: "0.6.2" - changes: - - description: Add fields for TLS random data and OCSP status. - type: enhancement - link: https://github.com/elastic/integrations/pull/2703 -- version: "0.6.1" - changes: - - description: Remove unused field metadata. - type: enhancement - link: https://github.com/elastic/integrations/pull/2648 -- version: "0.6.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2426 -- version: "0.5.1" - changes: - - description: Fix mapping for tls.detailed.server_certificate_chain - type: bugfix - link: https://github.com/elastic/integrations/pull/2517 -- version: "0.5.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2224 -- version: "0.4.2" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2097 -- version: "0.4.1" - changes: - - description: Update Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1975 -- version: "0.4.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1669 -- version: "0.3.0" - changes: - - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream. - type: enhancement - link: https://github.com/elastic/integrations/pull/1764 -- version: "0.2.2" - changes: - - description: Requires version 7.14.1 of the stack - type: bugfix - link: https://github.com/elastic/integrations/pull/1541 -- version: "0.2.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.2.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/21 diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/1.3.0/data_stream/amqp/agent/stream/amqp.yml.hbs deleted file mode 100755 index e22e20e774..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/amqp/agent/stream/amqp.yml.hbs +++ /dev/null 
@@ -1,53 +0,0 @@
-type: amqp
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_body_length}}
-max_body_length: {{max_body_length}}
-{{/if}}
-{{#if parse_headers}}
-parse_headers: {{parse_headers}}
-{{/if}}
-{{#if parse_arguments}}
-parse_arguments: {{parse_arguments}}
-{{/if}}
-{{#if hide_connection_information}}
-hide_connection_information: {{hide_connection_information}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index dd8f95ef44..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing amqp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/amqp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/amqp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/amqp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/amqp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/amqp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/amqp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@
-- name: amqp
- type: group
- fields:
- - name: reply-code
- type: long
- description: >
- AMQP reply code to an error, similar to http reply-code
-
- example: 404
- - name: reply-text
- type: keyword
- description: >
- Text explaining the error.
-
- - name: class-id
- type: long
- description: >
- Failing method class.
-
- - name: method-id
- type: long
- description: >
- Failing method ID.
-
- - name: exchange
- type: keyword
- description: >
- Name of the exchange.
-
- - name: exchange-type
- type: keyword
- description: >
- Exchange type.
-
- example: fanout
- - name: passive
- type: boolean
- description: >
- If set, do not create exchange/queue.
-
- - name: durable
- type: boolean
- description: >
- If set, request a durable exchange/queue.
-
- - name: exclusive
- type: boolean
- description: >
- If set, request an exclusive queue.
-
- - name: auto-delete
- type: boolean
- description: >
- If set, auto-delete queue when unused.
-
- - name: no-wait
- type: boolean
- description: >
- If set, the server will not respond to the method.
-
- - name: consumer-tag
- type: keyword
- description: >
- Identifier for the consumer, valid within the current channel.
-
- - name: delivery-tag
- type: long
- description: >
- The server-assigned and channel-specific delivery tag.
-
- - name: message-count
- type: long
- description: >
- The number of messages in the queue, which will be zero for newly-declared queues.
-
- - name: consumer-count
- type: long
- description: >
- The number of consumers of a queue.
-
- - name: routing-key
- type: keyword
- description: >
- Message routing key.
-
- - name: no-ack
- type: boolean
- description: >
- If set, the server does not expect acknowledgements for messages.
-
- - name: no-local
- type: boolean
- description: >
- If set, the server will not send messages to the connection that published them.
-
- - name: if-unused
- type: boolean
- description: >
- Delete only if unused.
-
- - name: if-empty
- type: boolean
- description: >
- Delete only if empty.
-
- - name: queue
- type: keyword
- description: >
- The queue name identifies the queue within the vhost.
-
- - name: redelivered
- type: boolean
- description: >
- Indicates that the message has been previously delivered to this or another client.
-
- - name: multiple
- type: boolean
- description: >
- Acknowledge multiple messages.
-
- - name: arguments
- type: object
- description: >
- Optional additional arguments passed to some methods. Can be of various types.
-
- - name: mandatory
- type: boolean
- description: >
- Indicates mandatory routing.
-
- - name: immediate
- type: boolean
- description: >
- Request immediate delivery.
-
- - name: content-type
- type: keyword
- description: >
- MIME content type.
-
- example: text/plain
- - name: content-encoding
- type: keyword
- description: >
- MIME content encoding.
-
- - name: headers
- type: object
- object_type: keyword
- description: >
- Message header field table.
-
- - name: delivery-mode
- type: keyword
- description: >
- Non-persistent (1) or persistent (2).
-
- - name: priority
- type: long
- description: >
- Message priority, 0 to 9.
-
- - name: correlation-id
- type: keyword
- description: >
- Application correlation identifier.
-
- - name: reply-to
- type: keyword
- description: >
- Address to reply to.
-
- - name: expiration
- type: keyword
- description: >
- Message expiration specification.
-
- - name: message-id
- type: keyword
- description: >
- Application message identifier.
-
- - name: timestamp
- type: keyword
- description: >
- Message timestamp.
-
- - name: type
- type: keyword
- description: >
- Message type name.
-
- - name: user-id
- type: keyword
- description: >
- Creating user id.
-
- - name: app-id
- type: keyword
- description: >
- Creating application id.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/manifest.yml b/packages/network_traffic/1.3.0/data_stream/amqp/manifest.yml
deleted file mode 100755
index a94af8b08b..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/amqp/manifest.yml
+++ /dev/null
@@ -1,114 +0,0 @@
-title: AMQP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5672]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: max_body_length
- type: integer
- title: Max Body Length
- description: |-
- Truncate messages that are published and avoid huge messages being
- indexed.
- Default: 1000
- show_user: false
- multi: false
- required: false
- - name: parse_headers
- type: bool
- title: Parse Headers
- description: |-
- Hide the header fields in header frames.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: parse_arguments
- type: bool
- title: Parse Arguments
- description: |-
- Hide the additional arguments of method frames.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: hide_connection_information
- type: bool
- title: Hide Connection Information
- description: |-
- Hide all methods relative to connection negotiation between server and
- client.
- Default: true
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: AMQP
- description: Capture AMQP Traffic
- template_path: amqp.yml.hbs
diff --git a/packages/network_traffic/1.3.0/data_stream/amqp/sample_event.json b/packages/network_traffic/1.3.0/data_stream/amqp/sample_event.json
deleted file mode 100755
index 9ef02f389f..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/amqp/sample_event.json
+++ /dev/null
@@ -1,107 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:37:02.033Z",
- "agent": {
- "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "amqp": {
- "auto-delete": false,
- "consumer-count": 0,
- "durable": false,
- "exclusive": false,
- "message-count": 0,
- "no-wait": false,
- "passive": false,
- "queue": "hello"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 34222
- },
- "data_stream": {
- "dataset": "network_traffic.amqp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 26,
- "ip": "127.0.0.1",
- "port": 5672
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "amqp.queue.declare",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.amqp",
- "duration": 1325900,
- "end": "2022-03-09T07:37:02.035Z",
- "ingested": "2022-03-09T07:37:03Z",
- "kind": "event",
- "start": "2022-03-09T07:37:02.033Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "queue.declare",
- "network": {
- "bytes": 51,
- "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=",
- "direction": "ingress",
- "protocol": "amqp",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 26,
- "ip": "127.0.0.1",
- "port": 5672
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 34222
- },
- "status": "OK",
- "type": "amqp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/1.3.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs
deleted file mode 100755
index 112bc832e8..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs
+++ /dev/null
@@ -1,53 +0,0 @@
-type: cassandra
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_request_header}}
-send_request_header: {{send_request_header}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if send_response_header}}
-send_response_header: {{send_response_header}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if compressor}}
-compressor: {{compressor}}
-{{/if}}
-{{#if ignored_ops}}
-ignored_ops:
-{{#each ignored_ops as |ignored_op|}}
- - {{ignored_op}}
-{{/each}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2860fd7f9e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing cassandra traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/cassandra/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/cassandra/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/cassandra/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/cassandra/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/cassandra/fields/protocol.yml deleted file mode 100755 index 58a2f6c12d..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/cassandra/fields/protocol.yml +++ /dev/null 
@@ -1,283 +0,0 @@ -- name: cassandra - type: group - description: Information about the Cassandra request and response. - fields: - - name: no_request - type: boolean - description: > - Indicates that there is no request because this is a PUSH message. - - - name: request - type: group - description: Cassandra request. - fields: - - name: headers - type: group - description: Cassandra request headers. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). - - name: query - type: keyword - description: The CQL query which client send to cassandra. - - name: response - type: group - description: Cassandra response. - fields: - - name: headers - type: group - description: Cassandra response headers, the structure is as same as request's header. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). 
- - name: result - type: group - description: Details about the returned result. - fields: - - name: type - type: keyword - description: Cassandra result type. - - name: rows - type: group - description: Details about the rows. - fields: - - name: num_rows - type: long - description: Representing the number of rows present in this result. - - name: meta - type: group - description: Composed of result metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: keyspace - type: keyword - description: Indicating the name of the keyspace that has been set. - - name: schema_change - type: group - description: The result to a schema_change message. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. 
- - name: name - type: keyword - description: The function/aggregate name. - - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: prepared - type: group - description: The result to a PREPARE message. - fields: - - name: prepared_id - type: keyword - description: Representing the prepared query ID. - - name: req_meta - type: group - description: This describes the request metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: resp_meta - type: group - description: This describes the metadata for the result set. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. 
- - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: supported - type: flattened - description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. - - name: authentication - type: group - description: Indicates that the server requires authentication, and which authentication mechanism to use. - fields: - - name: class - type: keyword - description: Indicates the full class name of the IAuthenticator in use - - name: warnings - type: keyword - description: The text of the warnings, only occur when Warning flag was set. - - name: event - type: group - description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to. - fields: - - name: type - type: keyword - description: Representing the event type. - - name: change - type: keyword - description: The message corresponding respectively to the type of change followed by the address of the new/removed node. - - name: host - type: keyword - description: Representing the node ip. - - name: port - type: long - description: Representing the node port. - - name: schema_change - type: group - description: The events details related to schema change. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. - - name: name - type: keyword - description: The function/aggregate name. 
- - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: error - type: group - description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. - fields: - - name: code - type: long - description: The error code of the Cassandra response. - - name: msg - type: keyword - description: The error message of the Cassandra response. - - name: type - type: keyword - description: The error type of the Cassandra response. - - name: details - type: group - description: The details of the error. - fields: - - name: read_consistency - type: keyword - description: Representing the consistency level of the query that triggered the exception. - - name: required - type: long - description: Representing the number of nodes that should be alive to respect consistency level. - - name: alive - type: long - description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). - - name: received - type: long - description: Representing the number of nodes having acknowledged the request. - - name: blockfor - type: long - description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. - - name: write_type - type: keyword - description: Describe the type of the write that timed out. - - name: data_present - type: boolean - description: It means the replica that was asked for data had responded. - - name: keyspace - type: keyword - description: The keyspace of the failed function. - - name: table - type: keyword - description: The keyspace of the failed function. - - name: stmt_id - type: keyword - description: Representing the unknown ID. - - name: num_failures - type: keyword - description: Representing the number of nodes that experience a failure while executing the request. 
- - name: function - type: keyword - description: The name of the failed function. - - name: arg_types - type: keyword - description: One string for each argument type (as CQL type) of the failed function. diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/manifest.yml b/packages/network_traffic/1.3.0/data_stream/cassandra/manifest.yml deleted file mode 100755 index 1af2f7ff38..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/cassandra/manifest.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -title: Cassandra -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9042] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`cassandra_request` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_request_header - type: bool - title: Send Request Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field) - is included in published events. The default is true. enable `send_request` first before enable this option. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`cassandra_response` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_response_header - type: bool - title: Send Response Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field) - is included in published events. The default is true. enable `send_response` first before enable this option. 
- show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: compressor - type: text - title: Compressor - description: |- - Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured. - By default no compressor is configured. - show_user: false - multi: false - required: false - - name: ignored_ops - type: text - title: Ignored Ops - description: This option indicates which Operator/Operators will be ignored. - show_user: false - multi: true - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Cassandra - description: Capture Cassandra Traffic - template_path: cassandra.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/cassandra/sample_event.json b/packages/network_traffic/1.3.0/data_stream/cassandra/sample_event.json deleted file mode 100755 index aa2d587c11..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/cassandra/sample_event.json +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 155, - "community_id": 
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/1.3.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs deleted file mode 100755 index d29d14891c..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -type: dhcpv4 -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a0f2d285e8..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: dhcpv4.client_mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: dhcpv4.client_mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: dhcpv4.client_mac - ignore_missing: true -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/protocol.yml deleted file mode 100755 index 0180691a5b..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/fields/protocol.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/1.3.0/data_stream/dhcpv4/manifest.yml deleted file mode 100755 index 164d86ca2f..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/manifest.yml +++ /dev/null @@ -1,49 +0,0 @@ -title: DHCP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [67, 68] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DHCP - description: Capture DHCP Traffic - template_path: dhcpv4.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/1.3.0/data_stream/dhcpv4/sample_event.json deleted file mode 100755 index 59ab870695..0000000000 
--- a/packages/network_traffic/1.3.0/data_stream/dhcpv4/sample_event.json
+++ /dev/null
@@ -1,111 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - "255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - 
"port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/1.3.0/data_stream/dns/agent/stream/dns.yml.hbs deleted file mode 100755 index 1c81667ce1..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dns/agent/stream/dns.yml.hbs +++ /dev/null @@ -1,47 +0,0 @@ -type: dns -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if include_authorities}} -include_authorities: {{include_authorities}} -{{/if}} -{{#if include_additionals}} -include_additionals: {{include_additionals}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 70d49c51b6..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.0/data_stream/dns/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/dns/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/dns/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/dns/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dns/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.0/data_stream/dns/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/dns/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dns/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/dns/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/dns/fields/ecs.yml deleted file mode 100755 index e2ea6f338f..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. 
- name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.0/data_stream/dns/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/dns/fields/protocol.yml deleted file mode 100755 index 28d506b996..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dns/fields/protocol.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: dns - type: group - fields: - - name: flags.authoritative - type: boolean - description: > - A DNS flag specifying that the responding server is an authority for the domain name used in the question. - - - name: flags.recursion_available - type: boolean - description: > - A DNS flag specifying whether recursive query support is available in the name server. - - - name: flags.recursion_desired - type: boolean - description: > - A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. - - - name: flags.authentic_data - type: boolean - description: > - A DNS flag specifying that the recursive server considers the response authentic. - - - name: flags.checking_disabled - type: boolean - description: > - A DNS flag specifying that the client disables the server signature validation of the query. - - - name: flags.truncated_response - type: boolean - description: > - A DNS flag specifying that only the first 512 bytes of the reply were returned. - - - name: question.etld_plus_one - type: keyword - description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. - example: amazon.co.uk. - - name: answers_count - type: long - description: > - The number of resource records contained in the `dns.answers` field. - - - name: authorities - type: object - description: > - An array containing a dictionary for each authority section from the answer. - - - name: authorities_count - type: long - description: > - The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. - - - name: authorities.name - type: keyword - description: The domain name to which this resource record pertains. 
- example: example.com. - - name: authorities.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: authorities.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals - type: object - description: > - An array containing a dictionary for each additional section from the answer. - - - name: additionals_count - type: long - description: > - The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. - - - name: additionals.name - type: keyword - description: The domain name to which this resource record pertains. - example: example.com. - - name: additionals.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: additionals.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals.ttl - description: > - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - type: long - - name: additionals.data - type: keyword - description: > - The data describing the resource. The meaning of this data depends on the type and class of the resource record. - - - name: opt.version - type: keyword - description: The EDNS version. - example: "0" - - name: opt.do - type: boolean - description: If set, the transaction uses DNSSEC. - - name: opt.ext_rcode - type: keyword - description: Extended response code field. - example: "BADVERS" - - name: opt.udp_size - type: long - description: Requestor's UDP payload size (in bytes). diff --git a/packages/network_traffic/1.3.0/data_stream/dns/manifest.yml b/packages/network_traffic/1.3.0/data_stream/dns/manifest.yml deleted file mode 100755 index 4cbea720eb..0000000000 
--- a/packages/network_traffic/1.3.0/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -title: DNS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [53] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: include_authorities - type: bool - title: Include Authorities - description: |- - include_authorities controls whether or not the dns.authorities field - (authority resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: include_additionals - type: bool - title: Include Additionals - description: |- - include_additionals controls whether or not the dns.additionals field - (additional resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - send_request controls whether or not the stringified DNS - request messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - send_response controls whether or not the stringified DNS - response messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. 
- Default: false - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DNS - description: Capture DNS Traffic - template_path: dns.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/dns/sample_event.json b/packages/network_traffic/1.3.0/data_stream/dns/sample_event.json deleted file mode 100755 index 476a880555..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": "2022-03-09T07:48:43Z", - "kind": "event", - "start": 
"2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/1.3.0/data_stream/flow/agent/stream/flow.yml.hbs deleted file mode 100755 index 8089322070..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/flow/agent/stream/flow.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -type: flow -{{#if timeout}} -flows.timeout: '{{timeout}}' -{{/if}} -{{#if period}} -flows.period: '{{period}}' -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8a45c554fd..0000000000 
--- a/packages/network_traffic/1.3.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing traffic flows -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.0/data_stream/flow/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/flow/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/flow/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/flow/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/flow/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/flow/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.0/data_stream/flow/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/flow/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/flow/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/flow/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/flow/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/flow/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.0/data_stream/flow/manifest.yml b/packages/network_traffic/1.3.0/data_stream/flow/manifest.yml
deleted file mode 100755
index 88301fa55b..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/flow/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Flows
-release: beta
-type: logs
-streams:
- - input: packet
- title: Flows
- description: Track Network Flows
- template_path: flow.yml.hbs
- vars:
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: period
- type: text
- title: Period
- required: false
- show_user: false
- description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out.
- default: '10s'
- - name: timeout
- type: text
- title: Flow timeout
- description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported.
- required: false
- show_user: false
- default: '30s'
diff --git a/packages/network_traffic/1.3.0/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/1.3.0/data_stream/http/agent/stream/http.yml.hbs
deleted file mode 100755
index a9fc16e488..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/http/agent/stream/http.yml.hbs
+++ /dev/null
@@ -1,89 +0,0 @@
-type: http
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if hide_keywords}}
-hide_keywords:
-{{#each hide_keywords as |hide_keyword|}}
- - {{hide_keyword}}
-{{/each}}
-{{/if}}
-{{#if send_headers}}
-send_headers: {{send_headers}}
-{{/if}}
-{{#if send_all_headers}}
-send_all_headers: {{send_all_headers}}
-{{/if}}
-{{#if redact_headers}}
-redact_headers:
-{{#each redact_headers as |redact_header|}}
- - {{redact_header}}
-{{/each}}
-{{/if}}
-{{#if include_body_for}}
-include_body_for:
-{{#each include_body_for as |include_body_for_elem|}}
- - {{include_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_request_body_for}}
-include_request_body_for:
-{{#each include_request_body_for as |include_request_body_for_elem|}}
- - {{include_request_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_response_body_for}}
-include_response_body_for:
-{{#each include_response_body_for as |include_response_body_for_elem|}}
- - {{include_response_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if decode_body}}
-decode_body: {{decode_body}}
-{{/if}}
-{{#if split_cookie}}
-split_cookie: {{split_cookie}}
-{{/if}}
-{{#if real_ip_header}}
-real_ip_header: {{real_ip_header}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if max_message_size}}
-max_message_size: {{max_message_size}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index e0cbf2bf88..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing http traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.0/data_stream/http/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/http/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/http/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/http/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/http/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/http/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/http/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/http/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/http/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/http/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/http/fields/ecs.yml
deleted file mode 100755
index d003c7093e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/http/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: Total size in bytes of the request (body and headers). 
- name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword 
diff --git a/packages/network_traffic/1.3.0/data_stream/http/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/http/fields/protocol.yml
deleted file mode 100755
index 51b73ae344..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/http/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: http
- type: group
- description: Information about the HTTP request and response.
- fields:
- - name: request
- description: HTTP request
- type: group
- fields:
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
- - name: response
- description: HTTP response
- type: group
- fields:
- - name: status_phrase
- type: keyword
- description: The HTTP status phrase.
- example: Not Found
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/http/manifest.yml b/packages/network_traffic/1.3.0/data_stream/http/manifest.yml
deleted file mode 100755
index e7f68c99df..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/http/manifest.yml
+++ /dev/null
@@ -1,182 +0,0 @@ -title: HTTP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [80, 8080, 8000, 5000, 8002] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: hide_keywords - type: text - title: Hide Keywords - description: |- - Uncomment the following to hide certain parameters in URL or forms attached - to HTTP requests. The names of the parameters are case insensitive. - The value of the parameters will be replaced with the 'xxxxx' string. - This is generally useful for avoiding storing user passwords or other - sensitive information. - Only query parameters and top level form parameters are replaced. - show_user: false - multi: true - required: false - - name: send_headers - type: bool - title: Send Headers - description: |- - A list of header names to capture and send to Elasticsearch. These headers - are placed under the `headers` dictionary in the resulting JSON. - show_user: false - multi: false - required: false - - name: send_all_headers - type: bool - title: Send All Headers - description: |- - Instead of sending a white list of headers to Elasticsearch, you can send - all headers by setting this option to true. The default is false. - show_user: false - multi: false - required: false - - name: redact_headers - type: text - title: Redact Headers - description: |- - A list of headers to redact if present in the HTTP request. This will keep - the header field present, but will redact it's value to show the headers - presence. 
- show_user: false - multi: true - required: false - - name: include_body_for - type: text - title: Include Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - payload. If the request's or response's Content-Type matches any on this - list, the full body will be included under the request or response field. - show_user: false - multi: true - required: false - - name: include_request_body_for - type: text - title: Include Request Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - request payload. - show_user: false - multi: true - required: false - - name: include_response_body_for - type: text - title: Include Response Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - response payload. - show_user: false - multi: true - required: false - - name: decode_body - type: bool - title: Decode Body - description: |- - Whether the body of a request must be decoded when a content-encoding - or transfer-encoding has been applied. - show_user: false - multi: false - required: false - - name: split_cookie - type: bool - title: Split Cookie - description: |- - If the Cookie or Set-Cookie headers are sent, this option controls whether - they are split into individual values. - show_user: false - multi: false - required: false - - name: real_ip_header - type: bool - title: Real Ip Header - description: |- - The header field to extract the real IP from. This setting is useful when - you want to capture traffic behind a reverse proxy, but you want to get the - geo-location information. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. 
- show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: max_message_size - type: integer - title: Max Message Size - description: |- - Maximum message size. If an HTTP message is larger than this, it will - be trimmed to this size. Default is 10 MB. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: HTTP - description: Capture HTTP Traffic - template_path: http.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/http/sample_event.json b/packages/network_traffic/1.3.0/data_stream/http/sample_event.json deleted file mode 100755 index f07301394b..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/http/sample_event.json +++ /dev/null 
@@ -1,139 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:54:42.031Z",
- "agent": {
- "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "data_stream": {
- "dataset": "network_traffic.http",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.http",
- "duration": 141490400,
- "end": "2022-03-09T07:54:42.172Z",
- "ingested": "2022-03-09T07:54:43Z",
- "kind": "event",
- "start": "2022-03-09T07:54:42.031Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "http": {
- "request": {
- "body": {
- "bytes": 55
- },
- "bytes": 211,
- "headers": {
- "content-length": 55,
- "content-type": "application/x-www-form-urlencoded"
- },
- "method": "POST"
- },
- "response": {
- "body": {
- "bytes": 8936
- },
- "bytes": 9108,
- "headers": {
- "content-length": 8936,
- "content-type": "text/html; charset=utf-8"
- },
- "status_code": 404,
- "status_phrase": "not found"
- },
- "version": "1.1"
- },
- "method": "POST",
- "network": {
- "bytes": 9319,
- "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=",
- "direction": "unknown",
- "protocol": "http",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "POST /register",
- "related": {
- "hosts": [
- "packetbeat.com"
- ],
- "ip": [
- "192.168.238.50",
- "107.170.1.22"
- ]
- },
- "server": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "source": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "status": "Error",
- "type": "http",
- "url": {
- "domain": "packetbeat.com",
- "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "path": "/register",
- "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "scheme": "http"
- },
- "user_agent": {
- "original": "curl/7.37.1"
- }
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/1.3.0/data_stream/icmp/agent/stream/icmp.yml.hbs
deleted file mode 100755
index 2c27e9ec06..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/icmp/agent/stream/icmp.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-type: icmp
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 1ae74a0692..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing icmp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
- # Set host.mac to dash separated upper case value
- # as per ECS recommendation
- ##
- - gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
- - gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
- - uppercase:
- field: host.mac
- ignore_missing: true
- - script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/icmp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/icmp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/icmp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/icmp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/icmp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/icmp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/icmp/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/icmp/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/icmp/fields/protocol.yml
deleted file mode 100755
index 5aef1deaf4..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/icmp/fields/protocol.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: icmp
- type: group
- fields:
- - name: version
- type: long
- description: The version of the ICMP protocol.
- possible_values:
- - 4
- - 6
- - name: request.message
- type: keyword
- description: A human readable form of the request.
- - name: request.type
- type: long
- description: The request type.
- - name: request.code
- type: long
- description: The request code.
- - name: response.message
- type: keyword
- description: A human readable form of the response.
- - name: response.type
- type: long
- description: The response type.
- - name: response.code
- type: long
- description: The response code.
diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/manifest.yml b/packages/network_traffic/1.3.0/data_stream/icmp/manifest.yml
deleted file mode 100755
index 65389d2e13..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/icmp/manifest.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: ICMP
-release: beta
-type: logs
-streams:
- - input: packet
- title: ICMP
- description: Capture ICMP Traffic
- template_path: icmp.yml.hbs
- vars:
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
diff --git a/packages/network_traffic/1.3.0/data_stream/icmp/sample_event.json b/packages/network_traffic/1.3.0/data_stream/icmp/sample_event.json
deleted file mode 100755
index 6dfd5d97d4..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/icmp/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/1.3.0/data_stream/memcached/agent/stream/memcached.yml.hbs deleted file mode 100755 index fb53ef747c..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/memcached/agent/stream/memcached.yml.hbs +++ /dev/null @@ -1,53 +0,0 @@ -type: memcache -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if parseunknown}} -parseunknown: {{parseunknown}} -{{/if}} -{{#if maxvalues}} -maxvalues: {{maxvalues}} -{{/if}} -{{#if maxbytespervalue}} -maxbytespervalue: {{maxbytespervalue}} -{{/if}} -{{#if udptransactiontimeout}} -udptransactiontimeout: {{udptransactiontimeout}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 79d3c2cf54..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing memcached traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/memcached/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/memcached/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/memcached/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/memcached/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/memcached/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/memcached/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/memcached/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/memcached/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/memcached/fields/protocol.yml deleted file mode 100755 index 4d1c281dde..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/memcached/fields/protocol.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
- - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). - - - name: response.stats - type: array - description: > - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/manifest.yml b/packages/network_traffic/1.3.0/data_stream/memcached/manifest.yml deleted file mode 100755 index a40b7e1c77..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/memcached/manifest.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. 
- The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. - Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs 
diff --git a/packages/network_traffic/1.3.0/data_stream/memcached/sample_event.json b/packages/network_traffic/1.3.0/data_stream/memcached/sample_event.json
deleted file mode 100755
index 4b4dc284f8..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/memcached/sample_event.json
+++ /dev/null
@@ -1,112 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- "server": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "source": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "status": "OK",
- "type": "memcache"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/1.3.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs
deleted file mode 100755
index c640e07523..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs
+++ /dev/null
@@ -1,47 +0,0 @@
-type: mongodb
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_docs}}
-max_docs: {{max_docs}}
-{{/if}}
-{{#if max_doc_length}}
-max_doc_length: {{max_doc_length}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 53b9f4a0df..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mongodb traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/mongodb/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/mongodb/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/mongodb/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/mongodb/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/mongodb/fields/protocol.yml
deleted file mode 100755
index a84465c61e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mongodb/fields/protocol.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-- name: mongodb
- type: group
- fields:
- - name: error
- type: keyword
- description: >
- If the MongoDB request has resulted in an error, this field contains the error message returned by the server.
-
- - name: fullCollectionName
- type: keyword
- description: >
- The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.
-
- - name: numberToSkip
- type: long
- description: >
- Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query.
-
- - name: numberToReturn
- type: long
- description: >
- The requested maximum number of documents to be returned.
-
- - name: numberReturned
- type: long
- description: >
- The number of documents in the reply.
-
- - name: startingFrom
- type: keyword
- description: >
- Where in the cursor this reply is starting.
-
- - name: query
- type: keyword
- description: >
- A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.
-
- - name: returnFieldsSelector
- type: keyword
- description: >
- A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.
-
- - name: selector
- type: keyword
- description: >
- A BSON document that specifies the query for selecting the document to update or delete.
-
- - name: update
- type: keyword
- description: >
- A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.
-
- - name: cursorId
- type: keyword
- description: >
- The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/manifest.yml b/packages/network_traffic/1.3.0/data_stream/mongodb/manifest.yml
deleted file mode 100755
index 67dbb005f5..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mongodb/manifest.yml
+++ /dev/null
@@ -1,95 +0,0 @@ -title: MongoDB -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [27017] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: max_docs - type: integer - title: Max Docs - description: |- - The maximum number of documents from the response to index in the `response` - field. The default is 10. - show_user: false - multi: false - required: false - - name: max_doc_length - type: integer - title: Max Doc Length - description: |- - The maximum number of characters in a single document indexed in the - `response` field. The default is 5000. You can set this to 0 to index an - unlimited number of characters per document. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. 
Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MongoDB - description: Capture MongoDB Traffic - template_path: mongodb.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/mongodb/sample_event.json b/packages/network_traffic/1.3.0/data_stream/mongodb/sample_event.json deleted file mode 100755 index 4cfd576e4c..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/mongodb/sample_event.json +++ /dev/null 
@@ -1,106 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:15:48.570Z",
- "agent": {
- "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "data_stream": {
- "dataset": "network_traffic.mongodb",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mongodb",
- "duration": 1365900,
- "end": "2022-03-09T08:15:48.571Z",
- "ingested": "2022-03-09T08:15:49Z",
- "kind": "event",
- "start": "2022-03-09T08:15:48.570Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "find",
- "mongodb": {
- "cursorId": 0,
- "fullCollectionName": "test.restaurants",
- "numberReturned": 1,
- "numberToReturn": 1,
- "numberToSkip": 0,
- "startingFrom": 0
- },
- "network": {
- "bytes": 564,
- "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=",
- "direction": "ingress",
- "protocol": "mongodb",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "test.restaurants.find().limit(1)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "test.restaurants",
- "server": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "source": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "status": "OK",
- "type": "mongodb"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/1.3.0/data_stream/mysql/agent/stream/mysql.yml.hbs
deleted file mode 100755
index ded52aaee1..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mysql/agent/stream/mysql.yml.hbs
+++ /dev/null
@@ -1,41 +0,0 @@
-type: mysql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 23ad4ad9d5..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mysql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/mysql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mysql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/mysql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mysql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/mysql/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/mysql/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/mysql/fields/protocol.yml
deleted file mode 100755
index 64675f8d8e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mysql/fields/protocol.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: mysql
- type: group
- fields:
- - name: affected_rows
- type: long
- description: >
- If the MySQL command is successful, this field contains the affected number of rows of the last statement.
-
- - name: insert_id
- type: keyword
- description: >
- If the INSERT query is successful, this field contains the id of the newly inserted row.
-
- - name: num_fields
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of rows returned.
-
- - name: query
- type: keyword
- description: >
- The row mysql query as read from the transaction's request.
-
- - name: error_code
- type: long
- description: >
- The error code returned by MySQL.
-
- - name: error_message
- type: keyword
- description: >
- The error info message returned by MySQL.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/manifest.yml b/packages/network_traffic/1.3.0/data_stream/mysql/manifest.yml
deleted file mode 100755
index 1f206a34a6..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mysql/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-title: MySQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [3306, 3307]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MySQL
- description: Capture MySQL Traffic
- template_path: mysql.yml.hbs
diff --git a/packages/network_traffic/1.3.0/data_stream/mysql/sample_event.json b/packages/network_traffic/1.3.0/data_stream/mysql/sample_event.json
deleted file mode 100755
index 2c33116053..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/mysql/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:20:44.667Z",
- "agent": {
- "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "data_stream": {
- "dataset": "network_traffic.mysql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mysql",
- "duration": 5532500,
- "end": "2022-03-09T08:20:44.673Z",
- "ingested": "2022-03-09T08:20:45Z",
- "kind": "event",
- "start": "2022-03-09T08:20:44.667Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "mysql": {
- "affected_rows": 0,
- "insert_id": 0,
- "num_fields": 3,
- "num_rows": 15
- },
- "network": {
- "bytes": 3652,
- "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=",
- "direction": "ingress",
- "protocol": "mysql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "test.test",
- "query": "select * from test",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "source": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "status": "OK",
- "type": "mysql"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/1.3.0/data_stream/nfs/agent/stream/nfs.yml.hbs
deleted file mode 100755
index 8212b36930..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/agent/stream/nfs.yml.hbs
+++ /dev/null
@@ -1,41 +0,0 @@
-type: nfs
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index cd66758ed4..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing nfs traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/nfs/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/nfs/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/nfs/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/nfs/fields/ecs.yml
deleted file mode 100755
index 2b26a193f9..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/fields/ecs.yml
+++ /dev/null
@@ -1,144 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: |-
- The domain name of the client system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: client.domain
- type: keyword
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/nfs/fields/protocol.yml
deleted file mode 100755
index 4bcf6fecec..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/fields/protocol.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-- name: nfs
- type: group
- fields:
- - name: version
- type: long
- description: NFS protocol version number.
- - name: minor_version
- type: long
- description: NFS protocol minor version number.
- - name: tag
- type: keyword
- description: NFS v4 COMPOUND operation tag.
- - name: opcode
- type: keyword
- description: >
- NFS operation name, or main operation name, in case of COMPOUND calls.
-
- - name: status
- type: keyword
- description: NFS operation reply status.
-- name: rpc
- type: group
- description: ONC RPC specific event fields.
- fields:
- - name: xid
- type: keyword
- description: RPC message transaction identifier.
- - name: status
- type: keyword
- description: RPC message reply status.
- - name: auth_flavor
- type: keyword
- description: RPC authentication flavor.
- - name: cred.uid
- type: long
- description: RPC caller's user id, in case of auth-unix.
- - name: cred.gid
- type: long
- description: RPC caller's group id, in case of auth-unix.
- - name: cred.gids
- type: long
- description: RPC caller's secondary group ids, in case of auth-unix.
- - name: cred.stamp
- type: long
- description: Arbitrary ID which the caller machine may generate.
- - name: cred.machinename
- type: keyword
- description: The name of the caller's machine.
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/manifest.yml b/packages/network_traffic/1.3.0/data_stream/nfs/manifest.yml
deleted file mode 100755
index 2d98b08dc8..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-title: NFS
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [2049]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: NFS
- description: Capture NFS Traffic
- template_path: nfs.yml.hbs
diff --git a/packages/network_traffic/1.3.0/data_stream/nfs/sample_event.json b/packages/network_traffic/1.3.0/data_stream/nfs/sample_event.json
deleted file mode 100755
index de4b4525e0..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/nfs/sample_event.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:24:00.569Z",
- "agent": {
- "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "data_stream": {
- "dataset": "network_traffic.nfs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "nfs.CLOSE",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.nfs",
- "duration": 6573500,
- "end": "2022-03-09T08:24:00.575Z",
- "ingested": "2022-03-09T08:24:01Z",
- "kind": "event",
- "start": "2022-03-09T08:24:00.569Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "group.id": 48,
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "host.hostname": "desycloud03.desy.de",
- "network": {
- "bytes": 384,
- "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=",
- "direction": "unknown",
- "protocol": "nfsv4",
- "transport": "tcp",
- "type": "ipv4"
- },
- "nfs": {
- "minor_version": 1,
- "opcode": "CLOSE",
- "status": "NFS_OK",
- "tag": "",
- "version": 4
- },
- "related": {
- "ip": [
- "131.169.5.156",
- "131.169.192.35"
- ]
- },
- "rpc": {
- "auth_flavor": "unix",
- "cred": {
- "gid": 48,
- "gids": [
- 48
- ],
- "machinename": "desycloud03.desy.de",
-
"stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/1.3.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs deleted file mode 100755 index 1b9acf9a22..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs +++ /dev/null @@ -1,41 +0,0 @@ -type: pgsql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7bd75120a7..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing pgsql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/pgsql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/pgsql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/pgsql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/pgsql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/pgsql/fields/protocol.yml deleted file mode 100755 index 4fd03e12cb..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/pgsql/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: pgsql - type: group - fields: - - name: error_code - description: The PostgreSQL error code. - type: keyword - - name: error_message - type: keyword - description: The PostgreSQL error message. - - name: error_severity - type: keyword - description: The PostgreSQL error severity. - possible_values: - - ERROR - - FATAL - - PANIC - - name: num_fields - type: long - description: > - If the SELECT query if successful, this field is set to the number of fields returned. - - - name: num_rows - type: long - description: > - If the SELECT query if successful, this field is set to the number of rows returned. - diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/manifest.yml b/packages/network_traffic/1.3.0/data_stream/pgsql/manifest.yml deleted file mode 100755 index 721877d6c7..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/pgsql/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -title: PostgreSQL -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5432] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: PostgreSQL - description: Capture PostgreSQL Traffic - template_path: pgsql.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/pgsql/sample_event.json b/packages/network_traffic/1.3.0/data_stream/pgsql/sample_event.json deleted file mode 100755 index 462f734f42..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/pgsql/sample_event.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/1.3.0/data_stream/redis/agent/stream/redis.yml.hbs deleted file mode 100755 index c611b9e05d..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/agent/stream/redis.yml.hbs +++ /dev/null @@ -1,47 +0,0 @@ -type: redis -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if queue_max_bytes}} -queue_max_bytes: {{queue_max_bytes}} -{{/if}} -{{#if queue_max_messages}} -queue_max_messages: {{queue_max_messages}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a2af2349ac..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing redis traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.0/data_stream/redis/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/redis/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/redis/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/redis/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.0/data_stream/redis/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/redis/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/redis/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/redis/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.0/data_stream/redis/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/redis/fields/protocol.yml deleted file mode 100755 index 4982b2c2d3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/fields/protocol.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -- name: redis - type: group - fields: - - name: return_value - type: keyword - description: > - The return value of the Redis command in a human readable format. - - - name: error - type: keyword - description: > - If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. - diff --git a/packages/network_traffic/1.3.0/data_stream/redis/manifest.yml b/packages/network_traffic/1.3.0/data_stream/redis/manifest.yml deleted file mode 100755 index 4260d9a6a7..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/manifest.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -title: Redis -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [6379] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: queue_max_bytes - type: integer - title: Queue Max Bytes - description: |- - Max size for per-session message queue. This places a limit on the memory - that can be used to buffer requests and responses for correlation. 
- show_user: false - multi: false - required: false - - name: queue_max_messages - type: integer - title: Queue Max Messages - description: |- - Max number of messages for per-session message queue. This limits the number - of requests or responses that can be buffered for correlation. Set a value - large enough to allow for pipelining. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Redis - description: Capture Redis Traffic - template_path: redis.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/redis/sample_event.json b/packages/network_traffic/1.3.0/data_stream/redis/sample_event.json deleted file mode 100755 index 7ce644c935..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/redis/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/1.3.0/data_stream/sip/agent/stream/sip.yml.hbs deleted file mode 100755 index 01ce8f5470..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/sip/agent/stream/sip.yml.hbs +++ /dev/null @@ -1,38 +0,0 @@ -type: sip -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if parse_authorization}} -parse_authorization: {{parse_authorization}} -{{/if}} -{{#if parse_body}} -parse_body: {{parse_body}} -{{/if}} -{{#if keep_original}} -keep_original: {{keep_original}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c20207afdd..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for processing sip traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1. -- script: - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "protocol") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.0/data_stream/sip/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/sip/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/sip/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/sip/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/sip/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/sip/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.0/data_stream/sip/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/sip/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/sip/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/sip/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/sip/fields/ecs.yml deleted file mode 100755 index c2a147238b..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/sip/fields/ecs.yml +++ /dev/null 
@@ -1,174 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. 
- name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/network_traffic/1.3.0/data_stream/sip/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/sip/fields/protocol.yml deleted file mode 100755 index 5b25d9df6d..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/sip/fields/protocol.yml +++ /dev/null 
@@ -1,231 +0,0 @@ -- name: sip - type: group - description: Information about SIP traffic. - fields: - - name: code - type: long - description: Response status code. - - name: method - type: keyword - description: Request method. - - name: status - type: keyword - description: Response status phrase. - - name: type - type: keyword - description: Either request or response. - - name: version - type: keyword - description: SIP protocol version. - - name: uri.original - type: keyword - description: The original URI. - multi_fields: - - name: text - type: text - norms: false - - name: uri.scheme - type: keyword - description: The URI scheme. - - name: uri.username - type: keyword - description: The URI user name. - - name: uri.host - type: keyword - description: The URI host. - - name: uri.port - type: long - description: The URI port. - - name: accept - type: keyword - description: Accept header value. - - name: allow - type: keyword - description: Allowed methods. - - name: call_id - type: keyword - description: Call ID. - - name: content_length - type: long - - name: content_type - type: keyword - - name: max_forwards - type: long - - name: supported - type: keyword - description: Supported methods. - - name: user_agent.original - type: keyword - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.original - type: keyword - description: Private original URI. - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.scheme - type: keyword - description: Private URI scheme. - - name: private.uri.username - type: keyword - description: Private URI user name. - - name: private.uri.host - type: keyword - description: Private URI host. - - name: private.uri.port - type: long - description: Private URI port. - - name: cseq.code - type: long - description: Sequence code. - - name: cseq.method - type: keyword - description: Sequence method. - - name: via.original - type: keyword - description: The original Via value. 
- multi_fields: - - name: text - type: text - norms: false - - name: to.display_info - type: keyword - description: "To display info" - - name: to.uri.original - type: keyword - description: "To original URI" - multi_fields: - - name: text - type: text - norms: false - - name: to.uri.scheme - type: keyword - description: "To URI scheme" - - name: to.uri.username - type: keyword - description: "To URI user name" - - name: to.uri.host - type: keyword - description: "To URI host" - - name: to.uri.port - type: long - description: "To URI port" - - name: to.tag - type: keyword - description: "To tag" - - name: from.display_info - type: keyword - description: "From display info" - - name: from.uri.original - type: keyword - description: "From original URI" - multi_fields: - - name: text - type: text - norms: false - - name: from.uri.scheme - type: keyword - description: "From URI scheme" - - name: from.uri.username - type: keyword - description: "From URI user name" - - name: from.uri.host - type: keyword - description: "From URI host" - - name: from.uri.port - type: long - description: "From URI port" - - name: from.tag - type: keyword - description: "From tag" - - name: contact.display_info - type: keyword - description: "Contact display info" - - name: contact.uri.original - type: keyword - description: "Contact original URI" - multi_fields: - - name: text - type: text - norms: false - - name: contact.uri.scheme - type: keyword - description: "Contat URI scheme" - - name: contact.uri.username - type: keyword - description: "Contact URI user name" - - name: contact.uri.host - type: keyword - description: "Contact URI host" - - name: contact.uri.port - type: long - description: "Contact URI port" - - name: contact.transport - type: keyword - description: "Contact transport" - - name: contact.line - type: keyword - description: "Contact line" - - name: contact.expires - type: keyword - description: "Contact expires" - - name: contact.q - type: keyword - description: 
"Contact Q" - - name: auth.scheme - type: keyword - description: "Auth scheme" - - name: auth.realm - type: keyword - description: "Auth realm" - - name: auth.uri.original - type: keyword - description: "Auth original URI" - multi_fields: - - name: text - type: text - norms: false - - name: auth.uri.scheme - type: keyword - description: "Auth URI scheme" - - name: auth.uri.host - type: keyword - description: "Auth URI host" - - name: auth.uri.port - type: long - description: "Auth URI port" - - name: sdp.version - type: keyword - description: "SDP version" - - name: sdp.owner.username - type: keyword - description: "SDP owner user name" - - name: sdp.owner.session_id - type: keyword - description: "SDP owner session ID" - - name: sdp.owner.version - type: keyword - description: "SDP owner version" - - name: sdp.owner.ip - type: ip - description: "SDP owner IP" - - name: sdp.session.name - type: keyword - description: "SDP session name" - - name: sdp.connection.info - type: keyword - description: "SDP connection info" - - name: sdp.connection.address - type: keyword - description: "SDP connection address" - - name: sdp.body.original - type: keyword - description: "SDP original body" - multi_fields: - - name: text - type: text - norms: false diff --git a/packages/network_traffic/1.3.0/data_stream/sip/manifest.yml b/packages/network_traffic/1.3.0/data_stream/sip/manifest.yml deleted file mode 100755 index 325149aad5..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/sip/manifest.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -title: SIP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5060] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: parse_authorization - type: bool - title: Parse Authorization - description: Parse the authorization headers - show_user: false - multi: false - required: false - - name: parse_body - type: bool - title: Parse Body - description: Parse body contents (only when body is SDP) - show_user: false - multi: false - required: false - - name: keep_original - type: bool - title: Keep Original - description: Preserve original contents in event.original - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: SIP - description: Capture SIP Traffic - template_path: sip.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/sip/sample_event.json b/packages/network_traffic/1.3.0/data_stream/sip/sample_event.json deleted file mode 100755 index 5a36041d5a..0000000000 
--- a/packages/network_traffic/1.3.0/data_stream/sip/sample_event.json
+++ /dev/null
@@ -1,174 +0,0 @@ -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - 
"direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/1.3.0/data_stream/thrift/agent/stream/thrift.yml.hbs
deleted file mode 100755
index 5437c4f132..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/thrift/agent/stream/thrift.yml.hbs
+++ /dev/null
@@ -1,68 +0,0 @@
-type: thrift
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if transport_type}}
-transport_type: {{transport_type}}
-{{/if}}
-{{#if protocol_type}}
-protocol_type: {{protocol_type}}
-{{/if}}
-{{#if idl_files}}
-idl_files:
-{{#each idl_files as |idl_file|}}
- - {{idl_file}}
-{{/each}}
-{{/if}}
-{{#if string_max_size}}
-string_max_size: {{string_max_size}}
-{{/if}}
-{{#if collection_max_size}}
-collection_max_size: {{collection_max_size}}
-{{/if}}
-{{#if capture_reply}}
-capture_reply: {{capture_reply}}
-{{/if}}
-{{#if obfuscate_strings}}
-obfuscate_strings: {{obfuscate_strings}}
-{{/if}}
-{{#if drop_after_n_struct_fields}}
-drop_after_n_struct_fields: {{drop_after_n_struct_fields}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 987bedd730..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -description: Pipeline for processing thrift traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/thrift/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/thrift/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/thrift/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/thrift/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/thrift/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/thrift/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/thrift/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/thrift/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/thrift/fields/protocol.yml
deleted file mode 100755
index dd097f61ee..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/thrift/fields/protocol.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- name: thrift
- type: group
- fields:
- - name: params
- type: keyword
- description: >
- The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.
-
- - name: service
- type: keyword
- description: >
- The name of the Thrift-RPC service as defined in the IDL files.
-
- - name: return_value
- type: keyword
- description: >
- The value returned by the Thrift-RPC call. This is encoded in a human readable format.
-
- - name: exceptions
- type: keyword
- description: >
- If the call resulted in exceptions, this field contains the exceptions in a human readable format.
-
diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/manifest.yml b/packages/network_traffic/1.3.0/data_stream/thrift/manifest.yml
deleted file mode 100755
index 4429f53567..0000000000
--- a/packages/network_traffic/1.3.0/data_stream/thrift/manifest.yml
+++ /dev/null
@@ -1,150 +0,0 @@ -title: Thrift -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9090] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: transport_type - type: text - title: Transport Type - description: |- - The Thrift transport type. Currently this option accepts the values socket - for TSocket, which is the default Thrift transport, and framed for the - TFramed Thrift transport. The default is socket. - show_user: false - multi: false - required: false - - name: protocol_type - type: text - title: Protocol Type - description: |- - The Thrift protocol type. Currently the only accepted value is binary for - the TBinary protocol, which is the default Thrift protocol. - show_user: false - multi: false - required: false - - name: idl_files - type: text - title: Idl Files - description: |- - The Thrift interface description language (IDL) files for the service that - Packetbeat is monitoring. Providing the IDL enables Packetbeat to include - parameter and exception names. - show_user: false - multi: true - required: false - - name: string_max_size - type: integer - title: String Max Size - description: |- - The maximum length for strings in parameters or return values. If a string - is longer than this value, the string is automatically truncated to this - length. 
- show_user: false - multi: false - required: false - - name: collection_max_size - type: integer - title: Collection Max Size - description: The maximum number of elements in a Thrift list, set, map, or structure. - show_user: false - multi: false - required: false - - name: capture_reply - type: bool - title: Capture Reply - description: |- - If this option is set to false, Packetbeat decodes the method name from the - reply and simply skips the rest of the response message. - show_user: false - multi: false - required: false - - name: obfuscate_strings - type: bool - title: Obfuscate Strings - description: |- - If this option is set to true, Packetbeat replaces all strings found in - method parameters, return codes, or exception structures with the "*" - string. - show_user: false - multi: false - required: false - - name: drop_after_n_struct_fields - type: integer - title: Drop After N Struct Fields - description: |- - The maximum number of fields that a structure can have before Packetbeat - ignores the whole transaction. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. 
Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Thrift - description: Capture Thrift Traffic - template_path: thrift.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/thrift/sample_event.json b/packages/network_traffic/1.3.0/data_stream/thrift/sample_event.json deleted file mode 100755 index 523e6958a6..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/thrift/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-05-23T10:59:35.668Z", - "agent": { - "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1275700, - "end": "2022-05-23T10:59:35.669Z", - "ingested": "2022-05-23T10:59:36Z", - "kind": "event", - "start": "2022-05-23T10:59:35.668Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/1.3.0/data_stream/tls/agent/stream/tls.yml.hbs deleted file mode 100755 index b4e8f496fc..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/agent/stream/tls.yml.hbs +++ /dev/null @@ -1,44 +0,0 @@ -type: tls -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if fingerprints}} -fingerprints: -{{#each fingerprints as |fingerprint|}} - - {{fingerprint}} -{{/each}} -{{/if}} -{{#if send_certificates}} -send_certificates: {{send_certificates}} -{{/if}} -{{#if include_raw_certificates}} -include_raw_certificates: {{include_raw_certificates}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index af2d5a91f5..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -description: Pipeline for processing tls traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true - -## -# Make tls.{client,server}.x509.version_number a string as per ECS. -## -- convert: - field: tls.client.x509.version_number - type: string - ignore_missing: true -- convert: - field: tls.server.x509.version_number - type: string - ignore_missing: true - -## -# This handles legacy TLS fields from Packetbeat 7.17. -## -- remove: - description: Remove legacy fields from Packetbeat 7.17 that are duplicated. - field: - - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province. - - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province. - - tls.client.x509.version # Duplicated as tls.client.x509.version_number. - - tls.detailed.client_certificate # Duplicated as tls.client.x509. - - tls.detailed.server_certificate # Duplicated as tls.server.x509. - - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province. - - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province. - - tls.server.x509.version # Duplicated as tls.server.x509.version_number. - ignore_missing: true - -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. 
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -- append: - field: related.hash - value: "{{tls.server.ja3s}}" - if: "ctx?.tls?.server?.ja3s != null" -- append: - field: related.hash - value: "{{tls.client.ja3}}" - if: "ctx?.tls?.client?.ja3 != null" - allow_duplicates: false - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.0/data_stream/tls/fields/agent.yml b/packages/network_traffic/1.3.0/data_stream/tls/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.0/data_stream/tls/fields/base.yml b/packages/network_traffic/1.3.0/data_stream/tls/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.0/data_stream/tls/fields/beats.yml b/packages/network_traffic/1.3.0/data_stream/tls/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.0/data_stream/tls/fields/ecs.yml b/packages/network_traffic/1.3.0/data_stream/tls/fields/ecs.yml deleted file mode 100755 index d73e780eba..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/fields/ecs.yml +++ /dev/null 
@@ -1,371 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. 
- name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
- name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
- name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword diff --git a/packages/network_traffic/1.3.0/data_stream/tls/fields/protocol.yml b/packages/network_traffic/1.3.0/data_stream/tls/fields/protocol.yml deleted file mode 100755 index d8264468d4..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/fields/protocol.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- name: tls - type: group - fields: - - name: detailed - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - - example: "TLS 1.3" - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself using a client certificate. - - - name: ocsp_response - type: keyword - description: > - The result of an OCSP request. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to communicate during this session. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string to advertise support for tickets. - - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. 
- - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: type - type: keyword - description: The type of the status request. Always "ocsp" if present. - - name: responder_id_list_length - type: short - description: The length of the list of trusted responders. - - name: request_extensions - type: short - description: The number of certificate extensions for the request. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. 
- fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: response - type: boolean - description: Whether a certificate status request response was made. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. - diff --git a/packages/network_traffic/1.3.0/data_stream/tls/manifest.yml b/packages/network_traffic/1.3.0/data_stream/tls/manifest.yml deleted file mode 100755 index 1a5c670684..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs diff --git a/packages/network_traffic/1.3.0/data_stream/tls/sample_event.json b/packages/network_traffic/1.3.0/data_stream/tls/sample_event.json deleted file mode 100755 index 6c9779651e..0000000000 --- a/packages/network_traffic/1.3.0/data_stream/tls/sample_event.json +++ /dev/null 
@@ -1,302 +0,0 @@
-{
- "@timestamp": "2022-05-23T11:01:14.376Z",
- "agent": {
- "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d",
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "ip": "192.168.1.35",
- "port": 59455
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "example.net",
- "ip": "93.184.216.34",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 365887700,
- "end": "2022-05-23T11:01:14.741Z",
- "ingested": "2022-05-23T11:01:17Z",
- "kind": "event",
- "start": "2022-05-23T11:01:14.376Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.224.7"
- ],
- "mac": [
- "02-42-C0-A8-E0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.35",
- "93.184.216.34"
- ]
- },
- "server": {
- "domain": "example.net",
- "ip": "93.184.216.34",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.35",
- "port": 59455
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "client": {
- "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
- "server_name": "example.net",
- "supported_ciphers": [
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "(unknown:0xff85)",
- "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
- "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
- "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
- "TLS_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
- "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
- ]
- },
- "detailed": {
- "client_certificate_requested": false,
- "client_hello": {
- "extensions": {
- "application_layer_protocol_negotiation": [
- "h2",
- "http/1.1"
- ],
- "ec_points_formats": [
- "uncompressed"
- ],
- "server_name_indication": [
- "example.net"
- ],
- "signature_algorithms": [
- "rsa_pkcs1_sha512",
- "ecdsa_secp521r1_sha512",
- "(unknown:0xefef)",
- "rsa_pkcs1_sha384",
- "ecdsa_secp384r1_sha384",
- "rsa_pkcs1_sha256",
- "ecdsa_secp256r1_sha256",
- "(unknown:0xeeee)",
- "(unknown:0xeded)",
- "(unknown:0x0301)",
- "(unknown:0x0303)",
- "rsa_pkcs1_sha1",
- "ecdsa_sha1"
- ],
- "supported_groups": [
- "x25519",
- "secp256r1",
- "secp384r1"
- ]
- },
- "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b",
- "supported_compression_methods": [
- "NULL"
- ],
- "version": "3.3"
- },
- "server_certificate_chain": [
- {
- "issuer": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "not_after": "2023-03-08T12:00:00.000Z",
- "not_before": "2013-03-08T12:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- "serial_number": "2646203786665923649276728595390119057",
- "signature_algorithm": "SHA256-RSA",
- "subject": {
- "common_name": "DigiCert SHA2 Secure Server CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc"
- },
- "version_number": 3
- },
- {
- "issuer": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "not_after": "2031-11-10T00:00:00.000Z",
- "not_before": "2006-11-10T00:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- "serial_number": "10944719598952040374951832963794454346",
- "signature_algorithm": "SHA1-RSA",
- "subject": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "version_number": 3
- }
- ],
- "server_hello": {
- "extensions": {
- "_unparsed_": [
- "renegotiation_info",
- "server_name_indication"
- ],
- "application_layer_protocol_negotiation": [
- "h2"
- ],
- "ec_points_formats": [
- "uncompressed",
- "ansiX962_compressed_prime",
- "ansiX962_compressed_char2"
- ]
- },
- "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401",
- "selected_compression_method": "NULL",
- "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f",
- "version": "3.3"
- },
- "version": "TLS 1.2"
- },
- "established": true,
- "next_protocol": "h2",
- "resumed": false,
- "server": {
- "hash": {
- "sha1": "7BB698386970363D2919CC5772846984FFD4A889"
- },
- "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "not_after": "2020-12-02T12:00:00.000Z",
- "not_before": "2018-11-28T00:00:00.000Z",
- "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
- "x509": {
- "alternative_names": [
- "www.example.org",
- "example.com",
- "example.edu",
- "example.net",
- "example.org",
- "www.example.com",
- "www.example.edu",
- "www.example.net"
- ],
- "issuer": {
- "common_name": "DigiCert SHA2 Secure Server CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc"
- },
- "not_after": "2020-12-02T12:00:00.000Z",
- "not_before": "2018-11-28T00:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- "serial_number": "21020869104500376438182461249190639870",
- "signature_algorithm": "SHA256-RSA",
- "subject": {
- "common_name": "www.example.org",
- "country": "US",
- "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
- "locality": "Los Angeles",
- "organization": "Internet Corporation for Assigned Names and Numbers",
- "organizational_unit": "Technology",
- "state_or_province": "California"
- },
- "version_number": "3"
- }
- },
- "version": "1.2",
- "version_protocol": "tls"
- },
- "type": "tls"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/docs/README.md b/packages/network_traffic/1.3.0/docs/README.md
deleted file mode 100755
index ddb4873213..0000000000
--- a/packages/network_traffic/1.3.0/docs/README.md
+++ /dev/null
@@ -1,4721 +0,0 @@ -# Network Packet Capture Integration - -This integration sniffs network packets on a host and dissects -known protocols. - -Monitoring your network traffic is critical to gaining observability and -securing your environment — ensuring high levels of performance and security. -The Network Packet Capture integration captures the network traffic between -your application servers, decodes common application layer protocols and -records the interesting fields for each transaction. - -## Supported Protocols - -Currently, Network Packet Capture supports the following protocols: - -- ICMP (v4 and v6) -- DHCP (v4) -- DNS -- HTTP -- AMQP 0.9.1 -- Cassandra -- Mysql -- PostgreSQL -- Redis -- Thrift-RPC -- MongoDB -- Memcache -- NFS -- TLS -- SIP/SDP (beta) - -### Common protocol options - -The following options are available for all protocols: - -#### `enabled` - -The enabled setting is a boolean setting to enable or disable protocols -without having to comment out configuration sections. If set to false, -the protocol is disabled. - -The default value is true. - -#### `ports` - -Exception: For ICMP the option `enabled` has to be used instead. - -The ports where Network Packet Capture will look to capture traffic for specific -protocols. Network Packet Capture installs a -[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based -on the ports specified in this section. If a packet doesn’t match the -filter, very little CPU is required to discard the packet. Network Packet Capture -also uses the ports specified here to determine which parser to use for -each packet. - -#### `monitor_processes` - -If this option is enabled then network traffic events will be enriched -with information about the process associated with the events. - -The default value is false. - -#### `send_request` - -If this option is enabled, the raw message of the request (`request` -field) is sent to Elasticsearch. The default is false. 
This option is -useful when you want to index the whole request. Note that for HTTP, the -body is not included by default, only the HTTP headers. - -#### `send_response` - -If this option is enabled, the raw message of the response (`response` -field) is sent to Elasticsearch. The default is false. This option is -useful when you want to index the whole response. Note that for HTTP, -the body is not included by default, only the HTTP headers. - -#### `transaction_timeout` - -The per protocol transaction timeout. Expired transactions will no -longer be correlated to incoming responses, but sent to Elasticsearch -immediately. - -#### `tags` - -A list of tags that will be sent with the transaction event. This -setting is optional. - -#### `processors` - -A list of processors to apply to the data generated by the protocol. - -#### `keep_null` - -If this option is set to true, fields with `null` values will be -published in the output document. By default, `keep_null` is set to -`false`. - - -## Network Flows - -Overall flow information about the network connections on a -host. - -You can configure Network Packet Capture to collect and report statistics -on network flows. A *flow* is a group of packets sent over the same time -period that share common properties, such as the same source and destination -address and protocol. You can use this feature to analyze network -traffic over specific protocols on your network. - -For each flow, Network Packet Capture reports the number of packets and the -total number of bytes sent from the source to the destination. Each flow event -also contains information about the source and destination hosts, such -as their IP address. For bi-directional flows, Network Packet Capture reports -statistics for the reverse flow. - -Network Packet Capture collects and reports statistics up to and including the -transport layer. - -**Configuration options** - -You can specify the following options for capturing flows. 
- -#### `enabled` - -Enables flows support if set to true. Set to false to disable network -flows support without having to delete or comment out the flows section. -The default value is true. - -#### `timeout` - -Timeout configures the lifetime of a flow. If no packets have been -received for a flow within the timeout time window, the flow is killed -and reported. The default value is 30s. - -#### `period` - -Configure the reporting interval. All flows are reported at the very -same point in time. Periodical reporting can be disabled by setting the -value to -1. If disabled, flows are still reported once being timed out. -The default value is 10s. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -## Protocols - -### AMQP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_body_length` - -The maximum size in bytes of the message displayed in the request or -response fields. Messages that are bigger than the specified size are -truncated. Use this option to avoid publishing huge messages when -[`send_request`](#send-request-option) or -[`send_response`](#send-response-option) is enabled. The default is -1000 bytes. - -#### `parse_headers` - -If set to true, Network Packet Capture parses the additional arguments specified in -the headers field of a message. Those arguments are key-value pairs that -specify information such as the content type of the message or the -message priority. The default is true. - -#### `parse_arguments` - -If set to true, Network Packet Capture parses the additional arguments specified in -AMQP methods. Those arguments are key-value pairs specified by the user -and can be of any length. The default is true. - -#### `hide_connection_information` - -If set to false, the connection layer methods of the protocol are also -displayed, such as the opening and closing of connections and channels -by clients, or the quality of service negotiation. The default is true. - -Fields published for AMQP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| amqp.app-id | Creating application id. | keyword | -| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | -| amqp.auto-delete | If set, auto-delete queue when unused. 
| boolean |
-| amqp.class-id | Failing method class. | long |
-| amqp.consumer-count | The number of consumers of a queue. | long |
-| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword |
-| amqp.content-encoding | MIME content encoding. | keyword |
-| amqp.content-type | MIME content type. | keyword |
-| amqp.correlation-id | Application correlation identifier. | keyword |
-| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword |
-| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long |
-| amqp.durable | If set, request a durable exchange/queue. | boolean |
-| amqp.exchange | Name of the exchange. | keyword |
-| amqp.exchange-type | Exchange type. | keyword |
-| amqp.exclusive | If set, request an exclusive queue. | boolean |
-| amqp.expiration | Message expiration specification. | keyword |
-| amqp.headers | Message header field table. | object |
-| amqp.if-empty | Delete only if empty. | boolean |
-| amqp.if-unused | Delete only if unused. | boolean |
-| amqp.immediate | Request immediate delivery. | boolean |
-| amqp.mandatory | Indicates mandatory routing. | boolean |
-| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long |
-| amqp.message-id | Application message identifier. | keyword |
-| amqp.method-id | Failing method ID. | long |
-| amqp.multiple | Acknowledge multiple messages. | boolean |
-| amqp.no-ack | If set, the server does not expect acknowledgements for messages. | boolean |
-| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean |
-| amqp.no-wait | If set, the server will not respond to the method. | boolean |
-| amqp.passive | If set, do not create exchange/queue. | boolean |
-| amqp.priority | Message priority, 0 to 9. | long |
-| amqp.queue | The queue name identifies the queue within the vhost.
| keyword |
-| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean |
-| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long |
-| amqp.reply-text | Text explaining the error. | keyword |
-| amqp.reply-to | Address to reply to. | keyword |
-| amqp.routing-key | Message routing key. | keyword |
-| amqp.timestamp | Message timestamp. | keyword |
-| amqp.type | Message type name. | keyword |
-| amqp.user-id | Creating user id. | keyword |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running.
| keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
| long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
| keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters.
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6).
| ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `amqp` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:37:02.033Z",
- "agent": {
- "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "amqp": {
- "auto-delete": false,
- "consumer-count": 0,
- "durable": false,
- "exclusive": false,
- "message-count": 0,
- "no-wait": false,
- "passive": false,
- "queue": "hello"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 34222
- },
- "data_stream": {
- "dataset": "network_traffic.amqp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 26,
- "ip": "127.0.0.1",
- "port": 5672
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "amqp.queue.declare",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.amqp",
- "duration": 1325900,
- "end": "2022-03-09T07:37:02.035Z",
- "ingested": "2022-03-09T07:37:03Z",
- "kind": "event",
- "start": "2022-03-09T07:37:02.033Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "queue.declare",
- "network": {
- "bytes": 51,
- "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=",
- "direction": "ingress",
- "protocol": "amqp",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 26,
- "ip": "127.0.0.1",
- "port": 5672
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 34222
- },
- "status": "OK",
- "type": "amqp"
-}
-```
-
-### Cassandra
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `send_request_header`
-
-If this option is enabled, the raw message of the response
-(`cassandra_request.request_headers` field) is sent to Elasticsearch.
-The default is true. Enable `send_request` first before enabling this
-option.
-
-#### `send_response_header`
-
-If this option is enabled, the raw message of the response
-(`cassandra_response.response_headers` field) is included in published
-events. The default is true. enable `send_response` first before enable
-this option.
-
-#### `ignored_ops`
-
-This option indicates which Operator/Operators captured will be ignored.
-currently support: `ERROR` ,`STARTUP` ,`READY` ,`AUTHENTICATE`
-,`OPTIONS` ,`SUPPORTED` , `QUERY` ,`RESULT` ,`PREPARE` ,`EXECUTE`
-,`REGISTER` ,`EVENT` , `BATCH` ,`AUTH_CHALLENGE`,`AUTH_RESPONSE`
-,`AUTH_SUCCESS` .
-
-#### `compressor`
-
-Configures the default compression algorithm being used to uncompress
-compressed frames by name. Currently only `snappy` is can be configured.
-By default no compressor is configured.
-
-Fields published for Apache Cassandra packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean |
-| cassandra.request.headers.flags | Flags applying to this frame.
| keyword |
-| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long |
-| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword |
-| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword |
-| cassandra.request.headers.version | The version of the protocol. | keyword |
-| cassandra.request.query | The CQL query which client send to cassandra. | keyword |
-| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword |
-| cassandra.response.error.code | The error code of the Cassandra response. | long |
-| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long |
-| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword |
-| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long |
-| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean |
-| cassandra.response.error.details.function | The name of the failed function. | keyword |
-| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword |
-| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword |
-| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception.
| keyword |
-| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long |
-| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long |
-| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword |
-| cassandra.response.error.details.table | The keyspace of the failed function. | keyword |
-| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword |
-| cassandra.response.error.msg | The error message of the Cassandra response. | keyword |
-| cassandra.response.error.type | The error type of the Cassandra response. | keyword |
-| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. | keyword |
-| cassandra.response.event.host | Representing the node ip. | keyword |
-| cassandra.response.event.port | Representing the node port. | long |
-| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword |
-| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword |
-| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword |
-| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword |
-| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword |
-| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword |
-| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword |
-| cassandra.response.event.type | Representing the event type.
| keyword |
-| cassandra.response.headers.flags | Flags applying to this frame. | keyword |
-| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long |
-| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword |
-| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword |
-| cassandra.response.headers.version | The version of the protocol. | keyword |
-| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword |
-| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. | keyword |
-| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
-| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
-| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result.
| long |
-| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
-| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
-| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
-| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long |
-| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword |
-| cassandra.response.result.schema_change.change | Representing the type of changed involved.
| keyword |
-| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword |
-| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword |
-| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword |
-| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword |
-| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword |
-| cassandra.response.result.type | Cassandra result type. | keyword |
-| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened |
-| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. | keyword |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance.
| keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset.
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address.
| keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction.
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. 
| keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `cassandra` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": 
"2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 155, - "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} -``` - -### DHCP - -**Configuration options** - -See [Common protocol options](#common-protocol-options). - -Fields published for DHCPv4 packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip | -| dhcpv4.client_ip | The current IP address of the client. | ip | -| dhcpv4.client_mac | The client's MAC address (layer two). | keyword | -| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword | -| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword | -| dhcpv4.hops | The number of hops the DHCP message went through. | long | -| dhcpv4.op_code | The message op code (bootrequest or bootreply). 
| keyword | -| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword | -| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip | -| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration. | keyword | -| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip | -| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword | -| dhcpv4.option.hostname | This option specifies the name of the client. | keyword | -| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long | -| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long | -| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text | -| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). 
| keyword | -| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip | -| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword | -| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long | -| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. | long | -| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip | -| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip | -| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip | -| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip | -| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip | -| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long | -| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object | -| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip | -| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. 
| long | -| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip | -| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword | -| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dhcpv4` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - 
"255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - "port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} -``` - -### DNS - -The DNS protocol supports processing DNS messages on TCP and UDP. - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `include_authorities` - -If this option is enabled, dns.authority fields (authority resource -records) are added to DNS events. The default is false. - -#### `include_additionals` - -If this option is enabled, dns.additionals fields (additional resource -records) are added to DNS events. The default is false. - -Fields published for DNS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.additionals | An array containing a dictionary for each additional section from the answer. | object | -| dns.additionals.class | The class of DNS data contained in this resource record. | keyword | -| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.additionals.name | The domain name to which this resource record pertains. | keyword | -| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.additionals.type | The type of data contained in this resource record. | keyword | -| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. 
| long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long | -| dns.authorities | An array containing a dictionary for each authority section from the answer. | object | -| dns.authorities.class | The class of DNS data contained in this resource record. | keyword | -| dns.authorities.name | The domain name to which this resource record pertains. | keyword | -| dns.authorities.type | The type of data contained in this resource record. | keyword | -| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. 
The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean | -| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean | -| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. | boolean | -| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean | -| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean | -| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.opt.do | If set, the transaction uses DNSSEC. | boolean | -| dns.opt.ext_rcode | Extended response code field. | keyword | -| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long | -| dns.opt.version | The EDNS version. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. 
| keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. 
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": 
"2022-03-09T07:48:43Z", - "kind": "event", - "start": "2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} -``` - -### HTTP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `hide_keywords` - -A list of query parameters that Network Packet Capture will automatically censor in -the transactions that it saves. The values associated with these -parameters are replaced by `'xxxxx'`. By default, no changes are made to -the HTTP messages. - -Network Packet Capture has this option because, unlike SQL traffic, which typically -only contains the hashes of the passwords, HTTP traffic may contain -sensitive data. To reduce security risks, you can configure this option -to avoid sending the contents of certain HTTP POST parameters. - -This option replaces query parameters from GET requests and top-level -parameters from POST requests. If sensitive data is encoded inside a -parameter that you don’t specify here, Network Packet Capture cannot censor it. 
-Also, note that if you configure Network Packet Capture to save the raw request and -response fields (see the [`send_request`](#send-request-option) and -the [`send_response`](#send-response-option) options), sensitive data -may be present in those fields. - -#### `redact_authorization` - -When this option is enabled, Network Packet Capture obscures the value of -`Authorization` and `Proxy-Authorization` HTTP headers, and censors -those strings in the response. - -You should set this option to true for transactions that use Basic -Authentication because they may contain the base64 unencrypted username -and password. - -#### `send_headers` - -A list of header names to capture and send to Elasticsearch. These -headers are placed under the `headers` dictionary in the resulting JSON. - -#### `send_all_headers` - -Instead of sending a white list of headers to Elasticsearch, you can -send all headers by setting this option to true. The default is false. - -#### `redact_headers` - -A list of headers to redact if present in the HTTP request. This will -keep the header field present, but will redact it’s value to show the -header’s presence. - -#### `include_body_for` - -The list of content types for which Network Packet Capture exports the full HTTP -payload. The HTTP body is available under `http.request.body.content` -and `http.response.body.content` for these Content-Types. - -In addition, if [`send_response`](#send-response-option) option is -enabled, then the HTTP body is exported together with the HTTP headers -under `response` and if [`send_request`](#send-request-option) -enabled, then `request` contains the entire HTTP message including the -body. 
- -In the following example, the HTML attachments of the HTTP responses are -exported under the `response` field and under -`http.request.body.content` or `http.response.body.content`: - - Network Packet Capture.protocols: - - type: http - ports: [80, 8080] - send_response: true - include_body_for: ["text/html"] - -#### `decode_body` - -A boolean flag that controls decoding of HTTP payload. It interprets the -`Content-Encoding` and `Transfer-Encoding` headers and uncompresses the -entity body. Supported encodings are `gzip` and `deflate`. This option -is only applicable in the cases where the HTTP payload is exported, that -is, when one of the `include_*_body_for` options is specified or a POST -request contains url-encoded parameters. - -#### `split_cookie` - -If the `Cookie` or `Set-Cookie` headers are sent, this option controls -whether they are split into individual values. For example, with this -option set, an HTTP response might result in the following JSON: - - "response": { - "code": 200, - "headers": { - "connection": "close", - "content-language": "en", - "content-type": "text/html; charset=utf-8", - "date": "Fri, 21 Nov 2014 17:07:34 GMT", - "server": "gunicorn/19.1.1", - "set-cookie": { - "csrftoken": "S9ZuJF8mvIMT5CL4T1Xqn32wkA6ZSeyf", - "expires": "Fri, 20-Nov-2015 17:07:34 GMT", - "max-age": "31449600", - "path": "/" - }, - "vary": "Cookie, Accept-Language" - }, - "status_phrase": "OK" - } - -- Note that `set-cookie` is a map containing the cookie names as keys. - -The default is false. - -#### `real_ip_header` - -The header field to extract the real IP from. This setting is useful -when you want to capture traffic behind a reverse proxy, but you want to -get the geo-location information. If this header is present and contains -a valid IP addresses, the information is used for the -`network.forwarded_ip` field. - -#### `max_message_size` - -If an individual HTTP message is larger than this setting (in bytes), it -will be trimmed to this size. 
Unless this value is very small -(<1.5K), Network Packet Capture is able to still correctly follow the transaction -and create an event for it. The default is 10485760 (10 MB). - -Fields published for HTTP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. 
| flattened | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.response.status_code | HTTP response status code. | long | -| http.response.status_phrase | The HTTP status phrase. | keyword | -| http.version | HTTP version. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. 
For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | - - -An example event for `http` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - 
"community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - "protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} -``` - -### ICMP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -**`enabled`** - -The ICMP protocol can be enabled/disabled via this option. The default -is true. - -If enabled Network Packet Capture will generate the following BPF filter: -`"icmp or icmp6"`. -Fields published for ICMP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| icmp.request.code | The request code. | long | -| icmp.request.message | A human readable form of the request. | keyword | -| icmp.request.type | The request type. | long | -| icmp.response.code | The response code. | long | -| icmp.response.message | A human readable form of the response. | keyword | -| icmp.response.type | The response type. | long | -| icmp.version | The version of the ICMP protocol. | long | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. 
| keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `icmp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:57:32.766Z", - "agent": { - "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 4, - "ip": "::1" - }, - "data_stream": { - "dataset": "network_traffic.icmp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 4, - "ip": "::2" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.icmp", - "duration": 13336600, - "end": "2022-03-09T07:57:32.779Z", - "ingested": "2022-03-09T07:57:36Z", - "kind": "event", - "start": "2022-03-09T07:57:32.766Z", - "type": [ - "connection" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "icmp": { - "request": { - "code": 0, - "message": "EchoRequest", - "type": 128 - }, - "response": { - "code": 0, - "message": "EchoReply", - "type": 129 - }, - "version": 6 - }, - "network": { - "bytes": 8, - "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", - "direction": "egress", - "transport": "ipv6-icmp", - "type": "ipv6" - }, - "path": "::2", - "related": { - "ip": [ - "::1", - "::2" - ] - }, - "server": { - "bytes": 4, - "ip": "::2" - }, - "source": { - "bytes": 4, - "ip": "::1" - }, - "status": "OK", - "type": "icmp" -} -``` - -### Memcached - -**Configuration options** - -Also see [Common 
protocol options](#common-protocol-options).
-
-#### `parseunknown`
-
-When this option is enabled, it forces the memcache text protocol parser
-to accept unknown commands.
-
-The unknown commands MUST NOT contain a data part.
-
-#### `maxvalues`
-
-The maximum number of values to store in the message (multi-get). All
-values will be base64 encoded.
-
-The possible settings for this option are:
-
-- `maxvalue: -1`, which stores all values (text based protocol multi-get)
-- `maxvalue: 0`, which stores no values (default)
-- `maxvalue: N`, which stores up to N values
-
-#### `maxbytespervalue`
-
-The maximum number of bytes to be copied for each value element.
-
-Values will be base64 encoded, so the actual size in the JSON document
-will be 4 times the value that you specify for `maxbytespervalue`.
-
-#### `udptransactiontimeout`
-
-The transaction timeout in milliseconds. The defaults is 10000
-milliseconds.
-
-Quiet messages in UDP binary protocol get responses only if there is an
-error. The memcache protocol analyzer will wait for the number of
-milliseconds specified by `udptransactiontimeout` before publishing
-quiet messages. Non-quiet messages or quiet requests with an error
-response are published immediately.
-
-Fields published for Memcached packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. 
It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. 
| keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword | -| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. 
This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword | -| memcache.request.bytes | The byte count of the values being transferred. | long | -| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long | -| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword | -| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long | -| memcache.request.delta | The counter increment/decrement delta value. | long | -| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long | -| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long | -| memcache.request.flags | The memcache command flags sent in the request (if present). | long | -| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long | -| memcache.request.keys | The list of keys sent in the store or load commands. | array | -| memcache.request.line | The raw command line for unknown commands ONLY. | keyword | -| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean | -| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | -| memcache.request.opcode | The binary protocol message opcode name. | keyword | -| memcache.request.opcode_value | The binary protocol message opcode value. 
| long | -| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean | -| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword | -| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long | -| memcache.request.source_class | The source class id in 'slab reassign' command. | long | -| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword | -| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array | -| memcache.request.vbucket | The vbucket index sent in the binary message. | long | -| memcache.request.verbosity | The value of the memcache "verbosity" command. | long | -| memcache.response.bytes | The byte count of the values being transferred. | long | -| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long | -| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword | -| memcache.response.count_values | The number of values found in the memcache response message. If the command does not send any data, this field is missing. | long | -| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword | -| memcache.response.flags | The memcache message flags sent in the response (if present). | long | -| memcache.response.keys | The list of keys returned for the load command (if present). | array | -| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. 
| long |
-| memcache.response.opcode | The binary protocol message opcode name. | keyword |
-| memcache.response.opcode_value | The binary protocol message opcode value. | long |
-| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array |
-| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword |
-| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long |
-| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword |
-| memcache.response.value | The counter value returned by a counter operation. | long |
-| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array |
-| memcache.response.version | The returned memcache version string. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `memcached` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- 
"server": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "source": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "status": "OK",
- "type": "memcache"
-}
-```
-
-### MongoDB
-
-**Configuration options**
-
-The `max_docs` and `max_doc_length` settings are useful for limiting the
-amount of data Network Packet Capture indexes in the `response` fields.
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `max_docs`
-
-The maximum number of documents from the response to index in the
-`response` field. The default is 10. You can set this to 0 to index an
-unlimited number of documents.
-
-Network Packet Capture adds a `[...]` line at the end to signify that there were
-additional documents that weren’t saved because of this setting.
-
-#### `max_doc_length`
-
-The maximum number of characters in a single document indexed in the
-`response` field. The default is 5000. You can set this to 0 to index an
-unlimited number of characters per document.
-
-If the document is trimmed because of this setting, Network Packet Capture adds the
-string `...` at the end of the document.
-
-Note that limiting documents in this way means that they are no longer
-correctly formatted JSON objects.
-
-Fields published for MongoDB packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
-| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
-| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
-| mongodb.numberReturned | The number of documents in the reply. | long |
-| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long |
-| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long |
-| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. 
| keyword |
-| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
-| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
-| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. 
| ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. 
| long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `mongodb` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:15:48.570Z",
- "agent": {
- "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "data_stream": {
- "dataset": "network_traffic.mongodb",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mongodb",
- "duration": 1365900,
- "end": "2022-03-09T08:15:48.571Z",
- "ingested": "2022-03-09T08:15:49Z",
- "kind": "event",
- "start": "2022-03-09T08:15:48.570Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- 
"architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "find",
- "mongodb": {
- "cursorId": 0,
- "fullCollectionName": "test.restaurants",
- "numberReturned": 1,
- "numberToReturn": 1,
- "numberToSkip": 0,
- "startingFrom": 0
- },
- "network": {
- "bytes": 564,
- "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=",
- "direction": "ingress",
- "protocol": "mongodb",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "test.restaurants.find().limit(1)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "test.restaurants",
- "server": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "source": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "status": "OK",
- "type": "mongodb"
-}
-```
-
-### MySQL
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `max_rows`
-
-The maximum number of rows from the SQL message to publish to
-Elasticsearch. The default is 10 rows.
-
-#### `max_row_length`
-
-The maximum length in bytes of a row from the SQL message to publish to
-Elasticsearch. The default is 1024 bytes.
-
-### `statement_timeout`
-
-The duration for which prepared statements are cached after their last
-use. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The
-default is `1h`.
-
-Fields published for MySQL packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. 
| long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long |
-| mysql.error_code | The error code returned by MySQL. | long |
-| mysql.error_message | The error info message returned by MySQL. | keyword |
-| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword |
-| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long |
-| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long |
-| mysql.query | The row mysql query as read from the transaction's request. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. 
For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `mysql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - 
"status": "OK", - "type": "mysql" -} -``` - -### NFS - -**Configuration options** - -See [Common protocol options](#common-protocol-options). - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
| long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. 
| keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.id | Unique identifier of the user. 
| keyword | - - -An example event for `nfs` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - 
"gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - "stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} -``` - -### PostgreSQL - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_rows` - -The maximum number of rows from the SQL message to publish to -Elasticsearch. The default is 10 rows. - -#### `max_row_length` - -The maximum length in bytes of a row from the SQL message to publish to -Elasticsearch. The default is 1024 bytes. - -Fields published for PostgreSQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| pgsql.error_code | The PostgreSQL error code. | keyword | -| pgsql.error_message | The PostgreSQL error message. | keyword | -| pgsql.error_severity | The PostgreSQL error severity. | keyword | -| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long | -| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. 
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `pgsql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} -``` - -### Redis - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `queue_max_bytes` and `queue_max_messages` - -store requests in memory until a response is received. These settings -impose a limit on the number of bytes (`queue_max_bytes`) and number of -requests (`queue_max_messages`) that can be stored. These limits are -per-connection. The default is to queue up to 1MB or 20.000 requests per -connection, which allows to use request pipelining while at the same -time limiting the amount of memory consumed by replication sessions. - -Fields published for Redis packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. 
| keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. 
| keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword |
-| redis.return_value | The return value of the Redis command in a human readable format. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `redis` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": 
"docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} -``` - -### SIP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `parse_authorization` - -If set to true Network Packet Capture will parse the authorization headers -and include them in events. The default is true. - -#### `parse_body` - -If set to true, Network Packet Capture parses the SIP body when the body -contains Session Description Protocol data. The default is true. - -Fields published for SIP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. 
| date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| sip.accept | Accept header value. | keyword |
-| sip.allow | Allowed methods. | keyword |
-| sip.auth.realm | Auth realm | keyword |
-| sip.auth.scheme | Auth scheme | keyword |
-| sip.auth.uri.host | Auth URI host | keyword |
-| sip.auth.uri.original | Auth original URI | keyword |
-| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. 
| text | -| sip.auth.uri.port | Auth URI port | long | -| sip.auth.uri.scheme | Auth URI scheme | keyword | -| sip.call_id | Call ID. | keyword | -| sip.code | Response status code. | long | -| sip.contact.display_info | Contact display info | keyword | -| sip.contact.expires | Contact expires | keyword | -| sip.contact.line | Contact line | keyword | -| sip.contact.q | Contact Q | keyword | -| sip.contact.transport | Contact transport | keyword | -| sip.contact.uri.host | Contact URI host | keyword | -| sip.contact.uri.original | Contact original URI | keyword | -| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. | text | -| sip.contact.uri.port | Contact URI port | long | -| sip.contact.uri.scheme | Contat URI scheme | keyword | -| sip.contact.uri.username | Contact URI user name | keyword | -| sip.content_length | | long | -| sip.content_type | | keyword | -| sip.cseq.code | Sequence code. | long | -| sip.cseq.method | Sequence method. | keyword | -| sip.from.display_info | From display info | keyword | -| sip.from.tag | From tag | keyword | -| sip.from.uri.host | From URI host | keyword | -| sip.from.uri.original | From original URI | keyword | -| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text | -| sip.from.uri.port | From URI port | long | -| sip.from.uri.scheme | From URI scheme | keyword | -| sip.from.uri.username | From URI user name | keyword | -| sip.max_forwards | | long | -| sip.method | Request method. | keyword | -| sip.private.uri.host | Private URI host. | keyword | -| sip.private.uri.original | Private original URI. | keyword | -| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text | -| sip.private.uri.port | Private URI port. | long | -| sip.private.uri.scheme | Private URI scheme. | keyword | -| sip.private.uri.username | Private URI user name. 
| keyword | -| sip.sdp.body.original | SDP original body | keyword | -| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text | -| sip.sdp.connection.address | SDP connection address | keyword | -| sip.sdp.connection.info | SDP connection info | keyword | -| sip.sdp.owner.ip | SDP owner IP | ip | -| sip.sdp.owner.session_id | SDP owner session ID | keyword | -| sip.sdp.owner.username | SDP owner user name | keyword | -| sip.sdp.owner.version | SDP owner version | keyword | -| sip.sdp.session.name | SDP session name | keyword | -| sip.sdp.version | SDP version | keyword | -| sip.status | Response status phrase. | keyword | -| sip.supported | Supported methods. | keyword | -| sip.to.display_info | To display info | keyword | -| sip.to.tag | To tag | keyword | -| sip.to.uri.host | To URI host | keyword | -| sip.to.uri.original | To original URI | keyword | -| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text | -| sip.to.uri.port | To URI port | long | -| sip.to.uri.scheme | To URI scheme | keyword | -| sip.to.uri.username | To URI user name | keyword | -| sip.type | Either request or response. | keyword | -| sip.uri.host | The URI host. | keyword | -| sip.uri.original | The original URI. | keyword | -| sip.uri.original.text | Multi-field of `sip.uri.original`. | text | -| sip.uri.port | The URI port. | long | -| sip.uri.scheme | The URI scheme. | keyword | -| sip.uri.username | The URI user name. | keyword | -| sip.user_agent.original | | keyword | -| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text | -| sip.version | SIP protocol version. | keyword | -| sip.via.original | The original Via value. | keyword | -| sip.via.original.text | Multi-field of `sip.via.original`. | text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -An example event for `sip` looks as following: - -```json -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - "direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": 
"sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} -``` - -### Thrift - -[Apache Thrift](https://thrift.apache.org/) is a communication protocol -and RPC framework initially created at Facebook. It is sometimes used in -[microservices](http://martinfowler.com/articles/microservices.html) -architectures because it provides better performance when compared to -the more obvious HTTP/RESTful API choice, while still supporting a wide -range of programming languages and frameworks. - -Network Packet Capture works based on a copy of the traffic, which means that you -get performance management features without having to modify your -services in any way and without any latency overhead. Network Packet Capture -captures the transactions from the network and indexes them in -Elasticsearch so that they can be analyzed and searched. - -Network Packet Capture indexes the method, parameters, return value, and exceptions -of each Thrift-RPC call. You can search by and create statistics based -on any of these fields. Network Packet Capture automatically fills in the `status` -column with either `OK` or `Error`, so it’s easy to find the problematic -RPC calls. A transaction is put into the `Error` state if it returned an -exception. - -Network Packet Capture also indexes the `event.duration` field so you can get -performance analytics and find the slow RPC calls. - -Thrift supports multiple [transport and protocol -types](http://en.wikipedia.org/wiki/Apache_Thrift). Currently Network Packet Capture -supports the default `TSocket` transport as well as the `TFramed` -transport. From the protocol point of view, Network Packet Capture currently -supports only the default `TBinary` protocol. 
- -Network Packet Capture also has several configuration options that allow you to get -the right balance between visibility, disk usage, and data protection. -You can, for example, choose to obfuscate all strings or to store the -requests but not the responses, while still capturing the response time -for each of the RPC calls. You can also choose to limit the size of -strings and lists to a given number of elements, so you can fine tune -how much data you want to have stored in Elasticsearch. - -The Thrift protocol has several specific configuration options. - -Providing the Thrift IDL files to Network Packet Capture is optional. The binary -Thrift messages include the called method name and enough structural -information to decode the messages without needing the IDL files. -However, if you provide the IDL files, Network Packet Capture can also resolve the -service name, arguments, and exception names. - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `transport_type` - -The Thrift transport type. Currently this option accepts the values -`socket` for TSocket, which is the default Thrift transport, and -`framed` for the TFramed Thrift transport. The default is `socket`. - -#### `protocol_type` - -The Thrift protocol type. Currently the only accepted value is `binary` -for the TBinary protocol, which is the default Thrift protocol. - -#### `idl_files` - -The Thrift interface description language (IDL) files for the service -that Network Packet Capture is monitoring. Providing the IDL files is optional, -because the Thrift messages contain enough information to decode them -without having the IDL files. However, providing the IDL enables -Network Packet Capture to include parameter and exception names. - -#### `string_max_size` - -The maximum length for strings in parameters or return values. If a -string is longer than this value, the string is automatically truncated -to this length. 
Network Packet Capture adds dots at the end of the string to mark -that it was truncated. The default is 200. - -#### `collection_max_size` - -The maximum number of elements in a Thrift list, set, map, or structure. -If a collection has more elements than this value, Network Packet Capture captures -only the specified number of elements. Network Packet Capture adds a fictive last -element `...` to the end of the collection to mark that it was -truncated. The default is 15. - -#### `capture_reply` - -If this option is set to false, Network Packet Capture decodes the method name from -the reply and simply skips the rest of the response message. This -setting can be useful for performance, disk usage, or data retention -reasons. The default is true. - -#### `obfuscate_strings` - -If this option is set to true, Network Packet Capture replaces all strings found in -method parameters, return codes, or exception structures with the `"*"` -string. - -#### `drop_after_n_struct_fields` - -The maximum number of fields that a structure can have before Network Packet Capture -ignores the whole transaction. This is a memory protection mechanism (so -that Network Packet Capture’s memory doesn’t grow indefinitely), so you would -typically set this to a relatively high value. The default is 500. - -Fields published for Thrift packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. 
| date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. 
| long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword | -| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword | -| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. | keyword | -| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `thrift` looks as following: - -```json -{ - "@timestamp": "2022-05-23T10:59:35.668Z", - "agent": { - "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1275700, - "end": "2022-05-23T10:59:35.669Z", - "ingested": "2022-05-23T10:59:36Z", - "kind": "event", - "start": "2022-05-23T10:59:35.668Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} -``` 
- -### TLS - -TLS is a cryptographic protocol that provides secure communications on -top of an existing application protocol, like HTTP or MySQL. - -Network Packet Capture intercepts the initial handshake in a TLS connection and -extracts useful information that helps operators diagnose problems and -strengthen the security of their network and systems. It does not -decrypt any information from the encapsulated protocol, nor does it -reveal any sensitive information such as cryptographic keys. TLS -versions 1.0 to 1.3 are supported. - -It works by intercepting the client and server "hello" messages, which -contain the negotiated parameters for the connection such as -cryptographic ciphers and protocol versions. It can also intercept TLS -alerts, which are sent by one of the parties to signal a problem with -the negotiation, such as an expired certificate or a cryptographic -error. - -Detailed information that is not defined in ECS is added under the -`tls.detailed` key. The [`include_detailed_fields`](#include_detailed_fields) configuration flag -is used to control whether this information is exported. - -The fields under `tls.detailed.client_hello` contain the algorithms and -extensions supported by the client, as well as the maximum TLS version -it supports. - -Fields under `tls.detailed.server_hello` contain the final settings for -the TLS session: The selected cipher, compression method, TLS version to -use and other extensions such as application layer protocol negotiation -(ALPN). - -**Configuration options** - -The `send_certificates` and `include_detailed_fields` settings are -useful for limiting the amount of data Network Packet Capture indexes, as multiple -certificates are usually exchanged in a single transaction, and those -can take a considerable amount of storage. - -Also see [Common protocol options](#common-protocol-options). 
- -#### `send_certificates` - -This setting causes information about the certificates presented by the -client and server to be included in the detailed fields. The server’s -certificate is indexed under `tls.detailed.server_certificate` and its -certification chain under `tls.detailed.server_certificate_chain`. For -the client, the `client_certificate` and `client_certificate_chain` -fields are used. The default is true. - -#### `include_raw_certificates` - -You can set `include_raw_certificates` to include the raw certificate -chains encoded in PEM format, under the `tls.server.certificate_chain` -and `tls.client.certificate_chain` fields. The default is false. - -#### `include_detailed_fields` - -Controls whether the [https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-tls_detailed.html](#exported-fields-tls_detailed) are added to exported documents. When -set to false, only [ECS TLS](https://www.elastic.co/guide/en/ecs/8.2/ecs-tls.html) fields are included. -exported are included. The default is `true`. - -#### `fingerprints` - -Defines a list of hash algorithms to calculate the certificate’s -fingerprints. Valid values are `sha1`, `sha256` and `md5`. - -The default is to output SHA-1 fingerprints. - -Fields published for TLS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. 
| date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. 
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword | -| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date | -| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | -| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. 
| keyword | -| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.country | List of country (C) codes | keyword | -| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.locality | List of locality names (L) | keyword | -| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.client.x509.public_key_size | The size of the public key space in bits. | long | -| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country (C) code | keyword | -| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.version_number | Version of x509 format. | keyword | -| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | -| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword | -| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array | -| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean | -| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword | -| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword | -| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword | -| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword | -| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. 
| keyword | -| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures. | keyword | -| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short | -| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short | -| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword | -| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword | -| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword | -| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | -| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | -| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword | -| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword | -| tls.detailed.ocsp_response | The result of an OCSP request. | keyword | -| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword | -| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array | -| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. 
| keyword | -| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword | -| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword | -| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword | -| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean | -| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword | -| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | -| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword | -| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | -| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword | -| tls.detailed.version | The version of the TLS protocol used. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
| boolean | -| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword | -| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
| keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country (C) codes | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.server.x509.public_key_size | The size of the public key space in bits. | long | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. 
| keyword | -| tls.server.x509.subject.country | List of country (C) code | keyword | -| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.version_number | Version of x509 format. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `tls` looks as following: - -```json -{ - "@timestamp": "2022-05-23T11:01:14.376Z", - "agent": { - "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "192.168.1.35", - "port": 59455 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 365887700, - "end": "2022-05-23T11:01:14.741Z", - "ingested": "2022-05-23T11:01:17Z", - "kind": "event", - "start": "2022-05-23T11:01:14.376Z", - "type": [ - "connection", - "protocol" - ] 
- }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.35", - "93.184.216.34" - ] - }, - "server": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "source": { - "ip": "192.168.1.35", - "port": 59455 - }, - "status": "OK", - "tls": { - "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "client": { - "ja3": "e6573e91e6eb777c0933c5b8f97f10cd", - "server_name": "example.net", - "supported_ciphers": [ - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "(unknown:0xff85)", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_GOSTR341001_WITH_28147_CNT_IMIT", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - 
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "example.net" - ], - "signature_algorithms": [ - "rsa_pkcs1_sha512", - "ecdsa_secp521r1_sha512", - "(unknown:0xefef)", - "rsa_pkcs1_sha384", - "ecdsa_secp384r1_sha384", - "rsa_pkcs1_sha256", - "ecdsa_secp256r1_sha256", - "(unknown:0xeeee)", - "(unknown:0xeded)", - "(unknown:0x0301)", - "(unknown:0x0303)", - "rsa_pkcs1_sha1", - "ecdsa_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1" - ] - }, - "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "server_certificate_chain": [ - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2023-03-08T12:00:00.000Z", - "not_before": "2013-03-08T12:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - 
"serial_number": "2646203786665923649276728595390119057", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "version_number": 3 - }, - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2031-11-10T00:00:00.000Z", - "not_before": "2006-11-10T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "10944719598952040374951832963794454346", - "signature_algorithm": "SHA1-RSA", - "subject": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "version_number": 3 - } - ], - "server_hello": { - "extensions": { - "_unparsed_": [ - "renegotiation_info", - "server_name_indication" - ], - "application_layer_protocol_negotiation": [ - "h2" - ], - "ec_points_formats": [ - "uncompressed", - "ansiX962_compressed_prime", - "ansiX962_compressed_char2" - ] - }, - "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", - "selected_compression_method": "NULL", - "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", - "version": "3.3" - }, - "version": "TLS 1.2" - }, - "established": true, - "next_protocol": "h2", - "resumed": false, - "server": { - "hash": { - "sha1": "7BB698386970363D2919CC5772846984FFD4A889" - }, - "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "subject": 
"CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "x509": { - "alternative_names": [ - "www.example.org", - "example.com", - "example.edu", - "example.net", - "example.org", - "www.example.com", - "www.example.edu", - "www.example.net" - ], - "issuer": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "21020869104500376438182461249190639870", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "www.example.org", - "country": "US", - "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "locality": "Los Angeles", - "organization": "Internet Corporation for Assigned Names and Numbers", - "organizational_unit": "Technology", - "state_or_province": "California" - }, - "version_number": "3" - } - }, - "version": "1.2", - "version_protocol": "tls" - }, - "type": "tls" -} -``` - -## Licensing for Windows Systems - -The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 16f534dd5e..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Overview of DNS request and response metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-dns-query-summary", - "name": 
"panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-dns-request-status-over-time", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-dns-question-types", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dns-top-10-questions", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-dns-response-codes", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 7562508a09..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "DHCPv4 Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - 
"dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-cassandra.json deleted file mode 100755 index 489417c609..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-cassandra.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-requests-per-minute", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-rpc-errors", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-thrift-rpc-methods", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-methods", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-tls-sessions.json deleted file mode 100755 index 876601f994..0000000000 --- a/packages/network_traffic/1.3.0/kibana/dashboard/network_traffic-tls-sessions.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 67be55b24a..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Fingerprint", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index 6d16385a7d..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] HTTP Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 438de0c09a..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Handshake Latency", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index b2320634bf..0000000000 
--- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Server Public Key Size", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json deleted file mode 100755 index 7851d8f875..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Server Name Indication", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json deleted file mode 100755 index 44b4e814c2..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dhcpv4.transaction_id", - "dhcpv4.op_code", - "dhcpv4.option.message_type", - "source.ip", - "destination.ip", - "dhcpv4.client_mac", - "dhcpv4.option.hostname", - "dhcpv4.option.class_identifier" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json deleted file mode 100755 index 48114ab869..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Version", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-cassandra-queryview.json deleted file mode 100755 index 4da4785f32..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-cassandra-queryview.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json deleted file mode 100755 index 54ccb16243..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "type", - "event.start", - "event.end", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.bytes", - "destination.bytes" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Flows Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json deleted file mode 100755 index f3f1e907c0..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-nfs.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-nfs.json deleted file mode 100755 index 637ab8785a..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-nfs.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-pgsql-errors.json deleted file mode 100755 index e1e696c06b..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-search.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/1.3.0/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/1.3.0/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json
deleted file mode 100755
index 3d5fc5d68c..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index a9a6b6d585..0000000000 
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Versions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json deleted file mode 100755 index 5c709d21ab..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Client Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 238ff5fe1b..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Session Resume", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index 28758eb761..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Message Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json deleted file mode 100755 index dfd0b9c2df..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Cipher", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json deleted file mode 100755 index 69216a897d..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json
deleted file mode 100755
index e347b89b8e..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 27390bc2a6..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" - }, - "title": "[Network Packet Capture] DHCPv4 Message Types over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 23e4ad24db..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Client Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index e100d4e38f..0000000000 
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Name Indication", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 204f509a93..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Fingerprint", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index c8ca05e364..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Public Key Size", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 7d805b99d1..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json
deleted file mode 100755
index 6b89c0127d..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Bytes Transferred per Domain", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bytes-transferred-per-domain", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json deleted file mode 100755 index 1b5f21f993..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json deleted file mode 100755 index 9e1ebf6056..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json deleted file mode 100755 index 17a71a0e30..0000000000 
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json deleted file mode 100755 index ee9d47e2f6..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsetime.json deleted file mode 100755 index 152ebf53ef..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsetime.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Transaction Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 856211710f..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" - }, - "title": "[Network Packet Capture] Top Domains by Data Volume", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-query-summary.json deleted file mode 100755 index 1898c984d8..0000000000 
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-query-summary.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Query Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-query-summary", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-question-types.json deleted file mode 100755 index b2a975b430..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-question-types.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Question Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-question-types", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-request-status-over-time.json deleted file mode 100755 index 53c1b991c8..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-request-status-over-time.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-top-10-questions.json deleted file mode 100755 index d86db94a8d..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-dns-top-10-questions.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-error-codes-evolution.json deleted file mode 100755 index 479733a2af..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-error-codes-evolution.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-latency-histogram.json
deleted file mode 100755
index 34aa0f3d11..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-latency-histogram.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-commands.json
deleted file mode 100755
index 87474df326..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-commands.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mongodb-commands",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mongodb-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json
deleted file mode 100755
index ea23f3560f..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mongodb-errors-per-collection",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-errors.json
deleted file mode 100755
index 183ec66ef3..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-errors.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mongodb-errors",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json
deleted file mode 100755
index 74b8a6fd64..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mongodb-in-slash-out-throughput",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mongodb-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json
deleted file mode 100755
index 0346b7b1cd..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mongodb-response-times-by-collection",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mongodb-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json
deleted file mode 100755
index 08c27fcecf..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Most frequent MySQL queries",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-most-frequent-mysql-queries",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json
deleted file mode 100755
index 6ddc08eafb..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Most frequent PgSQL queries",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-most-frequent-pgsql-queries",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-errors.json
deleted file mode 100755
index 25ded66860..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-errors.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mysql-errors",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-errors",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-methods.json
deleted file mode 100755
index 34e609f25b..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-methods.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mysql-methods",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json
deleted file mode 100755
index 4fece54090..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Mysql response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-throughput.json deleted file mode 100755 index fd67a3b714..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-mysql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-navigation.json deleted file mode 100755 index 958a4a7a7c..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-navigation.json +++ /dev/null 
@@ -1,19 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "[Network Packet Capture] Navigation",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-navigation",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json
deleted file mode 100755
index 292355bbdf..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Traffic Between Hosts",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-network-traffic-between-your-hosts",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-flows-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json
deleted file mode 100755
index 8b550d78cf..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS Request / Response Sizes", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-bytes-in-slash-out", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json deleted file mode 100755 index 4272f7571e..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS clients pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-clients-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-errors.json
deleted file mode 100755
index f407f4153d..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-errors.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-errors-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-operation-table.json deleted file mode 100755 index 56e28320c1..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-operation-table.json +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS operation table",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-operation-table",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json
deleted file mode 100755
index 56cb538f8f..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS operations area chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-operations-area-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-response-times.json
deleted file mode 100755
index 2ffaacd816..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-response-times.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS response times", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-response-times", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json deleted file mode 100755 index c1b2816c13..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS top group pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-top-group-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json
deleted file mode 100755
index 543bfe7058..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS top users pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-top-users-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json
deleted file mode 100755
index 770c776e13..0000000000
--- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-errors.json deleted file mode 100755 index 88a19443ff..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-methods.json deleted file mode 100755 index e49215022c..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json deleted file mode 100755 index 60be8776dd..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json deleted file mode 100755 index 66eb8b3b8b..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-throughput.json deleted file mode 100755 index aba4ebafd0..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-pgsql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-response-times-percentiles.json deleted file mode 100755 index f43cfc0233..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-response-times-repartition.json deleted file mode 100755 index 2271bdb9a7..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-response-times-repartition.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-repartition", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-mysql-queries.json deleted file mode 100755 index 9194c62aaa..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest MySQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json deleted file mode 100755 index ce2d661459..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest PgSQL Queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json deleted file mode 100755 index 777f4d7abe..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest Thrift RPC methods", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json deleted file mode 100755 index e9dee7461a..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift requests per minute", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-requests-per-minute", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json deleted file mode 100755 index 835ee06280..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-rpc-errors.json deleted file mode 100755 index 37e3e901fc..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-thrift-rpc-errors.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift RPC Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-rpc-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-10-http-requests.json deleted file mode 100755 index bb5c71dbfe..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-10-http-requests.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top 10 HTTP requests", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-10-http-requests", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json deleted file mode 100755 index 842f9f29ec..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/1.3.0/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.0/manifest.yml b/packages/network_traffic/1.3.0/manifest.yml
deleted file mode 100755
index 4fab59a91c..0000000000
--- a/packages/network_traffic/1.3.0/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: network_traffic
-title: Network Packet Capture
-version: 1.3.0
-license: basic
-description: Capture and analyze network traffic from a host with Elastic Agent.
-type: integration
-categories:
- - web
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-policy_templates:
- - name: network
- title: Network Packet Capture
- description: Capture network traffic
- inputs:
- - type: packet
- title: Capture network traffic
- description: Collecting network traffic
- vars:
- - name: interface
- type: text
- title: Interface
- required: false
- show_user: false
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/network_traffic/1.3.1/changelog.yml b/packages/network_traffic/1.3.1/changelog.yml
deleted file mode 100755
index 657af52ffe..0000000000
--- a/packages/network_traffic/1.3.1/changelog.yml
+++ /dev/null
@@ -1,154 +0,0 @@
-# newer versions go on top
-- version: "1.3.1"
- changes:
- - description: Fix doc build
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3530
-- version: "1.3.0"
- changes:
- - description: Add JA3/JA3S to `related.hash`
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3440
-- version: "1.2.0"
- changes:
- - description: Add option to monitor processes.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3456
-- version: "1.1.0"
- changes:
- - description: Add configuration documentation.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3371
-- version: "1.0.2"
- changes:
- - description: Remove invalid value from `event.category` for TLS and Thrift
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3409
-- version: "1.0.1"
- changes:
- - description: Remove invalid value from `event.category`.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3384
-- version: "1.0.0"
- changes:
- - description: Release as GA.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3355
-- version: "0.10.1"
- changes:
- - description: Remove invalid value from `event.category` in SIP data set.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3343
-- version: "0.10.0"
- changes:
- - description: Add configuration options for each protocol.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3157
-- version: "0.9.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "0.8.2"
- changes:
- - description: Add missing field mappings to DNS and TLS data streams.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3078
-- version: "0.8.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.8.0"
- changes:
- - description: Change release stability to beta.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2793
-- version: "0.7.1"
- changes:
- - description: Fix mapping for tls.detailed.client_certificate_chain.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2793
-- version: "0.7.0"
- changes:
- - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2762
-- version: "0.6.3"
- changes:
- - description: Add license note to README.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2809
-- version: "0.6.2"
- changes:
- - description: Add fields for TLS random data and OCSP status.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2703
-- version: "0.6.1"
- changes:
- - description: Remove unused field metadata.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2648
-- version: "0.6.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2426
-- version: "0.5.1"
- changes:
- - description: Fix mapping for tls.detailed.server_certificate_chain
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2517
-- version: "0.5.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2224
-- version: "0.4.2"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2097
-- version: "0.4.1"
- changes:
- - description: Update Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1997
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1975
-- version: "0.4.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1669
-- version: "0.3.0"
- changes:
- - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1764
-- version: "0.2.2"
- changes:
- - description: Requires version 7.14.1 of the stack
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1541
-- version: "0.2.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.2.0"
- changes:
- - description: Update documentation to fit mdx spec
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1401
-- version: "0.1.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/21
diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/1.3.1/data_stream/amqp/agent/stream/amqp.yml.hbs
deleted file mode 100755
index e22e20e774..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/amqp/agent/stream/amqp.yml.hbs
+++ /dev/null
@@ -1,53 +0,0 @@
-type: amqp
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_body_length}}
-max_body_length: {{max_body_length}}
-{{/if}}
-{{#if parse_headers}}
-parse_headers: {{parse_headers}}
-{{/if}}
-{{#if parse_arguments}}
-parse_arguments: {{parse_arguments}}
-{{/if}}
-{{#if hide_connection_information}}
-hide_connection_information: {{hide_connection_information}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index dd8f95ef44..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing amqp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/amqp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/amqp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/amqp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/amqp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/amqp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/amqp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- name: amqp - type: group - fields: - - name: reply-code - type: long - description: > - AMQP reply code to an error, similar to http reply-code - - example: 404 - - name: reply-text - type: keyword - description: > - Text explaining the error. - - - name: class-id - type: long - description: > - Failing method class. - - - name: method-id - type: long - description: > - Failing method ID. - - - name: exchange - type: keyword - description: > - Name of the exchange. - - - name: exchange-type - type: keyword - description: > - Exchange type. - - example: fanout - - name: passive - type: boolean - description: > - If set, do not create exchange/queue. - - - name: durable - type: boolean - description: > - If set, request a durable exchange/queue. - - - name: exclusive - type: boolean - description: > - If set, request an exclusive queue. - - - name: auto-delete - type: boolean - description: > - If set, auto-delete queue when unused. - - - name: no-wait - type: boolean - description: > - If set, the server will not respond to the method. - - - name: consumer-tag - type: keyword - description: > - Identifier for the consumer, valid within the current channel. - - - name: delivery-tag - type: long - description: > - The server-assigned and channel-specific delivery tag. - - - name: message-count - type: long - description: > - The number of messages in the queue, which will be zero for newly-declared queues. - - - name: consumer-count - type: long - description: > - The number of consumers of a queue. - - - name: routing-key - type: keyword - description: > - Message routing key. - - - name: no-ack - type: boolean - description: > - If set, the server does not expect acknowledgements for messages. - - - name: no-local - type: boolean - description: > - If set, the server will not send messages to the connection that published them. - - - name: if-unused - type: boolean - description: > - Delete only if unused. 
- - - name: if-empty - type: boolean - description: > - Delete only if empty. - - - name: queue - type: keyword - description: > - The queue name identifies the queue within the vhost. - - - name: redelivered - type: boolean - description: > - Indicates that the message has been previously delivered to this or another client. - - - name: multiple - type: boolean - description: > - Acknowledge multiple messages. - - - name: arguments - type: object - description: > - Optional additional arguments passed to some methods. Can be of various types. - - - name: mandatory - type: boolean - description: > - Indicates mandatory routing. - - - name: immediate - type: boolean - description: > - Request immediate delivery. - - - name: content-type - type: keyword - description: > - MIME content type. - - example: text/plain - - name: content-encoding - type: keyword - description: > - MIME content encoding. - - - name: headers - type: object - object_type: keyword - description: > - Message header field table. - - - name: delivery-mode - type: keyword - description: > - Non-persistent (1) or persistent (2). - - - name: priority - type: long - description: > - Message priority, 0 to 9. - - - name: correlation-id - type: keyword - description: > - Application correlation identifier. - - - name: reply-to - type: keyword - description: > - Address to reply to. - - - name: expiration - type: keyword - description: > - Message expiration specification. - - - name: message-id - type: keyword - description: > - Application message identifier. - - - name: timestamp - type: keyword - description: > - Message timestamp. - - - name: type - type: keyword - description: > - Message type name. - - - name: user-id - type: keyword - description: > - Creating user id. - - - name: app-id - type: keyword - description: > - Creating application id. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/manifest.yml b/packages/network_traffic/1.3.1/data_stream/amqp/manifest.yml
deleted file mode 100755
index a94af8b08b..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/amqp/manifest.yml
+++ /dev/null
@@ -1,114 +0,0 @@
-title: AMQP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5672]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: max_body_length
- type: integer
- title: Max Body Length
- description: |-
- Truncate messages that are published and avoid huge messages being
- indexed.
- Default: 1000
- show_user: false
- multi: false
- required: false
- - name: parse_headers
- type: bool
- title: Parse Headers
- description: |-
- Hide the header fields in header frames.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: parse_arguments
- type: bool
- title: Parse Arguments
- description: |-
- Hide the additional arguments of method frames.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: hide_connection_information
- type: bool
- title: Hide Connection Information
- description: |-
- Hide all methods relative to connection negotiation between server and
- client.
- Default: true
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: AMQP
- description: Capture AMQP Traffic
- template_path: amqp.yml.hbs
diff --git a/packages/network_traffic/1.3.1/data_stream/amqp/sample_event.json b/packages/network_traffic/1.3.1/data_stream/amqp/sample_event.json
deleted file mode 100755
index 9ef02f389f..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/amqp/sample_event.json
+++ /dev/null
@@ -1,107 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:37:02.033Z",
- "agent": {
- "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "amqp": {
- "auto-delete": false,
- "consumer-count": 0,
- "durable": false,
- "exclusive": false,
- "message-count": 0,
- "no-wait": false,
- "passive": false,
- "queue": "hello"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 34222
- },
- "data_stream": {
- "dataset": "network_traffic.amqp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 26,
- "ip": "127.0.0.1",
- "port": 5672
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "amqp.queue.declare",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.amqp",
- "duration": 1325900,
- "end": "2022-03-09T07:37:02.035Z",
- "ingested": "2022-03-09T07:37:03Z",
- "kind": "event",
- "start": "2022-03-09T07:37:02.033Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "queue.declare",
- "network": {
- "bytes": 51,
- "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=",
- "direction": "ingress",
- "protocol": "amqp",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 26,
- "ip": "127.0.0.1",
- "port": 5672
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 34222
- },
- "status": "OK",
- "type": "amqp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/1.3.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs
deleted file mode 100755
index 112bc832e8..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs
+++ /dev/null
@@ -1,53 +0,0 @@
-type: cassandra
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_request_header}}
-send_request_header: {{send_request_header}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if send_response_header}}
-send_response_header: {{send_response_header}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if compressor}}
-compressor: {{compressor}}
-{{/if}}
-{{#if ignored_ops}}
-ignored_ops:
-{{#each ignored_ops as |ignored_op|}}
- - {{ignored_op}}
-{{/each}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2860fd7f9e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing cassandra traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/cassandra/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/cassandra/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/cassandra/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/cassandra/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/cassandra/fields/protocol.yml deleted file mode 100755 index 58a2f6c12d..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/cassandra/fields/protocol.yml +++ /dev/null 
@@ -1,283 +0,0 @@ -- name: cassandra - type: group - description: Information about the Cassandra request and response. - fields: - - name: no_request - type: boolean - description: > - Indicates that there is no request because this is a PUSH message. - - - name: request - type: group - description: Cassandra request. - fields: - - name: headers - type: group - description: Cassandra request headers. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). - - name: query - type: keyword - description: The CQL query which client send to cassandra. - - name: response - type: group - description: Cassandra response. - fields: - - name: headers - type: group - description: Cassandra response headers, the structure is as same as request's header. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). 
- - name: result - type: group - description: Details about the returned result. - fields: - - name: type - type: keyword - description: Cassandra result type. - - name: rows - type: group - description: Details about the rows. - fields: - - name: num_rows - type: long - description: Representing the number of rows present in this result. - - name: meta - type: group - description: Composed of result metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: keyspace - type: keyword - description: Indicating the name of the keyspace that has been set. - - name: schema_change - type: group - description: The result to a schema_change message. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. 
- - name: name - type: keyword - description: The function/aggregate name. - - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: prepared - type: group - description: The result to a PREPARE message. - fields: - - name: prepared_id - type: keyword - description: Representing the prepared query ID. - - name: req_meta - type: group - description: This describes the request metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: resp_meta - type: group - description: This describes the metadata for the result set. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. 
- - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: supported - type: flattened - description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. - - name: authentication - type: group - description: Indicates that the server requires authentication, and which authentication mechanism to use. - fields: - - name: class - type: keyword - description: Indicates the full class name of the IAuthenticator in use - - name: warnings - type: keyword - description: The text of the warnings, only occur when Warning flag was set. - - name: event - type: group - description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to. - fields: - - name: type - type: keyword - description: Representing the event type. - - name: change - type: keyword - description: The message corresponding respectively to the type of change followed by the address of the new/removed node. - - name: host - type: keyword - description: Representing the node ip. - - name: port - type: long - description: Representing the node port. - - name: schema_change - type: group - description: The events details related to schema change. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. - - name: name - type: keyword - description: The function/aggregate name. 
- - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: error - type: group - description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. - fields: - - name: code - type: long - description: The error code of the Cassandra response. - - name: msg - type: keyword - description: The error message of the Cassandra response. - - name: type - type: keyword - description: The error type of the Cassandra response. - - name: details - type: group - description: The details of the error. - fields: - - name: read_consistency - type: keyword - description: Representing the consistency level of the query that triggered the exception. - - name: required - type: long - description: Representing the number of nodes that should be alive to respect consistency level. - - name: alive - type: long - description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). - - name: received - type: long - description: Representing the number of nodes having acknowledged the request. - - name: blockfor - type: long - description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. - - name: write_type - type: keyword - description: Describe the type of the write that timed out. - - name: data_present - type: boolean - description: It means the replica that was asked for data had responded. - - name: keyspace - type: keyword - description: The keyspace of the failed function. - - name: table - type: keyword - description: The keyspace of the failed function. - - name: stmt_id - type: keyword - description: Representing the unknown ID. - - name: num_failures - type: keyword - description: Representing the number of nodes that experience a failure while executing the request. 
- - name: function
- type: keyword
- description: The name of the failed function.
- - name: arg_types
- type: keyword
- description: One string for each argument type (as CQL type) of the failed function.
diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/manifest.yml b/packages/network_traffic/1.3.1/data_stream/cassandra/manifest.yml
deleted file mode 100755
index 1af2f7ff38..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/cassandra/manifest.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-title: Cassandra
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [9042]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`cassandra_request` field)
- is included in published events. The default is true.
- show_user: false
- multi: false
- required: false
- - name: send_request_header
- type: bool
- title: Send Request Header
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
- is included in published events. The default is true. enable `send_request` first before enable this option.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_response` field)
- is included in published events. The default is true.
- show_user: false
- multi: false
- required: false
- - name: send_response_header
- type: bool
- title: Send Response Header
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
- is included in published events. The default is true. enable `send_response` first before enable this option.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: compressor
- type: text
- title: Compressor
- description: |-
- Configures the default compression algorithm being used to uncompress compressed frames by name. Currently only `snappy` is can be configured.
- By default no compressor is configured.
- show_user: false
- multi: false
- required: false
- - name: ignored_ops
- type: text
- title: Ignored Ops
- description: This option indicates which Operator/Operators will be ignored.
- show_user: false
- multi: true
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Cassandra
- description: Capture Cassandra Traffic
- template_path: cassandra.yml.hbs
diff --git a/packages/network_traffic/1.3.1/data_stream/cassandra/sample_event.json b/packages/network_traffic/1.3.1/data_stream/cassandra/sample_event.json
deleted file mode 100755
index aa2d587c11..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/cassandra/sample_event.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:43:05.888Z",
- "agent": {
- "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "cassandra": {
- "request": {
- "headers": {
- "flags": "Default",
- "length": 98,
- "op": "QUERY",
- "stream": 49,
- "version": "4"
- },
- "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);"
- },
- "response": {
- "headers": {
- "flags": "Default",
- "length": 39,
- "op": "RESULT",
- "stream": 49,
- "version": "4"
- },
- "result": {
- "schema_change": {
- "change": "CREATED",
- "keyspace": "mykeyspace",
- "object": "users",
- "target": "TABLE"
- },
- "type": "schemaChanged"
- }
- }
- },
- "client": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "data_stream": {
- "dataset": "network_traffic.cassandra",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.cassandra",
- "duration": 131589500,
- "end": "2022-03-09T07:43:06.019Z",
- "ingested": "2022-03-09T07:43:09Z",
- "kind": "event",
- "start": "2022-03-09T07:43:05.888Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 155,
- "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=",
- "direction": "ingress",
- "protocol": "cassandra",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "source": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "status": "OK",
- "type": "cassandra"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/1.3.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
deleted file mode 100755
index d29d14891c..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-type: dhcpv4
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a0f2d285e8..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-description: Pipeline for processing dhcpv4 traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: dhcpv4.client_mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: dhcpv4.client_mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: dhcpv4.client_mac
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/protocol.yml deleted file mode 100755 index 0180691a5b..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/fields/protocol.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/1.3.1/data_stream/dhcpv4/manifest.yml deleted file mode 100755 index 164d86ca2f..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/manifest.yml +++ /dev/null @@ -1,49 +0,0 @@ -title: DHCP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [67, 68] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DHCP - description: Capture DHCP Traffic - template_path: dhcpv4.yml.hbs diff --git a/packages/network_traffic/1.3.1/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/1.3.1/data_stream/dhcpv4/sample_event.json deleted file mode 100755 index 59ab870695..0000000000 
--- a/packages/network_traffic/1.3.1/data_stream/dhcpv4/sample_event.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - "255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - 
"port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/1.3.1/data_stream/dns/agent/stream/dns.yml.hbs deleted file mode 100755 index 1c81667ce1..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/dns/agent/stream/dns.yml.hbs +++ /dev/null @@ -1,47 +0,0 @@ -type: dns -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if include_authorities}} -include_authorities: {{include_authorities}} -{{/if}} -{{#if include_additionals}} -include_additionals: {{include_additionals}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 70d49c51b6..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing dhcpv4 traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.1/data_stream/dns/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/dns/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/dns/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/dns/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/dns/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.1/data_stream/dns/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/dns/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/dns/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/dns/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/dns/fields/ecs.yml deleted file mode 100755 index e2ea6f338f..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. 
- name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.1/data_stream/dns/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/dns/fields/protocol.yml deleted file mode 100755 index 28d506b996..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/dns/fields/protocol.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: dns - type: group - fields: - - name: flags.authoritative - type: boolean - description: > - A DNS flag specifying that the responding server is an authority for the domain name used in the question. - - - name: flags.recursion_available - type: boolean - description: > - A DNS flag specifying whether recursive query support is available in the name server. - - - name: flags.recursion_desired - type: boolean - description: > - A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. - - - name: flags.authentic_data - type: boolean - description: > - A DNS flag specifying that the recursive server considers the response authentic. - - - name: flags.checking_disabled - type: boolean - description: > - A DNS flag specifying that the client disables the server signature validation of the query. - - - name: flags.truncated_response - type: boolean - description: > - A DNS flag specifying that only the first 512 bytes of the reply were returned. - - - name: question.etld_plus_one - type: keyword - description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. - example: amazon.co.uk. - - name: answers_count - type: long - description: > - The number of resource records contained in the `dns.answers` field. - - - name: authorities - type: object - description: > - An array containing a dictionary for each authority section from the answer. - - - name: authorities_count - type: long - description: > - The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. - - - name: authorities.name - type: keyword - description: The domain name to which this resource record pertains. 
- example: example.com. - - name: authorities.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: authorities.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals - type: object - description: > - An array containing a dictionary for each additional section from the answer. - - - name: additionals_count - type: long - description: > - The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. - - - name: additionals.name - type: keyword - description: The domain name to which this resource record pertains. - example: example.com. - - name: additionals.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: additionals.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals.ttl - description: > - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - type: long - - name: additionals.data - type: keyword - description: > - The data describing the resource. The meaning of this data depends on the type and class of the resource record. - - - name: opt.version - type: keyword - description: The EDNS version. - example: "0" - - name: opt.do - type: boolean - description: If set, the transaction uses DNSSEC. - - name: opt.ext_rcode - type: keyword - description: Extended response code field. - example: "BADVERS" - - name: opt.udp_size - type: long - description: Requestor's UDP payload size (in bytes). diff --git a/packages/network_traffic/1.3.1/data_stream/dns/manifest.yml b/packages/network_traffic/1.3.1/data_stream/dns/manifest.yml deleted file mode 100755 index 4cbea720eb..0000000000 
--- a/packages/network_traffic/1.3.1/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,104 +0,0 @@ -title: DNS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [53] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: include_authorities - type: bool - title: Include Authorities - description: |- - include_authorities controls whether or not the dns.authorities field - (authority resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: include_additionals - type: bool - title: Include Additionals - description: |- - include_additionals controls whether or not the dns.additionals field - (additional resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - send_request controls whether or not the stringified DNS - request messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - send_response controls whether or not the stringified DNS - response messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. 
- Default: false - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DNS - description: Capture DNS Traffic - template_path: dns.yml.hbs diff --git a/packages/network_traffic/1.3.1/data_stream/dns/sample_event.json b/packages/network_traffic/1.3.1/data_stream/dns/sample_event.json deleted file mode 100755 index 476a880555..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": "2022-03-09T07:48:43Z", - "kind": "event", - "start": 
"2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/1.3.1/data_stream/flow/agent/stream/flow.yml.hbs deleted file mode 100755 index 8089322070..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/flow/agent/stream/flow.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -type: flow -{{#if timeout}} -flows.timeout: '{{timeout}}' -{{/if}} -{{#if period}} -flows.period: '{{period}}' -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8a45c554fd..0000000000 
--- a/packages/network_traffic/1.3.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing traffic flows -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.1/data_stream/flow/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/flow/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/flow/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/flow/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/flow/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/flow/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.1/data_stream/flow/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/flow/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/flow/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/flow/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/flow/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/flow/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.1/data_stream/flow/manifest.yml b/packages/network_traffic/1.3.1/data_stream/flow/manifest.yml deleted file mode 100755 index 88301fa55b..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/flow/manifest.yml +++ /dev/null @@ -1,32 +0,0 @@ -title: Flows -release: beta -type: logs -streams: - - input: packet - title: Flows - description: Track Network Flows - template_path: flow.yml.hbs - vars: - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: period - type: text - title: Period - required: false - show_user: false - description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out. - default: '10s' - - name: timeout - type: text - title: Flow timeout - description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported. - required: false - show_user: false - default: '30s' diff --git a/packages/network_traffic/1.3.1/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/1.3.1/data_stream/http/agent/stream/http.yml.hbs deleted file mode 100755 index a9fc16e488..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/agent/stream/http.yml.hbs +++ /dev/null 
@@ -1,89 +0,0 @@ -type: http -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if hide_keywords}} -hide_keywords: -{{#each hide_keywords as |hide_keyword|}} - - {{hide_keyword}} -{{/each}} -{{/if}} -{{#if send_headers}} -send_headers: {{send_headers}} -{{/if}} -{{#if send_all_headers}} -send_all_headers: {{send_all_headers}} -{{/if}} -{{#if redact_headers}} -redact_headers: -{{#each redact_headers as |redact_header|}} - - {{redact_header}} -{{/each}} -{{/if}} -{{#if include_body_for}} -include_body_for: -{{#each include_body_for as |include_body_for_elem|}} - - {{include_body_for_elem}} -{{/each}} -{{/if}} -{{#if include_request_body_for}} -include_request_body_for: -{{#each include_request_body_for as |include_request_body_for_elem|}} - - {{include_request_body_for_elem}} -{{/each}} -{{/if}} -{{#if include_response_body_for}} -include_response_body_for: -{{#each include_response_body_for as |include_response_body_for_elem|}} - - {{include_response_body_for_elem}} -{{/each}} -{{/if}} -{{#if decode_body}} -decode_body: {{decode_body}} -{{/if}} -{{#if split_cookie}} -split_cookie: {{split_cookie}} -{{/if}} -{{#if real_ip_header}} -real_ip_header: {{real_ip_header}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if max_message_size}} -max_message_size: {{max_message_size}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} 
diff --git a/packages/network_traffic/1.3.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index e0cbf2bf88..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -description: Pipeline for processing http traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.1/data_stream/http/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/http/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/http/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/http/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.1/data_stream/http/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/http/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/http/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/http/fields/ecs.yml deleted file mode 100755 index d003c7093e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: Total size in bytes of the request (body and headers). 
- name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword 
diff --git a/packages/network_traffic/1.3.1/data_stream/http/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/http/fields/protocol.yml deleted file mode 100755 index 51b73ae344..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: http - type: group - description: Information about the HTTP request and response. - fields: - - name: request - description: HTTP request - type: group - fields: - - name: headers - type: flattened - description: > - A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. - - - name: response - description: HTTP response - type: group - fields: - - name: status_phrase - type: keyword - description: The HTTP status phrase. - example: Not Found - - name: headers - type: flattened - description: > - A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. - diff --git a/packages/network_traffic/1.3.1/data_stream/http/manifest.yml b/packages/network_traffic/1.3.1/data_stream/http/manifest.yml deleted file mode 100755 index e7f68c99df..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/manifest.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -title: HTTP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [80, 8080, 8000, 5000, 8002] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: hide_keywords - type: text - title: Hide Keywords - description: |- - Uncomment the following to hide certain parameters in URL or forms attached - to HTTP requests. The names of the parameters are case insensitive. - The value of the parameters will be replaced with the 'xxxxx' string. - This is generally useful for avoiding storing user passwords or other - sensitive information. - Only query parameters and top level form parameters are replaced. - show_user: false - multi: true - required: false - - name: send_headers - type: bool - title: Send Headers - description: |- - A list of header names to capture and send to Elasticsearch. These headers - are placed under the `headers` dictionary in the resulting JSON. - show_user: false - multi: false - required: false - - name: send_all_headers - type: bool - title: Send All Headers - description: |- - Instead of sending a white list of headers to Elasticsearch, you can send - all headers by setting this option to true. The default is false. - show_user: false - multi: false - required: false - - name: redact_headers - type: text - title: Redact Headers - description: |- - A list of headers to redact if present in the HTTP request. This will keep - the header field present, but will redact it's value to show the headers - presence. 
- show_user: false - multi: true - required: false - - name: include_body_for - type: text - title: Include Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - payload. If the request's or response's Content-Type matches any on this - list, the full body will be included under the request or response field. - show_user: false - multi: true - required: false - - name: include_request_body_for - type: text - title: Include Request Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - request payload. - show_user: false - multi: true - required: false - - name: include_response_body_for - type: text - title: Include Response Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - response payload. - show_user: false - multi: true - required: false - - name: decode_body - type: bool - title: Decode Body - description: |- - Whether the body of a request must be decoded when a content-encoding - or transfer-encoding has been applied. - show_user: false - multi: false - required: false - - name: split_cookie - type: bool - title: Split Cookie - description: |- - If the Cookie or Set-Cookie headers are sent, this option controls whether - they are split into individual values. - show_user: false - multi: false - required: false - - name: real_ip_header - type: bool - title: Real Ip Header - description: |- - The header field to extract the real IP from. This setting is useful when - you want to capture traffic behind a reverse proxy, but you want to get the - geo-location information. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. 
- show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: max_message_size - type: integer - title: Max Message Size - description: |- - Maximum message size. If an HTTP message is larger than this, it will - be trimmed to this size. Default is 10 MB. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: HTTP - description: Capture HTTP Traffic - template_path: http.yml.hbs diff --git a/packages/network_traffic/1.3.1/data_stream/http/sample_event.json b/packages/network_traffic/1.3.1/data_stream/http/sample_event.json deleted file mode 100755 index f07301394b..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/http/sample_event.json +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - 
"protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/1.3.1/data_stream/icmp/agent/stream/icmp.yml.hbs deleted file mode 100755 index 2c27e9ec06..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/icmp/agent/stream/icmp.yml.hbs +++ /dev/null @@ -1,26 +0,0 @@ -type: icmp -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1ae74a0692..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing icmp traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/icmp/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/icmp/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/icmp/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/icmp/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/icmp/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/icmp/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/icmp/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/icmp/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/icmp/fields/protocol.yml
deleted file mode 100755
index 5aef1deaf4..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/icmp/fields/protocol.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: icmp
- type: group
- fields:
- - name: version
- type: long
- description: The version of the ICMP protocol.
- possible_values:
- - 4
- - 6
- - name: request.message
- type: keyword
- description: A human readable form of the request.
- - name: request.type
- type: long
- description: The request type.
- - name: request.code
- type: long
- description: The request code.
- - name: response.message
- type: keyword
- description: A human readable form of the response.
- - name: response.type
- type: long
- description: The response type.
- - name: response.code
- type: long
- description: The response code.
diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/manifest.yml b/packages/network_traffic/1.3.1/data_stream/icmp/manifest.yml
deleted file mode 100755
index 65389d2e13..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/icmp/manifest.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-title: ICMP
-release: beta
-type: logs
-streams:
- - input: packet
- title: ICMP
- description: Capture ICMP Traffic
- template_path: icmp.yml.hbs
- vars:
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
diff --git a/packages/network_traffic/1.3.1/data_stream/icmp/sample_event.json b/packages/network_traffic/1.3.1/data_stream/icmp/sample_event.json
deleted file mode 100755
index 6dfd5d97d4..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/icmp/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/1.3.1/data_stream/memcached/agent/stream/memcached.yml.hbs
deleted file mode 100755
index fb53ef747c..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/memcached/agent/stream/memcached.yml.hbs
+++ /dev/null
@@ -1,53 +0,0 @@
-type: memcache
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parseunknown}}
-parseunknown: {{parseunknown}}
-{{/if}}
-{{#if maxvalues}}
-maxvalues: {{maxvalues}}
-{{/if}}
-{{#if maxbytespervalue}}
-maxbytespervalue: {{maxbytespervalue}}
-{{/if}}
-{{#if udptransactiontimeout}}
-udptransactiontimeout: {{udptransactiontimeout}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 79d3c2cf54..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing memcached traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/memcached/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/memcached/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/memcached/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/memcached/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/memcached/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/memcached/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/memcached/fields/ecs.yml
deleted file mode 100755
index 7638afce57..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/memcached/fields/ecs.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/memcached/fields/protocol.yml
deleted file mode 100755
index 4d1c281dde..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/memcached/fields/protocol.yml
+++ /dev/null
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
- - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). - - - name: response.stats - type: array - description: > - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/manifest.yml b/packages/network_traffic/1.3.1/data_stream/memcached/manifest.yml deleted file mode 100755 index a40b7e1c77..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/memcached/manifest.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. 
- The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. - Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs 
diff --git a/packages/network_traffic/1.3.1/data_stream/memcached/sample_event.json b/packages/network_traffic/1.3.1/data_stream/memcached/sample_event.json deleted file mode 100755 index 4b4dc284f8..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/memcached/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- "server": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "source": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "status": "OK",
- "type": "memcache"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/1.3.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs
deleted file mode 100755
index c640e07523..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs
+++ /dev/null
@@ -1,47 +0,0 @@
-type: mongodb
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_docs}}
-max_docs: {{max_docs}}
-{{/if}}
-{{#if max_doc_length}}
-max_doc_length: {{max_doc_length}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 53b9f4a0df..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mongodb traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/mongodb/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/mongodb/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/mongodb/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/mongodb/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/mongodb/fields/protocol.yml deleted file mode 100755 index a84465c61e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/mongodb/fields/protocol.yml +++ /dev/null 
@@ -1,58 +0,0 @@
-- name: mongodb
- type: group
- fields:
- - name: error
- type: keyword
- description: >
- If the MongoDB request has resulted in an error, this field contains the error message returned by the server.
-
- - name: fullCollectionName
- type: keyword
- description: >
- The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.
-
- - name: numberToSkip
- type: long
- description: >
- Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query.
-
- - name: numberToReturn
- type: long
- description: >
- The requested maximum number of documents to be returned.
-
- - name: numberReturned
- type: long
- description: >
- The number of documents in the reply.
-
- - name: startingFrom
- type: keyword
- description: >
- Where in the cursor this reply is starting.
-
- - name: query
- type: keyword
- description: >
- A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.
-
- - name: returnFieldsSelector
- type: keyword
- description: >
- A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.
-
- - name: selector
- type: keyword
- description: >
- A BSON document that specifies the query for selecting the document to update or delete.
-
- - name: update
- type: keyword
- description: >
- A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.
-
- - name: cursorId
- type: keyword
- description: >
- The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/manifest.yml b/packages/network_traffic/1.3.1/data_stream/mongodb/manifest.yml
deleted file mode 100755
index 67dbb005f5..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mongodb/manifest.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-title: MongoDB
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [27017]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: max_docs
- type: integer
- title: Max Docs
- description: |-
- The maximum number of documents from the response to index in the `response`
- field. The default is 10.
- show_user: false
- multi: false
- required: false
- - name: max_doc_length
- type: integer
- title: Max Doc Length
- description: |-
- The maximum number of characters in a single document indexed in the
- `response` field. The default is 5000. You can set this to 0 to index an
- unlimited number of characters per document.
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. 
Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MongoDB
- description: Capture MongoDB Traffic
- template_path: mongodb.yml.hbs
diff --git a/packages/network_traffic/1.3.1/data_stream/mongodb/sample_event.json b/packages/network_traffic/1.3.1/data_stream/mongodb/sample_event.json
deleted file mode 100755
index 4cfd576e4c..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mongodb/sample_event.json
+++ /dev/null
@@ -1,106 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:15:48.570Z",
- "agent": {
- "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "data_stream": {
- "dataset": "network_traffic.mongodb",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mongodb",
- "duration": 1365900,
- "end": "2022-03-09T08:15:48.571Z",
- "ingested": "2022-03-09T08:15:49Z",
- "kind": "event",
- "start": "2022-03-09T08:15:48.570Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "find",
- "mongodb": {
- "cursorId": 0,
- "fullCollectionName": "test.restaurants",
- "numberReturned": 1,
- "numberToReturn": 1,
- "numberToSkip": 0,
- "startingFrom": 0
- },
- "network": {
- "bytes": 564,
- "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=",
- "direction": "ingress",
- "protocol": "mongodb",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "test.restaurants.find().limit(1)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "test.restaurants",
- "server": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "source": {
- "bytes": 50,
- 
"ip": "127.0.0.1",
- "port": 57203
- },
- "status": "OK",
- "type": "mongodb"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/1.3.1/data_stream/mysql/agent/stream/mysql.yml.hbs
deleted file mode 100755
index ded52aaee1..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/agent/stream/mysql.yml.hbs
+++ /dev/null
@@ -1,41 +0,0 @@
-type: mysql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 23ad4ad9d5..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mysql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/mysql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/mysql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/mysql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/mysql/fields/protocol.yml
deleted file mode 100755
index 64675f8d8e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/fields/protocol.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: mysql
- type: group
- fields:
- - name: affected_rows
- type: long
- description: >
- If the MySQL command is successful, this field contains the affected number of rows of the last statement.
-
- - name: insert_id
- type: keyword
- description: >
- If the INSERT query is successful, this field contains the id of the newly inserted row.
-
- - name: num_fields
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of rows returned.
-
- - name: query
- type: keyword
- description: >
- The row mysql query as read from the transaction's request.
-
- - name: error_code
- type: long
- description: >
- The error code returned by MySQL.
-
- - name: error_message
- type: keyword
- description: >
- The error info message returned by MySQL.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/manifest.yml b/packages/network_traffic/1.3.1/data_stream/mysql/manifest.yml
deleted file mode 100755
index 1f206a34a6..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/manifest.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-title: MySQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [3306, 3307]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MySQL
- description: Capture MySQL Traffic
- template_path: mysql.yml.hbs
diff --git a/packages/network_traffic/1.3.1/data_stream/mysql/sample_event.json b/packages/network_traffic/1.3.1/data_stream/mysql/sample_event.json
deleted file mode 100755
index 2c33116053..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/mysql/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} \ No newline at end of 
file diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/1.3.1/data_stream/nfs/agent/stream/nfs.yml.hbs deleted file mode 100755 index 8212b36930..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/agent/stream/nfs.yml.hbs +++ /dev/null @@ -1,41 +0,0 @@ -type: nfs -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cd66758ed4..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing nfs traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/nfs/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/nfs/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/nfs/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/nfs/fields/ecs.yml deleted file mode 100755 index 2b26a193f9..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/fields/ecs.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. 
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/nfs/fields/protocol.yml deleted file mode 100755 index 4bcf6fecec..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/fields/protocol.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -- name: nfs - type: group - fields: - - name: version - type: long - description: NFS protocol version number. - - name: minor_version - type: long - description: NFS protocol minor version number. - - name: tag - type: keyword - description: NFS v4 COMPOUND operation tag. - - name: opcode - type: keyword - description: > - NFS operation name, or main operation name, in case of COMPOUND calls. - - - name: status - type: keyword - description: NFS operation reply status. -- name: rpc - type: group - description: ONC RPC specific event fields. - fields: - - name: xid - type: keyword - description: RPC message transaction identifier. - - name: status - type: keyword - description: RPC message reply status. - - name: auth_flavor - type: keyword - description: RPC authentication flavor. - - name: cred.uid - type: long - description: RPC caller's user id, in case of auth-unix. - - name: cred.gid - type: long - description: RPC caller's group id, in case of auth-unix. - - name: cred.gids - type: long - description: RPC caller's secondary group ids, in case of auth-unix. - - name: cred.stamp - type: long - description: Arbitrary ID which the caller machine may generate. - - name: cred.machinename - type: keyword - description: The name of the caller's machine. diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/manifest.yml b/packages/network_traffic/1.3.1/data_stream/nfs/manifest.yml deleted file mode 100755 index 2d98b08dc8..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -title: NFS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [2049] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: NFS - description: Capture NFS Traffic - template_path: nfs.yml.hbs diff --git a/packages/network_traffic/1.3.1/data_stream/nfs/sample_event.json b/packages/network_traffic/1.3.1/data_stream/nfs/sample_event.json deleted file mode 100755 index de4b4525e0..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/nfs/sample_event.json +++ /dev/null 
@@ -1,123 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - 
"stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/1.3.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs deleted file mode 100755 index 1b9acf9a22..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs +++ /dev/null @@ -1,41 +0,0 @@ -type: pgsql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7bd75120a7..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing pgsql traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/pgsql/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/pgsql/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/pgsql/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/pgsql/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/pgsql/fields/protocol.yml deleted file mode 100755 index 4fd03e12cb..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: pgsql - type: group - fields: - - name: error_code - description: The PostgreSQL error code. - type: keyword - - name: error_message - type: keyword - description: The PostgreSQL error message. - - name: error_severity - type: keyword - description: The PostgreSQL error severity. - possible_values: - - ERROR - - FATAL - - PANIC - - name: num_fields - type: long - description: > - If the SELECT query if successful, this field is set to the number of fields returned. - - - name: num_rows - type: long - description: > - If the SELECT query if successful, this field is set to the number of rows returned. - diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/manifest.yml b/packages/network_traffic/1.3.1/data_stream/pgsql/manifest.yml deleted file mode 100755 index 721877d6c7..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -title: PostgreSQL -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5432] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: PostgreSQL - description: Capture PostgreSQL Traffic - template_path: pgsql.yml.hbs diff --git a/packages/network_traffic/1.3.1/data_stream/pgsql/sample_event.json b/packages/network_traffic/1.3.1/data_stream/pgsql/sample_event.json deleted file mode 100755 index 462f734f42..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/pgsql/sample_event.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/1.3.1/data_stream/redis/agent/stream/redis.yml.hbs deleted file mode 100755 index c611b9e05d..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/agent/stream/redis.yml.hbs +++ /dev/null @@ -1,47 +0,0 @@ -type: redis -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if queue_max_bytes}} -queue_max_bytes: {{queue_max_bytes}} -{{/if}} -{{#if queue_max_messages}} -queue_max_messages: {{queue_max_messages}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a2af2349ac..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing redis traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.1/data_stream/redis/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/redis/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/redis/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/redis/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.1/data_stream/redis/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/redis/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/redis/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/redis/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.3.1/data_stream/redis/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/redis/fields/protocol.yml deleted file mode 100755 index 4982b2c2d3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/fields/protocol.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -- name: redis - type: group - fields: - - name: return_value - type: keyword - description: > - The return value of the Redis command in a human readable format. - - - name: error - type: keyword - description: > - If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. - diff --git a/packages/network_traffic/1.3.1/data_stream/redis/manifest.yml b/packages/network_traffic/1.3.1/data_stream/redis/manifest.yml deleted file mode 100755 index 4260d9a6a7..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/manifest.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -title: Redis -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [6379] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: queue_max_bytes - type: integer - title: Queue Max Bytes - description: |- - Max size for per-session message queue. This places a limit on the memory - that can be used to buffer requests and responses for correlation. 
- show_user: false - multi: false - required: false - - name: queue_max_messages - type: integer - title: Queue Max Messages - description: |- - Max number of messages for per-session message queue. This limits the number - of requests or responses that can be buffered for correlation. Set a value - large enough to allow for pipelining. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Redis - description: Capture Redis Traffic - template_path: redis.yml.hbs diff --git a/packages/network_traffic/1.3.1/data_stream/redis/sample_event.json b/packages/network_traffic/1.3.1/data_stream/redis/sample_event.json deleted file mode 100755 index 7ce644c935..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/redis/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/1.3.1/data_stream/sip/agent/stream/sip.yml.hbs deleted file mode 100755 index 01ce8f5470..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/sip/agent/stream/sip.yml.hbs +++ /dev/null @@ -1,38 +0,0 @@ -type: sip -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if parse_authorization}} -parse_authorization: {{parse_authorization}} -{{/if}} -{{#if parse_body}} -parse_body: {{parse_body}} -{{/if}} -{{#if keep_original}} -keep_original: {{keep_original}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c20207afdd..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for processing sip traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1. -- script: - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "protocol") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.1/data_stream/sip/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/sip/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/sip/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/sip/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/sip/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/sip/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.1/data_stream/sip/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/sip/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/sip/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.3.1/data_stream/sip/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/sip/fields/ecs.yml deleted file mode 100755 index c2a147238b..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/sip/fields/ecs.yml +++ /dev/null 
@@ -1,174 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. 
- name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/network_traffic/1.3.1/data_stream/sip/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/sip/fields/protocol.yml deleted file mode 100755 index 5b25d9df6d..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/sip/fields/protocol.yml +++ /dev/null 
@@ -1,231 +0,0 @@ -- name: sip - type: group - description: Information about SIP traffic. - fields: - - name: code - type: long - description: Response status code. - - name: method - type: keyword - description: Request method. - - name: status - type: keyword - description: Response status phrase. - - name: type - type: keyword - description: Either request or response. - - name: version - type: keyword - description: SIP protocol version. - - name: uri.original - type: keyword - description: The original URI. - multi_fields: - - name: text - type: text - norms: false - - name: uri.scheme - type: keyword - description: The URI scheme. - - name: uri.username - type: keyword - description: The URI user name. - - name: uri.host - type: keyword - description: The URI host. - - name: uri.port - type: long - description: The URI port. - - name: accept - type: keyword - description: Accept header value. - - name: allow - type: keyword - description: Allowed methods. - - name: call_id - type: keyword - description: Call ID. - - name: content_length - type: long - - name: content_type - type: keyword - - name: max_forwards - type: long - - name: supported - type: keyword - description: Supported methods. - - name: user_agent.original - type: keyword - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.original - type: keyword - description: Private original URI. - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.scheme - type: keyword - description: Private URI scheme. - - name: private.uri.username - type: keyword - description: Private URI user name. - - name: private.uri.host - type: keyword - description: Private URI host. - - name: private.uri.port - type: long - description: Private URI port. - - name: cseq.code - type: long - description: Sequence code. - - name: cseq.method - type: keyword - description: Sequence method. - - name: via.original - type: keyword - description: The original Via value. 
- multi_fields: - - name: text - type: text - norms: false - - name: to.display_info - type: keyword - description: "To display info" - - name: to.uri.original - type: keyword - description: "To original URI" - multi_fields: - - name: text - type: text - norms: false - - name: to.uri.scheme - type: keyword - description: "To URI scheme" - - name: to.uri.username - type: keyword - description: "To URI user name" - - name: to.uri.host - type: keyword - description: "To URI host" - - name: to.uri.port - type: long - description: "To URI port" - - name: to.tag - type: keyword - description: "To tag" - - name: from.display_info - type: keyword - description: "From display info" - - name: from.uri.original - type: keyword - description: "From original URI" - multi_fields: - - name: text - type: text - norms: false - - name: from.uri.scheme - type: keyword - description: "From URI scheme" - - name: from.uri.username - type: keyword - description: "From URI user name" - - name: from.uri.host - type: keyword - description: "From URI host" - - name: from.uri.port - type: long - description: "From URI port" - - name: from.tag - type: keyword - description: "From tag" - - name: contact.display_info - type: keyword - description: "Contact display info" - - name: contact.uri.original - type: keyword - description: "Contact original URI" - multi_fields: - - name: text - type: text - norms: false - - name: contact.uri.scheme - type: keyword - description: "Contat URI scheme" - - name: contact.uri.username - type: keyword - description: "Contact URI user name" - - name: contact.uri.host - type: keyword - description: "Contact URI host" - - name: contact.uri.port - type: long - description: "Contact URI port" - - name: contact.transport - type: keyword - description: "Contact transport" - - name: contact.line - type: keyword - description: "Contact line" - - name: contact.expires - type: keyword - description: "Contact expires" - - name: contact.q - type: keyword - description: 
"Contact Q" - - name: auth.scheme - type: keyword - description: "Auth scheme" - - name: auth.realm - type: keyword - description: "Auth realm" - - name: auth.uri.original - type: keyword - description: "Auth original URI" - multi_fields: - - name: text - type: text - norms: false - - name: auth.uri.scheme - type: keyword - description: "Auth URI scheme" - - name: auth.uri.host - type: keyword - description: "Auth URI host" - - name: auth.uri.port - type: long - description: "Auth URI port" - - name: sdp.version - type: keyword - description: "SDP version" - - name: sdp.owner.username - type: keyword - description: "SDP owner user name" - - name: sdp.owner.session_id - type: keyword - description: "SDP owner session ID" - - name: sdp.owner.version - type: keyword - description: "SDP owner version" - - name: sdp.owner.ip - type: ip - description: "SDP owner IP" - - name: sdp.session.name - type: keyword - description: "SDP session name" - - name: sdp.connection.info - type: keyword - description: "SDP connection info" - - name: sdp.connection.address - type: keyword - description: "SDP connection address" - - name: sdp.body.original - type: keyword - description: "SDP original body" - multi_fields: - - name: text - type: text - norms: false diff --git a/packages/network_traffic/1.3.1/data_stream/sip/manifest.yml b/packages/network_traffic/1.3.1/data_stream/sip/manifest.yml deleted file mode 100755 index 325149aad5..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/sip/manifest.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -title: SIP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5060] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: parse_authorization - type: bool - title: Parse Authorization - description: Parse the authorization headers - show_user: false - multi: false - required: false - - name: parse_body - type: bool - title: Parse Body - description: Parse body contents (only when body is SDP) - show_user: false - multi: false - required: false - - name: keep_original - type: bool - title: Keep Original - description: Preserve original contents in event.original - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: SIP - description: Capture SIP Traffic - template_path: sip.yml.hbs diff --git a/packages/network_traffic/1.3.1/data_stream/sip/sample_event.json b/packages/network_traffic/1.3.1/data_stream/sip/sample_event.json deleted file mode 100755 index 5a36041d5a..0000000000 
--- a/packages/network_traffic/1.3.1/data_stream/sip/sample_event.json +++ /dev/null 
@@ -1,174 +0,0 @@ -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - 
"direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/1.3.1/data_stream/thrift/agent/stream/thrift.yml.hbs deleted file mode 100755 index 5437c4f132..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/thrift/agent/stream/thrift.yml.hbs +++ /dev/null @@ -1,68 +0,0 @@ -type: thrift -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if transport_type}} -transport_type: {{transport_type}} -{{/if}} -{{#if protocol_type}} -protocol_type: {{protocol_type}} -{{/if}} -{{#if idl_files}} -idl_files: -{{#each idl_files as |idl_file|}} - - {{idl_file}} -{{/each}} -{{/if}} -{{#if string_max_size}} -string_max_size: {{string_max_size}} -{{/if}} -{{#if collection_max_size}} -collection_max_size: {{collection_max_size}} -{{/if}} -{{#if capture_reply}} -capture_reply: {{capture_reply}} -{{/if}} -{{#if obfuscate_strings}} -obfuscate_strings: {{obfuscate_strings}} -{{/if}} -{{#if drop_after_n_struct_fields}} -drop_after_n_struct_fields: {{drop_after_n_struct_fields}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if monitor_processes}} -procs: - enabled: true -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 987bedd730..0000000000 
--- a/packages/network_traffic/1.3.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- -description: Pipeline for processing thrift traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/thrift/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/thrift/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/thrift/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/thrift/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/thrift/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/thrift/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/thrift/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/thrift/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/thrift/fields/protocol.yml
deleted file mode 100755
index dd097f61ee..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/thrift/fields/protocol.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- name: thrift
- type: group
- fields:
- - name: params
- type: keyword
- description: >
- The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.
-
- - name: service
- type: keyword
- description: >
- The name of the Thrift-RPC service as defined in the IDL files.
-
- - name: return_value
- type: keyword
- description: >
- The value returned by the Thrift-RPC call. This is encoded in a human readable format.
-
- - name: exceptions
- type: keyword
- description: >
- If the call resulted in exceptions, this field contains the exceptions in a human readable format.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/manifest.yml b/packages/network_traffic/1.3.1/data_stream/thrift/manifest.yml
deleted file mode 100755
index 4429f53567..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/thrift/manifest.yml
+++ /dev/null
@@ -1,150 +0,0 @@
-title: Thrift
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [9090]
- - name: monitor_processes
- type: bool
- title: Monitor Processes
- description: |-
- If this option is enabled then network traffic events will be enriched
- with information about the process associated with the events.
- show_user: true
- multi: false
- required: false
- - name: transport_type
- type: text
- title: Transport Type
- description: |-
- The Thrift transport type. Currently this option accepts the values socket
- for TSocket, which is the default Thrift transport, and framed for the
- TFramed Thrift transport. The default is socket.
- show_user: false
- multi: false
- required: false
- - name: protocol_type
- type: text
- title: Protocol Type
- description: |-
- The Thrift protocol type. Currently the only accepted value is binary for
- the TBinary protocol, which is the default Thrift protocol.
- show_user: false
- multi: false
- required: false
- - name: idl_files
- type: text
- title: Idl Files
- description: |-
- The Thrift interface description language (IDL) files for the service that
- Packetbeat is monitoring. Providing the IDL enables Packetbeat to include
- parameter and exception names.
- show_user: false
- multi: true
- required: false
- - name: string_max_size
- type: integer
- title: String Max Size
- description: |-
- The maximum length for strings in parameters or return values. If a string
- is longer than this value, the string is automatically truncated to this
- length.
- show_user: false
- multi: false
- required: false
- - name: collection_max_size
- type: integer
- title: Collection Max Size
- description: The maximum number of elements in a Thrift list, set, map, or structure.
- show_user: false
- multi: false
- required: false
- - name: capture_reply
- type: bool
- title: Capture Reply
- description: |-
- If this option is set to false, Packetbeat decodes the method name from the
- reply and simply skips the rest of the response message.
- show_user: false
- multi: false
- required: false
- - name: obfuscate_strings
- type: bool
- title: Obfuscate Strings
- description: |-
- If this option is set to true, Packetbeat replaces all strings found in
- method parameters, return codes, or exception structures with the "*"
- string.
- show_user: false
- multi: false
- required: false
- - name: drop_after_n_struct_fields
- type: integer
- title: Drop After N Struct Fields
- description: |-
- The maximum number of fields that a structure can have before Packetbeat
- ignores the whole transaction.
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout.
Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Thrift
- description: Capture Thrift Traffic
- template_path: thrift.yml.hbs
diff --git a/packages/network_traffic/1.3.1/data_stream/thrift/sample_event.json b/packages/network_traffic/1.3.1/data_stream/thrift/sample_event.json
deleted file mode 100755
index 523e6958a6..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/thrift/sample_event.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2022-05-23T10:59:35.668Z",
- "agent": {
- "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff",
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "data_stream": {
- "dataset": "network_traffic.thrift",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.thrift",
- "duration": 1275700,
- "end": "2022-05-23T10:59:35.669Z",
- "ingested": "2022-05-23T10:59:36Z",
- "kind": "event",
- "start": "2022-05-23T10:59:35.668Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.224.7"
- ],
- "mac": [
- "02-42-C0-A8-E0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "method": "testByte",
- "network": {
- "bytes": 50,
- "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=",
- "direction": "ingress",
- "protocol": "thrift",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "",
- "query": "testByte(1: 63)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "status": "OK",
- "thrift": {
- "params": "(1: 63)",
- "return_value": "63"
- },
- "type": "thrift"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.1/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/1.3.1/data_stream/tls/agent/stream/tls.yml.hbs
deleted file mode 100755
index b4e8f496fc..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/tls/agent/stream/tls.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-type: tls
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if fingerprints}}
-fingerprints:
-{{#each fingerprints as |fingerprint|}}
- - {{fingerprint}}
-{{/each}}
-{{/if}}
-{{#if send_certificates}}
-send_certificates: {{send_certificates}}
-{{/if}}
-{{#if include_raw_certificates}}
-include_raw_certificates: {{include_raw_certificates}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if monitor_processes}}
-procs:
- enabled: true
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.3.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.3.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index af2d5a91f5..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-description: Pipeline for processing tls traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-
-##
-# Make tls.{client,server}.x509.version_number a string as per ECS.
-##
-- convert:
- field: tls.client.x509.version_number
- type: string
- ignore_missing: true
-- convert:
- field: tls.server.x509.version_number
- type: string
- ignore_missing: true
-
-##
-# This handles legacy TLS fields from Packetbeat 7.17.
-##
-- remove:
- description: Remove legacy fields from Packetbeat 7.17 that are duplicated.
- field:
- - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province.
- - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province.
- - tls.client.x509.version # Duplicated as tls.client.x509.version_number.
- - tls.detailed.client_certificate # Duplicated as tls.client.x509.
- - tls.detailed.server_certificate # Duplicated as tls.server.x509.
- - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province.
- - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province.
- - tls.server.x509.version # Duplicated as tls.server.x509.version_number.
- ignore_missing: true
-
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-- append:
- field: related.hash
- value: "{{tls.server.ja3s}}"
- if: "ctx?.tls?.server?.ja3s != null"
-- append:
- field: related.hash
- value: "{{tls.client.ja3}}"
- if: "ctx?.tls?.client?.ja3 != null"
- allow_duplicates: false
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.3.1/data_stream/tls/fields/agent.yml b/packages/network_traffic/1.3.1/data_stream/tls/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/tls/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/tls/fields/base.yml b/packages/network_traffic/1.3.1/data_stream/tls/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/tls/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.3.1/data_stream/tls/fields/beats.yml b/packages/network_traffic/1.3.1/data_stream/tls/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/tls/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.3.1/data_stream/tls/fields/ecs.yml b/packages/network_traffic/1.3.1/data_stream/tls/fields/ecs.yml
deleted file mode 100755
index d73e780eba..0000000000
--- a/packages/network_traffic/1.3.1/data_stream/tls/fields/ecs.yml
+++ /dev/null
@@ -1,371 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. 
- name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
- name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
- name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword diff --git a/packages/network_traffic/1.3.1/data_stream/tls/fields/protocol.yml b/packages/network_traffic/1.3.1/data_stream/tls/fields/protocol.yml deleted file mode 100755 index d8264468d4..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/tls/fields/protocol.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- name: tls - type: group - fields: - - name: detailed - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - - example: "TLS 1.3" - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself using a client certificate. - - - name: ocsp_response - type: keyword - description: > - The result of an OCSP request. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to communicate during this session. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string to advertise support for tickets. - - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. 
- - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: type - type: keyword - description: The type of the status request. Always "ocsp" if present. - - name: responder_id_list_length - type: short - description: The length of the list of trusted responders. - - name: request_extensions - type: short - description: The number of certificate extensions for the request. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. 
- fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: response - type: boolean - description: Whether a certificate status request response was made. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. - diff --git a/packages/network_traffic/1.3.1/data_stream/tls/manifest.yml b/packages/network_traffic/1.3.1/data_stream/tls/manifest.yml deleted file mode 100755 index 1a5c670684..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/tls/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: monitor_processes - type: bool - title: Monitor Processes - description: |- - If this option is enabled then network traffic events will be enriched - with information about the process associated with the events. - show_user: true - multi: false - required: false - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs diff --git a/packages/network_traffic/1.3.1/data_stream/tls/sample_event.json b/packages/network_traffic/1.3.1/data_stream/tls/sample_event.json deleted file mode 100755 index 6c9779651e..0000000000 --- a/packages/network_traffic/1.3.1/data_stream/tls/sample_event.json +++ /dev/null 
@@ -1,302 +0,0 @@ -{ - "@timestamp": "2022-05-23T11:01:14.376Z", - "agent": { - "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "192.168.1.35", - "port": 59455 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 365887700, - "end": "2022-05-23T11:01:14.741Z", - "ingested": "2022-05-23T11:01:17Z", - "kind": "event", - "start": "2022-05-23T11:01:14.376Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.35", - "93.184.216.34" - ] - }, - "server": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "source": { - "ip": "192.168.1.35", - "port": 59455 - }, - "status": "OK", - "tls": { - "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "client": { - "ja3": "e6573e91e6eb777c0933c5b8f97f10cd", - "server_name": "example.net", - "supported_ciphers": [ - 
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "(unknown:0xff85)", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_GOSTR341001_WITH_28147_CNT_IMIT", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "example.net" - ], - 
"signature_algorithms": [ - "rsa_pkcs1_sha512", - "ecdsa_secp521r1_sha512", - "(unknown:0xefef)", - "rsa_pkcs1_sha384", - "ecdsa_secp384r1_sha384", - "rsa_pkcs1_sha256", - "ecdsa_secp256r1_sha256", - "(unknown:0xeeee)", - "(unknown:0xeded)", - "(unknown:0x0301)", - "(unknown:0x0303)", - "rsa_pkcs1_sha1", - "ecdsa_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1" - ] - }, - "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "server_certificate_chain": [ - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2023-03-08T12:00:00.000Z", - "not_before": "2013-03-08T12:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "2646203786665923649276728595390119057", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "version_number": 3 - }, - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2031-11-10T00:00:00.000Z", - "not_before": "2006-11-10T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "10944719598952040374951832963794454346", - "signature_algorithm": "SHA1-RSA", - "subject": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - 
"organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "version_number": 3 - } - ], - "server_hello": { - "extensions": { - "_unparsed_": [ - "renegotiation_info", - "server_name_indication" - ], - "application_layer_protocol_negotiation": [ - "h2" - ], - "ec_points_formats": [ - "uncompressed", - "ansiX962_compressed_prime", - "ansiX962_compressed_char2" - ] - }, - "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", - "selected_compression_method": "NULL", - "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", - "version": "3.3" - }, - "version": "TLS 1.2" - }, - "established": true, - "next_protocol": "h2", - "resumed": false, - "server": { - "hash": { - "sha1": "7BB698386970363D2919CC5772846984FFD4A889" - }, - "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "x509": { - "alternative_names": [ - "www.example.org", - "example.com", - "example.edu", - "example.net", - "example.org", - "www.example.com", - "www.example.edu", - "www.example.net" - ], - "issuer": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "21020869104500376438182461249190639870", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "www.example.org", - "country": "US", - "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "locality": "Los Angeles", - 
"organization": "Internet Corporation for Assigned Names and Numbers", - "organizational_unit": "Technology", - "state_or_province": "California" - }, - "version_number": "3" - } - }, - "version": "1.2", - "version_protocol": "tls" - }, - "type": "tls" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/docs/README.md b/packages/network_traffic/1.3.1/docs/README.md deleted file mode 100755 index e8695e261d..0000000000 --- a/packages/network_traffic/1.3.1/docs/README.md +++ /dev/null 
@@ -1,4725 +0,0 @@
-# Network Packet Capture Integration
-
-This integration sniffs network packets on a host and dissects
-known protocols.
-
-Monitoring your network traffic is critical to gaining observability and
-securing your environment — ensuring high levels of performance and security.
-The Network Packet Capture integration captures the network traffic between
-your application servers, decodes common application layer protocols and
-records the interesting fields for each transaction.
-
-## Supported Protocols
-
-Currently, Network Packet Capture supports the following protocols:
-
-- ICMP (v4 and v6)
-- DHCP (v4)
-- DNS
-- HTTP
-- AMQP 0.9.1
-- Cassandra
-- Mysql
-- PostgreSQL
-- Redis
-- Thrift-RPC
-- MongoDB
-- Memcache
-- NFS
-- TLS
-- SIP/SDP (beta)
-
-### Common protocol options
-
-The following options are available for all protocols:
-
-#### `enabled`
-
-The enabled setting is a boolean setting to enable or disable protocols
-without having to comment out configuration sections. If set to false,
-the protocol is disabled.
-
-The default value is true.
-
-#### `ports`
-
-Exception: For ICMP the option `enabled` has to be used instead.
-
-The ports where Network Packet Capture will look to capture traffic for specific
-protocols. Network Packet Capture installs a
-[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based
-on the ports specified in this section. If a packet doesn’t match the
-filter, very little CPU is required to discard the packet. Network Packet Capture
-also uses the ports specified here to determine which parser to use for
-each packet.
-
-#### `monitor_processes`
-
-If this option is enabled then network traffic events will be enriched
-with information about the process associated with the events.
-
-The default value is false.
-
-#### `send_request`
-
-If this option is enabled, the raw message of the request (`request`
-field) is sent to Elasticsearch. The default is false. 
This option is
-useful when you want to index the whole request. Note that for HTTP, the
-body is not included by default, only the HTTP headers.
-
-#### `send_response`
-
-If this option is enabled, the raw message of the response (`response`
-field) is sent to Elasticsearch. The default is false. This option is
-useful when you want to index the whole response. Note that for HTTP,
-the body is not included by default, only the HTTP headers.
-
-#### `transaction_timeout`
-
-The per protocol transaction timeout. Expired transactions will no
-longer be correlated to incoming responses, but sent to Elasticsearch
-immediately.
-
-#### `tags`
-
-A list of tags that will be sent with the transaction event. This
-setting is optional.
-
-#### `processors`
-
-A list of processors to apply to the data generated by the protocol.
-
-#### `keep_null`
-
-If this option is set to true, fields with `null` values will be
-published in the output document. By default, `keep_null` is set to
-`false`.
-
-
-## Network Flows
-
-Overall flow information about the network connections on a
-host.
-
-You can configure Network Packet Capture to collect and report statistics
-on network flows. A *flow* is a group of packets sent over the same time
-period that share common properties, such as the same source and destination
-address and protocol. You can use this feature to analyze network
-traffic over specific protocols on your network.
-
-For each flow, Network Packet Capture reports the number of packets and the
-total number of bytes sent from the source to the destination. Each flow event
-also contains information about the source and destination hosts, such
-as their IP address. For bi-directional flows, Network Packet Capture reports
-statistics for the reverse flow.
-
-Network Packet Capture collects and reports statistics up to and including the
-transport layer.
-
-**Configuration options**
-
-You can specify the following options for capturing flows. 
-
-#### `enabled`
-
-Enables flows support if set to true. Set to false to disable network
-flows support without having to delete or comment out the flows section.
-The default value is true.
-
-#### `timeout`
-
-Timeout configures the lifetime of a flow. If no packets have been
-received for a flow within the timeout time window, the flow is killed
-and reported. The default value is 30s.
-
-#### `period`
-
-Configure the reporting interval. All flows are reported at the very
-same point in time. Periodical reporting can be disabled by setting the
-value to -1. If disabled, flows are still reported once being timed out.
-The default value is 10s.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. 
| keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
| long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). 
| ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-## Protocols
-
-### AMQP
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `max_body_length`
-
-The maximum size in bytes of the message displayed in the request or
-response fields. Messages that are bigger than the specified size are
-truncated. Use this option to avoid publishing huge messages when
-[`send_request`](#send-request-option) or
-[`send_response`](#send-response-option) is enabled. The default is
-1000 bytes.
-
-#### `parse_headers`
-
-If set to true, Network Packet Capture parses the additional arguments specified in
-the headers field of a message. Those arguments are key-value pairs that
-specify information such as the content type of the message or the
-message priority. The default is true.
-
-#### `parse_arguments`
-
-If set to true, Network Packet Capture parses the additional arguments specified in
-AMQP methods. Those arguments are key-value pairs specified by the user
-and can be of any length. The default is true.
-
-#### `hide_connection_information`
-
-If set to false, the connection layer methods of the protocol are also
-displayed, such as the opening and closing of connections and channels
-by clients, or the quality of service negotiation. The default is true.
-
-Fields published for AMQP packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| amqp.app-id | Creating application id. | keyword |
-| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object |
-| amqp.auto-delete | If set, auto-delete queue when unused. 
| boolean |
-| amqp.class-id | Failing method class. | long |
-| amqp.consumer-count | The number of consumers of a queue. | long |
-| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword |
-| amqp.content-encoding | MIME content encoding. | keyword |
-| amqp.content-type | MIME content type. | keyword |
-| amqp.correlation-id | Application correlation identifier. | keyword |
-| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword |
-| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long |
-| amqp.durable | If set, request a durable exchange/queue. | boolean |
-| amqp.exchange | Name of the exchange. | keyword |
-| amqp.exchange-type | Exchange type. | keyword |
-| amqp.exclusive | If set, request an exclusive queue. | boolean |
-| amqp.expiration | Message expiration specification. | keyword |
-| amqp.headers | Message header field table. | object |
-| amqp.if-empty | Delete only if empty. | boolean |
-| amqp.if-unused | Delete only if unused. | boolean |
-| amqp.immediate | Request immediate delivery. | boolean |
-| amqp.mandatory | Indicates mandatory routing. | boolean |
-| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long |
-| amqp.message-id | Application message identifier. | keyword |
-| amqp.method-id | Failing method ID. | long |
-| amqp.multiple | Acknowledge multiple messages. | boolean |
-| amqp.no-ack | If set, the server does not expect acknowledgements for messages. | boolean |
-| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean |
-| amqp.no-wait | If set, the server will not respond to the method. | boolean |
-| amqp.passive | If set, do not create exchange/queue. | boolean |
-| amqp.priority | Message priority, 0 to 9. | long |
-| amqp.queue | The queue name identifies the queue within the vhost. 
| keyword |
-| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean |
-| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long |
-| amqp.reply-text | Text explaining the error. | keyword |
-| amqp.reply-to | Address to reply to. | keyword |
-| amqp.routing-key | Message routing key. | keyword |
-| amqp.timestamp | Message timestamp. | keyword |
-| amqp.type | Message type name. | keyword |
-| amqp.user-id | Creating user id. | keyword |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. 
| keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
| long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). 
| ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `amqp` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:37:02.033Z",
- "agent": {
- "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "amqp": {
- "auto-delete": false,
- "consumer-count": 0,
- "durable": false,
- "exclusive": false,
- "message-count": 0,
- "no-wait": false,
- "passive": false,
- "queue": "hello"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 34222
- },
- "data_stream": {
- "dataset": "network_traffic.amqp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 26,
- "ip": "127.0.0.1",
- "port": 5672
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "amqp.queue.declare",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.amqp",
- "duration": 1325900,
- "end": "2022-03-09T07:37:02.035Z",
- "ingested": "2022-03-09T07:37:03Z",
- "kind": "event",
- "start": "2022-03-09T07:37:02.033Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)" 
- } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "status": "OK", - "type": "amqp" -} -``` - -### Cassandra - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `send_request_header` - -If this option is enabled, the raw message of the response -(`cassandra_request.request_headers` field) is sent to Elasticsearch. -The default is true. Enable `send_request` first before enabling this -option. - -#### `send_response_header` - -If this option is enabled, the raw message of the response -(`cassandra_response.response_headers` field) is included in published -events. The default is true. enable `send_response` first before enable -this option. - -#### `ignored_ops` - -This option indicates which Operator/Operators captured will be ignored. -currently support: `ERROR` ,`STARTUP` ,`READY` ,`AUTHENTICATE` -,`OPTIONS` ,`SUPPORTED` , `QUERY` ,`RESULT` ,`PREPARE` ,`EXECUTE` -,`REGISTER` ,`EVENT` , `BATCH` ,`AUTH_CHALLENGE`,`AUTH_RESPONSE` -,`AUTH_SUCCESS` . - -#### `compressor` - -Configures the default compression algorithm being used to uncompress -compressed frames by name. Currently only `snappy` is can be configured. -By default no compressor is configured. - -Fields published for Apache Cassandra packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean | -| cassandra.request.headers.flags | Flags applying to this frame. 
| keyword | -| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.request.headers.version | The version of the protocol. | keyword | -| cassandra.request.query | The CQL query which client send to cassandra. | keyword | -| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword | -| cassandra.response.error.code | The error code of the Cassandra response. | long | -| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long | -| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword | -| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long | -| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean | -| cassandra.response.error.details.function | The name of the failed function. | keyword | -| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword | -| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. 
| keyword | -| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long | -| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long | -| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword | -| cassandra.response.error.details.table | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword | -| cassandra.response.error.msg | The error message of the Cassandra response. | keyword | -| cassandra.response.error.type | The error type of the Cassandra response. | keyword | -| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. | keyword | -| cassandra.response.event.host | Representing the node ip. | keyword | -| cassandra.response.event.port | Representing the node port. | long | -| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.event.type | Representing the event type. 
| keyword | -| cassandra.response.headers.flags | Flags applying to this frame. | keyword | -| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.response.headers.version | The version of the protocol. | keyword | -| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword | -| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. | keyword | -| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. 
| long | -| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long | -| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.result.schema_change.change | Representing the type of changed involved. 
| keyword | -| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.result.type | Cassandra result type. | keyword | -| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened | -| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. | keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. 
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. 
| keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. 
| keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `cassandra` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": 
"2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 155, - "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} -``` - -### DHCP - -**Configuration options** - -See [Common protocol options](#common-protocol-options). - -Fields published for DHCPv4 packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip | -| dhcpv4.client_ip | The current IP address of the client. | ip | -| dhcpv4.client_mac | The client's MAC address (layer two). | keyword | -| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword | -| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword | -| dhcpv4.hops | The number of hops the DHCP message went through. | long | -| dhcpv4.op_code | The message op code (bootrequest or bootreply). 
| keyword | -| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword | -| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip | -| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration. | keyword | -| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip | -| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword | -| dhcpv4.option.hostname | This option specifies the name of the client. | keyword | -| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long | -| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long | -| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text | -| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). 
| keyword | -| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip | -| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword | -| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long | -| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. | long | -| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip | -| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip | -| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip | -| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip | -| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip | -| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long | -| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object | -| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip | -| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. 
| long | -| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip | -| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword | -| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dhcpv4` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - 
"255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - "port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} -``` - -### DNS - -The DNS protocol supports processing DNS messages on TCP and UDP. - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `include_authorities` - -If this option is enabled, dns.authority fields (authority resource -records) are added to DNS events. The default is false. - -#### `include_additionals` - -If this option is enabled, dns.additionals fields (additional resource -records) are added to DNS events. The default is false. - -Fields published for DNS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.additionals | An array containing a dictionary for each additional section from the answer. | object | -| dns.additionals.class | The class of DNS data contained in this resource record. | keyword | -| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.additionals.name | The domain name to which this resource record pertains. | keyword | -| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.additionals.type | The type of data contained in this resource record. | keyword | -| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. 
| long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long | -| dns.authorities | An array containing a dictionary for each authority section from the answer. | object | -| dns.authorities.class | The class of DNS data contained in this resource record. | keyword | -| dns.authorities.name | The domain name to which this resource record pertains. | keyword | -| dns.authorities.type | The type of data contained in this resource record. | keyword | -| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. 
The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean | -| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean | -| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. | boolean | -| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean | -| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean | -| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.opt.do | If set, the transaction uses DNSSEC. | boolean | -| dns.opt.ext_rcode | Extended response code field. | keyword | -| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long | -| dns.opt.version | The EDNS version. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. 
| keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. 
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": 
"2022-03-09T07:48:43Z", - "kind": "event", - "start": "2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} -``` - -### HTTP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `hide_keywords` - -A list of query parameters that Network Packet Capture will automatically censor in -the transactions that it saves. The values associated with these -parameters are replaced by `'xxxxx'`. By default, no changes are made to -the HTTP messages. - -Network Packet Capture has this option because, unlike SQL traffic, which typically -only contains the hashes of the passwords, HTTP traffic may contain -sensitive data. To reduce security risks, you can configure this option -to avoid sending the contents of certain HTTP POST parameters. - -This option replaces query parameters from GET requests and top-level -parameters from POST requests. If sensitive data is encoded inside a -parameter that you don’t specify here, Network Packet Capture cannot censor it. 
-Also, note that if you configure Network Packet Capture to save the raw request and
-response fields (see the [`send_request`](#send-request-option) and
-the [`send_response`](#send-response-option) options), sensitive data
-may be present in those fields.
-
-#### `redact_authorization`
-
-When this option is enabled, Network Packet Capture obscures the value of
-`Authorization` and `Proxy-Authorization` HTTP headers, and censors
-those strings in the response.
-
-You should set this option to true for transactions that use Basic
-Authentication because they may contain the base64 unencrypted username
-and password.
-
-#### `send_headers`
-
-A list of header names to capture and send to Elasticsearch. These
-headers are placed under the `headers` dictionary in the resulting JSON.
-
-#### `send_all_headers`
-
-Instead of sending a white list of headers to Elasticsearch, you can
-send all headers by setting this option to true. The default is false.
-
-#### `redact_headers`
-
-A list of headers to redact if present in the HTTP request. This will
-keep the header field present, but will redact it’s value to show the
-header’s presence.
-
-#### `include_body_for`
-
-The list of content types for which Network Packet Capture exports the full HTTP
-payload. The HTTP body is available under `http.request.body.content`
-and `http.response.body.content` for these Content-Types.
-
-In addition, if [`send_response`](#send-response-option) option is
-enabled, then the HTTP body is exported together with the HTTP headers
-under `response` and if [`send_request`](#send-request-option)
-enabled, then `request` contains the entire HTTP message including the
-body.
-
-In the following example, the HTML attachments of the HTTP responses are
-exported under the `response` field and under
-`http.request.body.content` or `http.response.body.content`:
-
-```yaml
-Network Packet Capture.protocols:
-- type: http
- ports: [80, 8080]
- send_response: true
- include_body_for: ["text/html"]
-```
-
-#### `decode_body`
-
-A boolean flag that controls decoding of HTTP payload. It interprets the
-`Content-Encoding` and `Transfer-Encoding` headers and uncompresses the
-entity body. Supported encodings are `gzip` and `deflate`. This option
-is only applicable in the cases where the HTTP payload is exported, that
-is, when one of the `include_*_body_for` options is specified or a POST
-request contains url-encoded parameters.
-
-#### `split_cookie`
-
-If the `Cookie` or `Set-Cookie` headers are sent, this option controls
-whether they are split into individual values. For example, with this
-option set, an HTTP response might result in the following JSON:
-
-```json
-"response": {
- "code": 200,
- "headers": {
- "connection": "close",
- "content-language": "en",
- "content-type": "text/html; charset=utf-8",
- "date": "Fri, 21 Nov 2014 17:07:34 GMT",
- "server": "gunicorn/19.1.1",
- "set-cookie": {
- "csrftoken": "S9ZuJF8mvIMT5CL4T1Xqn32wkA6ZSeyf",
- "expires": "Fri, 20-Nov-2015 17:07:34 GMT",
- "max-age": "31449600",
- "path": "/"
- },
- "vary": "Cookie, Accept-Language"
- },
- "status_phrase": "OK"
-}
-```
-
-- Note that `set-cookie` is a map containing the cookie names as keys.
-
-The default is false.
-
-#### `real_ip_header`
-
-The header field to extract the real IP from. This setting is useful
-when you want to capture traffic behind a reverse proxy, but you want to
-get the geo-location information. If this header is present and contains
-a valid IP addresses, the information is used for the
-`network.forwarded_ip` field.
-
-#### `max_message_size`
-
-If an individual HTTP message is larger than this setting (in bytes), it
-will be trimmed to this size. Unless this value is very small
-(less than 1.5K), Network Packet Capture is able to still correctly follow the transaction
-and create an event for it. The default is 10485760 (10 MB).
-
-Fields published for HTTP packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id.
| keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
| keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.body.bytes | Size in bytes of the request body. | long |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable.
If headers with the same header name are present in the message, they will be separated by commas. | flattened |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened |
-| http.response.status_code | HTTP response status code. | long |
-| http.response.status_phrase | The HTTP status phrase. | keyword |
-| http.version | HTTP version. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event.
| ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
| keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text |
-
-
-An example event for `http` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:54:42.031Z",
- "agent": {
- "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "data_stream": {
- "dataset": "network_traffic.http",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.http",
- "duration": 141490400,
- "end": "2022-03-09T07:54:42.172Z",
- "ingested": "2022-03-09T07:54:43Z",
- "kind": "event",
- "start": "2022-03-09T07:54:42.031Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "http": {
- "request": {
- "body": {
- "bytes": 55
- },
- "bytes": 211,
- "headers": {
- "content-length": 55,
- "content-type": "application/x-www-form-urlencoded"
- },
- "method": "POST"
- },
- "response": {
- "body": {
- "bytes": 8936
- },
- "bytes": 9108,
- "headers": {
- "content-length": 8936,
- "content-type": "text/html; charset=utf-8"
- },
- "status_code": 404,
- "status_phrase": "not found"
- },
- "version": "1.1"
- },
- "method": "POST",
- "network": {
- "bytes": 9319,
-
"community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=",
- "direction": "unknown",
- "protocol": "http",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "POST /register",
- "related": {
- "hosts": [
- "packetbeat.com"
- ],
- "ip": [
- "192.168.238.50",
- "107.170.1.22"
- ]
- },
- "server": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "source": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "status": "Error",
- "type": "http",
- "url": {
- "domain": "packetbeat.com",
- "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "path": "/register",
- "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "scheme": "http"
- },
- "user_agent": {
- "original": "curl/7.37.1"
- }
-}
-```
-
-### ICMP
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-**`enabled`**
-
-The ICMP protocol can be enabled/disabled via this option. The default
-is true.
-
-If enabled Network Packet Capture will generate the following BPF filter:
-`"icmp or icmp6"`.
-Fields published for ICMP packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process.
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array.
This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows).
| keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| icmp.request.code | The request code. | long |
-| icmp.request.message | A human readable form of the request. | keyword |
-| icmp.request.type | The request type. | long |
-| icmp.response.code | The response code. | long |
-| icmp.response.message | A human readable form of the response. | keyword |
-| icmp.response.type | The response type. | long |
-| icmp.version | The version of the ICMP protocol. | long |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter.
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
| keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `icmp` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
-```
-
-### Memcached
-
-**Configuration options**
-
-Also see [Common 
protocol options](#common-protocol-options).
-
-#### `parseunknown`
-
-When this option is enabled, it forces the memcache text protocol parser
-to accept unknown commands.
-
-The unknown commands MUST NOT contain a data part.
-
-#### `maxvalues`
-
-The maximum number of values to store in the message (multi-get). All
-values will be base64 encoded.
-
-The possible settings for this option are:
-
-- `maxvalue: -1`, which stores all values (text based protocol multi-get)
-- `maxvalue: 0`, which stores no values (default)
-- `maxvalue: N`, which stores up to N values
-
-#### `maxbytespervalue`
-
-The maximum number of bytes to be copied for each value element.
-
-Values will be base64 encoded, so the actual size in the JSON document
-will be 4 times the value that you specify for `maxbytespervalue`.
-
-#### `udptransactiontimeout`
-
-The transaction timeout in milliseconds. The defaults is 10000
-milliseconds.
-
-Quiet messages in UDP binary protocol get responses only if there is an
-error. The memcache protocol analyzer will wait for the number of
-milliseconds specified by `udptransactiontimeout` before publishing
-quiet messages. Non-quiet messages or quiet requests with an error
-response are published immediately.
-
-Fields published for Memcached packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. 
It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. 
| keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword |
-| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. 
This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword |
-| memcache.request.bytes | The byte count of the values being transferred. | long |
-| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long |
-| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword |
-| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long |
-| memcache.request.delta | The counter increment/decrement delta value. | long |
-| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long |
-| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long |
-| memcache.request.flags | The memcache command flags sent in the request (if present). | long |
-| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long |
-| memcache.request.keys | The list of keys sent in the store or load commands. | array |
-| memcache.request.line | The raw command line for unknown commands ONLY. | keyword |
-| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean |
-| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long |
-| memcache.request.opcode | The binary protocol message opcode name. | keyword |
-| memcache.request.opcode_value | The binary protocol message opcode value. 
| long |
-| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean |
-| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword |
-| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long |
-| memcache.request.source_class | The source class id in 'slab reassign' command. | long |
-| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword |
-| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array |
-| memcache.request.vbucket | The vbucket index sent in the binary message. | long |
-| memcache.request.verbosity | The value of the memcache "verbosity" command. | long |
-| memcache.response.bytes | The byte count of the values being transferred. | long |
-| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long |
-| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword |
-| memcache.response.count_values | The number of values found in the memcache response message. If the command does not send any data, this field is missing. | long |
-| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword |
-| memcache.response.flags | The memcache message flags sent in the response (if present). | long |
-| memcache.response.keys | The list of keys returned for the load command (if present). | array |
-| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. 
| long |
-| memcache.response.opcode | The binary protocol message opcode name. | keyword |
-| memcache.response.opcode_value | The binary protocol message opcode value. | long |
-| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array |
-| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword |
-| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long |
-| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword |
-| memcache.response.value | The counter value returned by a counter operation. | long |
-| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array |
-| memcache.response.version | The returned memcache version string. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `memcached` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- 
"server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} -``` - -### MongoDB - -**Configuration options** - -The `max_docs` and `max_doc_length` settings are useful for limiting the -amount of data Network Packet Capture indexes in the `response` fields. - -Also see [Common protocol options](#common-protocol-options). - -#### `max_docs` - -The maximum number of documents from the response to index in the -`response` field. The default is 10. You can set this to 0 to index an -unlimited number of documents. - -Network Packet Capture adds a `[...]` line at the end to signify that there were -additional documents that weren’t saved because of this setting. - -#### `max_doc_length` - -The maximum number of characters in a single document indexed in the -`response` field. The default is 5000. You can set this to 0 to index an -unlimited number of characters per document. - -If the document is trimmed because of this setting, Network Packet Capture adds the -string `...` at the end of the document. - -Note that limiting documents in this way means that they are no longer -correctly formatted JSON objects. - -Fields published for MongoDB packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword | -| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword | -| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword | -| mongodb.numberReturned | The number of documents in the reply. | long | -| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long | -| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long | -| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. 
| keyword | -| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword | -| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword | -| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword | -| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. 
| ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. 
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mongodb` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} -``` - -### MySQL - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_rows` - -The maximum number of rows from the SQL message to publish to -Elasticsearch. The default is 10 rows. - -#### `max_row_length` - -The maximum length in bytes of a row from the SQL message to publish to -Elasticsearch. The default is 1024 bytes. - -### `statement_timeout` - -The duration for which prepared statements are cached after their last -use. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The -default is `1h`. - -Fields published for MySQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. 
| long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long | -| mysql.error_code | The error code returned by MySQL. | long | -| mysql.error_message | The error info message returned by MySQL. | keyword | -| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword | -| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long | -| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long | -| mysql.query | The row mysql query as read from the transaction's request. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. 
For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `mysql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - 
"status": "OK", - "type": "mysql" -} -``` - -### NFS - -**Configuration options** - -See [Common protocol options](#common-protocol-options). - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
| long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. 
| keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.id | Unique identifier of the user. 
| keyword | - - -An example event for `nfs` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - 
"gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - "stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} -``` - -### PostgreSQL - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_rows` - -The maximum number of rows from the SQL message to publish to -Elasticsearch. The default is 10 rows. - -#### `max_row_length` - -The maximum length in bytes of a row from the SQL message to publish to -Elasticsearch. The default is 1024 bytes. - -Fields published for PostgreSQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| pgsql.error_code | The PostgreSQL error code. | keyword | -| pgsql.error_message | The PostgreSQL error message. | keyword | -| pgsql.error_severity | The PostgreSQL error severity. | keyword | -| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long | -| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. 
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `pgsql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} -``` - -### Redis - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `queue_max_bytes` and `queue_max_messages` - -store requests in memory until a response is received. These settings -impose a limit on the number of bytes (`queue_max_bytes`) and number of -requests (`queue_max_messages`) that can be stored. These limits are -per-connection. The default is to queue up to 1MB or 20.000 requests per -connection, which allows to use request pipelining while at the same -time limiting the amount of memory consumed by replication sessions. - -Fields published for Redis packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. 
| keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. 
| keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword | -| redis.return_value | The return value of the Redis command in a human readable format. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `redis` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": 
"docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} -``` - -### SIP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `parse_authorization` - -If set to true Network Packet Capture will parse the authorization headers -and include them in events. The default is true. - -#### `parse_body` - -If set to true, Network Packet Capture parses the SIP body when the body -contains Session Description Protocol data. The default is true. - -Fields published for SIP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. 
| date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| sip.accept | Accept header value. | keyword | -| sip.allow | Allowed methods. | keyword | -| sip.auth.realm | Auth realm | keyword | -| sip.auth.scheme | Auth scheme | keyword | -| sip.auth.uri.host | Auth URI host | keyword | -| sip.auth.uri.original | Auth original URI | keyword | -| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. 
| text | -| sip.auth.uri.port | Auth URI port | long | -| sip.auth.uri.scheme | Auth URI scheme | keyword | -| sip.call_id | Call ID. | keyword | -| sip.code | Response status code. | long | -| sip.contact.display_info | Contact display info | keyword | -| sip.contact.expires | Contact expires | keyword | -| sip.contact.line | Contact line | keyword | -| sip.contact.q | Contact Q | keyword | -| sip.contact.transport | Contact transport | keyword | -| sip.contact.uri.host | Contact URI host | keyword | -| sip.contact.uri.original | Contact original URI | keyword | -| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. | text | -| sip.contact.uri.port | Contact URI port | long | -| sip.contact.uri.scheme | Contat URI scheme | keyword | -| sip.contact.uri.username | Contact URI user name | keyword | -| sip.content_length | | long | -| sip.content_type | | keyword | -| sip.cseq.code | Sequence code. | long | -| sip.cseq.method | Sequence method. | keyword | -| sip.from.display_info | From display info | keyword | -| sip.from.tag | From tag | keyword | -| sip.from.uri.host | From URI host | keyword | -| sip.from.uri.original | From original URI | keyword | -| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text | -| sip.from.uri.port | From URI port | long | -| sip.from.uri.scheme | From URI scheme | keyword | -| sip.from.uri.username | From URI user name | keyword | -| sip.max_forwards | | long | -| sip.method | Request method. | keyword | -| sip.private.uri.host | Private URI host. | keyword | -| sip.private.uri.original | Private original URI. | keyword | -| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text | -| sip.private.uri.port | Private URI port. | long | -| sip.private.uri.scheme | Private URI scheme. | keyword | -| sip.private.uri.username | Private URI user name. 
| keyword | -| sip.sdp.body.original | SDP original body | keyword | -| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text | -| sip.sdp.connection.address | SDP connection address | keyword | -| sip.sdp.connection.info | SDP connection info | keyword | -| sip.sdp.owner.ip | SDP owner IP | ip | -| sip.sdp.owner.session_id | SDP owner session ID | keyword | -| sip.sdp.owner.username | SDP owner user name | keyword | -| sip.sdp.owner.version | SDP owner version | keyword | -| sip.sdp.session.name | SDP session name | keyword | -| sip.sdp.version | SDP version | keyword | -| sip.status | Response status phrase. | keyword | -| sip.supported | Supported methods. | keyword | -| sip.to.display_info | To display info | keyword | -| sip.to.tag | To tag | keyword | -| sip.to.uri.host | To URI host | keyword | -| sip.to.uri.original | To original URI | keyword | -| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text | -| sip.to.uri.port | To URI port | long | -| sip.to.uri.scheme | To URI scheme | keyword | -| sip.to.uri.username | To URI user name | keyword | -| sip.type | Either request or response. | keyword | -| sip.uri.host | The URI host. | keyword | -| sip.uri.original | The original URI. | keyword | -| sip.uri.original.text | Multi-field of `sip.uri.original`. | text | -| sip.uri.port | The URI port. | long | -| sip.uri.scheme | The URI scheme. | keyword | -| sip.uri.username | The URI user name. | keyword | -| sip.user_agent.original | | keyword | -| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text | -| sip.version | SIP protocol version. | keyword | -| sip.via.original | The original Via value. | keyword | -| sip.via.original.text | Multi-field of `sip.via.original`. | text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -An example event for `sip` looks as following: - -```json -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - "direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": 
"sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- },
- "version": "2.0",
- "via": {
- "original": [
- "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0"
- ]
- }
- },
- "source": {
- "ip": "10.0.2.20",
- "port": 5060
- },
- "status": "OK",
- "type": "sip"
-}
-```
-
-### Thrift
-
-[Apache Thrift](https://thrift.apache.org/) is a communication protocol
-and RPC framework initially created at Facebook. It is sometimes used in
-[microservices](http://martinfowler.com/articles/microservices.html)
-architectures because it provides better performance when compared to
-the more obvious HTTP/RESTful API choice, while still supporting a wide
-range of programming languages and frameworks.
-
-Network Packet Capture works based on a copy of the traffic, which means that you
-get performance management features without having to modify your
-services in any way and without any latency overhead. Network Packet Capture
-captures the transactions from the network and indexes them in
-Elasticsearch so that they can be analyzed and searched.
-
-Network Packet Capture indexes the method, parameters, return value, and exceptions
-of each Thrift-RPC call. You can search by and create statistics based
-on any of these fields. Network Packet Capture automatically fills in the `status`
-column with either `OK` or `Error`, so it’s easy to find the problematic
-RPC calls. A transaction is put into the `Error` state if it returned an
-exception.
-
-Network Packet Capture also indexes the `event.duration` field so you can get
-performance analytics and find the slow RPC calls.
-
-Thrift supports multiple [transport and protocol
-types](http://en.wikipedia.org/wiki/Apache_Thrift). Currently Network Packet Capture
-supports the default `TSocket` transport as well as the `TFramed`
-transport. From the protocol point of view, Network Packet Capture currently
-supports only the default `TBinary` protocol.
-
-Network Packet Capture also has several configuration options that allow you to get
-the right balance between visibility, disk usage, and data protection.
-You can, for example, choose to obfuscate all strings or to store the
-requests but not the responses, while still capturing the response time
-for each of the RPC calls. You can also choose to limit the size of
-strings and lists to a given number of elements, so you can fine tune
-how much data you want to have stored in Elasticsearch.
-
-The Thrift protocol has several specific configuration options.
-
-Providing the Thrift IDL files to Network Packet Capture is optional. The binary
-Thrift messages include the called method name and enough structural
-information to decode the messages without needing the IDL files.
-However, if you provide the IDL files, Network Packet Capture can also resolve the
-service name, arguments, and exception names.
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `transport_type`
-
-The Thrift transport type. Currently this option accepts the values
-`socket` for TSocket, which is the default Thrift transport, and
-`framed` for the TFramed Thrift transport. The default is `socket`.
-
-#### `protocol_type`
-
-The Thrift protocol type. Currently the only accepted value is `binary`
-for the TBinary protocol, which is the default Thrift protocol.
-
-#### `idl_files`
-
-The Thrift interface description language (IDL) files for the service
-that Network Packet Capture is monitoring. Providing the IDL files is optional,
-because the Thrift messages contain enough information to decode them
-without having the IDL files. However, providing the IDL enables
-Network Packet Capture to include parameter and exception names.
-
-#### `string_max_size`
-
-The maximum length for strings in parameters or return values. If a
-string is longer than this value, the string is automatically truncated
-to this length.
Network Packet Capture adds dots at the end of the string to mark
-that it was truncated. The default is 200.
-
-#### `collection_max_size`
-
-The maximum number of elements in a Thrift list, set, map, or structure.
-If a collection has more elements than this value, Network Packet Capture captures
-only the specified number of elements. Network Packet Capture adds a fictive last
-element `...` to the end of the collection to mark that it was
-truncated. The default is 15.
-
-#### `capture_reply`
-
-If this option is set to false, Network Packet Capture decodes the method name from
-the reply and simply skips the rest of the response message. This
-setting can be useful for performance, disk usage, or data retention
-reasons. The default is true.
-
-#### `obfuscate_strings`
-
-If this option is set to true, Network Packet Capture replaces all strings found in
-method parameters, return codes, or exception structures with the `"*"`
-string.
-
-#### `drop_after_n_struct_fields`
-
-The maximum number of fields that a structure can have before Network Packet Capture
-ignores the whole transaction. This is a memory protection mechanism (so
-that Network Packet Capture’s memory doesn’t grow indefinitely), so you would
-typically set this to a relatively high value. The default is 500.
-
-Fields published for Thrift packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started.
| date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. 
| long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword | -| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword | -| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. | keyword | -| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `thrift` looks as following: - -```json -{ - "@timestamp": "2022-05-23T10:59:35.668Z", - "agent": { - "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1275700, - "end": "2022-05-23T10:59:35.669Z", - "ingested": "2022-05-23T10:59:36Z", - "kind": "event", - "start": "2022-05-23T10:59:35.668Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} -``` 
- -### TLS - -TLS is a cryptographic protocol that provides secure communications on -top of an existing application protocol, like HTTP or MySQL. - -Network Packet Capture intercepts the initial handshake in a TLS connection and -extracts useful information that helps operators diagnose problems and -strengthen the security of their network and systems. It does not -decrypt any information from the encapsulated protocol, nor does it -reveal any sensitive information such as cryptographic keys. TLS -versions 1.0 to 1.3 are supported. - -It works by intercepting the client and server "hello" messages, which -contain the negotiated parameters for the connection such as -cryptographic ciphers and protocol versions. It can also intercept TLS -alerts, which are sent by one of the parties to signal a problem with -the negotiation, such as an expired certificate or a cryptographic -error. - -Detailed information that is not defined in ECS is added under the -`tls.detailed` key. The [`include_detailed_fields`](#include_detailed_fields) configuration flag -is used to control whether this information is exported. - -The fields under `tls.detailed.client_hello` contain the algorithms and -extensions supported by the client, as well as the maximum TLS version -it supports. - -Fields under `tls.detailed.server_hello` contain the final settings for -the TLS session: The selected cipher, compression method, TLS version to -use and other extensions such as application layer protocol negotiation -(ALPN). - -**Configuration options** - -The `send_certificates` and `include_detailed_fields` settings are -useful for limiting the amount of data Network Packet Capture indexes, as multiple -certificates are usually exchanged in a single transaction, and those -can take a considerable amount of storage. - -Also see [Common protocol options](#common-protocol-options). 
- -#### `send_certificates` - -This setting causes information about the certificates presented by the -client and server to be included in the detailed fields. The server’s -certificate is indexed under `tls.detailed.server_certificate` and its -certification chain under `tls.detailed.server_certificate_chain`. For -the client, the `client_certificate` and `client_certificate_chain` -fields are used. The default is true. - -#### `include_raw_certificates` - -You can set `include_raw_certificates` to include the raw certificate -chains encoded in PEM format, under the `tls.server.certificate_chain` -and `tls.client.certificate_chain` fields. The default is false. - -#### `include_detailed_fields` - -Controls whether the [TLS fields](https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-tls_detailed.html) are added to exported documents. When -set to false, only [ECS TLS](https://www.elastic.co/guide/en/ecs/8.2/ecs-tls.html) fields are included. -exported are included. The default is `true`. - -#### `fingerprints` - -Defines a list of hash algorithms to calculate the certificate’s -fingerprints. Valid values are `sha1`, `sha256` and `md5`. - -The default is to output SHA-1 fingerprints. - -Fields published for TLS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. 
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword |
-| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date |
-| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
-| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. 
| keyword |
-| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.country | List of country (C) codes | keyword |
-| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.client.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country (C) code | keyword | -| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.version_number | Version of x509 format. | keyword | -| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | -| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword | -| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array | -| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean | -| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword | -| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword | -| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword | -| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword | -| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. 
| keyword | -| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures. | keyword | -| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short | -| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short | -| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword | -| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword | -| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword | -| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | -| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | -| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword | -| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword | -| tls.detailed.ocsp_response | The result of an OCSP request. | keyword | -| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword | -| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array | -| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. 
| keyword | -| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword | -| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword | -| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword | -| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean | -| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword | -| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | -| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword | -| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | -| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword | -| tls.detailed.version | The version of the TLS protocol used. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
| boolean | -| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword | -| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. 
| keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country (C) codes | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.server.x509.public_key_size | The size of the public key space in bits. | long | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. 
| keyword | -| tls.server.x509.subject.country | List of country (C) code | keyword | -| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.version_number | Version of x509 format. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `tls` looks as following: - -```json -{ - "@timestamp": "2022-05-23T11:01:14.376Z", - "agent": { - "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "192.168.1.35", - "port": 59455 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 365887700, - "end": "2022-05-23T11:01:14.741Z", - "ingested": "2022-05-23T11:01:17Z", - "kind": "event", - "start": "2022-05-23T11:01:14.376Z", - "type": [ - "connection", - "protocol" - ] 
- }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.35", - "93.184.216.34" - ] - }, - "server": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "source": { - "ip": "192.168.1.35", - "port": 59455 - }, - "status": "OK", - "tls": { - "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "client": { - "ja3": "e6573e91e6eb777c0933c5b8f97f10cd", - "server_name": "example.net", - "supported_ciphers": [ - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "(unknown:0xff85)", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_GOSTR341001_WITH_28147_CNT_IMIT", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - 
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "example.net" - ], - "signature_algorithms": [ - "rsa_pkcs1_sha512", - "ecdsa_secp521r1_sha512", - "(unknown:0xefef)", - "rsa_pkcs1_sha384", - "ecdsa_secp384r1_sha384", - "rsa_pkcs1_sha256", - "ecdsa_secp256r1_sha256", - "(unknown:0xeeee)", - "(unknown:0xeded)", - "(unknown:0x0301)", - "(unknown:0x0303)", - "rsa_pkcs1_sha1", - "ecdsa_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1" - ] - }, - "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "server_certificate_chain": [ - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2023-03-08T12:00:00.000Z", - "not_before": "2013-03-08T12:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - 
"serial_number": "2646203786665923649276728595390119057", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "version_number": 3 - }, - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2031-11-10T00:00:00.000Z", - "not_before": "2006-11-10T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "10944719598952040374951832963794454346", - "signature_algorithm": "SHA1-RSA", - "subject": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "version_number": 3 - } - ], - "server_hello": { - "extensions": { - "_unparsed_": [ - "renegotiation_info", - "server_name_indication" - ], - "application_layer_protocol_negotiation": [ - "h2" - ], - "ec_points_formats": [ - "uncompressed", - "ansiX962_compressed_prime", - "ansiX962_compressed_char2" - ] - }, - "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", - "selected_compression_method": "NULL", - "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", - "version": "3.3" - }, - "version": "TLS 1.2" - }, - "established": true, - "next_protocol": "h2", - "resumed": false, - "server": { - "hash": { - "sha1": "7BB698386970363D2919CC5772846984FFD4A889" - }, - "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "subject": 
"CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "x509": { - "alternative_names": [ - "www.example.org", - "example.com", - "example.edu", - "example.net", - "example.org", - "www.example.com", - "www.example.edu", - "www.example.net" - ], - "issuer": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "21020869104500376438182461249190639870", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "www.example.org", - "country": "US", - "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "locality": "Los Angeles", - "organization": "Internet Corporation for Assigned Names and Numbers", - "organizational_unit": "Technology", - "state_or_province": "California" - }, - "version_number": "3" - } - }, - "version": "1.2", - "version_protocol": "tls" - }, - "type": "tls" -} -``` - -## Licensing for Windows Systems - -The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 16f534dd5e..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Overview of DNS request and response metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-dns-query-summary", - "name": 
"panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-dns-request-status-over-time", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-dns-question-types", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dns-top-10-questions", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-dns-response-codes", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 7562508a09..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "DHCPv4 Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - 
"dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-cassandra.json deleted file mode 100755 index 489417c609..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-cassandra.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-requests-per-minute", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-rpc-errors", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-thrift-rpc-methods", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-methods", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-tls-sessions.json deleted file mode 100755 index 876601f994..0000000000 --- a/packages/network_traffic/1.3.1/kibana/dashboard/network_traffic-tls-sessions.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 67be55b24a..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Fingerprint", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index 6d16385a7d..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] HTTP Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 438de0c09a..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Handshake Latency", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index b2320634bf..0000000000 
--- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Server Public Key Size", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json deleted file mode 100755 index 7851d8f875..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Server Name Indication", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json deleted file mode 100755 index 44b4e814c2..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dhcpv4.transaction_id", - "dhcpv4.op_code", - "dhcpv4.option.message_type", - "source.ip", - "destination.ip", - "dhcpv4.client_mac", - "dhcpv4.option.hostname", - "dhcpv4.option.class_identifier" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json deleted file mode 100755 index 48114ab869..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Version", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-cassandra-queryview.json deleted file mode 100755 index 4da4785f32..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-cassandra-queryview.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json deleted file mode 100755 index 54ccb16243..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "type", - "event.start", - "event.end", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.bytes", - "destination.bytes" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Flows Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json deleted file mode 100755 index f3f1e907c0..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-nfs.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-nfs.json deleted file mode 100755 index 637ab8785a..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-nfs.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-pgsql-errors.json deleted file mode 100755 index e1e696c06b..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-search.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/1.3.1/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/1.3.1/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 3d5fc5d68c..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index a9a6b6d585..0000000000 
--- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Versions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json deleted file mode 100755 index 5c709d21ab..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Client Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 238ff5fe1b..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Session Resume", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index 28758eb761..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Message Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json deleted file mode 100755 index dfd0b9c2df..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Cipher", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json deleted file mode 100755 index 69216a897d..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index e347b89b8e..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 27390bc2a6..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" - }, - "title": "[Network Packet Capture] DHCPv4 Message Types over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 23e4ad24db..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Client Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index e100d4e38f..0000000000 
--- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Name Indication", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 204f509a93..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Fingerprint", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index c8ca05e364..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Public Key Size", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 7d805b99d1..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json deleted file mode 100755 index 6b89c0127d..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Bytes Transferred per Domain", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bytes-transferred-per-domain", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json deleted file mode 100755 index 1b5f21f993..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json deleted file mode 100755 index 9e1ebf6056..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json deleted file mode 100755 index 17a71a0e30..0000000000 
--- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json deleted file mode 100755 index ee9d47e2f6..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsetime.json deleted file mode 100755 index 152ebf53ef..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsetime.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Transaction Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 856211710f..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" - }, - "title": "[Network Packet Capture] Top Domains by Data Volume", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-query-summary.json deleted file mode 100755 index 1898c984d8..0000000000 
--- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-query-summary.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Query Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-query-summary", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-question-types.json deleted file mode 100755 index b2a975b430..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-question-types.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Question Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-question-types", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-request-status-over-time.json deleted file mode 100755 index 53c1b991c8..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-request-status-over-time.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-top-10-questions.json deleted file mode 100755 index d86db94a8d..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-dns-top-10-questions.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-error-codes-evolution.json deleted file mode 100755 index 479733a2af..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-error-codes-evolution.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-latency-histogram.json deleted file mode 100755 index 34aa0f3d11..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-latency-histogram.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-commands.json deleted file mode 100755 index 87474df326..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-commands.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-commands", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json deleted file mode 100755 index ea23f3560f..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors-per-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-errors.json deleted file mode 100755 index 183ec66ef3..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json deleted file mode 100755 index 74b8a6fd64..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-in-slash-out-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json deleted file mode 100755 index 0346b7b1cd..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-response-times-by-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json deleted file mode 100755 index 08c27fcecf..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent MySQL queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json deleted file mode 100755 index 6ddc08eafb..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent PgSQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-errors.json deleted file mode 100755 index 25ded66860..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-methods.json deleted file mode 100755 index 34e609f25b..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json deleted file mode 100755 index 4fece54090..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Mysql response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-throughput.json deleted file mode 100755 index fd67a3b714..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-mysql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-navigation.json deleted file mode 100755 index 958a4a7a7c..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-navigation.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Network Packet Capture] Navigation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-navigation", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json deleted file mode 100755 index 292355bbdf..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Traffic Between Hosts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-network-traffic-between-your-hosts", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json deleted file mode 100755 index 8b550d78cf..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS Request / Response Sizes", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-bytes-in-slash-out", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json deleted file mode 100755 index 4272f7571e..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS clients pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-clients-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-errors.json deleted file mode 100755 index f407f4153d..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-errors-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-operation-table.json deleted file mode 100755 index 56e28320c1..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-operation-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operation table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operation-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json deleted file mode 100755 index 56cb538f8f..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operations area chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operations-area-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-response-times.json deleted file mode 100755 index 2ffaacd816..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-response-times.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS response times", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-response-times", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json deleted file mode 100755 index c1b2816c13..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top group pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-group-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json deleted file mode 100755 index 543bfe7058..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top users pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-users-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json deleted file mode 100755 index 770c776e13..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-errors.json deleted file mode 100755 index 88a19443ff..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-methods.json deleted file mode 100755 index e49215022c..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json deleted file mode 100755 index 60be8776dd..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json deleted file mode 100755 index 66eb8b3b8b..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-throughput.json deleted file mode 100755 index aba4ebafd0..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-pgsql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-response-times-percentiles.json deleted file mode 100755 index f43cfc0233..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-response-times-repartition.json deleted file mode 100755 index 2271bdb9a7..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-response-times-repartition.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-repartition", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-mysql-queries.json deleted file mode 100755 index 9194c62aaa..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest MySQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json deleted file mode 100755 index ce2d661459..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest PgSQL Queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json deleted file mode 100755 index 777f4d7abe..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest Thrift RPC methods", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json deleted file mode 100755 index e9dee7461a..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift requests per minute", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-requests-per-minute", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json deleted file mode 100755 index 835ee06280..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-rpc-errors.json deleted file mode 100755 index 37e3e901fc..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-thrift-rpc-errors.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift RPC Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-rpc-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-10-http-requests.json deleted file mode 100755 index bb5c71dbfe..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-10-http-requests.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top 10 HTTP requests", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-10-http-requests", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json deleted file mode 100755 index 842f9f29ec..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/1.3.1/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.3.1/manifest.yml b/packages/network_traffic/1.3.1/manifest.yml
deleted file mode 100755
index 8baea71d27..0000000000
--- a/packages/network_traffic/1.3.1/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: network_traffic
-title: Network Packet Capture
-version: 1.3.1
-license: basic
-description: Capture and analyze network traffic from a host with Elastic Agent.
-type: integration
-categories:
- - web
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-policy_templates:
- - name: network
- title: Network Packet Capture
- description: Capture network traffic
- inputs:
- - type: packet
- title: Capture network traffic
- description: Collecting network traffic
- vars:
- - name: interface
- type: text
- title: Interface
- required: false
- show_user: false
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/okta/1.8.0/changelog.yml b/packages/okta/1.8.0/changelog.yml
deleted file mode 100755
index d1af29ea33..0000000000
--- a/packages/okta/1.8.0/changelog.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-# newer versions go on top
-- version: "1.8.0"
- changes:
- - description: Add `okta.debug_context.debug_data.risk_level` field
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3362
- - description: Add flattened `okta.debug_context.debug_data.flattened.log_only_security_data.*` fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3362
- - description: Fix mapping type for `client.as.number`
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3362
-- version: "1.7.0"
- changes:
- - description: Add flattened `okta.request.ip_chain.*` fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3326
-- version: "1.6.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.5.2"
- changes:
- - description: Handle invalid values in client.ipAddress
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3010
-- version: "1.5.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.5.0"
- changes:
- - description: Increase the limit for the number of results in an API response.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2791
-- version: "1.4.1"
- changes:
- - description: Add missing field mapping for event.created.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2774
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2428
-- version: "1.3.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.3.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2264
-- version: "1.2.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2095
-- version: "1.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1977
-- version: "1.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1838
-- version: "1.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1638
-- version: "1.1.3"
- changes:
- - description: Add proxy config
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1648
-- version: "1.1.2"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1494
-- version: "1.1.1"
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1403
-- version: "1.1.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "1.0.1"
- changes:
- - description: add
missing `initial_interval` option to the manifest
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1299
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1222
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1222
-- version: "0.6.0"
- changes:
- - description: Update to ECS 1.10.0 and add event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1067
-- version: "0.5.2"
- changes:
- - description: Add httpjson system tests and remove log input.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1034
-- version: "0.5.1"
- changes:
- - description: Make event.original optional
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1009
-- version: "0.5.0"
- changes:
- - description: change okta.target to flattened type
- type: enhancement
- link: https://github.com/elastic/integrations/pull/899
-- version: "0.4.2"
- changes:
- - description: add fail_on_template_error on pagination
- type: bugfix
- link: https://github.com/elastic/integrations/pull/901
-- version: "0.4.1"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/861
-- version: "0.4.0"
- changes:
- - description: Moves edge processing to ingest pipeline
- type: enhancement
- link: https://github.com/elastic/integrations/pull/759/
-- version: "0.3.1"
- changes:
- - description: Change kibana.version constraint to be more conservative.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/749
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/232
diff --git a/packages/okta/1.8.0/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/1.8.0/data_stream/system/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 24a3d77d72..0000000000
--- a/packages/okta/1.8.0/data_stream/system/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,56 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-
-{{#if url}}
-request.url: {{url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-
-request.rate_limit:
- limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]'
- remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]'
- reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]'
-request.transforms:
- - set:
- target: header.Authorization
- value: "SSWS {{api_key}}"
- - set:
- target: url.params.limit
- value: '1000'
- - set:
- target: url.params.since
- value: "[[.cursor.published]]"
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}")) "RFC3339"]]'
-response.pagination:
- - set:
- target: url.value
- value: '[[ getRFC5988Link "next" .last_response.header.Link ]]'
- fail_on_template_error: true
-
-cursor:
- published:
- value: "[[.last_event.published]]"
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/okta/1.8.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/1.8.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2f8904dc41..0000000000
--- a/packages/okta/1.8.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,628 +0,0 @@ ---- -description: Pipeline for Okta system logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: json - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - ((Map) o).values().removeIf(v -> drop(v)); - return (((Map) o).size() == 0); - } else if (o instanceof List) { - ((List) o).removeIf(v -> drop(v)); - return (((List) o).length == 0); - } - return false; - } - drop(ctx); - - convert: - field: json.uuid - target_field: _id - type: string - ignore_failure: true - if: ctx?.json?.uuid != null && ctx?.json?.uuid != "" - - date: - field: json.published - formats: - - ISO8601 - ignore_failure: true - - set: - field: event.kind - value: event - - rename: - field: json.displayMessage - target_field: okta.display_message - ignore_missing: true - ignore_failure: true - - rename: - field: json.eventType - target_field: okta.event_type - ignore_missing: true - ignore_failure: true - - append: - field: event.category - value: iam - if: | - ["group.user_membership.add","group.user_membership.remove", - "user.lifecycle.activate","user.lifecycle.create", - "user.lifecycle.deactivate","user.lifecycle.suspend", - "user.lifecycle.unsuspend"].contains(ctx?.okta?.event_type) - - append: - field: event.category - value: configuration - if: | - ["policy.lifecycle.activate","policy.lifecycle.create", - "policy.lifecycle.deactivate","policy.lifecycle.delete", - "policy.lifecycle.update","policy.rule.activate","policy.rule.add", - "policy.rule.deactivate","policy.rule.delete", - "application.lifecycle.create","application.lifecycle.delete", - "policy.rule.update","application.lifecycle.activate", - "application.lifecycle.deactivate","application.lifecycle.update"].contains(ctx?.okta?.event_type) - - append: - 
field: event.category - value: authentication - if: '["user.session.start","user.session.end","user.authentication.sso","policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' - - append: - field: event.category - value: session - if: '["user.session.start","user.session.end"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: info - if: | - ["system.org.rate_limit.warning","system.org.rate_limit.violation", - "core.concurrency.org.limit.violation"].contains(ctx?.okta?.event_type) - - append: - field: event.type - value: network - if: '["security.request.blocked"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: network - if: | - ["system.org.rate_limit.warning","system.org.rate_limit.violation", - "core.concurrency.org.limit.violation","security.request.blocked"].contains(ctx?.okta?.event_type) - - append: - field: event.type - value: start - if: '["user.session.start"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: end - if: '["user.session.end"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: group - if: '["group.user_membership.add","group.user_membership.remove"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: user - if: | - ["user.lifecycle.activate","user.lifecycle.create", - "user.lifecycle.deactivate","user.lifecycle.suspend", - "user.lifecycle.unsuspend","user.authentication.sso", - "user.session.start","user.session.end","application.user_membership.add", - "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) - - append: - field: event.type - value: change - if: | - ["user.lifecycle.activate","user.lifecycle.deactivate", - "user.lifecycle.suspend","user.lifecycle.unsuspend", - "group.user_membership.add","group.user_membership.remove", - "policy.lifecycle.activate","policy.lifecycle.deactivate", - "policy.lifecycle.update","policy.rule.activate","policy.rule.add", 
- "policy.rule.deactivate","policy.rule.update","application.user_membership.add", - "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) - - append: - field: event.type - value: creation - if: '["user.lifecycle.create","policy.lifecycle.create","application.lifecycle.create"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: deletion - if: '["policy.lifecycle.delete","application.lifecycle.delete"].contains(ctx?.okta?.event_type)' - - append: - field: event.type - value: info - if: '["policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' - - rename: - field: json.uuid - target_field: okta.uuid - ignore_missing: true - ignore_failure: true - - rename: - field: json.actor.alternateId - target_field: okta.actor.alternate_id - ignore_missing: true - ignore_failure: true - - rename: - field: json.actor.displayName - target_field: okta.actor.display_name - ignore_missing: true - ignore_failure: true - - rename: - field: json.actor.id - target_field: okta.actor.id - ignore_missing: true - ignore_failure: true - - rename: - field: json.actor.type - target_field: okta.actor.type - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.device - target_field: okta.client.device - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.geographicalContext.geolocation - target_field: client.geo.location - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.geographicalContext.city - target_field: client.geo.city_name - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.geographicalContext.state - target_field: client.geo.region_name - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.geographicalContext.country - target_field: client.geo.country_name - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.id - target_field: okta.client.id - 
ignore_missing: true - ignore_failure: true - - convert: - field: json.client.ipAddress - target_field: okta.client.ip - type: ip - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.userAgent.browser - target_field: okta.client.user_agent.browser - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.userAgent.os - target_field: okta.client.user_agent.os - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.userAgent.rawUserAgent - target_field: okta.client.user_agent.raw_user_agent - ignore_missing: true - ignore_failure: true - - rename: - field: json.client.zone - target_field: okta.client.zone - ignore_missing: true - ignore_failure: true - - rename: - field: json.outcome.reason - target_field: okta.outcome.reason - ignore_missing: true - ignore_failure: true - - rename: - field: json.outcome.result - target_field: okta.outcome.result - ignore_missing: true - ignore_failure: true - - rename: - field: json.target - target_field: okta.target - ignore_missing: true - ignore_failure: true - - rename: - field: json.transaction.id - target_field: okta.transaction.id - ignore_missing: true - ignore_failure: true - - rename: - field: json.transaction.type - target_field: okta.transaction.type - ignore_missing: true - ignore_failure: true - - set: - field: okta.debug_context.debug_data.flattened - copy_from: json.debugContext.debugData - ignore_failure: true - - json: - field: okta.debug_context.debug_data.flattened.logOnlySecurityData - ignore_failure: true - - dissect: - field: okta.debug_context.debug_data.flattened.behaviors - pattern: "{%{okta.debug_context.debug_data.flattened.behaviors}}" - ignore_missing: true - ignore_failure: true - - kv: - field: okta.debug_context.debug_data.flattened.behaviors - field_split: ", " - value_split: "=" - target_field: _behaviors_object - if: ctx.okta?.debug_context?.debug_data?.flattened?.behaviors != null - - remove: - field: 
okta.debug_context.debug_data.flattened.behaviors - if: ctx._behaviors_object != null - - rename: - field: _behaviors_object - target_field: okta.debug_context.debug_data.flattened.behaviors - ignore_missing: true - ignore_failure: true - - dissect: - field: okta.debug_context.debug_data.flattened.risk - pattern: "{%{okta.debug_context.debug_data.flattened.risk}}" - ignore_missing: true - ignore_failure: true - - kv: - field: okta.debug_context.debug_data.flattened.risk - field_split: ", " - value_split: "=" - target_field: _risk_object - if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null - - remove: - field: okta.debug_context.debug_data.flattened.risk - if: ctx._risk_object != null - - rename: - field: _risk_object - target_field: okta.debug_context.debug_data.flattened.risk - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.deviceFingerprint - target_field: okta.debug_context.debug_data.device_fingerprint - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.requestId - target_field: okta.debug_context.debug_data.request_id - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.requestUri - target_field: okta.debug_context.debug_data.request_uri - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.threatSuspected - target_field: okta.debug_context.debug_data.threat_suspected - ignore_missing: true - ignore_failure: true - - rename: - field: json.debugContext.debugData.url - target_field: okta.debug_context.debug_data.url - ignore_missing: true - ignore_failure: true - - set: - field: okta.debug_context.debug_data.risk_level - value: "{{{okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.level}}}" - if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != null && 
ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != ""' - - set: - field: okta.debug_context.debug_data.risk_level - value: "{{{okta.debug_context.debug_data.flattened.risk.level}}}" - if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != ""' - - rename: - field: json.authenticationContext.authenticationProvider - target_field: okta.authentication_context.authentication_provider - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.authenticationStep - target_field: okta.authentication_context.authentication_step - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.credentialProvider - target_field: okta.authentication_context.credential_provider - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.credentialType - target_field: okta.authentication_context.credential_type - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.externalSessionId - target_field: okta.authentication_context.external_session_id - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.interface - target_field: okta.authentication_context.authentication_provider - ignore_missing: true - ignore_failure: true - - rename: - field: json.authenticationContext.issuer - target_field: okta.authentication_context.issuer - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.asNumber - target_field: okta.security_context.as.number - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.asOrg - target_field: okta.security_context.as.organization.name - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.domain - target_field: 
okta.security_context.domain - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.isProxy - target_field: okta.security_context.is_proxy - ignore_missing: true - ignore_failure: true - - rename: - field: json.securityContext.isp - target_field: okta.security_context.isp - ignore_missing: true - ignore_failure: true - - rename: - field: json.request.ipChain - target_field: okta.request.ip_chain - ignore_missing: true - ignore_failure: true - - foreach: - field: okta.request.ip_chain - processor: - rename: - field: _ingest._value.geographicalContext - target_field: _ingest._value.geographical_context - ignore_missing: true - ignore_failure: true - ignore_missing: true - - foreach: - field: okta.request.ip_chain - processor: - rename: - field: _ingest._value.geographical_context.postalCode - target_field: _ingest._value.geographical_context.postal_code - ignore_missing: true - ignore_failure: true - ignore_missing: true - - convert: - field: okta.client.user_agent.raw_user_agent - target_field: user_agent.original - type: string - ignore_failure: true - - set: - field: client.ip - copy_from: okta.client.ip - if: ctx?.okta?.client?.ip != null - - set: - field: source.ip - copy_from: okta.client.ip - if: ctx?.okta?.client?.ip != null - - convert: - field: okta.event_type - target_field: event.action - type: string - ignore_failure: true - - convert: - field: okta.security_context.as.organization.name - target_field: client.as.organization.name - type: string - ignore_failure: true - - convert: - field: okta.security_context.domain - target_field: client.domain - type: string - ignore_failure: true - - convert: - field: okta.security_context.domain - target_field: source.domain - type: string - ignore_failure: true - - convert: - field: okta.uuid - target_field: event.id - type: string - ignore_failure: true - - lowercase: - field: okta.outcome.result - target_field: okta.outcome.result_lower - ignore_missing: true - - set: - field: 
event.outcome - value: success - if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "success" || ctx?.okta?.outcome?.result_lower == "allow") - - set: - field: event.outcome - value: failure - if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "failure" || ctx?.okta?.outcome?.result_lower == "deny") - - set: - field: event.outcome - value: unknown - if: ctx?.event?.outcome == null - - remove: - field: okta.outcome.result_lower - ignore_missing: true - - script: - lang: painless - source: | - def arr = ctx?.okta?.target; - if (arr != null) { - for (def i = 0; i < arr.length; i++) { - arr[i]["alternate_id"] = arr[i]["alternateId"]; - arr[i].remove("alternateId"); - arr[i]["display_name"] = arr[i]["displayName"]; - arr[i].remove("displayName"); - arr[i].remove("detailEntry"); - } - } - - script: - lang: painless - source: | - def arr = ctx?.okta?.target; - if (arr != null) { - for (def i = 0; i < arr.length; i++) { - if (arr[i]["type"].toLowerCase().contains("user")) { - ctx["okta_target_user"] = arr[i]; - break; - } - } - } - if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("user.") - - script: - lang: painless - source: | - def arr = ctx?.okta?.target; - if (arr != null) { - for (def i = 0; i < arr.length; i++) { - if (arr[i]["type"].toLowerCase().contains("group")) { - ctx["okta_target_group"] = arr[i]; - break; - } - } - } - if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("group.") - - rename: - field: okta_target_user.display_name - target_field: user.target.full_name - ignore_missing: true - - rename: - field: okta_target_user.id - target_field: user.target.id - ignore_missing: true - - rename: - field: okta_target_user.login - target_field: user.target.email - ignore_missing: true - - rename: - field: okta_target_group.display_name - target_field: user.target.group.name - ignore_missing: true - - rename: - field: okta_target_group.id - target_field: 
user.target.group.id - ignore_missing: true - - remove: - field: - - okta_target_user - - okta_target_group - ignore_missing: true - - set: - field: client.user.id - value: "{{okta.actor.id}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.id != null - - set: - field: source.user.id - value: "{{okta.actor.id}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.id != null - - set: - field: client.user.full_name - value: "{{okta.actor.display_name}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.display_name != null - - set: - field: source.user.full_name - value: "{{okta.actor.display_name}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.display_name != null - - set: - field: user.full_name - value: "{{okta.actor.display_name}}" - ignore_empty_value: true - if: ctx?.okta?.actor?.display_name != null - - append: - field: related.user - value: "{{okta.actor.display_name}}" - allow_duplicates: false - if: ctx?.okta?.actor?.display_name != null - - append: - field: related.user - value: "{{user.target.full_name}}" - allow_duplicates: false - if: ctx?.user?.target?.full_name != null - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - remove: - field: json - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - 
target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/okta/1.8.0/data_stream/system/fields/agent.yml b/packages/okta/1.8.0/data_stream/system/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/okta/1.8.0/data_stream/system/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/okta/1.8.0/data_stream/system/fields/base-fields.yml b/packages/okta/1.8.0/data_stream/system/fields/base-fields.yml deleted file mode 100755 index 915728ae0c..0000000000 --- a/packages/okta/1.8.0/data_stream/system/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: okta -- name: event.dataset - type: constant_keyword - description: Event dataset - value: okta.system -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/okta/1.8.0/data_stream/system/fields/beats.yml b/packages/okta/1.8.0/data_stream/system/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/okta/1.8.0/data_stream/system/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/okta/1.8.0/data_stream/system/fields/ecs.yml b/packages/okta/1.8.0/data_stream/system/fields/ecs.yml deleted file mode 100755 index 70ee18f075..0000000000 --- a/packages/okta/1.8.0/data_stream/system/fields/ecs.yml +++ /dev/null 
@@ -1,300 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: client.geo.location - type: geo_point -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: client.user.full_name - type: keyword -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: Unique container id. - name: container.id - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. 
- name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. 
- name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.domain - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.target.full_name - type: keyword -- description: |- - Name of the directory the group is a member of. - For example, an LDAP or Active Directory domain name. - name: user.target.group.domain - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.target.group.id - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Unique identifier of the user. 
- name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/okta/1.8.0/data_stream/system/fields/fields.yml b/packages/okta/1.8.0/data_stream/system/fields/fields.yml deleted file mode 100755 index 88055c4d48..0000000000 --- a/packages/okta/1.8.0/data_stream/system/fields/fields.yml +++ /dev/null 
@@ -1,270 +0,0 @@ -- name: okta.uuid - title: UUID - type: keyword - description: | - The unique identifier of the Okta LogEvent. -- name: okta.event_type - title: Event Type - type: keyword - description: | - The type of the LogEvent. -- name: okta.version - title: Version - type: keyword - description: | - The version of the LogEvent. -- name: okta.severity - title: Severity - type: keyword - description: | - The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. -- name: okta.display_message - title: Display Message - type: keyword - description: | - The display message of the LogEvent. -- name: okta.actor - title: Actor - type: group - fields: - - name: id - type: keyword - description: | - Identifier of the actor. - - name: type - type: keyword - description: | - Type of the actor. - - name: alternate_id - type: keyword - description: | - Alternate identifier of the actor. - - name: display_name - type: keyword - description: | - Display name of the actor. -- name: okta.client - title: Client - type: group - fields: - - name: ip - type: ip - description: | - The IP address of the client. - - name: user_agent - type: group - fields: - - name: raw_user_agent - type: keyword - description: | - The raw informaton of the user agent. - - name: os - type: keyword - description: | - The OS informaton. - - name: browser - type: keyword - description: | - The browser informaton of the client. - - name: zone - type: keyword - description: | - The zone information of the client. - - name: device - type: keyword - description: | - The information of the client device. - - name: id - type: keyword - description: | - The identifier of the client. -- name: okta.outcome - title: Outcome of the LogEvent. - type: group - fields: - - name: reason - type: keyword - description: | - The reason of the outcome. - - name: result - type: keyword - description: | - The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. 
-- name: okta.target - title: Target - type: flattened - description: | - The list of targets. - fields: - - name: id - type: keyword - description: | - Identifier of the actor. - - name: type - type: keyword - description: | - Type of the actor. - - name: alternate_id - type: keyword - description: | - Alternate identifier of the actor. - - name: display_name - type: keyword - description: | - Display name of the actor. -- name: okta.transaction - title: Transaction - type: group - fields: - - name: id - type: keyword - description: | - Identifier of the transaction. - - name: type - type: keyword - description: | - The type of transaction. Must be one of "WEB", "JOB". -- name: okta.debug_context - title: Debug Context - type: group - fields: - - name: debug_data - type: group - fields: - - name: device_fingerprint - type: keyword - description: | - The fingerprint of the device. - - name: request_id - type: keyword - description: | - The identifier of the request. - - name: request_uri - type: keyword - description: | - The request URI. - - name: threat_suspected - type: keyword - description: | - Threat suspected. - - name: risk_level - type: keyword - description: | - The risk level assigned to the sign in attempt. - - name: url - type: keyword - description: | - The URL. - - name: flattened - type: flattened - description: | - The complete debug_data object. -- name: okta.authentication_context - title: Authentication Context - type: group - fields: - - name: authentication_provider - type: keyword - description: | - The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. - - name: authentication_step - type: integer - description: | - The authentication step. - - name: credential_provider - type: keyword - description: | - The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. 
- - name: credential_type - type: keyword - description: | - The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. - - name: issuer - type: array - description: | - The information about the issuer. - fields: - - name: id - type: keyword - description: | - The identifier of the issuer. - - name: type - type: keyword - description: | - The type of the issuer. - - name: external_session_id - type: keyword - description: | - The session identifer of the external session if any. - - name: interface - type: keyword - description: | - The interface used. e.g., Outlook, Office365, wsTrust -- name: okta.security_context - title: Security Context - type: group - fields: - - name: as - type: group - fields: - - name: number - type: integer - description: | - The AS number. - - name: organization - type: group - fields: - - name: name - type: keyword - description: | - The organization name. - - name: isp - type: keyword - description: | - The Internet Service Provider. - - name: domain - type: keyword - description: | - The domain name. - - name: is_proxy - type: boolean - description: | - Whether it is a proxy or not. -- name: okta.request - title: Request - type: group - fields: - - name: ip_chain - type: flattened - fields: - - name: ip - type: ip - description: | - IP address. - - name: version - type: keyword - description: | - IP version. Must be one of V4, V6. - - name: source - type: keyword - description: | - Source information. - - name: geographical_context - type: group - fields: - - name: city - type: keyword - description: The city. - - name: state - type: keyword - description: The state. - - name: postal_code - type: keyword - description: The postal code. - - name: country - type: keyword - description: The country. - - name: geolocation - type: geo_point - description: | - Geolocation information. 
diff --git a/packages/okta/1.8.0/data_stream/system/manifest.yml b/packages/okta/1.8.0/data_stream/system/manifest.yml deleted file mode 100755 index 442cc16cd2..0000000000 --- a/packages/okta/1.8.0/data_stream/system/manifest.yml +++ /dev/null @@ -1,34 +0,0 @@ -type: logs -title: Okta system logs -streams: - - input: httpjson - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - okta-system - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: Okta system logs - description: Collect Okta system logs diff --git a/packages/okta/1.8.0/data_stream/system/sample_event.json b/packages/okta/1.8.0/data_stream/system/sample_event.json deleted file mode 100755 index f50738dcc0..0000000000 --- a/packages/okta/1.8.0/data_stream/system/sample_event.json +++ /dev/null 
@@ -1,163 +0,0 @@ -{ - "@timestamp": "2020-02-14T20:18:57.718Z", - "agent": { - "ephemeral_id": "3347d5a2-0d81-41c5-8cbf-a69aebcdb56a", - "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.1" - }, - "client": { - "geo": { - "city_name": "Dublin", - "country_name": "United States", - "location": { - "lat": 37.7201, - "lon": -121.919 - }, - "region_name": "California" - }, - "ip": "108.255.197.247", - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - } - }, - "data_stream": { - "dataset": "okta.system", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", - "snapshot": true, - "version": "8.2.1" - }, - "event": { - "action": "user.session.start", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "created": "2022-05-18T08:57:39.484Z", - "dataset": "okta.system", - "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2022-05-18T08:57:40Z", - "kind": "event", - "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", - "outcome": "success", - "type": [ - "start", - "user" - ] - }, - "input": { - "type": "httpjson" - }, - "okta": { - "actor": { - "alternate_id": "xxxxxx@elastic.co", - "display_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6", - "type": "User" - }, - "authentication_context": { - "authentication_step": 0, - "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" - }, - "client": { - "device": "Computer", - "ip": "108.255.197.247", - "user_agent": { - "browser": "FIREFOX", - "os": "Mac OS X", - "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" - }, - "zone": "null" - }, - "debug_context": { - "debug_data": { - "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", - "flattened": { - "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", - "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "requestUri": "/api/v1/authn", - "threatSuspected": "false", - "url": "/api/v1/authn?" 
- }, - "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "request_uri": "/api/v1/authn", - "threat_suspected": "false", - "url": "/api/v1/authn?" - } - }, - "display_message": "User login to Okta", - "event_type": "user.session.start", - "outcome": { - "result": "SUCCESS" - }, - "request": { - "ip_chain": [ - { - "geographical_context": { - "city": "Dublin", - "country": "United States", - "geolocation": { - "lat": 37.7201, - "lon": -121.919 - }, - "postal_code": "94568", - "state": "California" - }, - "ip": "108.255.197.247", - "version": "V4" - } - ] - }, - "transaction": { - "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "type": "WEB" - }, - "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" - }, - "related": { - "ip": [ - "108.255.197.247" - ], - "user": [ - "xxxxxx" - ] - }, - "source": { - "ip": "108.255.197.247", - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "okta-system" - ], - "user": { - "full_name": "xxxxxx" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", - "os": { - "full": "Mac OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "72.0." - } -} \ No newline at end of file diff --git a/packages/okta/1.8.0/docs/README.md b/packages/okta/1.8.0/docs/README.md deleted file mode 100755 index d14118f0d9..0000000000 --- a/packages/okta/1.8.0/docs/README.md +++ /dev/null 
@@ -1,356 +0,0 @@ -# Okta Integration - -The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API. - -## Logs - -### System - -The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta. - -An example event for `system` looks as following: - -```json -{ - "@timestamp": "2020-02-14T20:18:57.718Z", - "agent": { - "ephemeral_id": "3347d5a2-0d81-41c5-8cbf-a69aebcdb56a", - "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.1" - }, - "client": { - "geo": { - "city_name": "Dublin", - "country_name": "United States", - "location": { - "lat": 37.7201, - "lon": -121.919 - }, - "region_name": "California" - }, - "ip": "108.255.197.247", - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - } - }, - "data_stream": { - "dataset": "okta.system", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", - "snapshot": true, - "version": "8.2.1" - }, - "event": { - "action": "user.session.start", - "agent_id_status": "verified", - "category": [ - "authentication", - "session" - ], - "created": "2022-05-18T08:57:39.484Z", - "dataset": "okta.system", - "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", - "ingested": "2022-05-18T08:57:40Z", - "kind": "event", - "original": 
"{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", - "outcome": "success", - "type": [ - "start", - "user" - ] - }, - "input": { - "type": "httpjson" - }, - "okta": { - "actor": { - "alternate_id": 
"xxxxxx@elastic.co", - "display_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6", - "type": "User" - }, - "authentication_context": { - "authentication_step": 0, - "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" - }, - "client": { - "device": "Computer", - "ip": "108.255.197.247", - "user_agent": { - "browser": "FIREFOX", - "os": "Mac OS X", - "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" - }, - "zone": "null" - }, - "debug_context": { - "debug_data": { - "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", - "flattened": { - "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", - "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "requestUri": "/api/v1/authn", - "threatSuspected": "false", - "url": "/api/v1/authn?" - }, - "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "request_uri": "/api/v1/authn", - "threat_suspected": "false", - "url": "/api/v1/authn?" - } - }, - "display_message": "User login to Okta", - "event_type": "user.session.start", - "outcome": { - "result": "SUCCESS" - }, - "request": { - "ip_chain": [ - { - "geographical_context": { - "city": "Dublin", - "country": "United States", - "geolocation": { - "lat": 37.7201, - "lon": -121.919 - }, - "postal_code": "94568", - "state": "California" - }, - "ip": "108.255.197.247", - "version": "V4" - } - ] - }, - "transaction": { - "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "type": "WEB" - }, - "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" - }, - "related": { - "ip": [ - "108.255.197.247" - ], - "user": [ - "xxxxxx" - ] - }, - "source": { - "ip": "108.255.197.247", - "user": { - "full_name": "xxxxxx", - "id": "00u1abvz4pYqdM8ms4x6" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "okta-system" - ], - "user": { - "full_name": "xxxxxx" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Firefox", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", - "os": { - "full": "Mac 
OS X 10.15", - "name": "Mac OS X", - "version": "10.15" - }, - "version": "72.0." - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.full_name | User's full name, if available. | keyword | -| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| okta.actor.alternate_id | Alternate identifier of the actor. | keyword |
-| okta.actor.display_name | Display name of the actor. | keyword |
-| okta.actor.id | Identifier of the actor. | keyword |
-| okta.actor.type | Type of the actor. | keyword |
-| okta.authentication_context.authentication_provider | The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. | keyword |
-| okta.authentication_context.authentication_step | The authentication step. | integer |
-| okta.authentication_context.credential_provider | The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. | keyword |
-| okta.authentication_context.credential_type | The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. 
| keyword |
-| okta.authentication_context.external_session_id | The session identifer of the external session if any. | keyword |
-| okta.authentication_context.interface | The interface used. e.g., Outlook, Office365, wsTrust | keyword |
-| okta.authentication_context.issuer.id | The identifier of the issuer. | keyword |
-| okta.authentication_context.issuer.type | The type of the issuer. | keyword |
-| okta.client.device | The information of the client device. | keyword |
-| okta.client.id | The identifier of the client. | keyword |
-| okta.client.ip | The IP address of the client. | ip |
-| okta.client.user_agent.browser | The browser informaton of the client. | keyword |
-| okta.client.user_agent.os | The OS informaton. | keyword |
-| okta.client.user_agent.raw_user_agent | The raw informaton of the user agent. | keyword |
-| okta.client.zone | The zone information of the client. | keyword |
-| okta.debug_context.debug_data.device_fingerprint | The fingerprint of the device. | keyword |
-| okta.debug_context.debug_data.flattened | The complete debug_data object. | flattened |
-| okta.debug_context.debug_data.request_id | The identifier of the request. | keyword |
-| okta.debug_context.debug_data.request_uri | The request URI. | keyword |
-| okta.debug_context.debug_data.risk_level | The risk level assigned to the sign in attempt. | keyword |
-| okta.debug_context.debug_data.threat_suspected | Threat suspected. | keyword |
-| okta.debug_context.debug_data.url | The URL. | keyword |
-| okta.display_message | The display message of the LogEvent. | keyword |
-| okta.event_type | The type of the LogEvent. | keyword |
-| okta.outcome.reason | The reason of the outcome. | keyword |
-| okta.outcome.result | The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. | keyword |
-| okta.request.ip_chain.geographical_context.city | The city. | keyword |
-| okta.request.ip_chain.geographical_context.country | The country. 
| keyword |
-| okta.request.ip_chain.geographical_context.geolocation | Geolocation information. | geo_point |
-| okta.request.ip_chain.geographical_context.postal_code | The postal code. | keyword |
-| okta.request.ip_chain.geographical_context.state | The state. | keyword |
-| okta.request.ip_chain.ip | IP address. | ip |
-| okta.request.ip_chain.source | Source information. | keyword |
-| okta.request.ip_chain.version | IP version. Must be one of V4, V6. | keyword |
-| okta.security_context.as.number | The AS number. | integer |
-| okta.security_context.as.organization.name | The organization name. | keyword |
-| okta.security_context.domain | The domain name. | keyword |
-| okta.security_context.is_proxy | Whether it is a proxy or not. | boolean |
-| okta.security_context.isp | The Internet Service Provider. | keyword |
-| okta.severity | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. | keyword |
-| okta.target.alternate_id | Alternate identifier of the actor. | keyword |
-| okta.target.display_name | Display name of the actor. | keyword |
-| okta.target.id | Identifier of the actor. | keyword |
-| okta.target.type | Type of the actor. | keyword |
-| okta.transaction.id | Identifier of the transaction. | keyword |
-| okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword |
-| okta.uuid | The unique identifier of the Okta LogEvent. | keyword |
-| okta.version | The version of the LogEvent. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.full_name | User's full name, if available. | keyword |
-| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
-| source.user.id | Unique identifier of the user. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.email | User email address. 
| keyword |
-| user.target.full_name | User's full name, if available. | keyword |
-| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text |
-| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
-| user.target.group.name | Name of the group. | keyword |
-| user.target.id | Unique identifier of the user. | keyword |
-| user.target.name | Short name or login of the user. | keyword |
-| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
diff --git a/packages/okta/1.8.0/img/filebeat-okta-dashboard.png b/packages/okta/1.8.0/img/filebeat-okta-dashboard.png
deleted file mode 100755
index 6a28b4363b..0000000000
Binary files a/packages/okta/1.8.0/img/filebeat-okta-dashboard.png and /dev/null differ
diff --git a/packages/okta/1.8.0/img/okta-logo.svg b/packages/okta/1.8.0/img/okta-logo.svg
deleted file mode 100755
index d806cb7dc6..0000000000
--- a/packages/okta/1.8.0/img/okta-logo.svg
+++ /dev/null
@@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - \ No newline at end of file
diff --git a/packages/okta/1.8.0/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.8.0/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json
deleted file mode 100755
index d8725c4d60..0000000000
--- a/packages/okta/1.8.0/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "attributes": {
- "description": "Logs Okta integration Kibana dashboard",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":26.54701,\"lon\":-44.69098,\"zoom\":2.75},\"openTOCDetails\":[]},\"gridData\":{\"h\":22,\"i\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"w\":10,\"x\":0,\"y\":22},\"panelIndex\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"w\":9,\"x\":10,\"y\":22},\"panelIndex\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"w\":19,\"x\":29,\"y\":22},\"panelIndex\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"w\":10,\"x\":19,\"y\":22},\"panelIndex\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"w\":48,\"x\":0,\"y\":33},\"panelIndex\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0-SNAPSHOT\"}]",
- "timeRestore": false,
- "title": "[Logs Okta] Overview",
- "version": 1
- },
- "id": 
"okta-749203a0-67b1-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "dashboard": "7.3.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d",
- "name": "panel_0",
- "type": "map"
- },
- {
- "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d",
- "name": "panel_5",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/okta/1.8.0/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.8.0/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json
deleted file mode 100755
index 916a10ca30..0000000000
--- a/packages/okta/1.8.0/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "attributes": {
- "description": "",
- "layerListJSON": "[{\"alpha\":1,\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\" \"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":false,\"geoField\":\"client.geo.location\",\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]",
- "mapStateJSON": 
"{\"center\":{\"lat\":26.54701,\"lon\":-44.69098},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"zoom\":2.75}",
- "title": "Geolocation [Logs Okta]",
- "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}"
- },
- "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "map": "7.9.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "layer_1_source_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "map"
-}
\ No newline at end of file
diff --git a/packages/okta/1.8.0/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json b/packages/okta/1.8.0/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json
deleted file mode 100755
index 35112753e0..0000000000
--- a/packages/okta/1.8.0/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"FAILURE\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"FAILURE\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ],
- [
- "event.created",
- "desc"
- ]
- ],
- "title": "Okta Failure Events",
- "version": 1
- },
- "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "search": "7.4.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/okta/1.8.0/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json b/packages/okta/1.8.0/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json
deleted file mode 100755
index e31342b53d..0000000000
--- a/packages/okta/1.8.0/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Actor Types [Logs Okta]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.actor.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Actor Types [Logs Okta]\",\"type\":\"pie\"}"
- },
- "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/okta/1.8.0/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json b/packages/okta/1.8.0/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json
deleted file mode 100755
index c1c400b37c..0000000000
--- a/packages/okta/1.8.0/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Event Outcome [Logs Okta]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Outcome [Logs Okta]\",\"type\":\"pie\"}"
- },
- "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/okta/1.8.0/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.8.0/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json
deleted file mode 100755
index beb76986ed..0000000000
--- a/packages/okta/1.8.0/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "Transaction Types [Logs Okta]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.transaction.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Transaction Types [Logs Okta]\",\"type\":\"pie\"}"
- },
- "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/okta/1.8.0/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.8.0/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json
deleted file mode 100755
index 4e314cfd4c..0000000000
--- a/packages/okta/1.8.0/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Time Series [Logs Okta]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"abd68650-67c6-11ea-8c7d-ed286611413e\"}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Time Series [Logs Okta]\",\"type\":\"metrics\"}"
- },
- "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/okta/1.8.0/manifest.yml b/packages/okta/1.8.0/manifest.yml
deleted file mode 100755
index ef0e5684ee..0000000000
--- a/packages/okta/1.8.0/manifest.yml
+++ /dev/null
@@ -1,77 +0,0 @@ -name: okta -title: Okta Logs -version: 1.8.0 -release: ga -description: Collect and parse event logs from Okta API with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -conditions: - kibana.version: ^7.14.0 || ^8.0.0 -icons: - - src: /img/okta-logo.svg - title: Okta - size: 216x216 - type: image/svg+xml -screenshots: - - src: /img/filebeat-okta-dashboard.png - title: Okta Dashboard - size: 1024x662 - type: image/png -policy_templates: - - name: okta - title: Okta logs - description: Collect logs from Okta - inputs: - - type: httpjson - vars: - - name: api_key - type: text - title: API Key - multi: false - required: false - show_user: true - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: true - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 60s - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - default: 24h - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: true - - name: url - type: text - title: Okta System Log API Url - multi: false - required: false - show_user: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - title: "Collect Okta logs via API" - description: "Collecting logs from Okta via API" -owner: - github: elastic/security-external-integrations diff --git a/packages/panw_cortex_xdr/1.2.1/changelog.yml b/packages/panw_cortex_xdr/1.2.1/changelog.yml deleted file mode 100755 index 71cf075efe..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/changelog.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -# newer versions go on top -- version: "1.2.1" - changes: - - description: Updated the links in the file to Palo Alto Cortex XDR documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3144 -- version: "1.2.0" - changes: - - description: Update to ECS 8.2 to use new email field set. - type: enhancement - link: https://github.com/elastic/integrations/pull/2799 -- version: "1.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.1.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2431 -- version: "1.0.0" - changes: - - description: GA integration - type: enhancement - link: https://github.com/elastic/integrations/pull/2360 -- version: "0.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2275 -- version: "0.2.6" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.2.5" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "0.2.4" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2092 -- version: "0.2.3" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1980 -- version: "0.2.2" - changes: - - description: Fix duplicate events - type: bugfix - link: https://github.com/elastic/integrations/pull/1921 -- version: "0.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1841 -- version: "0.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1673 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement - link: https://github.com/elastic/integrations/pull/1327 diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/agent/stream/httpjson.yml.hbs b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 2056ceabb1..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,79 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: POST - -{{#if url}} -request.url: {{url}}/public_api/v1/alerts/get_alerts_multi_events -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if request_timeout}} -request.timeout: {{request_timeout}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} - -request.transforms: -- set: - target: header.Authorization - value: {{api_token}} -- set: - target: header.x-xdr-auth-id - value: {{token_id}} -- set: - target: body.request_data.sort.field - value: creation_time -- set: - target: body.request_data.sort.keyword - value: asc -- append: - target: body.request_data.filters - value: |- - { - "field": "creation_time", - "operator": "gte", - "value": [[ .cursor.next_ts ]] - } - default: |- - { - "field": "creation_time", - "operator": "gte", - "value": [[ mul (add (now (parseDuration "-{{initial_interval}}")).Unix) 1000 ]] - } - value_type: json -response.split: - target: body.reply.alerts - split: - target: body.events - keep_parent: true -response.pagination: - - set: - target: body.request_data.search_from - value: "[[mul .last_response.page 100]]" - value_type: int - fail_on_template_error: true - - set: - target: body.request_data.search_to - value: "[[add (mul .last_response.page 100) 100]]" - value_type: int - fail_on_template_error: true -cursor: - next_ts: - value: "[[.last_event.detection_timestamp]]" - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 650d72243d..0000000000 
--- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,458 +0,0 @@ ---- -description: Pipeline for Palo Alto XDR API. -processors: - - set: - field: ecs.version - value: "8.2.0" - - set: - field: event.kind - value: alert - - append: - field: event.category - value: malware - - append: - field: event.type - value: info - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: panw_cortex.xdr - - fingerprint: - fields: - - panw_cortex.xdr.events.event_timestamp - - panw_cortex.xdr.events.event_id - - panw_cortex.xdr.events.event_type - - panw_cortex.xdr.alert_id - target_field: "_id" - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean drop(Object o) { - if (o == null || o == "") { - return true; - } else if (o instanceof Map) { - ((Map) o).values().removeIf(v -> drop(v)); - return (((Map) o).size() == 0); - } else if (o instanceof List) { - ((List) o).removeIf(v -> drop(v)); - return (((List) o).length == 0); - } - return false; - } - drop(ctx); - - date: - field: panw_cortex.xdr.events.event_timestamp - formats: - - UNIX_MS - if: ctx.panw_cortex?.xdr?.events?.event_timestamp != null - - date: - field: panw_cortex.xdr.detection_timestamp - target_field: event.created - formats: - - UNIX_MS - if: ctx.panw_cortex?.xdr?.detection_timestamp != null - - date: - field: panw_cortex.xdr.end_match_attempt_ts - target_field: panw_cortex.xdr.end_match_attempt_ts - formats: - - UNIX_MS - if: ctx.panw_cortex?.xdr?.end_match_attempt_ts != null - - date: - field: panw_cortex.xdr.local_insert_ts - target_field: panw_cortex.xdr.local_insert_ts - formats: - - UNIX_MS - if: ctx.panw_cortex?.xdr?.local_insert_ts != null - - rename: - field: panw_cortex.xdr.name - target_field: message - ignore_missing: true - - set: - field: event.severity - value: 0 - if: ctx.panw_cortex?.xdr?.severity == "unknown" - - set: - field: event.severity - value: 1 - if: ctx.panw_cortex?.xdr?.severity == "informational" - - set: - 
field: event.severity - value: 2 - if: ctx.panw_cortex?.xdr?.severity == "low" - - set: - field: event.severity - value: 3 - if: ctx.panw_cortex?.xdr?.severity == "medium" - - set: - field: event.severity - value: 4 - if: ctx.panw_cortex?.xdr?.severity == "high" - - rename: - field: panw_cortex.xdr.external_id - target_field: event.id - ignore_missing: true - - rename: - field: panw_cortex.xdr.action - target_field: event.action - ignore_missing: true - - rename: - field: panw_cortex.xdr.description - target_field: event.reason - ignore_missing: true - if: "ctx.panw_cortex?.xdr?.description != null && ctx.panw_cortex.xdr.description instanceof String" - - rename: - field: panw_cortex.xdr.description - target_field: panw_cortex.xdr.bioc_description - ignore_missing: true - if: "ctx.event?.reason == null && ctx.panw_cortex?.xdr?.description != null && ctx.panw_cortex?.xdr?.description instanceof List" - - set: - field: event.reason - value: Bioc Event - if: "ctx.event?.reason == null && ctx.panw_cortex?.xdr?.bioc_description != null" - - rename: - field: panw_cortex.xdr.agent_device_domain - target_field: host.domain - ignore_missing: true - - rename: - field: panw_cortex.xdr.agent_fqdn - target_field: host.hostname - ignore_missing: true - - rename: - field: panw_cortex.xdr.host_name - target_field: host.hostname - ignore_missing: true - if: ctx.host?.hostname == null - - set: - field: host.name - copy_from: host.hostname - if: ctx.host?.hostname != null - - rename: - field: panw_cortex.xdr.agent_os_type - target_field: host.os.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.agent_os_sub_type - target_field: host.os.version - ignore_missing: true - - rename: - field: panw_cortex.xdr.mac_addresses - target_field: host.mac - ignore_missing: true - - rename: - field: panw_cortex.xdr.host_ip - target_field: host.ip - ignore_missing: true - - rename: - field: panw_cortex.xdr.endpoint_id - target_field: host.id - ignore_missing: true - - split: - field: 
panw_cortex.xdr.mac - target_field: host.mac - separator: "," - ignore_missing: true - if: ctx.host?.mac == null - - remove: - field: - - panw_cortex.xdr.mac - ignore_missing: true - if: ctx.host?.mac != null - - rename: - field: panw_cortex.xdr.events.dns_query_name - target_field: dns.question.name - ignore_missing: true - #The Action actor is an an activity that took place and was recorded by the agent. - - convert: - field: panw_cortex.xdr.events.action_remote_ip - target_field: destination.ip - type: ip - ignore_missing: true - ignore_failure: true - - convert: - field: panw_cortex.xdr.events.action_remote_port - target_field: destination.port - type: long - ignore_missing: true - - convert: - field: panw_cortex.xdr.events.action_local_ip - target_field: source.ip - type: ip - ignore_missing: true - - convert: - field: panw_cortex.xdr.events.action_local_port - target_field: source.port - type: long - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_process_image_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_process_image_command_line - target_field: process.command_line - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_process_image_name - target_field: process.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_process_signature_vendor - target_field: process.code_signature.subject_name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_process_signature_status - target_field: process.code_signature.status - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_process_instance_id - target_field: process.entity_id - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.actor_process_command_line - target_field: process.command_line - ignore_missing: true - if: ctx.process?.command_line == null - - rename: - field: panw_cortex.xdr.events.action_file_path - 
target_field: file.path - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_file_name - target_field: file.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_file_md5 - target_field: file.hash.md5 - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_file_sha256 - target_field: file.hash.sha256 - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_registry_key_name - target_field: registry.key - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_registry_value_name - target_field: registry.value - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_registry_full_key - target_field: registry.path - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.action_registry_data - target_field: registry.data.strings - ignore_missing: true - #The Actor actor is the process that performed the action. - - rename: - field: panw_cortex.xdr.events.actor_process_os_pid - target_field: process.pid - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.actor_process_instance_id - target_field: process.entity_id - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.actor_process_image_path - target_field: process.executable - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.actor_process_command_line - target_field: process.command_line - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.actor_process_image_name - target_field: process.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.actor_process_signature_vendor - target_field: process.code_signature.subject_name - ignore_missing: true - if: ctx.process?.code_signature?.subject_name == null - - rename: - field: panw_cortex.xdr.events.actor_process_image_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.actor_process_image_md5 - target_field: 
process.hash.md5 - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.actor_thread_thread_id - target_field: process.thread.id - ignore_missing: true - #The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR agent identified as being responsible for initiating the process tree. - - rename: - field: panw_cortex.xdr.events.causality_actor_process_image_name - target_field: process.parent.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.causality_actor_process_image_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.causality_actor_process_image_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.causality_actor_process_image_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.causality_actor_causality_id - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.causality_actor_process_signature_vendor - target_field: process.parent.code_signature.subject_name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.causality_actor_process_signature_status - target_field: process.parent.code_signature.status - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.causality_actor_process_command_line - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.causality_actor_process_execution_time - target_field: process.parent.uptime - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.user_name - target_field: user.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.fw_rule - target_field: rule.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.fw_rule_id - target_field: rule.id - 
ignore_missing: true - - rename: - field: panw_cortex.xdr.events.fw_interface_from - target_field: observer.ingress.interface.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.fw_interface_to - target_field: observer.egress.interface.name - ignore_missing: true - - rename: - field: panw_cortex.xdr.events.fw_serial_number - target_field: observer.serial_number - ignore_missing: true - - set: - field: email.subject - copy_from: panw_cortex.xdr.events.fw_email_subject - if: "ctx?.panw_cortex.xdr?.events?.fw_email_subject != null" - - append: - field: email.from.address - value: "{{{panw_cortex.xdr.events.fw_email_sender}}}" - if: "ctx?.panw_cortex.xdr?.events?.fw_email_sender != null" - - append: - field: email.to.address - value: "{{{panw_cortex.xdr.events.fw_email_recipient}}}" - if: "ctx?.panw_cortex.xdr?.events?.fw_email_recipient != null" - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hash - value: "{{{process.parent.hash.md5}}}" - allow_duplicates: false - if: ctx.process?.parent?.hash?.md5 != null - - append: - field: related.hash - value: 
"{{{process.parent.hash.sha256}}}" - allow_duplicates: false - if: ctx.process?.parent?.hash?.sha256 != null - - append: - field: related.hash - value: "{{{process.hash.md5}}}" - allow_duplicates: false - if: ctx.process?.hash?.md5 != null - - append: - field: related.hash - value: "{{{process.hash.sha256}}}" - allow_duplicates: false - if: ctx.process?.hash?.sha256 != null - - append: - field: related.hash - value: "{{{file.hash.sha256}}}" - allow_duplicates: false - if: ctx.file?.hash?.sha256 != null - - append: - field: related.hash - value: "{{{file.hash.md5}}}" - allow_duplicates: false - if: ctx.file?.hash?.md5 != null - - append: - field: related.user - value: "{{{user.name}}}" - allow_duplicates: false - if: ctx.user?.name != null - - remove: - field: - - panw_cortex.xdr.host_name - - panw_cortex.xdr.detection_timestamp - - panw_cortex.xdr.events.event_timestamp - - panw_cortex.xdr.severity - - panw_cortex.xdr.events.action_remote_ip - - panw_cortex.xdr.events.action_remote_port - - panw_cortex.xdr.events.action_local_ip - - panw_cortex.xdr.events.action_local_port - - panw_cortex.xdr.events.action_country - - panw_cortex.xdr.bioc_indicator - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/agent.yml b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/base-fields.yml b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/base-fields.yml deleted file mode 100755 index 26897c3d3e..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: panw_cortex -- name: event.dataset - type: constant_keyword - description: Event dataset - value: panw_cortex_xdr.alerts -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/beats.yml b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/ecs.yml b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/ecs.yml deleted file mode 100755 index 5ace0265cc..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/ecs.yml +++ /dev/null 
@@ -1,326 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - type: keyword -- description: The email address of recipient - name: email.to.address - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. 
`blocked site`). - name: event.reason - type: keyword -- description: |- - Name of the domain of which the host is a member. - For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - name: host.domain - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: destination.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: source.geo.location - type: geo_point -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. 
- multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Subject name of the code signer - name: process.code_signature.subject_name - type: keyword -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: process.code_signature.status - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: Thread ID. - name: process.thread.id - type: long -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. 
- name: process.parent.hash.sha256 - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Subject name of the code signer - name: process.parent.code_signature.subject_name - type: keyword -- description: |- - Additional information about the certificate status. - This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - name: process.parent.code_signature.status - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: Seconds the process has been up. - name: process.parent.uptime - type: long -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: Hive-relative path of keys. - name: registry.key - type: keyword -- description: Name of the value written. - name: registry.value - type: keyword -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: |- - Content when writing string types. - Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - name: registry.data.strings - type: wildcard -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/fields.yml b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/fields.yml deleted file mode 100755 index 2d77754219..0000000000 
--- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/fields/fields.yml +++ /dev/null 
@@ -1,276 +0,0 @@ -- name: panw_cortex.xdr - type: group - fields: - - name: external_id - type: keyword - description: | - External ID related to the Alert itself. - - name: matching_status - type: keyword - description: | - Matching status of the endpoint group. - - name: end_match_attempt_ts - type: date - - name: local_insert_ts - type: date - - name: bioc_indicator - type: keyword - description: | - The Behavioral Indicator type matching to the event. - - name: description - type: keyword - description: | - A description of the related event. - - name: bioc_description - type: object - description: | - A description of the related bioc event. - - name: matching_service_rule_id - type: keyword - - name: attempt_counter - type: long - description: | - Attempts to block or stop the malicious process. - - name: bioc_category_enum_key - type: keyword - description: | - Behavior Indicator type key. - - name: is_whitelisted - type: boolean - description: | - If process is whitelisted. - - name: starred - type: boolean - description: | - If alert type is prioritized (starred). - - name: deduplicate_tokens - type: keyword - - name: filter_rule_id - type: keyword - description: | - ID of the filter rule. - - name: mitre_technique_id_and_name - type: keyword - - name: mitre_tactic_id_and_name - type: keyword - - name: agent_version - type: keyword - description: | - Version of the XDR Endpoint agent. - - name: agent_data_collection_status - type: boolean - description: | - Collection status of the agent. - - name: mac - type: keyword - description: | - Main MAC address of the agent. - - name: mac_address - type: keyword - description: | - Array of all the MAC addresses related to the agent. - - name: agent_is_vdi - type: keyword - description: | - If agent is running inside a Virtual Desktop. - - name: alert_id - type: keyword - description: | - The ID of the alert. - - name: category - type: keyword - description: | - The Alert category. 
- - name: endpoint_id - type: keyword - description: | - The unique ID of the endpoint. - - name: source - type: keyword - - name: action_pretty - type: keyword - description: | - Pretty description of the action type. - - name: events - type: group - fields: - - name: contains_featured_host - type: keyword - - name: contains_featured_user - type: keyword - - name: contains_featured_ip - type: keyword - - name: agent_install_type - type: keyword - description: | - Display name of the actor. - - name: agent_host_boot_time - type: keyword - description: | - Uptime of the host. - - name: event_sub_type - type: keyword - description: | - Sub type of the event related to the alert. - - name: module_id - type: keyword - description: | - The ID of the module that caught the event. - - name: association_strength - type: long - - name: dst_association_strength - type: long - - name: story_id - type: keyword - - name: event_id - type: keyword - description: | - The ID unique to the underlying event related to the alert. - - name: event_type - type: keyword - description: | - Event type - - name: actor_process_causality_id - type: keyword - description: | - The parent processor ID related to the actor. - - name: action_file_macro_sha256 - type: keyword - - name: action_external_hostname - type: keyword - description: | - Any external hostname related to the specific event action. - - name: action_country - type: keyword - - name: action_process_causality_id - type: keyword - description: | - The parent processor ID related to the action. - - name: os_actor_effective_username - type: keyword - description: | - Username related to the OS actor. - - name: os_actor_process_instance_id - type: keyword - description: | - The process ID related to the OS actor. - - name: os_actor_process_image_path - type: keyword - description: | - OS actor binary path. - - name: os_actor_process_image_name - type: keyword - description: | - OS actor binary name. 
- - name: os_actor_process_command_line - type: keyword - description: | - OS actor full command line example. - - name: os_actor_process_signature_status - type: keyword - description: | - Signature of the OS actor process. - - name: os_actor_process_signature_vendor - type: keyword - description: | - Signature vendor of the OS actor process. - - name: os_actor_process_image_sha256 - type: keyword - description: | - SHA256 hash indentifier of the OS actor process. - - name: os_actor_process_causality_id - type: keyword - description: | - The ID of the parent process related to the OS actor. - - name: os_actor_causality_id - type: keyword - description: | - The ID of the OS actor process - - name: os_actor_process_os_pid - type: keyword - description: | - The OS PID related to the related process. - - name: os_actor_thread_thread_id - type: keyword - description: | - The thread ID related to the related OS actor process. - - name: fw_app_id - type: keyword - description: | - The layer 7 application ID from the firewall event. - - name: fw_device_name - type: keyword - description: | - Related firewall device. - - name: fw_url_domain - type: keyword - description: | - Related domain to the firewall event. - - name: fw_email_subject - type: keyword - - name: fw_email_sender - type: keyword - - name: fw_email_recipient - type: keyword - - name: fw_app_subcategory - type: keyword - description: | - Layer 7 application subcategory related to the firewall event. - - name: fw_app_category - type: keyword - description: | - Layer 7 application category related to the firewall event. - - name: fw_app_technology - type: keyword - description: | - Layer 7 application type related to the firewall event. - - name: fw_vsys - type: keyword - description: | - The related VSYS name if applicable. - - name: fw_xff - type: keyword - - name: fw_misc - type: keyword - description: | - Additional information related to the firewall event. 
- - name: fw_is_phishing - type: keyword - description: | - If event is related to a phishing campaign. - - name: dst_agent_id - type: keyword - description: | - The endpoint ID of a destination agent. - - name: dst_causality_actor_process_execution_time - type: keyword - description: | - The process execution time of the destination process. - - name: dns_query_name - type: keyword - description: | - The related DNS query for the event. - - name: dst_action_external_hostname - type: keyword - description: | - The external hostname of the destination. - - name: dst_action_country - type: keyword - description: | - The country related to the destination. - - name: dst_action_external_port - type: keyword - description: | - The external (NAT) port of the destination. - - name: actor_causality_id - type: keyword - description: | - The parent process ID of the actor process. - - name: actor_process_signature_status - type: keyword - description: | - The signature of the actor process. - - name: actor_process_signature_vendor - type: keyword - description: | - The signature vendor of the actor process. diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/manifest.yml b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/manifest.yml deleted file mode 100755 index b49e4ad0ef..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/manifest.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -type: logs -title: Palo Alto Cortex XDR API -streams: - - input: httpjson - vars: - - name: url - type: text - title: Palo Alto Cortex XDR API Domain - multi: false - required: true - show_user: true - description: The URL hosting the API endpoint. - default: https://test.xdr.eu.paloaltonetworks.com - - name: api_token - type: text - title: Palo Alto Cortex XDR API Token - multi: false - required: true - show_user: true - description: API token from the XDR UI. - - name: token_id - type: text - title: Palo Alto Cortex XDR API Token ID - multi: false - required: true - show_user: true - default: 1 - description: The token ID related to the above API token - - name: request_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: true - default: 30s - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 5m - description: How often the API is polled for new alerts. - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - default: 24h - description: How far back in time to look for alerts the first time running. 
- - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - panw_cortex_xdr - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: Palo Alto Cortex XDR - description: Palo Alto Cortex XDR API diff --git a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/sample_event.json b/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/sample_event.json deleted file mode 100755 index b46ac99ed3..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/data_stream/alerts/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "@timestamp": "2020-10-21T11:31:28.980Z", - "agent": { - "ephemeral_id": "a7da9a06-658a-4f11-a037-4f3c5009996a", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "panw_cortex_xdr.alerts", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "BLOCKED", - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2020-10-21T11:31:28.980Z", - "dataset": "panw_cortex_xdr.alerts", - "id": "800800", - "ingested": "2022-01-02T08:57:33Z", - "kind": "alert", - "original": "{\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented (Blocked)\",\"agent_data_collection_status\":true,\"agent_device_domain\":null,\"agent_fqdn\":\"test\",\"agent_is_vdi\":null,\"agent_os_sub_type\":\"XP\",\"agent_os_type\":\"Windows\",\"agent_version\":\"1.2.3.4\",\"alert_id\":\"1001\",\"attempt_counter\":55,\"bioc_category_enum_key\":null,\"bioc_indicator\":null,\"category\":\"Exploit\",\"deduplicate_tokens\":null,\"description\":\"Local privilege escalation 
prevented\",\"detection_timestamp\":1603279888980,\"end_match_attempt_ts\":1603552062824,\"endpoint_id\":\"12345678\",\"events\":{\"action_country\":\"UNKNOWN\",\"action_external_hostname\":null,\"action_file_macro_sha256\":null,\"action_file_md5\":null,\"action_file_name\":null,\"action_file_path\":null,\"action_file_sha256\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_process_causality_id\":null,\"action_process_image_command_line\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_instance_id\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"action_registry_data\":null,\"action_registry_full_key\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"actor_causality_id\":null,\"actor_process_causality_id\":null,\"actor_process_command_line\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_md5\":null,\"actor_process_image_name\":\"virus.exe\",\"actor_process_image_path\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_sha256\":\"133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44\",\"actor_process_instance_id\":\"1234\",\"actor_process_os_pid\":1234,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_thread_thread_id\":null,\"agent_host_boot_time\":null,\"agent_install_type\":\"NA\",\"association_strength\":null,\"causality_actor_causality_id\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_image_sha256\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_process_signature_vendor\":null,\"dns_query_name\":null,\"dst_action_country\":null,\"dst_action_external_hostname\":null,\"dst_action_external_p
ort\":null,\"dst_agent_id\":null,\"dst_association_strength\":null,\"dst_causality_actor_process_execution_time\":null,\"event_id\":null,\"event_sub_type\":null,\"event_timestamp\":1603279888980,\"event_type\":\"Process Execution\",\"fw_app_category\":null,\"fw_app_id\":null,\"fw_app_subcategory\":null,\"fw_app_technology\":null,\"fw_device_name\":null,\"fw_email_recipient\":null,\"fw_email_sender\":null,\"fw_email_subject\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_is_phishing\":\"N/A\",\"fw_misc\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_vsys\":null,\"fw_xff\":null,\"module_id\":\"Privilege Escalation Protection\",\"os_actor_causality_id\":null,\"os_actor_effective_username\":null,\"os_actor_process_causality_id\":null,\"os_actor_process_command_line\":null,\"os_actor_process_image_name\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_thread_thread_id\":null,\"story_id\":null,\"user_name\":null},\"external_id\":\"800800\",\"filter_rule_id\":null,\"host_ip\":[\"10.0.255.20\"],\"host_name\":\"Test\",\"is_whitelisted\":false,\"local_insert_ts\":1603279967500,\"mac\":null,\"mac_address\":[\"00:11:22:33:44:55\"],\"matching_service_rule_id\":null,\"matching_status\":\"FAILED\",\"mitre_tactic_id_and_name\":[\"\"],\"mitre_technique_id_and_name\":[\"\"],\"name\":\"Kernel Privilege Escalation\",\"severity\":\"high\",\"source\":\"XDR Agent\",\"starred\":false}", - "reason": "Local privilege escalation prevented", - "severity": 4, - "type": [ - "info" - ] - }, - "host": { - "hostname": "test", - "id": "12345678", - "ip": [ - "10.0.255.20" - ], - "name": "test", - "os": { - "name": "Windows", - "version": "XP" - } - }, - "input": { - "type": "httpjson" - }, - "message": "Kernel Privilege Escalation", 
- "panw_cortex": { - "xdr": { - "action_pretty": "Prevented (Blocked)", - "agent_data_collection_status": true, - "agent_version": "1.2.3.4", - "alert_id": "1001", - "attempt_counter": 55, - "category": "Exploit", - "end_match_attempt_ts": "2020-10-24T15:07:42.824Z", - "events": { - "actor_process_signature_status": "N/A", - "agent_install_type": "NA", - "event_type": "Process Execution", - "fw_is_phishing": "N/A", - "module_id": "Privilege Escalation Protection", - "os_actor_process_signature_status": "N/A" - }, - "is_whitelisted": false, - "local_insert_ts": "2020-10-21T11:32:47.500Z", - "mac_address": [ - "00:11:22:33:44:55" - ], - "matching_status": "FAILED", - "source": "XDR Agent", - "starred": false - } - }, - "process": { - "code_signature": { - "status": "N/A" - }, - "command_line": "c:\\tmp\\virus.exe", - "entity_id": "1234", - "executable": "c:\\tmp\\virus.exe", - "hash": { - "sha256": "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44" - }, - "name": "virus.exe", - "parent": { - "code_signature": { - "status": "N/A" - } - }, - "pid": 1234 - }, - "related": { - "hash": [ - "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "panw_cortex_xdr" - ] -} \ No newline at end of file diff --git a/packages/panw_cortex_xdr/1.2.1/docs/README.md b/packages/panw_cortex_xdr/1.2.1/docs/README.md deleted file mode 100755 index 508e715fb3..0000000000 --- a/packages/panw_cortex_xdr/1.2.1/docs/README.md +++ /dev/null 
@@ -1,333 +0,0 @@
-# Palo Alto Cortex XDR Integration
-
-The PANW XDR integration collects alerts with multiple events from the [Cortex XDR API,](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-apis/incident-management/get-alerts).
-
-## Logs
-
-### Alerts
-
-The Cortex XDR Alerts API is used to retrieve alerts generated by Cortex XDR based on raw endpoint data. A single alert might include one or more local endpoint events, each event generating its own document on Elasticsearch.
-
-The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: [Get Started with Cortex XDR API](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api/cortex-xdr-api-overview/get-started-with-cortex-xdr-apis.html)
-
-An example event for `alerts` looks as following:
-
-```json
-{
- "@timestamp": "2020-10-21T11:31:28.980Z",
- "agent": {
- "ephemeral_id": "a7da9a06-658a-4f11-a037-4f3c5009996a",
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "panw_cortex_xdr.alerts",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "BLOCKED",
- "agent_id_status": "verified",
- "category": [
- "malware"
- ],
- "created": "2020-10-21T11:31:28.980Z",
- "dataset": "panw_cortex_xdr.alerts",
- "id": "800800",
- "ingested": "2022-01-02T08:57:33Z",
- "kind": "alert",
- "original": "{\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented 
(Blocked)\",\"agent_data_collection_status\":true,\"agent_device_domain\":null,\"agent_fqdn\":\"test\",\"agent_is_vdi\":null,\"agent_os_sub_type\":\"XP\",\"agent_os_type\":\"Windows\",\"agent_version\":\"1.2.3.4\",\"alert_id\":\"1001\",\"attempt_counter\":55,\"bioc_category_enum_key\":null,\"bioc_indicator\":null,\"category\":\"Exploit\",\"deduplicate_tokens\":null,\"description\":\"Local privilege escalation prevented\",\"detection_timestamp\":1603279888980,\"end_match_attempt_ts\":1603552062824,\"endpoint_id\":\"12345678\",\"events\":{\"action_country\":\"UNKNOWN\",\"action_external_hostname\":null,\"action_file_macro_sha256\":null,\"action_file_md5\":null,\"action_file_name\":null,\"action_file_path\":null,\"action_file_sha256\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_process_causality_id\":null,\"action_process_image_command_line\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_instance_id\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"action_registry_data\":null,\"action_registry_full_key\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"actor_causality_id\":null,\"actor_process_causality_id\":null,\"actor_process_command_line\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_md5\":null,\"actor_process_image_name\":\"virus.exe\",\"actor_process_image_path\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_sha256\":\"133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44\",\"actor_process_instance_id\":\"1234\",\"actor_process_os_pid\":1234,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_thread_thread_id\":null,\"agent_host_boot_time\":null,\"agent_install_type\":\"NA\",\"association_strength\":null,\"causality_actor_causality_id\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_ex
ecution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_image_sha256\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_process_signature_vendor\":null,\"dns_query_name\":null,\"dst_action_country\":null,\"dst_action_external_hostname\":null,\"dst_action_external_port\":null,\"dst_agent_id\":null,\"dst_association_strength\":null,\"dst_causality_actor_process_execution_time\":null,\"event_id\":null,\"event_sub_type\":null,\"event_timestamp\":1603279888980,\"event_type\":\"Process Execution\",\"fw_app_category\":null,\"fw_app_id\":null,\"fw_app_subcategory\":null,\"fw_app_technology\":null,\"fw_device_name\":null,\"fw_email_recipient\":null,\"fw_email_sender\":null,\"fw_email_subject\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_is_phishing\":\"N/A\",\"fw_misc\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_vsys\":null,\"fw_xff\":null,\"module_id\":\"Privilege Escalation Protection\",\"os_actor_causality_id\":null,\"os_actor_effective_username\":null,\"os_actor_process_causality_id\":null,\"os_actor_process_command_line\":null,\"os_actor_process_image_name\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_thread_thread_id\":null,\"story_id\":null,\"user_name\":null},\"external_id\":\"800800\",\"filter_rule_id\":null,\"host_ip\":[\"10.0.255.20\"],\"host_name\":\"Test\",\"is_whitelisted\":false,\"local_insert_ts\":1603279967500,\"mac\":null,\"mac_address\":[\"00:11:22:33:44:55\"],\"matching_service_rule_id\":null,\"matching_status\":\"FAILED\",\"mitre_tactic_id_and_name\":[\"\"],\"mitre_technique_id_and_name\":[\"\"],\"name\":\"Kernel Privilege 
Escalation\",\"severity\":\"high\",\"source\":\"XDR Agent\",\"starred\":false}",
- "reason": "Local privilege escalation prevented",
- "severity": 4,
- "type": [
- "info"
- ]
- },
- "host": {
- "hostname": "test",
- "id": "12345678",
- "ip": [
- "10.0.255.20"
- ],
- "name": "test",
- "os": {
- "name": "Windows",
- "version": "XP"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "message": "Kernel Privilege Escalation",
- "panw_cortex": {
- "xdr": {
- "action_pretty": "Prevented (Blocked)",
- "agent_data_collection_status": true,
- "agent_version": "1.2.3.4",
- "alert_id": "1001",
- "attempt_counter": 55,
- "category": "Exploit",
- "end_match_attempt_ts": "2020-10-24T15:07:42.824Z",
- "events": {
- "actor_process_signature_status": "N/A",
- "agent_install_type": "NA",
- "event_type": "Process Execution",
- "fw_is_phishing": "N/A",
- "module_id": "Privilege Escalation Protection",
- "os_actor_process_signature_status": "N/A"
- },
- "is_whitelisted": false,
- "local_insert_ts": "2020-10-21T11:32:47.500Z",
- "mac_address": [
- "00:11:22:33:44:55"
- ],
- "matching_status": "FAILED",
- "source": "XDR Agent",
- "starred": false
- }
- },
- "process": {
- "code_signature": {
- "status": "N/A"
- },
- "command_line": "c:\\tmp\\virus.exe",
- "entity_id": "1234",
- "executable": "c:\\tmp\\virus.exe",
- "hash": {
- "sha256": "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
- },
- "name": "virus.exe",
- "parent": {
- "code_signature": {
- "status": "N/A"
- }
- },
- "pid": 1234
- },
- "related": {
- "hash": [
- "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "panw_cortex_xdr"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. 
| keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. 
| match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. 
| long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| panw_cortex.xdr.action_pretty | Pretty description of the action type. | keyword | -| panw_cortex.xdr.agent_data_collection_status | Collection status of the agent. | boolean | -| panw_cortex.xdr.agent_is_vdi | If agent is running inside a Virtual Desktop. | keyword | -| panw_cortex.xdr.agent_version | Version of the XDR Endpoint agent. | keyword | -| panw_cortex.xdr.alert_id | The ID of the alert. | keyword | -| panw_cortex.xdr.attempt_counter | Attempts to block or stop the malicious process. | long | -| panw_cortex.xdr.bioc_category_enum_key | Behavior Indicator type key. | keyword | -| panw_cortex.xdr.bioc_description | A description of the related bioc event. | object | -| panw_cortex.xdr.bioc_indicator | The Behavioral Indicator type matching to the event. | keyword | -| panw_cortex.xdr.category | The Alert category. | keyword | -| panw_cortex.xdr.deduplicate_tokens | | keyword | -| panw_cortex.xdr.description | A description of the related event. | keyword | -| panw_cortex.xdr.end_match_attempt_ts | | date | -| panw_cortex.xdr.endpoint_id | The unique ID of the endpoint. | keyword | -| panw_cortex.xdr.events.action_country | | keyword | -| panw_cortex.xdr.events.action_external_hostname | Any external hostname related to the specific event action. 
| keyword | -| panw_cortex.xdr.events.action_file_macro_sha256 | | keyword | -| panw_cortex.xdr.events.action_process_causality_id | The parent processor ID related to the action. | keyword | -| panw_cortex.xdr.events.actor_causality_id | The parent process ID of the actor process. | keyword | -| panw_cortex.xdr.events.actor_process_causality_id | The parent processor ID related to the actor. | keyword | -| panw_cortex.xdr.events.actor_process_signature_status | The signature of the actor process. | keyword | -| panw_cortex.xdr.events.actor_process_signature_vendor | The signature vendor of the actor process. | keyword | -| panw_cortex.xdr.events.agent_host_boot_time | Uptime of the host. | keyword | -| panw_cortex.xdr.events.agent_install_type | Display name of the actor. | keyword | -| panw_cortex.xdr.events.association_strength | | long | -| panw_cortex.xdr.events.contains_featured_host | | keyword | -| panw_cortex.xdr.events.contains_featured_ip | | keyword | -| panw_cortex.xdr.events.contains_featured_user | | keyword | -| panw_cortex.xdr.events.dns_query_name | The related DNS query for the event. | keyword | -| panw_cortex.xdr.events.dst_action_country | The country related to the destination. | keyword | -| panw_cortex.xdr.events.dst_action_external_hostname | The external hostname of the destination. | keyword | -| panw_cortex.xdr.events.dst_action_external_port | The external (NAT) port of the destination. | keyword | -| panw_cortex.xdr.events.dst_agent_id | The endpoint ID of a destination agent. | keyword | -| panw_cortex.xdr.events.dst_association_strength | | long | -| panw_cortex.xdr.events.dst_causality_actor_process_execution_time | The process execution time of the destination process. | keyword | -| panw_cortex.xdr.events.event_id | The ID unique to the underlying event related to the alert. | keyword | -| panw_cortex.xdr.events.event_sub_type | Sub type of the event related to the alert. 
| keyword | -| panw_cortex.xdr.events.event_type | Event type | keyword | -| panw_cortex.xdr.events.fw_app_category | Layer 7 application category related to the firewall event. | keyword | -| panw_cortex.xdr.events.fw_app_id | The layer 7 application ID from the firewall event. | keyword | -| panw_cortex.xdr.events.fw_app_subcategory | Layer 7 application subcategory related to the firewall event. | keyword | -| panw_cortex.xdr.events.fw_app_technology | Layer 7 application type related to the firewall event. | keyword | -| panw_cortex.xdr.events.fw_device_name | Related firewall device. | keyword | -| panw_cortex.xdr.events.fw_email_recipient | | keyword | -| panw_cortex.xdr.events.fw_email_sender | | keyword | -| panw_cortex.xdr.events.fw_email_subject | | keyword | -| panw_cortex.xdr.events.fw_is_phishing | If event is related to a phishing campaign. | keyword | -| panw_cortex.xdr.events.fw_misc | Additional information related to the firewall event. | keyword | -| panw_cortex.xdr.events.fw_url_domain | Related domain to the firewall event. | keyword | -| panw_cortex.xdr.events.fw_vsys | The related VSYS name if applicable. | keyword | -| panw_cortex.xdr.events.fw_xff | | keyword | -| panw_cortex.xdr.events.module_id | The ID of the module that caught the event. | keyword | -| panw_cortex.xdr.events.os_actor_causality_id | The ID of the OS actor process | keyword | -| panw_cortex.xdr.events.os_actor_effective_username | Username related to the OS actor. | keyword | -| panw_cortex.xdr.events.os_actor_process_causality_id | The ID of the parent process related to the OS actor. | keyword | -| panw_cortex.xdr.events.os_actor_process_command_line | OS actor full command line example. | keyword | -| panw_cortex.xdr.events.os_actor_process_image_name | OS actor binary name. | keyword | -| panw_cortex.xdr.events.os_actor_process_image_path | OS actor binary path. 
| keyword | -| panw_cortex.xdr.events.os_actor_process_image_sha256 | SHA256 hash indentifier of the OS actor process. | keyword | -| panw_cortex.xdr.events.os_actor_process_instance_id | The process ID related to the OS actor. | keyword | -| panw_cortex.xdr.events.os_actor_process_os_pid | The OS PID related to the related process. | keyword | -| panw_cortex.xdr.events.os_actor_process_signature_status | Signature of the OS actor process. | keyword | -| panw_cortex.xdr.events.os_actor_process_signature_vendor | Signature vendor of the OS actor process. | keyword | -| panw_cortex.xdr.events.os_actor_thread_thread_id | The thread ID related to the related OS actor process. | keyword | -| panw_cortex.xdr.events.story_id | | keyword | -| panw_cortex.xdr.external_id | External ID related to the Alert itself. | keyword | -| panw_cortex.xdr.filter_rule_id | ID of the filter rule. | keyword | -| panw_cortex.xdr.is_whitelisted | If process is whitelisted. | boolean | -| panw_cortex.xdr.local_insert_ts | | date | -| panw_cortex.xdr.mac | Main MAC address of the agent. | keyword | -| panw_cortex.xdr.mac_address | Array of all the MAC addresses related to the agent. | keyword | -| panw_cortex.xdr.matching_service_rule_id | | keyword | -| panw_cortex.xdr.matching_status | Matching status of the endpoint group. | keyword | -| panw_cortex.xdr.mitre_tactic_id_and_name | | keyword | -| panw_cortex.xdr.mitre_technique_id_and_name | | keyword | -| panw_cortex.xdr.source | | keyword | -| panw_cortex.xdr.starred | If alert type is prioritized (starred). | boolean | -| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | -| process.code_signature.subject_name | Subject name of the code signer | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | -| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.parent.command_line.text | Multi-field of `process.parent.command_line`. 
| match_only_text | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.uptime | Seconds the process has been up. | long | -| process.pid | Process id. | long | -| process.thread.id | Thread ID. | long | -| registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | -| registry.key | Hive-relative path of keys. | keyword | -| registry.path | Full path, including hive, key and value | keyword | -| registry.value | Name of the value written. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
diff --git a/packages/panw_cortex_xdr/1.2.1/img/icon-cortex.svg b/packages/panw_cortex_xdr/1.2.1/img/icon-cortex.svg
deleted file mode 100755
index ff8819d77f..0000000000
--- a/packages/panw_cortex_xdr/1.2.1/img/icon-cortex.svg
+++ /dev/null
@@ -1,5 +0,0 @@
-
-
-
-
-
diff --git a/packages/panw_cortex_xdr/1.2.1/manifest.yml b/packages/panw_cortex_xdr/1.2.1/manifest.yml
deleted file mode 100755
index a1ea8e995d..0000000000
--- a/packages/panw_cortex_xdr/1.2.1/manifest.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: panw_cortex_xdr
-title: Palo Alto Cortex XDR Logs
-version: 1.2.1
-release: ga
-description: Collect and parse logs from Palo Alto Cortex XDR API with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: ^7.15.0 || ^8.0.0
-icons:
- - src: /img/icon-cortex.svg
- title: Palo Alto
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: alerts
- title: Palo Alto Cortex XDR API
- description: Collect logs from Palo Alto Cortex XDR API
- inputs:
- - type: httpjson
- title: "Collect data from Palo Alto Cortex XDR"
- description: "Collect data from Palo Alto Cortex XDR (input: httpjson)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/pfsense/1.0.2/changelog.yml b/packages/pfsense/1.0.2/changelog.yml
deleted file mode 100755
index c8157b28cd..0000000000
--- a/packages/pfsense/1.0.2/changelog.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-# newer versions go on top
-- version: "1.0.2"
- changes:
- - description: Update HAProxy log parsing to handle non HTTPS and TCP logs
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3504
-- version: "1.0.1"
- changes:
- - description: Format client.mac as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3303
-- version: "1.0.0"
- changes:
- - description: Add OPNsense support. Add PHP-FPM log parsing.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2413
-- version: "0.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "0.3.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2432
-- version: "0.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2257
-- version: "0.1.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2091
-- version: "0.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1981
-- version: "0.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1842
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/1286
diff --git a/packages/pfsense/1.0.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/pfsense/1.0.2/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 9241b23255..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-- add_fields:
- target: _tmp
- fields:
- tz_offset: {{tz_offset}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/pfsense/1.0.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/pfsense/1.0.2/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index ca515ab199..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-- add_fields:
- target: _tmp
- fields:
- tz_offset: {{tz_offset}}
-{{#if internal_networks.length}}
- internal_networks:
- {{#each internal_networks as |ntwrk i|}}
- - {{ntwrk}}
- {{/each}}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index e520c07032..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,182 +0,0 @@
----
-description: Pipeline for PFsense
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - set:
- field: observer.vendor
- value: netgate
- - set:
- field: observer.type
- value: firewall
- - rename:
- field: message
- target_field: event.original
- - set:
- field: event.timezone
- value: "{{_tmp.tz_offset}}"
- if: ctx?._tmp?.tz_offset != null && ctx?._tmp?.tz_offset != 'local'
- - grok:
- description: Parse syslog header
- field: event.original
- patterns:
- - '^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}'
- pattern_definitions:
- ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>(\d )?'
- BSD_TIMESTAMP_FORMAT: '%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{OBSERVER})?%{SPACE}%{PROCESS}(\[%{POSINT:process.pid:long}\])?:'
- SYSLOG_TIMESTAMP_FORMAT: '%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - -'
- TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?'
- TIMESTAMP: '(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})'
- OBSERVER: '(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})'
- PROCESS: '(\(%{DATA:process.name}\)|(%{UNIXPATH}/)?%{WORD:process.name})'
- - date:
- if: ctx?._tmp.timestamp8601 != null
- field: _tmp.timestamp8601
- target_field: '@timestamp'
- formats:
- - ISO8601
- - date:
- if: ctx?.event?.timezone != null && ctx?._tmp?.timestamp != null
- field: _tmp.timestamp
- target_field: '@timestamp'
- formats:
- - MMM d HH:mm:ss
- - MMM d HH:mm:ss
- - MMM dd HH:mm:ss
- timezone: '{{ event.timezone }}'
- - grok:
- description: Set Event Provider
- field: process.name
- patterns:
- - '^%{WORD:event.provider}'
- - pipeline:
- name: '{{ IngestPipeline "firewall" }}'
- if: ctx.event.provider == 'filterlog'
- - pipeline:
- name: '{{ IngestPipeline "openvpn" }}'
- if: ctx.event.provider == 'openvpn'
- - pipeline:
- name: '{{ IngestPipeline "ipsec" }}'
- if: ctx.event.provider == 'charon'
- - pipeline:
- name: '{{ IngestPipeline "dhcp" }}'
- if: ctx.event.provider == 'dhcpd'
- - pipeline:
- name: '{{ IngestPipeline "unbound" }}'
- if: ctx.event.provider == 'unbound'
- - pipeline:
- name: '{{ IngestPipeline "haproxy" }}'
- if: ctx.event.provider == 'haproxy'
- - pipeline:
- name: '{{ IngestPipeline "php-fpm" }}'
- if: ctx.event.provider == 'php-fpm'
- - pipeline:
- name: '{{ IngestPipeline "squid" }}'
- if: ctx.event.provider == 'squid'
- - drop:
- if: '!["filterlog", "openvpn", "charon", "dhcpd", "unbound", "haproxy", "php-fpm", "squid"].contains(ctx?.event?.provider)'
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- ignore_missing: true
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: ctx?.destination?.ip != null
- - append:
- field: related.ip
- value: "{{source.ip}}"
- allow_duplicates: false
- if: ctx?.source?.ip != null
- - append:
- field: related.ip
- value: "{{source.nat.ip}}"
- allow_duplicates: false
- if: ctx?.source?.nat?.ip != null
- - append:
- field: related.hosts
- value: "{{destination.domain}}"
- if: "ctx?.destination?.domain != null"
- - append:
- field: related.user
- value: "{{user.name}}"
- if: "ctx?.user?.name != null"
- - remove:
- field:
- - _tmp
- ignore_failure: true
- - script:
- lang: painless
- description: This script processor iterates over the whole document to remove fields with null values.
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null || (v instanceof String && v == "-"));
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - remove:
- field:
- - _tmp
- ignore_failure: true
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
deleted file mode 100755
index f366964fba..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
+++ /dev/null
@@ -1,100 +0,0 @@
----
-description: Pipeline for PFsense DHCP logs
-processors:
- - grok:
- field: message
- patterns:
- - '%{WORD:event.action} %{MIDDLE} via %{INTERFACE:observer.ingress.interface.name}'
- - '%{GREEDYDATA}'
- pattern_definitions:
- INTERFACE: '[a-z0-9\.]+'
- MAC_ADDRESS: '([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})'
- FROM: 'from %{MAC_ADDRESS:client.mac}'
- ON: 'on %{IP:client.address} to %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)'
- FOR: 'for %{IP:client.address} \(%{IP:server.address}\)? from %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)'
- MIDDLE: '(?:%{FROM}|%{ON}|%{FOR})'
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: network
- allow_duplicates: false
- - append:
- field: event.type
- value: connection
- allow_duplicates: false
- - append:
- field: event.type
- value: protocol
- allow_duplicates: false
- - append:
- field: event.type
- value: info
- allow_duplicates: false
- - set:
- field: network.protocol
- value: dhcp
- - set:
- field: network.transport
- value: udp
- - set:
- field: client.port
- value: 68
- if: ctx?.client?.port == null
- - set:
- field: server.port
- value: 67
- if: ctx?.server?.port == null
- - set:
- field: client.ip
- value: "{{client.address}}"
- ignore_empty_value: true
- - set:
- field: server.ip
- value: "{{server.address}}"
- ignore_empty_value: true
- - uppercase:
- field: client.mac
- ignore_missing: true
- - gsub:
- field: client.mac
- pattern: '[:]'
- replacement: '-'
- ignore_missing: true
- - set:
- field: source
- copy_from: client
- ignore_empty_value: true
- - set:
- field: destination
- copy_from: server
- ignore_empty_value: true
- - community_id:
- target_field: network.community_id
- ignore_failure: true
- - grok:
- field: observer.ingress.interface.name
- patterns:
- - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}"
- ignore_missing: true
- ignore_failure: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
-
allow_duplicates: false
- if: "ctx?.source?.ip != null"
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- allow_duplicates: false
- if: "ctx?.destination?.ip != null"
- - append:
- field: related.hosts
- value: "{{pfsense.dhcp.hostname}}"
- allow_duplicates: false
- if: "ctx?.pfsense?.log?.dhcp?.hostname != null"
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml
deleted file mode 100755
index cea025397d..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml
+++ /dev/null
@@ -1,111 +0,0 @@
----
-description: Pipeline for PFsense Firewall logs
-processors:
- - grok:
- field: message
- patterns:
- - "%{PF_LOG_ENTRY}%{GREEDYDATA}"
- pattern_definitions:
- PF_LOG_ENTRY: "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}?"
- PF_LOG_DATA: "%{INT},%{INT}?,,%{INT:rule.id},%{DATA:observer.ingress.interface.name},%{PF_REASON:event.reason},%{WORD:event.action},%{WORD:network.direction},"
- PF_REASON: '[a-zA-Z-]+'
- PF_IP_DATA: "%{NONNEGINT:network.bytes:long},%{IP:source.address},%{IP:destination.address},"
- PF_IP_SPECIFIC_DATA: "%{PF_IPv4_SPECIFIC_DATA}|%{PF_IPv6_SPECIFIC_DATA}"
- PF_IPv4_SPECIFIC_DATA: "(?(4)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.ecn}?,%{NONNEGINT:pfsense.ip.ttl:long},%{NONNEGINT:pfsense.ip.id:long},%{NONNEGINT:pfsense.ip.offset:long},(?:%{WORD:pfsense.ip.flags}|%{PF_SPEC:pfsense.ip.flags}),%{INT:network.iana_number},%{WORD:network.transport},"
- PF_IPv6_SPECIFIC_DATA: "(?(6)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.flow_label},%{WORD:pfsense.ip.flags},%{WORD:network.transport},%{INT:network.iana_number},"
- PF_PROTOCOL_DATA: "%{PF_TCP_DATA}|%{PF_UDP_DATA}|%{PF_ICMP_DATA}|%{PF_IGMP_DATA}|%{PF_IPv6_VAR}|%{PF_IPv6_ICMP}"
- PF_IPv6_VAR: "%{GREEDYDATA}"
- PF_IPv6_ICMP: ''
- PF_TCP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.tcp.length:long},%{WORD:pfsense.tcp.flags}?,%{NONNEGINT:pfsense.tcp.seq:long}?:?%{NONNEGINT},%{NONNEGINT:pfsense.tcp.ack:long}?,%{NONNEGINT:pfsense.tcp.window:long}?,%{WORD:pfsense.tcp.urg}?,%{GREEDYDATA:pfsense.tcp.options}"
- PF_UDP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.udp.length:long}$"
- PF_IGMP_DATA: "datalength=%{NONNEGINT:network.packets:long}"
- PF_ICMP_DATA: "%{PF_ICMP_TYPE}%{PF_ICMP_RESPONSE}"
- PF_ICMP_TYPE: "(?(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),"
- PF_ICMP_RESPONSE:
"%{PF_ICMP_ECHO_REQ_REPLY}|%{PF_ICMP_UNREACHPORT}|%{PF_ICMP_UNREACHPROTO}|%{PF_ICMP_UNREACHABLE}|%{PF_ICMP_NEED_FLAG}|%{PF_ICMP_TSTAMP}|%{PF_ICMP_TSTAMP_REPLY}"
- PF_ICMP_ECHO_REQ_REPLY: "%{NONNEGINT:pfsense.icmp.id:long},%{NONNEGINT:pfsense.icmp.seq:long}"
- PF_ICMP_UNREACHPORT: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:pfsense.icmp.unreachable.iana_number},%{NONNEGINT:pfsense.icmp.unreachable.port:long}"
- PF_ICMP_UNREACHPROTO: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:[pfsense.icmp.unreachable.iana_number]}"
- PF_ICMP_UNREACHABLE: "%{GREEDYDATA:pfsense.icmp.unreachable.other}"
- PF_ICMP_NEED_FLAG: "%{IP:pfsense.icmp.destination.ip},%{NONNEGINT:pfsense.icmp.mtu:long}"
- PF_ICMP_TSTAMP: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq}"
- PF_ICMP_TSTAMP_REPLY: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq},%{INT:pfsense.icmp.otime},%{INT:pfsense.icmp.rtime},%{INT:pfsense.icmp.ttime}"
- PF_SPEC: "[+]"
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: network
- allow_duplicates: false
- - set:
- field: source.ip
- value: "{{source.address}}"
- ignore_empty_value: true
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- ignore_empty_value: true
- - append:
- field: event.type
- value: connection
- allow_duplicates: false
- if: ctx?.source?.ip != null && ctx?.destination?.ip != null
- - append:
- field: event.type
- value: denied
- allow_duplicates: false
- if: ctx?.event.action == 'block'
- - append:
- field: event.type
- value: allowed
- allow_duplicates: false
- if: ctx?.event.action == 'pass'
- - set:
- field: network.type
- value: ipv{{network.type}}
- if: ctx?.network?.type == '4' || ctx?.network?.type == '6'
- - lowercase:
- field: network.transport
- ignore_missing: true
- - remove:
- field: ack_number
- ignore_missing: true
- if: ctx?.ack_number == null || ctx?.ack_number == ''
- - network_direction:
- internal_networks_field: _tmp.internal_networks
- - community_id:
- target_field:
network.community_id
- ignore_failure: true
- - grok:
- field: observer.ingress.interface.name
- patterns:
- - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}"
- ignore_missing: true
- ignore_failure: true
- - split:
- field: pfsense.tcp.options
- separator: ';'
- ignore_missing: true
- ignore_failure: true
- - date:
- field: pfsense.icmp.otime
- ignore_failure: true
- formats:
- - UNIX
- - UNIX_MS
- - date:
- field: pfsense.icmp.rtime
- ignore_failure: true
- formats:
- - UNIX
- - UNIX_MS
- - date:
- field: pfsense.icmp.ttime
- ignore_failure: true
- formats:
- - UNIX
- - UNIX_MS
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml
deleted file mode 100755
index 3ae2fb4c69..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml
+++ /dev/null
@@ -1,139 +0,0 @@ ---- -description: Pipeline for parsing PFsense HAProxy http, tcp and default logs. -processors: - - grok: - field: message - patterns: - - 'Connect from (%{IPORHOST:source.address}|-):%{POSINT:source.port:long} %{WORD} %{IPORHOST:destination.address}:%{POSINT:destination.port:long} \(%{NOTSPACE:haproxy.frontend_name}/%{WORD:haproxy.mode}\)' - # HTTP(S) - - '(%{IPORHOST:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} - %{NUMBER:haproxy.http.request.time_wait_ms:long}/%{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:haproxy.http.request.time_wait_without_data_ms:long}/%{NUMBER:_temp.duration:long} - %{NUMBER:http.response.status_code:long} %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} - %{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long} %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long} - (\{%{DATA:haproxy.http.request.captured_headers}\} \{%{DATA:haproxy.http.response.captured_headers}\} |\{%{DATA}\} )?"%{GREEDYDATA:haproxy.http.request.raw_request_line}"' - # TCP - - '(%{IP:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] - %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} - %{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:_temp.duration:long} - %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.termination_state} 
%{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long} - %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long}' - # Error - - '(%{IP:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name}/%{BIND_NAME:haproxy.bind_name}:? %{GREEDYDATA:haproxy.error_message}' - ignore_missing: false - pattern_definitions: - HAPROXY_DATE: (%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP} - BIND_NAME: ((%{IP:destination.address})?(:%{POSINT:destination.port:long})?|%{NOTSPACE}) - on_failure: - - drop: - description: Drop if not a connection log - - date: - if: ctx?.haproxy?.request_date != null && ctx?.event?.timezone == null - field: haproxy.request_date - target_field: '@timestamp' - formats: - - dd/MMM/yyyy:HH:mm:ss.SSS - - MMM dd HH:mm:ss - - date: - if: ctx?.haproxy?.request_date != null && ctx?.event?.timezone != null - field: haproxy.request_date - target_field: '@timestamp' - formats: - - dd/MMM/yyyy:HH:mm:ss.SSS - - MMM dd HH:mm:ss - timezone: '{{ event.timezone }}' - - grok: - field: haproxy.http.request.raw_request_line - patterns: - - '%{WORD:http.request.method}%{SPACE}%{URIPATHPARAM:url.original}%{SPACE}HTTP/%{NUMBER:http.version}' - ignore_missing: true - if: 'ctx.haproxy?.http?.request?.raw_request_line != null && !ctx.haproxy?.http?.request?.raw_request_line.isEmpty() && ctx.haproxy?.http?.request?.raw_request_line != ""' - - uri_parts: - field: url.original - ignore_failure: true - if: ctx?.url?.original != null - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - ignore_missing: true - - geoip: - field: source.ip - 
target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - split:
- field: haproxy.http.request.captured_headers
- separator: \|
- ignore_failure: true
- ignore_missing: true
- - split:
- field: haproxy.http.response.captured_headers
- separator: \|
- ignore_failure: true
- ignore_missing: true
- - script:
- lang: painless
- source: ctx.event.duration = Math.round(ctx._temp.duration * params.scale)
- params:
- scale: 1000000
- if: ctx._temp?.duration != null
- - convert:
- field: haproxy.bytes_read
- target_field: http.response.bytes
- type: long
- ignore_missing: true
- if: ctx.containsKey('http')
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: web
- if: "ctx?.haproxy?.mode == 'HTTP' || ctx?.haproxy?.http != null"
- - append:
- field: event.category
- value: network
- if: "ctx?.source.ip != null && ctx?.destination?.ip != null"
- - append:
- field: event.type
- value: connection
- if: "ctx?.source.ip != null && ctx?.destination?.ip != null"
- - set:
- field: event.outcome
- value: success
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
- - set:
- field: event.outcome
- value: failure
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400"
- - remove:
- field:
- - _temp
- - haproxy.request_date
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
deleted file mode 100755
index 0ee5fae5ce..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-description: Pipeline for PFsense IPSEC logs
-processors:
- - grok:
- field: message
- patterns:
- - '%{PREFIX}%{GREEDYDATA}%{SOURCE} to %{DEST} \(%{NONNEGINT:network.bytes:long} bytes\)'
- - '%{GREEDYDATA}'
- pattern_definitions:
- PREFIX: '\d+\[%{WORD}\]'
- SOURCE: '%{IP:source.address}\[%{NONNEGINT:source.port:long}\]'
- DEST: '%{IP:destination.address}\[%{NONNEGINT:destination.port:long}\]'
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: network
- allow_duplicates: false
- - append:
- field: event.type
- value: connection
- allow_duplicates: false
- if: ctx?.source?.address != null
- - append:
- field: event.type
- value: end
- allow_duplicates: false
- if: ctx?.message.toLowerCase().contains('disconnected')
- - set:
- field: source.ip
- value: "{{source.address}}"
- ignore_empty_value: true
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- ignore_empty_value: true
- - set:
- field: network.protocol
- value: ipsec
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
deleted file mode 100755
index 9afef3ba5d..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-description: Pipeline for PFsense OpenVPN logs
-processors:
- - grok:
- field: message
- patterns:
- - '%{SOURCE}%{SPACE}peer%{SPACE}info:%{SPACE}%{GREEDYDATA:pfsense.openvpn.peer_info}'
- - '%{SOURCE}%{SPACE}\[%{USERNAME:user.name}\]%{SPACE}%{GREEDYDATA}'
- - "user%{SPACE}'%{USERNAME:user.name}'%{GREEDYDATA}"
- - '%{USERNAME:user.name}/%{SOURCE}%{DATA}IPv4=(%{IP:source.nat.ip}|%{GREEDYDATA}),%{SPACE}IPv6=(%{IP:source.nat.ip}|%{GREEDYDATA})'
- - '%{GREEDYDATA}%{SOURCE}'
- - '%{GREEDYDATA}'
- pattern_definitions:
- SOURCE: '%{IP:source.address}:%{NONNEGINT:source.port:long}'
- USERNAME: '[a-zA-Z0-9._-]+'
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: network
- allow_duplicates: false
- - append:
- field: event.category
- value: authentication
- allow_duplicates: false
- if: ctx?.message.contains('auth')
- - append:
- field: event.type
- value: connection
- allow_duplicates: false
- if: ctx?.source?.address != null
- - append:
- field: event.type
- value: error
- allow_duplicates: false
- if: ctx?.message.toLowerCase().contains('error') || ctx?.message.toLowerCase().contains('not auth')
- - append:
- field: event.type
- value: start
- allow_duplicates: false
- if: ctx?.message.toLowerCase().contains('initiat')
- - set:
- field: source.ip
- value: "{{source.address}}"
- ignore_empty_value: true
- - set:
- field: network.protocol
- value: openvpn
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml
deleted file mode 100755
index 7570a1da68..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-description: Pipeline for PFsense PHP-FPM logs
-processors:
- - grok:
- field: message
- patterns:
- - '^%{DATA}: %{PF_APP_DATA}'
- - '^%{GREEDYDATA}'
- pattern_definitions:
- PF_APP_DATA: '(%{PF_APP_LOGIN}|%{PF_APP_LOGOUT}|%{PF_APP_ERROR})'
- PF_APP_LOGIN: "(%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address} \\(%{DATA}\\)"
- PF_APP_LOGOUT: "User (%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address}"
- PF_APP_ERROR: "webConfigurator %{DATA:_tmp.action} for user '%{DATA:user.name}' from: %{IP:source.address}"
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: authentication
- allow_duplicates: false
- - set:
- field: event.outcome
- value: success
- if: 'ctx._tmp?.action.toLowerCase().contains("success")'
- - set:
- field: event.outcome
- value: failure
- if: 'ctx._tmp?.action.toLowerCase().contains("authentication error")'
- - convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: observer.ip
- target_field: host.ip
- ignore_missing: true
- - rename:
- field: observer.name
- target_field: host.name
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/squid.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/squid.yml
deleted file mode 100755
index 29e8bbee97..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/squid.yml
+++ /dev/null
@@ -1,90 +0,0 @@
----
-description: Pipeline for parsing PFsense Squid logs.
-processors:
- - grok:
- field: message
- patterns:
- - '%{IPORHOST:source.address} %{NOTSPACE:squid.request_status}/%{NUMBER:http.response.status_code:long} %{NUMBER:http.response.bytes:long} %{NOTSPACE:http.request.method} (%{URI:url.original})?%{SPACE}%{NOTSPACE:http.request.referrer}%{SPACE}%{NOTSPACE:squid.hierarchy_status}/%{IPORHOST:destination.address}%{SPACE}%{NOTSPACE:http.response.mime_type}'
- ignore_missing: false
- - uri_parts:
- field: url.original
- ignore_failure: true
- if: ctx?.url?.original != null
- - convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_failure: true
- ignore_missing: true
- - convert:
- field: destination.address
- target_field: destination.ip
- type: ip
- ignore_failure: true
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-# - split:
-# field: haproxy.http.request.captured_headers
-# separator: \|
-# ignore_failure: true
-# ignore_missing: true
-# - split:
-# field: haproxy.http.response.captured_headers
-# separator: \|
-# ignore_failure: true
-# ignore_missing: true
-# - script:
-# lang: painless
-# source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale)
-# params:
-# scale: 1000000
-# if: ctx.temp?.duration != null
-# - remove:
-# field: temp.duration
-# ignore_missing: true
-# - convert:
-# field: haproxy.bytes_read
-# target_field: http.response.bytes
-# type: long
-# ignore_missing: true
-# if: ctx.containsKey('http')
- - set:
- field: event.kind
- value: event
- - append:
- field:
event.category
- value: web
- - append:
- field: event.category
- value: network
- - set:
- field: event.outcome
- value: success
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
- - set:
- field: event.outcome
- value: failure
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400"
-on_failure:
- - set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml b/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml
deleted file mode 100755
index 5bdbdb6d2e..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml
+++ /dev/null
@@ -1,70 +0,0 @@
----
-description: Pipeline for PFsense Unbound DNS logs
-processors:
- - grok:
- field: message
- patterns:
- - '%{LOGLEVEL:log.level}: %{IP:source.address} %{HOSTNAME:_tmp.question.name}(\.) %{WORD:_tmp.question.type} %{WORD:_tmp.question.class}'
- on_failure:
- - drop:
- description: Drop if not a query log
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: network
- allow_duplicates: false
- - append:
- field: event.type
- value: connection
- allow_duplicates: false
- if: ctx?.source?.address != null
- - append:
- field: event.type
- value: end
- allow_duplicates: false
- if: ctx?.message.toLowerCase().contains('disconnected')
- - set:
- field: network.protocol
- value: dns
- - set:
- field: dns.type
- value: question
- if: ctx?._tmp?.question?.name != null
- - registered_domain:
- field: _tmp.question.name
- target_field: dns.question
- ignore_missing: true
- - rename:
- field: dns.question.domain
- target_field: dns.question.name
- ignore_missing: true
- - rename:
- field: _tmp.question.type
- target_field: dns.question.type
- ignore_missing: true
- - rename:
- field: _tmp.question.class
- target_field: dns.question.class
- ignore_missing: true
- - convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_failure: true
- ignore_missing: true
- - set:
- field: client
- copy_from: source
- ignore_empty_value: true
- - convert:
- field: destination.address
- target_field: destination.ip
- type: ip
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.0.2/data_stream/log/fields/agent.yml b/packages/pfsense/1.0.2/data_stream/log/fields/agent.yml
deleted file mode 100755
index c961daeee1..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: hostname - type: keyword - description: Hostname from syslog header. 
-- name: log.source.address
- type: keyword
- description: Source address of the syslog message.
-- name: process.program
- type: keyword
- description: Process from syslog header.
diff --git a/packages/pfsense/1.0.2/data_stream/log/fields/base-fields.yml b/packages/pfsense/1.0.2/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 8007b1ad5b..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: pfsense
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: pfsense.log
diff --git a/packages/pfsense/1.0.2/data_stream/log/fields/ecs.yml b/packages/pfsense/1.0.2/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 76d91edc71..0000000000
--- a/packages/pfsense/1.0.2/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,565 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - ignore_above: 1024 - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: client.geo.location - type: geo_point -- description: Region ISO code. 
- name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: Port of the client. - name: client.port - type: long -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). 
It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - Mime type of the body of the response. - This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - name: http.response.mime_type - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: |- - Original log level of the log event. 
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: VLAN ID as reported by the observer. - name: observer.ingress.vlan.id - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. 
- If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). 
- name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. 
- name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/pfsense/1.0.2/data_stream/log/fields/fields.yml b/packages/pfsense/1.0.2/data_stream/log/fields/fields.yml deleted file mode 100755 index 7a350eba17..0000000000 --- a/packages/pfsense/1.0.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,256 +0,0 @@ -- name: pfsense.ip - type: group - fields: - - name: tos - type: keyword - description: | - IP Type of Service identification. - - name: ecn - type: keyword - description: | - Explicit Congestion Notification. - - name: ttl - type: long - description: | - Time To Live (TTL) of the packet - - name: id - type: long - description: | - ID of the packet - - name: offset - type: long - description: | - Fragment offset - - name: flags - type: keyword - description: | - IP flags. - - name: flow_label - type: keyword - description: | - Flow label -- name: pfsense.tcp - type: group - fields: - - name: flags - type: keyword - description: | - TCP flags. - - name: seq - type: long - description: | - TCP sequence number. - - name: ack - type: long - description: | - TCP Acknowledgment number. - - name: window - type: long - description: | - Advertised TCP window size. - - name: urg - type: keyword - description: | - Urgent pointer data. - - name: options - type: array - description: | - TCP Options. - - name: length - type: long - description: | - Length of the TCP header and payload. -- name: pfsense.udp - type: group - fields: - - name: length - type: long - description: | - Length of the UDP header and payload. -- name: pfsense.icmp - type: group - fields: - - name: type - type: keyword - description: | - ICMP type. 
- - name: id - type: long - description: | - ID of the echo request/reply - - name: destination.ip - type: ip - description: Original destination address of the connection that caused this notification - - name: mtu - type: long - description: MTU to use for subsequent data to this destination - - name: otime - type: date - description: Originate Timestamp - - name: rtime - type: date - description: Receive Timestamp - - name: ttime - type: date - description: Transmit Timestamp - - name: unreachable - type: group - fields: - - name: iana_number - type: long - description: | - Protocol ID number that was unreachable - - name: port - type: long - description: | - Port number that was unreachable - - name: other - type: keyword - description: | - Other unreachable information - - name: code - type: long - description: | - ICMP code. - - name: parameter - type: long - description: | - ICMP parameter. - - name: redirect - type: ip - description: | - ICMP redirect address. - - name: seq - type: long - description: | - ICMP sequence number. -- name: pfsense.dhcp.hostname - type: keyword - description: | - Hostname of DHCP client -- name: pfsense.openvpn.peer_info - type: keyword - description: |- - Information about the Open VPN client -- name: haproxy - type: group - fields: - - name: frontend_name - type: keyword - description: Name of the frontend (or listener) which received and processed the connection. - - name: backend_name - type: keyword - description: Name of the backend (or listener) which was selected to manage the connection to the server. - - name: server_name - type: keyword - description: Name of the last server to which the connection was sent. 
- - name: total_waiting_time_ms - type: long - description: Total time in milliseconds spent waiting in the various queues - - name: connection_wait_time_ms - type: long - description: Total time in milliseconds spent waiting for the connection to establish to the final server - - name: bytes_read - type: long - description: Total number of bytes transmitted to the client when the log is emitted. - - name: time_queue - type: long - description: Total time in milliseconds spent waiting in the various queues. - - name: time_backend_connect - type: long - description: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. - - name: server_queue - type: long - description: Total number of requests which were processed before this one in the server queue. - - name: backend_queue - type: long - description: Total number of requests which were processed before this one in the backend's global queue. - - name: bind_name - type: keyword - description: Name of the listening address which received the connection. - - name: error_message - type: text - description: Error message logged by HAProxy in case of error. - - name: source - type: keyword - description: The HAProxy source of the log - - name: termination_state - type: keyword - description: Condition the session was in when the session ended. - - name: mode - type: keyword - description: mode that the frontend is operating (TCP or HTTP) - - name: connections - type: group - fields: - - name: active - type: long - description: Total number of concurrent connections on the process when the session was logged. - - name: frontend - type: long - description: Total number of concurrent connections on the frontend when the session was logged. - - name: backend - type: long - description: Total number of concurrent connections handled by the backend when the session was logged. 
- - name: server - type: long - description: Total number of concurrent connections still active on the server when the session was logged. - - name: retries - type: long - description: Number of connection retries experienced by this session when trying to connect to the server. - - name: client - type: group - - name: destination - type: group - - name: geoip - type: group -- name: haproxy.http - type: group - fields: - - name: response - type: group - fields: - - name: captured_cookie - type: keyword - description: | - Optional "name=value" entry indicating that the client had this cookie in the response. - - name: captured_headers - type: keyword - description: | - List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. - - name: request - type: group - fields: - - name: captured_cookie - type: keyword - description: | - Optional "name=value" entry indicating that the server has returned a cookie with its request. - - name: captured_headers - type: keyword - description: | - List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. - - name: raw_request_line - type: keyword - description: Complete HTTP request line, including the method, request and HTTP version string. - - name: time_wait_without_data_ms - type: long - description: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. - - name: time_wait_ms - type: long - description: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. 
-- name: haproxy.tcp - type: group - fields: - - name: connection_waiting_time_ms - type: long - description: Total time in milliseconds elapsed between the accept and the last close -- name: squid - type: group - fields: - - name: request_status - type: keyword - description: | - The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301). - - name: hierarchy_status - type: keyword - description: The proxy hierarchy route; the route Content Gateway used to retrieve the object. diff --git a/packages/pfsense/1.0.2/data_stream/log/manifest.yml b/packages/pfsense/1.0.2/data_stream/log/manifest.yml deleted file mode 100755 index 1b65cbac0b..0000000000 --- a/packages/pfsense/1.0.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,140 +0,0 @@ -type: logs -title: pfSense log logs -release: experimental -streams: - - input: udp - template_path: udp.yml.hbs - title: pfSense syslog logs - description: Collect pfsense logs using udp input - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The UDP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root. - multi: false - required: true - show_user: true - default: 9001 - - name: internal_networks - type: text - title: Internal Networks - multi: true - required: false - show_user: true - default: - - private - description: The internal IP subnet(s) of the network. - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. 
- - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - pfsense - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: tcp - template_path: tcp.yml.hbs - title: pfSense syslog logs - description: Collect pfsense logs using tcp input - enabled: false - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen to TCP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The TCP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root. - multi: false - required: true - show_user: true - default: 9001 - - name: internal_networks - type: text - title: Internal Networks - multi: true - required: false - show_user: true - default: - - private - description: The internal IP subnet(s) of the network. - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. 
If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - pfsense - - forwarded - - name: ssl - type: yaml - title: TLS configuration - multi: false - required: false - show_user: true - description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/pfsense/1.0.2/data_stream/log/sample_event.json b/packages/pfsense/1.0.2/data_stream/log/sample_event.json deleted file mode 100755 index 6f70d5817e..0000000000 --- a/packages/pfsense/1.0.2/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,135 +0,0 @@ -{ - "@timestamp": "2021-07-04T00:10:14.578Z", - "agent": { - "ephemeral_id": "238d98ab-083f-4ff7-990f-1651450ce860", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "pfsense.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "175.16.199.1", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 853 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "pfsense.log", - "ingested": "2022-05-09T17:35:12Z", - "kind": "event", - "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale\n", - "provider": "filterlog", - "reason": "match", - "timezone": "-05:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.4:58663" - }, - "syslog": { - "priority": 134 - } - }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", - "network": { - "bytes": 60, - "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=", - "direction": "outbound", - "iana_number": "6", - "transport": "tcp", - "type": "ipv4" - }, - "observer": { - "ingress": { - "interface": { - "name": "igb1.12" - }, - "vlan": { - "id": "12" - } - }, - 
"name": "pfSense.example.com", - "type": "firewall", - "vendor": "netgate" - }, - "pfsense": { - "ip": { - "flags": "DF", - "id": 32989, - "offset": 0, - "tos": "0x0", - "ttl": 63 - }, - "tcp": { - "flags": "S", - "length": 0, - "options": [ - "mss", - "sackOK", - "TS", - "nop", - "wscale" - ], - "window": 64240 - } - }, - "process": { - "name": "filterlog", - "pid": 72237 - }, - "related": { - "ip": [ - "175.16.199.1", - "10.170.12.50" - ] - }, - "rule": { - "id": "1535324496" - }, - "source": { - "address": "10.170.12.50", - "ip": "10.170.12.50", - "port": 49652 - }, - "tags": [ - "preserve_original_event", - "pfsense", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/docs/README.md b/packages/pfsense/1.0.2/docs/README.md deleted file mode 100755 index bcdfbd09f3..0000000000 --- a/packages/pfsense/1.0.2/docs/README.md +++ /dev/null 
@@ -1,430 +0,0 @@ -# pfSense Integration - -This is an integration to parse certain logs from PFsense and OPNsense firewalls. It parses logs -received over the network via syslog (UDP/TCP/TLS). pfSense natively only supports UDP. OPNsense supports all 3 transports. -Currently the integration supports parsing the Firewall, Unbound, DHCP Daemon, OpenVPN, IPsec, HAProxy, Squid, and PHP-FPM (Authentication) logs. All other events will be dropped. -The HAProxy logs are setup to be compatible with the dashboards from the HAProxy integration. Install the HAPrxoy integration assets to utilize them. - -**pfSense Setup** -1. Navigate to _Status -> System Logs_, then click on _Settings_ -2. At the bottom check _Enable Remote Logging_ -3. (Optional) Select a specific interface to use for forwarding -4. Input the agent IP address and port as set via the integration config into the field _Remote log servers_ (e.g. 192.168.100.50:5140) -5. Under _Remote Syslog Contents_ select what logs to forward to the agent - * Select _Everything_ to forward all logs to the agent or select the individual services to forward. Any log entry not in the list above will be dropped. This will cause additional data to be sent to the agent and Elasticsearch. The firewall, VPN, DHCP, DNS, and Authentication (PHP-FPM) logs are able to be individually selected. In order to collect HAProxy and Squid or other "package" logs, the _Everything_ option must be selected. - -**OPNsense Setup** -1. Navigate to _System -> Settings -> Logging/Targets_ -2. Add a new _Logging/Target_ (Click the plus icon) - - Transport = UDP or TCP or TLS - - Applications = Select a list of applications to send to remote syslog. Leave empty for all. 
- - Levels = Nothing Selected - - Facilities = Nothing Selected - - Hostname = IP of Elastic agent as configured in the integration config - - Port = Port of Elastic agent as configured in the integration config - - Certificate = Client certificate to use (when selecting a tls transport type) - - Description = Syslog to Elasticsearch - - Click Save - - The module is by default configured to run with the `udp` input on port `9001`. - -**Important** -The pfSense integration supports both the BSD logging format (used by pfSense by default and OPNsense) and the Syslog format (optional for pfSense). -However the syslog format is recommended. It will provide the firewall hostname and timestamps with timezone information. -When using the BSD format, the `Timezone Offset` config must be set when deploying the agent or else the timezone will default to the timezone of the agent. See `https:///status_logs_settings.php` and https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html for more information. - - -A huge thanks to [a3ilson](https://github.com/a3ilson) for the https://github.com/pfelk/pfelk repo which is the foundation for the majority of the grok patterns and dashboards in this integration. -## Logs - -### pfSense log - -This is the pfSense `log` dataset. 
- -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-07-04T00:10:14.578Z", - "agent": { - "ephemeral_id": "238d98ab-083f-4ff7-990f-1651450ce860", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "pfsense.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "175.16.199.1", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 853 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "pfsense.log", - "ingested": "2022-05-09T17:35:12Z", - "kind": "event", - "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale\n", - "provider": "filterlog", - "reason": "match", - "timezone": "-05:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.4:58663" - }, - "syslog": { - "priority": 134 - } - }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", - "network": { - "bytes": 60, - "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=", - "direction": "outbound", - "iana_number": "6", - "transport": "tcp", - "type": "ipv4" - }, - "observer": { - "ingress": { - "interface": { - "name": 
"igb1.12" - }, - "vlan": { - "id": "12" - } - }, - "name": "pfSense.example.com", - "type": "firewall", - "vendor": "netgate" - }, - "pfsense": { - "ip": { - "flags": "DF", - "id": 32989, - "offset": 0, - "tos": "0x0", - "ttl": 63 - }, - "tcp": { - "flags": "S", - "length": 0, - "options": [ - "mss", - "sackOK", - "TS", - "nop", - "wscale" - ], - "window": 64240 - } - }, - "process": { - "name": "filterlog", - "pid": 72237 - }, - "related": { - "ip": [ - "175.16.199.1", - "10.170.12.50" - ] - }, - "rule": { - "id": "1535324496" - }, - "source": { - "address": "10.170.12.50", - "ip": "10.170.12.50", - "port": 49652 - }, - "tags": [ - "preserve_original_event", - "pfsense", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| haproxy.backend_name | Name of the backend (or listener) which was selected to manage the connection to the server. | keyword |
-| haproxy.backend_queue | Total number of requests which were processed before this one in the backend's global queue. | long |
-| haproxy.bind_name | Name of the listening address which received the connection. | keyword |
-| haproxy.bytes_read | Total number of bytes transmitted to the client when the log is emitted. | long |
-| haproxy.connection_wait_time_ms | Total time in milliseconds spent waiting for the connection to establish to the final server | long |
-| haproxy.connections.active | Total number of concurrent connections on the process when the session was logged. | long |
-| haproxy.connections.backend | Total number of concurrent connections handled by the backend when the session was logged. | long |
-| haproxy.connections.frontend | Total number of concurrent connections on the frontend when the session was logged. | long |
-| haproxy.connections.retries | Number of connection retries experienced by this session when trying to connect to the server. | long |
-| haproxy.connections.server | Total number of concurrent connections still active on the server when the session was logged. | long |
-| haproxy.error_message | Error message logged by HAProxy in case of error. | text |
-| haproxy.frontend_name | Name of the frontend (or listener) which received and processed the connection. | keyword |
-| haproxy.http.request.captured_cookie | Optional "name=value" entry indicating that the server has returned a cookie with its request. | keyword |
-| haproxy.http.request.captured_headers | List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. | keyword |
-| haproxy.http.request.raw_request_line | Complete HTTP request line, including the method, request and HTTP version string. | keyword |
-| haproxy.http.request.time_wait_ms | Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. | long |
-| haproxy.http.request.time_wait_without_data_ms | Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. | long |
-| haproxy.http.response.captured_cookie | Optional "name=value" entry indicating that the client had this cookie in the response. | keyword |
-| haproxy.http.response.captured_headers | List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. | keyword |
-| haproxy.mode | mode that the frontend is operating (TCP or HTTP) | keyword |
-| haproxy.server_name | Name of the last server to which the connection was sent. | keyword |
-| haproxy.server_queue | Total number of requests which were processed before this one in the server queue. | long |
-| haproxy.source | The HAProxy source of the log | keyword |
-| haproxy.tcp.connection_waiting_time_ms | Total time in milliseconds elapsed between the accept and the last close | long |
-| haproxy.termination_state | Condition the session was in when the session ended. | keyword |
-| haproxy.time_backend_connect | Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. | long |
-| haproxy.time_queue | Total time in milliseconds spent waiting in the various queues. | long |
-| haproxy.total_waiting_time_ms | Total time in milliseconds spent waiting in the various queues | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| hostname | Hostname from syslog header. | keyword |
-| http.request.body.bytes | Size in bytes of the request body. | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.source.address | Source address of the syslog message. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| pfsense.dhcp.hostname | Hostname of DHCP client | keyword |
-| pfsense.icmp.code | ICMP code. | long |
-| pfsense.icmp.destination.ip | Original destination address of the connection that caused this notification | ip |
-| pfsense.icmp.id | ID of the echo request/reply | long |
-| pfsense.icmp.mtu | MTU to use for subsequent data to this destination | long |
-| pfsense.icmp.otime | Originate Timestamp | date |
-| pfsense.icmp.parameter | ICMP parameter. | long |
-| pfsense.icmp.redirect | ICMP redirect address. | ip |
-| pfsense.icmp.rtime | Receive Timestamp | date |
-| pfsense.icmp.seq | ICMP sequence number. | long |
-| pfsense.icmp.ttime | Transmit Timestamp | date |
-| pfsense.icmp.type | ICMP type. | keyword |
-| pfsense.icmp.unreachable.iana_number | Protocol ID number that was unreachable | long |
-| pfsense.icmp.unreachable.other | Other unreachable information | keyword |
-| pfsense.icmp.unreachable.port | Port number that was unreachable | long |
-| pfsense.ip.ecn | Explicit Congestion Notification. | keyword |
-| pfsense.ip.flags | IP flags. | keyword |
-| pfsense.ip.flow_label | Flow label | keyword |
-| pfsense.ip.id | ID of the packet | long |
-| pfsense.ip.offset | Fragment offset | long |
-| pfsense.ip.tos | IP Type of Service identification. | keyword |
-| pfsense.ip.ttl | Time To Live (TTL) of the packet | long |
-| pfsense.openvpn.peer_info | Information about the Open VPN client | keyword |
-| pfsense.tcp.ack | TCP Acknowledgment number. | long |
-| pfsense.tcp.flags | TCP flags. | keyword |
-| pfsense.tcp.length | Length of the TCP header and payload. | long |
-| pfsense.tcp.options | TCP Options. | array |
-| pfsense.tcp.seq | TCP sequence number. | long |
-| pfsense.tcp.urg | Urgent pointer data. | keyword |
-| pfsense.tcp.window | Advertised TCP window size. | long |
-| pfsense.udp.length | Length of the UDP header and payload. | long |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.program | Process from syslog header. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.port | Port of the source. | long |
-| source.user.full_name | User's full name, if available. | keyword |
-| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
-| source.user.id | Unique identifier of the user. | keyword |
-| squid.hierarchy_status | The proxy hierarchy route; the route Content Gateway used to retrieve the object. | keyword |
-| squid.request_status | The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301). | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.username | Username of the request. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.email | User email address. | keyword |
-| user.full_name | User's full name, if available. | keyword |
-| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
diff --git a/packages/pfsense/1.0.2/img/dhcp.png b/packages/pfsense/1.0.2/img/dhcp.png
deleted file mode 100755
index 3f73f8f3f4..0000000000
Binary files a/packages/pfsense/1.0.2/img/dhcp.png and /dev/null differ
diff --git a/packages/pfsense/1.0.2/img/firewall.png b/packages/pfsense/1.0.2/img/firewall.png
deleted file mode 100755
index c98b30b09d..0000000000
Binary files a/packages/pfsense/1.0.2/img/firewall.png and /dev/null differ
diff --git a/packages/pfsense/1.0.2/img/pfsense.svg b/packages/pfsense/1.0.2/img/pfsense.svg
deleted file mode 100755
index f63b99ab31..0000000000
--- a/packages/pfsense/1.0.2/img/pfsense.svg
+++ /dev/null
@@ -1,22 +0,0 @@ - - - - - - image/svg+xml - - pfSense Logo - - - - pfSense Logo - - - - - - - - - -
diff --git a/packages/pfsense/1.0.2/img/unbound-1.png b/packages/pfsense/1.0.2/img/unbound-1.png
deleted file mode 100755
index cc53e8aa49..0000000000
Binary files a/packages/pfsense/1.0.2/img/unbound-1.png and /dev/null differ
diff --git a/packages/pfsense/1.0.2/img/unbound-2.png b/packages/pfsense/1.0.2/img/unbound-2.png
deleted file mode 100755
index eaa51ee3df..0000000000
Binary files a/packages/pfsense/1.0.2/img/unbound-2.png and /dev/null differ
diff --git a/packages/pfsense/1.0.2/img/unbound-3.png b/packages/pfsense/1.0.2/img/unbound-3.png
deleted file mode 100755
index 838bfdc6bf..0000000000
Binary files a/packages/pfsense/1.0.2/img/unbound-3.png and /dev/null differ
diff --git a/packages/pfsense/1.0.2/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json
deleted file mode 100755
index 47067b4828..0000000000
--- a/packages/pfsense/1.0.2/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json
+++ /dev/null
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"w\":34,\"x\":0,\"y\":0},\"panelIndex\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"panelRefName\":\"panel_73294aad-e475-4a63-97d1-fc214a83bb0a\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"w\":14,\"x\":34,\"y\":0},\"panelIndex\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"panelRefName\":\"panel_46725bb5-e239-4fa2-8dfd-4de947863354\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"w\":14,\"x\":34,\"y\":6},\"panelIndex\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"panelRefName\":\"panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"panelRefName\":\"panel_a7662c6e-94d5-4062-85f4-0132897f3578\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"panelRefName\":\"panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"27569da9-7531-40cf-be93-8778738b68be\",
\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"27569da9-7531-40cf-be93-8778738b68be\",\"panelRefName\":\"panel_27569da9-7531-40cf-be93-8778738b68be\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"columns\":[\"log.level\",\"client.ip\",\"dns.question.name\",\"dns.question.type\",\"dns.question.class\"],\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"w\":30,\"x\":0,\"y\":46},\"panelIndex\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"panelRefName\":\"panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"w\":18,\"x\":30,\"y\":46},\"panelIndex\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"panelRefName\":\"panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "Unbound - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-986061c0-3a9a-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534", - "name": "73294aad-e475-4a63-97d1-fc214a83bb0a:panel_73294aad-e475-4a63-97d1-fc214a83bb0a", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "46725bb5-e239-4fa2-8dfd-4de947863354:panel_46725bb5-e239-4fa2-8dfd-4de947863354", - "type": "visualization" - }, - { - "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534", - "name": "f39b1b4c-b444-4d25-a8c5-a78b6285025f:panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f", - "type": "visualization" - }, - { - "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534", - "name": "a7662c6e-94d5-4062-85f4-0132897f3578:panel_a7662c6e-94d5-4062-85f4-0132897f3578", - "type": "visualization" - }, - { - "id": 
"pfsense-98775710-3a98-11eb-96b2-e765737b7534", - "name": "763610d2-c8aa-4ab9-9a63-112e2471dcfc:panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc", - "type": "visualization" - }, - { - "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534", - "name": "27569da9-7531-40cf-be93-8778738b68be:panel_27569da9-7531-40cf-be93-8778738b68be", - "type": "visualization" - }, - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "7ea4ebda-9d0c-4885-9c37-71cd0665497f:panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f", - "type": "search" - }, - { - "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534", - "name": "6a32114d-577c-488b-b1e9-b7b4fc8941ae:panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json deleted file mode 100755 index 7bb13ddc75..0000000000 --- a/packages/pfsense/1.0.2/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,82 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"w\":16,\"x\":0,\"y\":7},\"panelIndex\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"w\":17,\"x\":16,\"y\":0},\"panelIndex\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"w\":15,\"x\":33,\"y\":7},\"panelIndex\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"w\":33,\"x\":0,\"y\":14},\"panelIndex\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"w\":15,\"x\":33,\"y\":14},\"panelIndex\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"panelRefName\":\"panel_6
\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"w\":33,\"x\":0,\"y\":28},\"panelIndex\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"panelRefName\":\"panel_7\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"w\":15,\"x\":33,\"y\":28},\"panelIndex\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"panelRefName\":\"panel_8\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.vlan.id\",\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"rule.id\",\"event.action\"],\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"w\":48,\"x\":0,\"y\":43},\"panelIndex\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"panelRefName\":\"panel_9\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"panelRefName\":\"panel_10\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"panelRefName\":\"panel_11\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "Firewall - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534", - "name": "panel_1", - "type": "lens" - }, - { - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - 
"name": "panel_2", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534", - "name": "panel_5", - "type": "lens" - }, - { - "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "panel_9", - "type": "search" - }, - { - "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 133ffa4a16..0000000000 --- a/packages/pfsense/1.0.2/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":22,\"i\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"w\":35,\"x\":0,\"y\":0},\"panelIndex\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"panelRefName\":\"panel_2b46d706-0288-4541-8880-ccb2efeeee92\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"panelRefName\":\"panel_6018121a-9303-4c73-9c96-d23362cdc74d\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"panelRefName\":\"panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"w\":13,\"x\":35,\"y\":14},\"panelIndex\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"panelRefName\":\"panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"w\":32,\"x\":0,\"y\":22},\"panelIndex\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"panelRefName\":\"panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5b500115-4722-432b-8d67-38b1a948c1d5\",\"w\":16,\"x\":32,\"y\":22},\"panelIndex\":\"5b
500115-4722-432b-8d67-38b1a948c1d5\",\"panelRefName\":\"panel_5b500115-4722-432b-8d67-38b1a948c1d5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"w\":16,\"x\":0,\"y\":36},\"panelIndex\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"panelRefName\":\"panel_aa85065f-1b07-468c-b264-1231b59be97b\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"w\":32,\"x\":16,\"y\":36},\"panelIndex\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"panelRefName\":\"panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.interface.name\",\"event.action\",\"client.ip\",\"client.mac\",\"pfsense.dhcp.hostname\"],\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"panelRefName\":\"panel_73ea92c6-7373-4121-a255-1ed2e43010c1\",\"type\":\"search\",\"version\":\"7.10.0\"}]", - "timeRestore": false, - "title": "DHCP - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534", - "name": "2b46d706-0288-4541-8880-ccb2efeeee92:panel_2b46d706-0288-4541-8880-ccb2efeeee92", - "type": "visualization" - }, - { - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - "name": "6018121a-9303-4c73-9c96-d23362cdc74d:panel_6018121a-9303-4c73-9c96-d23362cdc74d", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082:panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082", - 
"type": "visualization" - }, - { - "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534", - "name": "d9f98967-4e91-4eef-9a43-9caaeeebe6f8:panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8", - "type": "visualization" - }, - { - "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534", - "name": "20e8c75c-3e93-42ab-b5c5-6ad814b64151:panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151", - "type": "visualization" - }, - { - "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534", - "name": "5b500115-4722-432b-8d67-38b1a948c1d5:panel_5b500115-4722-432b-8d67-38b1a948c1d5", - "type": "visualization" - }, - { - "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534", - "name": "aa85065f-1b07-468c-b264-1231b59be97b:panel_aa85065f-1b07-468c-b264-1231b59be97b", - "type": "visualization" - }, - { - "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534", - "name": "22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5:panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5", - "type": "visualization" - }, - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "73ea92c6-7373-4121-a255-1ed2e43010c1:panel_73ea92c6-7373-4121-a255-1ed2e43010c1", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0e6f2067c4..0000000000 --- a/packages/pfsense/1.0.2/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "Treemap depicting the top 10 countries by destination ", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778": { - "columnOrder": [ - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35", - "57fc4315-85f4-4449-a8bd-308ec2e81e68" - ], - "columns": { - "57fc4315-85f4-4449-a8bd-308ec2e81e68": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of destination.geo.country_name", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "57fc4315-85f4-4449-a8bd-308ec2e81e68", - "type": "column" - }, - "orderDirection": "desc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "destination.geo.country_name" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35" - ], - "layerId": "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778", - "legendDisplay": "default", - "metric": "57fc4315-85f4-4449-a8bd-308ec2e81e68", - "nestedLegend": false, - "numberDisplay": "percent", - "percentDecimals": 0 - } - ], - "shape": "treemap" - } - }, - "title": "Firewall - Top Destination Countries/Treemap (Lens) [pfSense]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534", - "migrationVersion": { - "lens": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d77ab0e4-c2c2-4fb4-bd98-63c13ade7778", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.2/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json deleted file mode 100755 index 02f2a08f36..0000000000 --- a/packages/pfsense/1.0.2/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,118 +0,0 @@ -{ - "attributes": { - "description": "Events over time line chart utilizing the LENS virtualization", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "25e5682a-0461-46dc-aa0a-7ad4cec0eade": { - "columnOrder": [ - "f718697e-acee-4bfd-99f4-3406e224ed7f", - "440112fe-405a-4b46-840e-2b9772961acc", - "31549313-ebc1-427a-9913-3f6f78594221" - ], - "columns": { - "31549313-ebc1-427a-9913-3f6f78594221": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "440112fe-405a-4b46-840e-2b9772961acc": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "f718697e-acee-4bfd-99f4-3406e224ed7f": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of event.action", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "31549313-ebc1-427a-9913-3f6f78594221", - "type": "column" - }, - "orderDirection": "desc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "event.action" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "31549313-ebc1-427a-9913-3f6f78594221" - ], - "layerId": "25e5682a-0461-46dc-aa0a-7ad4cec0eade", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "f718697e-acee-4bfd-99f4-3406e224ed7f", - "xAccessor": "440112fe-405a-4b46-840e-2b9772961acc" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - 
"x": true, - "yLeft": true, - "yRight": true - } - } - }, - "title": "Firewall - Events/Time (Lens) [pfSense]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534", - "migrationVersion": { - "lens": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-25e5682a-0461-46dc-aa0a-7ad4cec0eade", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json deleted file mode 100755 index a455496aa4..0000000000 --- a/packages/pfsense/1.0.2/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"filterlog\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"filterlog\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Firewall - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 2476202065..0000000000 --- a/packages/pfsense/1.0.2/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"dhcpd\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"dhcpd\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "DHCP - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json b/packages/pfsense/1.0.2/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json deleted file mode 100755 index 133d3caa85..0000000000 --- a/packages/pfsense/1.0.2/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"unbound\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"unbound\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Unbound - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index e672a59a66..0000000000 
--- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Client IP/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAx
is-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Client IP/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 75f6a89eae..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "Select by interface alias", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interface Selector [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.ingress.interface.name\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Interface Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Interface Selector\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json deleted file mode 100755 index a3ebaa5ea7..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound dns question types", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Question Types [pfSense]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"top\",\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Unbound - Question Types [pfSense]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json deleted file mode 100755 index 7f73b1e962..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Firewall Selector [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.name\",\"id\":\"1613404486264\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Firewall Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Firewall Selector\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json deleted file mode 100755 index bfc06cc851..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Operation/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-12h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Lef
tAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Operation/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 985d72a2e0..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "Select by network transport type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Transport Type [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"network.transport\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Network Transport Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Network Transport Type\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json deleted file mode 100755 index cee6c25e13..0000000000 
--- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound client IP over time", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Client IP/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Unbound - Client IP/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 44a1d15c5a..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Interface [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Interface\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index e4a8a861bc..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Top 10 client IP unbound events", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Top Client IPs [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Client IPs\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json deleted file mode 100755 index b3c6b75a69..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Displays quantity of events based on action type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Event Action [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Event Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Firewall - Event Action\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0e0841e17f..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Top 10 domain name question/queries", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Top Queries [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.registered_domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Queried Domains \",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-98775710-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json deleted file mode 100755 index ed42e0ac5c..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Client IP [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Client IP\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json deleted file mode 100755 index e5404d633a..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Heatmap of destination countries", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Country Destination/Heatmap [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Destination Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Destination/Heatmap\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0489e7a517..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - IP/MAC Flow [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"client.mac\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, 
different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: 
\\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n 
mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"DHCP - IP/MAC Flow\",\"type\":\"vega\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 384f395db3..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Events over type based on network transport type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Network Transport/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport/Time\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histog
ram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Firewall - Network Transport/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json deleted file mode 100755 index 09a7a4ce7a..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Heatmap of source countries", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Country Source/Heatmap [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Source Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Source/Heatmap\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No 
newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json deleted file mode 100755 index 4ce6eca893..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Operation [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Operation\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json deleted file mode 100755 index bd1ab0a445..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Client IP \u003c-flow-\u003e dns question name", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - DNS Flow [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"dns.question.name\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: 
[\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: 
destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n 
mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"Unbound - DNS Flow\",\"type\":\"vega\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json deleted file mode 100755 index b773f61c44..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Pie chart depicting events by interface alias", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Events by Interface [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Firewall - Events by Interface\",\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Firewall - Events by Interface\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index 137b895052..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound request heat map by IP address", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Request Rate [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Unbound - Request Rate\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.2/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.2/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 95dfc88834..0000000000 --- a/packages/pfsense/1.0.2/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Network transport pie chart", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Network Transport [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"type\":\"pie\"},\"title\":\"Firewall - Network Transport \",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.2/manifest.yml b/packages/pfsense/1.0.2/manifest.yml deleted file mode 100755 index f738f80256..0000000000 
--- a/packages/pfsense/1.0.2/manifest.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-name: pfsense
-title: pfSense Logs
-version: "1.0.2"
-release: ga
-description: Collect and parse logs from pfSense and OPNsense devices with Elastic Agent.
-type: integration
-icons:
- - src: /img/pfsense.svg
- title: pfsense
- size: 512x143
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories:
- - network
- - security
-conditions:
- kibana.version: ^7.15.0 || ^8.0.0
-screenshots:
- - src: /img/firewall.png
- title: pfSense Firewall Dashboard
- size: 2993x1646
- type: image/png
- - src: /img/dhcp.png
- title: pfSense DHCP Dashboard
- size: 2999x1640
- type: image/png
- - src: /img/unbound-1.png
- title: pfSense Unbound Dashboard
- size: 1680x763
- type: image/png
- - src: /img/unbound-2.png
- title: pfSense Unbound Dashboard
- size: 1679x833
- type: image/png
- - src: /img/unbound-3.png
- title: pfSense Unbound Dashboard
- size: 1679x904
- type: image/png
-policy_templates:
- - name: pfsense
- title: pfSense logs
- description: Collect logs from pfSense systems
- inputs:
- - type: udp
- title: "Collect pfSense logs (input: udp)"
- description: "Collecting logs from pfSense systems (input: udp)"
- - type: tcp
- title: "Collect pfSense logs (input: tcp)"
- description: "Collecting logs from pfSense systems (input: tcp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/pfsense/1.0.3/changelog.yml b/packages/pfsense/1.0.3/changelog.yml
deleted file mode 100755
index fdaa71884f..0000000000
--- a/packages/pfsense/1.0.3/changelog.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-# newer versions go on top
-- version: "1.0.3"
- changes:
- - description: updated links in the documentation to the vendor documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3145
-- version: "1.0.2"
- changes:
- - description: Update HAProxy log parsing to handle non HTTPS and TCP logs
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3504
-- version: "1.0.1"
- changes:
- - description: Format client.mac as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3303
-- version: "1.0.0"
- changes:
- - description: Add OPNsense support. Add PHP-FPM log parsing.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2413
-- version: "0.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "0.3.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2432
-- version: "0.2.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2257
-- version: "0.1.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2091
-- version: "0.1.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1981
-- version: "0.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1842
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/1286
diff --git a/packages/pfsense/1.0.3/data_stream/log/agent/stream/tcp.yml.hbs b/packages/pfsense/1.0.3/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 9241b23255..0000000000
--- a/packages/pfsense/1.0.3/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-- add_locale: ~
-- add_fields:
- target: _tmp
- fields:
- tz_offset: {{tz_offset}}
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/pfsense/1.0.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/pfsense/1.0.3/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index ca515ab199..0000000000
--- a/packages/pfsense/1.0.3/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,26 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-- add_locale: ~
-- add_fields:
- target: _tmp
- fields:
- tz_offset: {{tz_offset}}
-{{#if internal_networks.length}}
- internal_networks:
- {{#each internal_networks as |ntwrk i|}}
- - {{ntwrk}}
- {{/each}}
-{{/if}}
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index e520c07032..0000000000
--- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,182 +0,0 @@ ---- -description: Pipeline for PFsense -processors: - - set: - field: ecs.version - value: '8.2.0' - - set: - field: observer.vendor - value: netgate - - set: - field: observer.type - value: firewall - - rename: - field: message - target_field: event.original - - set: - field: event.timezone - value: "{{_tmp.tz_offset}}" - if: ctx?._tmp?.tz_offset != null && ctx?._tmp?.tz_offset != 'local' - - grok: - description: Parse syslog header - field: event.original - patterns: - - '^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}' - pattern_definitions: - ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>(\d )?' - BSD_TIMESTAMP_FORMAT: '%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{OBSERVER})?%{SPACE}%{PROCESS}(\[%{POSINT:process.pid:long}\])?:' - SYSLOG_TIMESTAMP_FORMAT: '%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - -' - TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' 
- TIMESTAMP: '(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})' - OBSERVER: '(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})' - PROCESS: '(\(%{DATA:process.name}\)|(%{UNIXPATH}/)?%{WORD:process.name})' - - date: - if: ctx?._tmp.timestamp8601 != null - field: _tmp.timestamp8601 - target_field: '@timestamp' - formats: - - ISO8601 - - date: - if: ctx?.event?.timezone != null && ctx?._tmp?.timestamp != null - field: _tmp.timestamp - target_field: '@timestamp' - formats: - - MMM d HH:mm:ss - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - timezone: '{{ event.timezone }}' - - grok: - description: Set Event Provider - field: process.name - patterns: - - '^%{WORD:event.provider}' - - pipeline: - name: '{{ IngestPipeline "firewall" }}' - if: ctx.event.provider == 'filterlog' - - pipeline: - name: '{{ IngestPipeline "openvpn" }}' - if: ctx.event.provider == 'openvpn' - - pipeline: - name: '{{ IngestPipeline "ipsec" }}' - if: ctx.event.provider == 'charon' - - pipeline: - name: '{{ IngestPipeline "dhcp" }}' - if: ctx.event.provider == 'dhcpd' - - pipeline: - name: '{{ IngestPipeline "unbound" }}' - if: ctx.event.provider == 'unbound' - - pipeline: - name: '{{ IngestPipeline "haproxy" }}' - if: ctx.event.provider == 'haproxy' - - pipeline: - name: '{{ IngestPipeline "php-fpm" }}' - if: ctx.event.provider == 'php-fpm' - - pipeline: - name: '{{ IngestPipeline "squid" }}' - if: ctx.event.provider == 'squid' - - drop: - if: '!["filterlog", "openvpn", "charon", "dhcpd", "unbound", "haproxy", "php-fpm", "squid"].contains(ctx?.event?.provider)' - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - ignore_missing: true - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn 
- - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: ctx?.destination?.ip != null - - append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - allow_duplicates: false - if: ctx?.source?.nat?.ip != null - - append: - field: related.hosts - value: "{{destination.domain}}" - if: "ctx?.destination?.domain != null" - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - - remove: - field: - - _tmp - ignore_failure: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || (v instanceof String && v == "-")); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - remove: - field: - - _tmp - ignore_failure: true - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
deleted file mode 100755
index f366964fba..0000000000
--- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
+++ /dev/null
@@ -1,100 +0,0 @@ ---- -description: Pipeline for PFsense DHCP logs -processors: - - grok: - field: message - patterns: - - '%{WORD:event.action} %{MIDDLE} via %{INTERFACE:observer.ingress.interface.name}' - - '%{GREEDYDATA}' - pattern_definitions: - INTERFACE: '[a-z0-9\.]+' - MAC_ADDRESS: '([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})' - FROM: 'from %{MAC_ADDRESS:client.mac}' - ON: 'on %{IP:client.address} to %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)' - FOR: 'for %{IP:client.address} \(%{IP:server.address}\)? from %{MAC_ADDRESS:client.mac} \(%{HOSTNAME:pfsense.dhcp.hostname}\)' - MIDDLE: '(?:%{FROM}|%{ON}|%{FOR})' - - set: - field: event.kind - value: event - - append: - field: event.category - value: network - allow_duplicates: false - - append: - field: event.type - value: connection - allow_duplicates: false - - append: - field: event.type - value: protocol - allow_duplicates: false - - append: - field: event.type - value: info - allow_duplicates: false - - set: - field: network.protocol - value: dhcp - - set: - field: network.transport - value: udp - - set: - field: client.port - value: 68 - if: ctx?.client?.port == null - - set: - field: server.port - value: 67 - if: ctx?.server?.port == null - - set: - field: client.ip - value: "{{client.address}}" - ignore_empty_value: true - - set: - field: server.ip - value: "{{server.address}}" - ignore_empty_value: true - - uppercase: - field: client.mac - ignore_missing: true - - gsub: - field: client.mac - pattern: '[:]' - replacement: '-' - ignore_missing: true - - set: - field: source - copy_from: client - ignore_empty_value: true - - set: - field: destination - copy_from: server - ignore_empty_value: true - - community_id: - target_field: network.community_id - ignore_failure: true - - grok: - field: observer.ingress.interface.name - patterns: - - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}" - ignore_missing: true - ignore_failure: true - - append: - field: related.ip - value: "{{source.ip}}" - 
allow_duplicates: false - if: "ctx?.source?.ip != null" - - append: - field: related.ip - value: "{{destination.ip}}" - allow_duplicates: false - if: "ctx?.destination?.ip != null" - - append: - field: related.hosts - value: "{{pfsense.dhcp.hostname}}" - allow_duplicates: false - if: "ctx?.pfsense?.log?.dhcp?.hostname != null" -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml deleted file mode 100755 index cea025397d..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/firewall.yml +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -description: Pipeline for PFsense Firewall logs -processors: - - grok: - field: message - patterns: - - "%{PF_LOG_ENTRY}%{GREEDYDATA}" - pattern_definitions: - PF_LOG_ENTRY: "%{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}?" - PF_LOG_DATA: "%{INT},%{INT}?,,%{INT:rule.id},%{DATA:observer.ingress.interface.name},%{PF_REASON:event.reason},%{WORD:event.action},%{WORD:network.direction}," - PF_REASON: '[a-zA-Z-]+' - PF_IP_DATA: "%{NONNEGINT:network.bytes:long},%{IP:source.address},%{IP:destination.address}," - PF_IP_SPECIFIC_DATA: "%{PF_IPv4_SPECIFIC_DATA}|%{PF_IPv6_SPECIFIC_DATA}" - PF_IPv4_SPECIFIC_DATA: "(?(4)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.ecn}?,%{NONNEGINT:pfsense.ip.ttl:long},%{NONNEGINT:pfsense.ip.id:long},%{NONNEGINT:pfsense.ip.offset:long},(?:%{WORD:pfsense.ip.flags}|%{PF_SPEC:pfsense.ip.flags}),%{INT:network.iana_number},%{WORD:network.transport}," - PF_IPv6_SPECIFIC_DATA: "(?(6)),%{BASE16NUM:pfsense.ip.tos},%{WORD:pfsense.ip.flow_label},%{WORD:pfsense.ip.flags},%{WORD:network.transport},%{INT:network.iana_number}," - PF_PROTOCOL_DATA: "%{PF_TCP_DATA}|%{PF_UDP_DATA}|%{PF_ICMP_DATA}|%{PF_IGMP_DATA}|%{PF_IPv6_VAR}|%{PF_IPv6_ICMP}" - PF_IPv6_VAR: "%{GREEDYDATA}" - PF_IPv6_ICMP: '' - PF_TCP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.tcp.length:long},%{WORD:pfsense.tcp.flags}?,%{NONNEGINT:pfsense.tcp.seq:long}?:?%{NONNEGINT},%{NONNEGINT:pfsense.tcp.ack:long}?,%{NONNEGINT:pfsense.tcp.window:long}?,%{WORD:pfsense.tcp.urg}?,%{GREEDYDATA:pfsense.tcp.options}" - PF_UDP_DATA: "%{INT:source.port:long},%{INT:destination.port:long},%{NONNEGINT:pfsense.udp.length:long}$" - PF_IGMP_DATA: "datalength=%{NONNEGINT:network.packets:long}" - PF_ICMP_DATA: "%{PF_ICMP_TYPE}%{PF_ICMP_RESPONSE}" - PF_ICMP_TYPE: "(?(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply))," - PF_ICMP_RESPONSE: 
"%{PF_ICMP_ECHO_REQ_REPLY}|%{PF_ICMP_UNREACHPORT}|%{PF_ICMP_UNREACHPROTO}|%{PF_ICMP_UNREACHABLE}|%{PF_ICMP_NEED_FLAG}|%{PF_ICMP_TSTAMP}|%{PF_ICMP_TSTAMP_REPLY}" - PF_ICMP_ECHO_REQ_REPLY: "%{NONNEGINT:pfsense.icmp.id:long},%{NONNEGINT:pfsense.icmp.seq:long}" - PF_ICMP_UNREACHPORT: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:pfsense.icmp.unreachable.iana_number},%{NONNEGINT:pfsense.icmp.unreachable.port:long}" - PF_ICMP_UNREACHPROTO: "%{IP:[pfsense.icmp.destination.ip]},%{WORD:[pfsense.icmp.unreachable.iana_number]}" - PF_ICMP_UNREACHABLE: "%{GREEDYDATA:pfsense.icmp.unreachable.other}" - PF_ICMP_NEED_FLAG: "%{IP:pfsense.icmp.destination.ip},%{NONNEGINT:pfsense.icmp.mtu:long}" - PF_ICMP_TSTAMP: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq}" - PF_ICMP_TSTAMP_REPLY: "%{INT:pfsense.icmp.id},%{INT:pfsense.icmp.seq},%{INT:pfsense.icmp.otime},%{INT:pfsense.icmp.rtime},%{INT:pfsense.icmp.ttime}" - PF_SPEC: "[+]" - - set: - field: event.kind - value: event - - append: - field: event.category - value: network - allow_duplicates: false - - set: - field: source.ip - value: "{{source.address}}" - ignore_empty_value: true - - set: - field: destination.ip - value: "{{destination.address}}" - ignore_empty_value: true - - append: - field: event.type - value: connection - allow_duplicates: false - if: ctx?.source?.ip != null && ctx?.destination?.ip != null - - append: - field: event.type - value: denied - allow_duplicates: false - if: ctx?.event.action == 'block' - - append: - field: event.type - value: allowed - allow_duplicates: false - if: ctx?.event.action == 'pass' - - set: - field: network.type - value: ipv{{network.type}} - if: ctx?.network?.type == '4' || ctx?.network?.type == '6' - - lowercase: - field: network.transport - ignore_missing: true - - remove: - field: ack_number - ignore_missing: true - if: ctx?.ack_number == null || ctx?.ack_number == '' - - network_direction: - internal_networks_field: _tmp.internal_networks - - community_id: - target_field: 
network.community_id - ignore_failure: true - - grok: - field: observer.ingress.interface.name - patterns: - - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}" - ignore_missing: true - ignore_failure: true - - split: - field: pfsense.tcp.options - separator: ';' - ignore_missing: true - ignore_failure: true - - date: - field: pfsense.icmp.otime - ignore_failure: true - formats: - - UNIX - - UNIX_MS - - date: - field: pfsense.icmp.rtime - ignore_failure: true - formats: - - UNIX - - UNIX_MS - - date: - field: pfsense.icmp.ttime - ignore_failure: true - formats: - - UNIX - - UNIX_MS -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml deleted file mode 100755 index 3ae2fb4c69..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/haproxy.yml +++ /dev/null 
@@ -1,139 +0,0 @@ ---- -description: Pipeline for parsing PFsense HAProxy http, tcp and default logs. -processors: - - grok: - field: message - patterns: - - 'Connect from (%{IPORHOST:source.address}|-):%{POSINT:source.port:long} %{WORD} %{IPORHOST:destination.address}:%{POSINT:destination.port:long} \(%{NOTSPACE:haproxy.frontend_name}/%{WORD:haproxy.mode}\)' - # HTTP(S) - - '(%{IPORHOST:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} - %{NUMBER:haproxy.http.request.time_wait_ms:long}/%{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:haproxy.http.request.time_wait_without_data_ms:long}/%{NUMBER:_temp.duration:long} - %{NUMBER:http.response.status_code:long} %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} - %{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long} %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long} - (\{%{DATA:haproxy.http.request.captured_headers}\} \{%{DATA:haproxy.http.response.captured_headers}\} |\{%{DATA}\} )?"%{GREEDYDATA:haproxy.http.request.raw_request_line}"' - # TCP - - '(%{IP:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] - %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} - %{NUMBER:haproxy.total_waiting_time_ms:long}/%{NUMBER:haproxy.connection_wait_time_ms:long}/%{NUMBER:_temp.duration:long} - %{NUMBER:haproxy.bytes_read:long} %{NOTSPACE:haproxy.termination_state} 
%{NUMBER:haproxy.connections.active:long}/%{NUMBER:haproxy.connections.frontend:long}/%{NUMBER:haproxy.connections.backend:long}/%{NUMBER:haproxy.connections.server:long}/%{NUMBER:haproxy.connections.retries:long} - %{NUMBER:haproxy.server_queue:long}/%{NUMBER:haproxy.backend_queue:long}' - # Error - - '(%{IP:source.address}|-):%{POSINT:source.port:long} \[%{NOTSPACE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name}/%{BIND_NAME:haproxy.bind_name}:? %{GREEDYDATA:haproxy.error_message}' - ignore_missing: false - pattern_definitions: - HAPROXY_DATE: (%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP} - BIND_NAME: ((%{IP:destination.address})?(:%{POSINT:destination.port:long})?|%{NOTSPACE}) - on_failure: - - drop: - description: Drop if not a connection log - - date: - if: ctx?.haproxy?.request_date != null && ctx?.event?.timezone == null - field: haproxy.request_date - target_field: '@timestamp' - formats: - - dd/MMM/yyyy:HH:mm:ss.SSS - - MMM dd HH:mm:ss - - date: - if: ctx?.haproxy?.request_date != null && ctx?.event?.timezone != null - field: haproxy.request_date - target_field: '@timestamp' - formats: - - dd/MMM/yyyy:HH:mm:ss.SSS - - MMM dd HH:mm:ss - timezone: '{{ event.timezone }}' - - grok: - field: haproxy.http.request.raw_request_line - patterns: - - '%{WORD:http.request.method}%{SPACE}%{URIPATHPARAM:url.original}%{SPACE}HTTP/%{NUMBER:http.version}' - ignore_missing: true - if: 'ctx.haproxy?.http?.request?.raw_request_line != null && !ctx.haproxy?.http?.request?.raw_request_line.isEmpty() && ctx.haproxy?.http?.request?.raw_request_line != ""' - - uri_parts: - field: url.original - ignore_failure: true - if: ctx?.url?.original != null - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - ignore_missing: true - - geoip: - field: source.ip - 
target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - split: - field: haproxy.http.request.captured_headers - separator: \| - ignore_failure: true - ignore_missing: true - - split: - field: haproxy.http.response.captured_headers - separator: \| - ignore_failure: true - ignore_missing: true - - script: - lang: painless - source: ctx.event.duration = Math.round(ctx._temp.duration * params.scale) - params: - scale: 1000000 - if: ctx._temp?.duration != null - - convert: - field: haproxy.bytes_read - target_field: http.response.bytes - type: long - ignore_missing: true - if: ctx.containsKey('http') - - set: - field: event.kind - value: event - - append: - field: event.category - value: web - if: "ctx?.haproxy?.mode == 'HTTP' || ctx?.haproxy?.http != null" - - append: - field: event.category - value: network - if: "ctx?.source.ip != null && ctx?.destination?.ip != null" - - append: - field: event.type - value: connection - if: "ctx?.source.ip != null && ctx?.destination?.ip != null" - - set: - field: event.outcome - value: success - if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400" - - set: - field: event.outcome - value: failure - if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" - - remove: - field: - - _temp - - haproxy.request_date - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
deleted file mode 100755
index 0ee5fae5ce..0000000000
--- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/ipsec.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-description: Pipeline for PFsense IPSEC logs
-processors:
- - grok:
- field: message
- patterns:
- - '%{PREFIX}%{GREEDYDATA}%{SOURCE} to %{DEST} \(%{NONNEGINT:network.bytes:long} bytes\)'
- - '%{GREEDYDATA}'
- pattern_definitions:
- PREFIX: '\d+\[%{WORD}\]'
- SOURCE: '%{IP:source.address}\[%{NONNEGINT:source.port:long}\]'
- DEST: '%{IP:destination.address}\[%{NONNEGINT:destination.port:long}\]'
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: network
- allow_duplicates: false
- - append:
- field: event.type
- value: connection
- allow_duplicates: false
- if: ctx?.source?.address != null
- - append:
- field: event.type
- value: end
- allow_duplicates: false
- if: ctx?.message.toLowerCase().contains('disconnected')
- - set:
- field: source.ip
- value: "{{source.address}}"
- ignore_empty_value: true
- - set:
- field: destination.ip
- value: "{{destination.address}}"
- ignore_empty_value: true
- - set:
- field: network.protocol
- value: ipsec
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
deleted file mode 100755
index 9afef3ba5d..0000000000
--- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/openvpn.yml
+++ /dev/null
@@ -1,53 +0,0 @@ ---- -description: Pipeline for PFsense OpenVPN logs -processors: - - grok: - field: message - patterns: - - '%{SOURCE}%{SPACE}peer%{SPACE}info:%{SPACE}%{GREEDYDATA:pfsense.openvpn.peer_info}' - - '%{SOURCE}%{SPACE}\[%{USERNAME:user.name}\]%{SPACE}%{GREEDYDATA}' - - "user%{SPACE}'%{USERNAME:user.name}'%{GREEDYDATA}" - - '%{USERNAME:user.name}/%{SOURCE}%{DATA}IPv4=(%{IP:source.nat.ip}|%{GREEDYDATA}),%{SPACE}IPv6=(%{IP:source.nat.ip}|%{GREEDYDATA})' - - '%{GREEDYDATA}%{SOURCE}' - - '%{GREEDYDATA}' - pattern_definitions: - SOURCE: '%{IP:source.address}:%{NONNEGINT:source.port:long}' - USERNAME: '[a-zA-Z0-9._-]+' - - set: - field: event.kind - value: event - - append: - field: event.category - value: network - allow_duplicates: false - - append: - field: event.category - value: authentication - allow_duplicates: false - if: ctx?.message.contains('auth') - - append: - field: event.type - value: connection - allow_duplicates: false - if: ctx?.source?.address != null - - append: - field: event.type - value: error - allow_duplicates: false - if: ctx?.message.toLowerCase().contains('error') || ctx?.message.toLowerCase().contains('not auth') - - append: - field: event.type - value: start - allow_duplicates: false - if: ctx?.message.toLowerCase().contains('initiat') - - set: - field: source.ip - value: "{{source.address}}" - ignore_empty_value: true - - set: - field: network.protocol - value: openvpn -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml deleted file mode 100755 index 7570a1da68..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml +++ /dev/null 
@@ -1,46 +0,0 @@
----
-description: Pipeline for PFsense PHP-FPM logs
-processors:
- - grok:
- field: message
- patterns:
- - '^%{DATA}: %{PF_APP_DATA}'
- - '^%{GREEDYDATA}'
- pattern_definitions:
- PF_APP_DATA: '(%{PF_APP_LOGIN}|%{PF_APP_LOGOUT}|%{PF_APP_ERROR})'
- PF_APP_LOGIN: "(%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address} \\(%{DATA}\\)"
- PF_APP_LOGOUT: "User (%{DATA:_tmp.action}) for user '%{USER:user.name}' from: %{IP:source.address}"
- PF_APP_ERROR: "webConfigurator %{DATA:_tmp.action} for user '%{DATA:user.name}' from: %{IP:source.address}"
- - set:
- field: event.kind
- value: event
- - append:
- field: event.category
- value: authentication
- allow_duplicates: false
- - set:
- field: event.outcome
- value: success
- if: 'ctx._tmp?.action.toLowerCase().contains("success")'
- - set:
- field: event.outcome
- value: failure
- if: 'ctx._tmp?.action.toLowerCase().contains("authentication error")'
- - convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: observer.ip
- target_field: host.ip
- ignore_missing: true
- - rename:
- field: observer.name
- target_field: host.name
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/squid.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/squid.yml
deleted file mode 100755
index 29e8bbee97..0000000000
--- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/squid.yml
+++ /dev/null
@@ -1,90 +0,0 @@ ---- -description: Pipeline for parsing PFsense Squid logs. -processors: - - grok: - field: message - patterns: - - '%{IPORHOST:source.address} %{NOTSPACE:squid.request_status}/%{NUMBER:http.response.status_code:long} %{NUMBER:http.response.bytes:long} %{NOTSPACE:http.request.method} (%{URI:url.original})?%{SPACE}%{NOTSPACE:http.request.referrer}%{SPACE}%{NOTSPACE:squid.hierarchy_status}/%{IPORHOST:destination.address}%{SPACE}%{NOTSPACE:http.response.mime_type}' - ignore_missing: false - - uri_parts: - field: url.original - ignore_failure: true - if: ctx?.url?.original != null - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -# - split: -# field: haproxy.http.request.captured_headers -# separator: \| -# ignore_failure: true -# ignore_missing: true -# - split: -# field: haproxy.http.response.captured_headers -# separator: \| -# ignore_failure: true -# ignore_missing: true -# - script: -# lang: painless -# source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale) -# params: -# scale: 1000000 -# if: ctx.temp?.duration != null -# - remove: -# field: temp.duration -# ignore_missing: true -# - convert: -# field: haproxy.bytes_read -# target_field: http.response.bytes -# type: long -# ignore_missing: true -# if: ctx.containsKey('http') - - set: - field: event.kind - value: event - - append: - field: 
event.category - value: web - - append: - field: event.category - value: network - - set: - field: event.outcome - value: success - if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400" - - set: - field: event.outcome - value: failure - if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml b/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml deleted file mode 100755 index 5bdbdb6d2e..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/elasticsearch/ingest_pipeline/unbound.yml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -description: Pipeline for PFsense Unbound DNS logs -processors: - - grok: - field: message - patterns: - - '%{LOGLEVEL:log.level}: %{IP:source.address} %{HOSTNAME:_tmp.question.name}(\.) %{WORD:_tmp.question.type} %{WORD:_tmp.question.class}' - on_failure: - - drop: - description: Drop if not a query log - - set: - field: event.kind - value: event - - append: - field: event.category - value: network - allow_duplicates: false - - append: - field: event.type - value: connection - allow_duplicates: false - if: ctx?.source?.address != null - - append: - field: event.type - value: end - allow_duplicates: false - if: ctx?.message.toLowerCase().contains('disconnected') - - set: - field: network.protocol - value: dns - - set: - field: dns.type - value: question - if: ctx?._tmp?.question?.name != null - - registered_domain: - field: _tmp.question.name - target_field: dns.question - ignore_missing: true - - rename: - field: dns.question.domain - target_field: dns.question.name - ignore_missing: true - - rename: - field: _tmp.question.type - target_field: dns.question.type - ignore_missing: true - - rename: - field: _tmp.question.class - target_field: dns.question.class - ignore_missing: true - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - ignore_missing: true - - set: - field: client - copy_from: source - ignore_empty_value: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - ignore_missing: true -on_failure: - - append: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/pfsense/1.0.3/data_stream/log/fields/agent.yml b/packages/pfsense/1.0.3/data_stream/log/fields/agent.yml deleted file mode 100755 index c961daeee1..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: hostname - type: keyword - description: Hostname from syslog header. 
-- name: log.source.address - type: keyword - description: Source address of the syslog message. -- name: process.program - type: keyword - description: Process from syslog header. diff --git a/packages/pfsense/1.0.3/data_stream/log/fields/base-fields.yml b/packages/pfsense/1.0.3/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 8007b1ad5b..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: pfsense -- name: event.dataset - type: constant_keyword - description: Event dataset - value: pfsense.log diff --git a/packages/pfsense/1.0.3/data_stream/log/fields/ecs.yml b/packages/pfsense/1.0.3/data_stream/log/fields/ecs.yml deleted file mode 100755 index 76d91edc71..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,565 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - ignore_above: 1024 - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: client.geo.location - type: geo_point -- description: Region ISO code. 
- name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - MAC address of the client. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: client.mac - type: keyword -- description: Port of the client. - name: client.port - type: long -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). 
It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - Mime type of the body of the response. - This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - name: http.response.mime_type - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: |- - Original log level of the log event. 
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: VLAN ID as reported by the observer. - name: observer.ingress.vlan.id - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. 
- If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
- name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: source.user.full_name - type: keyword -- description: Unique identifier of the user. - name: source.user.id - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). 
- name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. 
- name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/pfsense/1.0.3/data_stream/log/fields/fields.yml b/packages/pfsense/1.0.3/data_stream/log/fields/fields.yml deleted file mode 100755 index 7a350eba17..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,256 +0,0 @@
-- name: pfsense.ip
- type: group
- fields:
- - name: tos
- type: keyword
- description: |
- IP Type of Service identification.
- - name: ecn
- type: keyword
- description: |
- Explicit Congestion Notification.
- - name: ttl
- type: long
- description: |
- Time To Live (TTL) of the packet
- - name: id
- type: long
- description: |
- ID of the packet
- - name: offset
- type: long
- description: |
- Fragment offset
- - name: flags
- type: keyword
- description: |
- IP flags.
- - name: flow_label
- type: keyword
- description: |
- Flow label
-- name: pfsense.tcp
- type: group
- fields:
- - name: flags
- type: keyword
- description: |
- TCP flags.
- - name: seq
- type: long
- description: |
- TCP sequence number.
- - name: ack
- type: long
- description: |
- TCP Acknowledgment number.
- - name: window
- type: long
- description: |
- Advertised TCP window size.
- - name: urg
- type: keyword
- description: |
- Urgent pointer data.
- - name: options
- type: array
- description: |
- TCP Options.
- - name: length
- type: long
- description: |
- Length of the TCP header and payload.
-- name: pfsense.udp
- type: group
- fields:
- - name: length
- type: long
- description: |
- Length of the UDP header and payload.
-- name: pfsense.icmp
- type: group
- fields:
- - name: type
- type: keyword
- description: |
- ICMP type.
- - name: id
- type: long
- description: |
- ID of the echo request/reply
- - name: destination.ip
- type: ip
- description: Original destination address of the connection that caused this notification
- - name: mtu
- type: long
- description: MTU to use for subsequent data to this destination
- - name: otime
- type: date
- description: Originate Timestamp
- - name: rtime
- type: date
- description: Receive Timestamp
- - name: ttime
- type: date
- description: Transmit Timestamp
- - name: unreachable
- type: group
- fields:
- - name: iana_number
- type: long
- description: |
- Protocol ID number that was unreachable
- - name: port
- type: long
- description: |
- Port number that was unreachable
- - name: other
- type: keyword
- description: |
- Other unreachable information
- - name: code
- type: long
- description: |
- ICMP code.
- - name: parameter
- type: long
- description: |
- ICMP parameter.
- - name: redirect
- type: ip
- description: |
- ICMP redirect address.
- - name: seq
- type: long
- description: |
- ICMP sequence number.
-- name: pfsense.dhcp.hostname
- type: keyword
- description: |
- Hostname of DHCP client
-- name: pfsense.openvpn.peer_info
- type: keyword
- description: |-
- Information about the Open VPN client
-- name: haproxy
- type: group
- fields:
- - name: frontend_name
- type: keyword
- description: Name of the frontend (or listener) which received and processed the connection.
- - name: backend_name
- type: keyword
- description: Name of the backend (or listener) which was selected to manage the connection to the server.
- - name: server_name
- type: keyword
- description: Name of the last server to which the connection was sent.
- - name: total_waiting_time_ms
- type: long
- description: Total time in milliseconds spent waiting in the various queues
- - name: connection_wait_time_ms
- type: long
- description: Total time in milliseconds spent waiting for the connection to establish to the final server
- - name: bytes_read
- type: long
- description: Total number of bytes transmitted to the client when the log is emitted.
- - name: time_queue
- type: long
- description: Total time in milliseconds spent waiting in the various queues.
- - name: time_backend_connect
- type: long
- description: Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
- - name: server_queue
- type: long
- description: Total number of requests which were processed before this one in the server queue.
- - name: backend_queue
- type: long
- description: Total number of requests which were processed before this one in the backend's global queue.
- - name: bind_name
- type: keyword
- description: Name of the listening address which received the connection.
- - name: error_message
- type: text
- description: Error message logged by HAProxy in case of error.
- - name: source
- type: keyword
- description: The HAProxy source of the log
- - name: termination_state
- type: keyword
- description: Condition the session was in when the session ended.
- - name: mode
- type: keyword
- description: mode that the frontend is operating (TCP or HTTP)
- - name: connections
- type: group
- fields:
- - name: active
- type: long
- description: Total number of concurrent connections on the process when the session was logged.
- - name: frontend
- type: long
- description: Total number of concurrent connections on the frontend when the session was logged.
- - name: backend
- type: long
- description: Total number of concurrent connections handled by the backend when the session was logged.
- - name: server
- type: long
- description: Total number of concurrent connections still active on the server when the session was logged.
- - name: retries
- type: long
- description: Number of connection retries experienced by this session when trying to connect to the server.
- - name: client
- type: group
- - name: destination
- type: group
- - name: geoip
- type: group
-- name: haproxy.http
- type: group
- fields:
- - name: response
- type: group
- fields:
- - name: captured_cookie
- type: keyword
- description: |
- Optional "name=value" entry indicating that the client had this cookie in the response.
- - name: captured_headers
- type: keyword
- description: |
- List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
- - name: request
- type: group
- fields:
- - name: captured_cookie
- type: keyword
- description: |
- Optional "name=value" entry indicating that the server has returned a cookie with its request.
- - name: captured_headers
- type: keyword
- description: |
- List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
- - name: raw_request_line
- type: keyword
- description: Complete HTTP request line, including the method, request and HTTP version string.
- - name: time_wait_without_data_ms
- type: long
- description: Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.
- - name: time_wait_ms
- type: long
- description: Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.
-- name: haproxy.tcp
- type: group
- fields:
- - name: connection_waiting_time_ms
- type: long
- description: Total time in milliseconds elapsed between the accept and the last close
-- name: squid
- type: group
- fields:
- - name: request_status
- type: keyword
- description: |
- The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301).
- - name: hierarchy_status
- type: keyword
- description: The proxy hierarchy route; the route Content Gateway used to retrieve the object.
diff --git a/packages/pfsense/1.0.3/data_stream/log/manifest.yml b/packages/pfsense/1.0.3/data_stream/log/manifest.yml
deleted file mode 100755
index 1b65cbac0b..0000000000
--- a/packages/pfsense/1.0.3/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,140 +0,0 @@ -type: logs -title: pfSense log logs -release: experimental -streams: - - input: udp - template_path: udp.yml.hbs - title: pfSense syslog logs - description: Collect pfsense logs using udp input - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The UDP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root. - multi: false - required: true - show_user: true - default: 9001 - - name: internal_networks - type: text - title: Internal Networks - multi: true - required: false - show_user: true - default: - - private - description: The internal IP subnet(s) of the network. - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. 
- - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - pfsense - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: tcp - template_path: tcp.yml.hbs - title: pfSense syslog logs - description: Collect pfsense logs using tcp input - enabled: false - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen to TCP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The TCP port to listen for syslog traffic. Ports below 1024 require Filebeat to run as root. - multi: false - required: true - show_user: true - default: 9001 - - name: internal_networks - type: text - title: Internal Networks - multi: true - required: false - show_user: true - default: - - private - description: The internal IP subnet(s) of the network. - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes (with no timezone) in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. 
If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - pfsense - - forwarded - - name: ssl - type: yaml - title: TLS configuration - multi: false - required: false - show_user: true - description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/pfsense/1.0.3/data_stream/log/sample_event.json b/packages/pfsense/1.0.3/data_stream/log/sample_event.json deleted file mode 100755 index 6f70d5817e..0000000000 --- a/packages/pfsense/1.0.3/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,135 +0,0 @@ -{ - "@timestamp": "2021-07-04T00:10:14.578Z", - "agent": { - "ephemeral_id": "238d98ab-083f-4ff7-990f-1651450ce860", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "pfsense.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "175.16.199.1", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 853 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "pfsense.log", - "ingested": "2022-05-09T17:35:12Z", - "kind": "event", - "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale\n", - "provider": "filterlog", - "reason": "match", - "timezone": "-05:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.4:58663" - }, - "syslog": { - "priority": 134 - } - }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", - "network": { - "bytes": 60, - "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=", - "direction": "outbound", - "iana_number": "6", - "transport": "tcp", - "type": "ipv4" - }, - "observer": { - "ingress": { - "interface": { - "name": "igb1.12" - }, - "vlan": { - "id": "12" - } - }, - 
"name": "pfSense.example.com", - "type": "firewall", - "vendor": "netgate" - }, - "pfsense": { - "ip": { - "flags": "DF", - "id": 32989, - "offset": 0, - "tos": "0x0", - "ttl": 63 - }, - "tcp": { - "flags": "S", - "length": 0, - "options": [ - "mss", - "sackOK", - "TS", - "nop", - "wscale" - ], - "window": 64240 - } - }, - "process": { - "name": "filterlog", - "pid": 72237 - }, - "related": { - "ip": [ - "175.16.199.1", - "10.170.12.50" - ] - }, - "rule": { - "id": "1535324496" - }, - "source": { - "address": "10.170.12.50", - "ip": "10.170.12.50", - "port": 49652 - }, - "tags": [ - "preserve_original_event", - "pfsense", - "forwarded" - ] -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/docs/README.md b/packages/pfsense/1.0.3/docs/README.md deleted file mode 100755 index 07f30b6ccd..0000000000 --- a/packages/pfsense/1.0.3/docs/README.md +++ /dev/null 
@@ -1,431 +0,0 @@ -# pfSense Integration - -This is an integration to parse certain logs from [pfSense and OPNsense firewalls](https://docs.netgate.com/pfsense/en/latest/). It parses logs received over the network via syslog (UDP/TCP/TLS). pfSense natively only supports UDP. OPNsense supports all 3 transports. - -Currently the integration supports parsing the Firewall, Unbound, DHCP Daemon, OpenVPN, IPsec, HAProxy, Squid, and PHP-FPM (Authentication) logs. -All other events will be dropped. -The HAProxy logs are setup to be compatible with the dashboards from the HAProxy integration. Install the HAPrxoy integration assets to use them. - -## pfSense Setup -1. Navigate to _Status -> System Logs_, then click on _Settings_ -2. At the bottom check _Enable Remote Logging_ -3. (Optional) Select a specific interface to use for forwarding -4. Input the agent IP address and port as set via the integration config into the field _Remote log servers_ (e.g. 192.168.100.50:5140) -5. Under _Remote Syslog Contents_ select what logs to forward to the agent - * Select _Everything_ to forward all logs to the agent or select the individual services to forward. Any log entry not in the list above will be dropped. This will cause additional data to be sent to the agent and Elasticsearch. The firewall, VPN, DHCP, DNS, and Authentication (PHP-FPM) logs are able to be individually selected. In order to collect HAProxy and Squid or other "package" logs, the _Everything_ option must be selected. - -## OPNsense Setup -1. Navigate to _System -> Settings -> Logging/Targets_ -2. Add a new _Logging/Target_ (Click the plus icon) - - Transport = UDP or TCP or TLS - - Applications = Select a list of applications to send to remote syslog. Leave empty for all. 
- - Levels = Nothing Selected - - Facilities = Nothing Selected - - Hostname = IP of Elastic agent as configured in the integration config - - Port = Port of Elastic agent as configured in the integration config - - Certificate = Client certificate to use (when selecting a tls transport type) - - Description = Syslog to Elasticsearch - - Click Save - - The module is by default configured to run with the `udp` input on port `9001`. - -**Important** -The pfSense integration supports both the BSD logging format (used by pfSense by default and OPNsense) and the Syslog format (optional for pfSense). -However the syslog format is recommended. It will provide the firewall hostname and timestamps with timezone information. -When using the BSD format, the `Timezone Offset` config must be set when deploying the agent or else the timezone will default to the timezone of the agent. See `https:///status_logs_settings.php` and https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html for more information. - -A huge thanks to [a3ilson](https://github.com/a3ilson) for the https://github.com/pfelk/pfelk repo, which is the foundation for the majority of the grok patterns and dashboards in this integration. - -## Logs - -### pfSense log - -This is the pfSense `log` dataset. 
- -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-07-04T00:10:14.578Z", - "agent": { - "ephemeral_id": "238d98ab-083f-4ff7-990f-1651450ce860", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "pfsense.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "175.16.199.1", - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - "region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1", - "port": 853 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "block", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "pfsense.log", - "ingested": "2022-05-09T17:35:12Z", - "kind": "event", - "original": "\u003c134\u003e1 2021-07-03T19:10:14.578288-05:00 pfSense.example.com filterlog 72237 - - 146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale\n", - "provider": "filterlog", - "reason": "match", - "timezone": "-05:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.18.0.4:58663" - }, - "syslog": { - "priority": 134 - } - }, - "message": "146,,,1535324496,igb1.12,match,block,in,4,0x0,,63,32989,0,DF,6,tcp,60,10.170.12.50,175.16.199.1,49652,853,0,S,1818117648,,64240,,mss;sackOK;TS;nop;wscale", - "network": { - "bytes": 60, - "community_id": "1:pOXVyPJTFJI5seusI/UD6SwvBjg=", - "direction": "outbound", - "iana_number": "6", - "transport": "tcp", - "type": "ipv4" - }, - "observer": { - "ingress": { - "interface": { - "name": 
"igb1.12" - }, - "vlan": { - "id": "12" - } - }, - "name": "pfSense.example.com", - "type": "firewall", - "vendor": "netgate" - }, - "pfsense": { - "ip": { - "flags": "DF", - "id": 32989, - "offset": 0, - "tos": "0x0", - "ttl": 63 - }, - "tcp": { - "flags": "S", - "length": 0, - "options": [ - "mss", - "sackOK", - "TS", - "nop", - "wscale" - ], - "window": 64240 - } - }, - "process": { - "name": "filterlog", - "pid": 72237 - }, - "related": { - "ip": [ - "175.16.199.1", - "10.170.12.50" - ] - }, - "rule": { - "id": "1535324496" - }, - "source": { - "address": "10.170.12.50", - "ip": "10.170.12.50", - "port": 49652 - }, - "tags": [ - "preserve_original_event", - "pfsense", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| haproxy.backend_name | Name of the backend (or listener) which was selected to manage the connection to the server. | keyword | -| haproxy.backend_queue | Total number of requests which were processed before this one in the backend's global queue. | long | -| haproxy.bind_name | Name of the listening address which received the connection. | keyword | -| haproxy.bytes_read | Total number of bytes transmitted to the client when the log is emitted. 
| long | -| haproxy.connection_wait_time_ms | Total time in milliseconds spent waiting for the connection to establish to the final server | long | -| haproxy.connections.active | Total number of concurrent connections on the process when the session was logged. | long | -| haproxy.connections.backend | Total number of concurrent connections handled by the backend when the session was logged. | long | -| haproxy.connections.frontend | Total number of concurrent connections on the frontend when the session was logged. | long | -| haproxy.connections.retries | Number of connection retries experienced by this session when trying to connect to the server. | long | -| haproxy.connections.server | Total number of concurrent connections still active on the server when the session was logged. | long | -| haproxy.error_message | Error message logged by HAProxy in case of error. | text | -| haproxy.frontend_name | Name of the frontend (or listener) which received and processed the connection. | keyword | -| haproxy.http.request.captured_cookie | Optional "name=value" entry indicating that the server has returned a cookie with its request. | keyword | -| haproxy.http.request.captured_headers | List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. | keyword | -| haproxy.http.request.raw_request_line | Complete HTTP request line, including the method, request and HTTP version string. | keyword | -| haproxy.http.request.time_wait_ms | Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. | long | -| haproxy.http.request.time_wait_without_data_ms | Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. | long | -| haproxy.http.response.captured_cookie | Optional "name=value" entry indicating that the client had this cookie in the response. 
| keyword | -| haproxy.http.response.captured_headers | List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. | keyword | -| haproxy.mode | mode that the frontend is operating (TCP or HTTP) | keyword | -| haproxy.server_name | Name of the last server to which the connection was sent. | keyword | -| haproxy.server_queue | Total number of requests which were processed before this one in the server queue. | long | -| haproxy.source | The HAProxy source of the log | keyword | -| haproxy.tcp.connection_waiting_time_ms | Total time in milliseconds elapsed between the accept and the last close | long | -| haproxy.termination_state | Condition the session was in when the session ended. | keyword | -| haproxy.time_backend_connect | Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. | long | -| haproxy.time_queue | Total time in milliseconds spent waiting in the various queues. | long | -| haproxy.total_waiting_time_ms | Total time in milliseconds spent waiting in the various queues | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| hostname | Hostname from syslog header. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Type of Filebeat input. 
| keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.source.address | Source address of the syslog message. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| pfsense.dhcp.hostname | Hostname of DHCP client | keyword | -| pfsense.icmp.code | ICMP code. | long | -| pfsense.icmp.destination.ip | Original destination address of the connection that caused this notification | ip | -| pfsense.icmp.id | ID of the echo request/reply | long | -| pfsense.icmp.mtu | MTU to use for subsequent data to this destination | long | -| pfsense.icmp.otime | Originate Timestamp | date | -| pfsense.icmp.parameter | ICMP parameter. | long | -| pfsense.icmp.redirect | ICMP redirect address. | ip | -| pfsense.icmp.rtime | Receive Timestamp | date | -| pfsense.icmp.seq | ICMP sequence number. | long | -| pfsense.icmp.ttime | Transmit Timestamp | date | -| pfsense.icmp.type | ICMP type. | keyword | -| pfsense.icmp.unreachable.iana_number | Protocol ID number that was unreachable | long | -| pfsense.icmp.unreachable.other | Other unreachable information | keyword | -| pfsense.icmp.unreachable.port | Port number that was unreachable | long | -| pfsense.ip.ecn | Explicit Congestion Notification. | keyword | -| pfsense.ip.flags | IP flags. | keyword | -| pfsense.ip.flow_label | Flow label | keyword | -| pfsense.ip.id | ID of the packet | long | -| pfsense.ip.offset | Fragment offset | long | -| pfsense.ip.tos | IP Type of Service identification. | keyword | -| pfsense.ip.ttl | Time To Live (TTL) of the packet | long | -| pfsense.openvpn.peer_info | Information about the Open VPN client | keyword | -| pfsense.tcp.ack | TCP Acknowledgment number. | long | -| pfsense.tcp.flags | TCP flags. | keyword | -| pfsense.tcp.length | Length of the TCP header and payload. | long | -| pfsense.tcp.options | TCP Options. | array | -| pfsense.tcp.seq | TCP sequence number. | long | -| pfsense.tcp.urg | Urgent pointer data. | keyword | -| pfsense.tcp.window | Advertised TCP window size. 
| long | -| pfsense.udp.length | Length of the UDP header and payload. | long | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| process.program | Process from syslog header. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.port | Port of the source. | long | -| source.user.full_name | User's full name, if available. | keyword | -| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | -| source.user.id | Unique identifier of the user. | keyword | -| squid.hierarchy_status | The proxy hierarchy route; the route Content Gateway used to retrieve the object. | keyword | -| squid.request_status | The cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described [here](https://www.websense.com/content/support/library/web/v773/wcg_help/cachrslt.aspx#596301). | keyword | -| tags | List of keywords used to tag each event. 
| keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. 
| long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - 
diff --git a/packages/pfsense/1.0.3/img/dhcp.png b/packages/pfsense/1.0.3/img/dhcp.png deleted file mode 100755 index 3f73f8f3f4..0000000000 Binary files a/packages/pfsense/1.0.3/img/dhcp.png and /dev/null differ diff --git a/packages/pfsense/1.0.3/img/firewall.png b/packages/pfsense/1.0.3/img/firewall.png deleted file mode 100755 index c98b30b09d..0000000000 Binary files a/packages/pfsense/1.0.3/img/firewall.png and /dev/null differ diff --git a/packages/pfsense/1.0.3/img/pfsense.svg b/packages/pfsense/1.0.3/img/pfsense.svg deleted file mode 100755 index f63b99ab31..0000000000 --- a/packages/pfsense/1.0.3/img/pfsense.svg +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - image/svg+xml - - pfSense Logo - - - - pfSense Logo - - - - - - - - - - diff --git a/packages/pfsense/1.0.3/img/unbound-1.png b/packages/pfsense/1.0.3/img/unbound-1.png deleted file mode 100755 index cc53e8aa49..0000000000 Binary files a/packages/pfsense/1.0.3/img/unbound-1.png and /dev/null differ diff --git a/packages/pfsense/1.0.3/img/unbound-2.png b/packages/pfsense/1.0.3/img/unbound-2.png deleted file mode 100755 index eaa51ee3df..0000000000 Binary files a/packages/pfsense/1.0.3/img/unbound-2.png and /dev/null differ diff --git a/packages/pfsense/1.0.3/img/unbound-3.png b/packages/pfsense/1.0.3/img/unbound-3.png deleted file mode 100755 index 838bfdc6bf..0000000000 Binary files a/packages/pfsense/1.0.3/img/unbound-3.png and /dev/null differ diff --git a/packages/pfsense/1.0.3/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json deleted file mode 100755 index 47067b4828..0000000000 --- a/packages/pfsense/1.0.3/kibana/dashboard/pfsense-986061c0-3a9a-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"w\":34,\"x\":0,\"y\":0},\"panelIndex\":\"73294aad-e475-4a63-97d1-fc214a83bb0a\",\"panelRefName\":\"panel_73294aad-e475-4a63-97d1-fc214a83bb0a\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"w\":14,\"x\":34,\"y\":0},\"panelIndex\":\"46725bb5-e239-4fa2-8dfd-4de947863354\",\"panelRefName\":\"panel_46725bb5-e239-4fa2-8dfd-4de947863354\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"w\":14,\"x\":34,\"y\":6},\"panelIndex\":\"f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"panelRefName\":\"panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"a7662c6e-94d5-4062-85f4-0132897f3578\",\"panelRefName\":\"panel_a7662c6e-94d5-4062-85f4-0132897f3578\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"panelRefName\":\"panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"27569da9-7531-40cf-be93-8778738b68be\",
\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"27569da9-7531-40cf-be93-8778738b68be\",\"panelRefName\":\"panel_27569da9-7531-40cf-be93-8778738b68be\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"columns\":[\"log.level\",\"client.ip\",\"dns.question.name\",\"dns.question.type\",\"dns.question.class\"],\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"w\":30,\"x\":0,\"y\":46},\"panelIndex\":\"7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"panelRefName\":\"panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f\",\"type\":\"search\",\"version\":\"7.15.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"w\":18,\"x\":30,\"y\":46},\"panelIndex\":\"6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"panelRefName\":\"panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae\",\"type\":\"visualization\",\"version\":\"7.15.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "Unbound - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-986061c0-3a9a-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534", - "name": "73294aad-e475-4a63-97d1-fc214a83bb0a:panel_73294aad-e475-4a63-97d1-fc214a83bb0a", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "46725bb5-e239-4fa2-8dfd-4de947863354:panel_46725bb5-e239-4fa2-8dfd-4de947863354", - "type": "visualization" - }, - { - "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534", - "name": "f39b1b4c-b444-4d25-a8c5-a78b6285025f:panel_f39b1b4c-b444-4d25-a8c5-a78b6285025f", - "type": "visualization" - }, - { - "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534", - "name": "a7662c6e-94d5-4062-85f4-0132897f3578:panel_a7662c6e-94d5-4062-85f4-0132897f3578", - "type": "visualization" - }, - { - "id": 
"pfsense-98775710-3a98-11eb-96b2-e765737b7534", - "name": "763610d2-c8aa-4ab9-9a63-112e2471dcfc:panel_763610d2-c8aa-4ab9-9a63-112e2471dcfc", - "type": "visualization" - }, - { - "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534", - "name": "27569da9-7531-40cf-be93-8778738b68be:panel_27569da9-7531-40cf-be93-8778738b68be", - "type": "visualization" - }, - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "7ea4ebda-9d0c-4885-9c37-71cd0665497f:panel_7ea4ebda-9d0c-4885-9c37-71cd0665497f", - "type": "search" - }, - { - "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534", - "name": "6a32114d-577c-488b-b1e9-b7b4fc8941ae:panel_6a32114d-577c-488b-b1e9-b7b4fc8941ae", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json deleted file mode 100755 index 7bb13ddc75..0000000000 --- a/packages/pfsense/1.0.3/kibana/dashboard/pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,82 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"w\":16,\"x\":0,\"y\":7},\"panelIndex\":\"e0fb8e49-4af8-4958-9d55-8db1ed6cad2b\",\"panelRefName\":\"panel_0\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"w\":17,\"x\":16,\"y\":0},\"panelIndex\":\"82ed451e-8ee1-41a5-9aea-ffbd723c86cc\",\"panelRefName\":\"panel_1\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"d2c26a96-ad50-4155-a67e-b6559246c302\",\"panelRefName\":\"panel_2\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"9db410fe-e1b3-46d1-9e9b-828f3cec05dd\",\"panelRefName\":\"panel_3\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"w\":15,\"x\":33,\"y\":7},\"panelIndex\":\"20a6aca9-2a7c-4b4a-8bd4-f2e9ae5d6249\",\"panelRefName\":\"panel_4\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"w\":33,\"x\":0,\"y\":14},\"panelIndex\":\"c2fbea99-8684-446a-a570-48bcbb9f1c39\",\"panelRefName\":\"panel_5\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"w\":15,\"x\":33,\"y\":14},\"panelIndex\":\"f4ceeef3-255f-4a1d-85f3-0635aa6a0772\",\"panelRefName\":\"panel_6
\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"w\":33,\"x\":0,\"y\":28},\"panelIndex\":\"a49d8775-3fc1-4b7b-8e8b-26c9e8705b6a\",\"panelRefName\":\"panel_7\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"w\":15,\"x\":33,\"y\":28},\"panelIndex\":\"60b4467b-8227-41de-b5ec-00c860793819\",\"panelRefName\":\"panel_8\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.vlan.id\",\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"rule.id\",\"event.action\"],\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"w\":48,\"x\":0,\"y\":43},\"panelIndex\":\"290350f0-e295-4441-8228-2f7c74fc8a0c\",\"panelRefName\":\"panel_9\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"b5d79638-384f-411b-a5c9-0d5aea67c08f\",\"panelRefName\":\"panel_10\",\"version\":\"7.11.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"gridData\":{\"h\":21,\"i\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"20537b1f-8d42-4522-8f9e-8e6fbccca58a\",\"panelRefName\":\"panel_11\",\"version\":\"7.11.0\"}]", - "timeRestore": false, - "title": "Firewall - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-bdb33ee0-3a8e-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534", - "name": "panel_1", - "type": "lens" - }, - { - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - 
"name": "panel_2", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534", - "name": "panel_5", - "type": "lens" - }, - { - "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "panel_9", - "type": "search" - }, - { - "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534", - "name": "panel_11", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 133ffa4a16..0000000000 --- a/packages/pfsense/1.0.3/kibana/dashboard/pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":22,\"i\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"w\":35,\"x\":0,\"y\":0},\"panelIndex\":\"2b46d706-0288-4541-8880-ccb2efeeee92\",\"panelRefName\":\"panel_2b46d706-0288-4541-8880-ccb2efeeee92\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"6018121a-9303-4c73-9c96-d23362cdc74d\",\"panelRefName\":\"panel_6018121a-9303-4c73-9c96-d23362cdc74d\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"w\":13,\"x\":35,\"y\":7},\"panelIndex\":\"b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"panelRefName\":\"panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"w\":13,\"x\":35,\"y\":14},\"panelIndex\":\"d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"panelRefName\":\"panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"w\":32,\"x\":0,\"y\":22},\"panelIndex\":\"20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"panelRefName\":\"panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5b500115-4722-432b-8d67-38b1a948c1d5\",\"w\":16,\"x\":32,\"y\":22},\"panelIndex\":\"5b
500115-4722-432b-8d67-38b1a948c1d5\",\"panelRefName\":\"panel_5b500115-4722-432b-8d67-38b1a948c1d5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"w\":16,\"x\":0,\"y\":36},\"panelIndex\":\"aa85065f-1b07-468c-b264-1231b59be97b\",\"panelRefName\":\"panel_aa85065f-1b07-468c-b264-1231b59be97b\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"w\":32,\"x\":16,\"y\":36},\"panelIndex\":\"22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"panelRefName\":\"panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5\",\"type\":\"visualization\",\"version\":\"7.10.0\"},{\"embeddableConfig\":{\"columns\":[\"observer.name\",\"observer.ingress.interface.name\",\"event.action\",\"client.ip\",\"client.mac\",\"pfsense.dhcp.hostname\"],\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"73ea92c6-7373-4121-a255-1ed2e43010c1\",\"panelRefName\":\"panel_73ea92c6-7373-4121-a255-1ed2e43010c1\",\"type\":\"search\",\"version\":\"7.10.0\"}]", - "timeRestore": false, - "title": "DHCP - Dashboard [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-c8b42350-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "dashboard": "7.14.0" - }, - "references": [ - { - "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534", - "name": "2b46d706-0288-4541-8880-ccb2efeeee92:panel_2b46d706-0288-4541-8880-ccb2efeeee92", - "type": "visualization" - }, - { - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - "name": "6018121a-9303-4c73-9c96-d23362cdc74d:panel_6018121a-9303-4c73-9c96-d23362cdc74d", - "type": "visualization" - }, - { - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "name": "b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082:panel_b7f79d47-95a2-4bfd-8f8f-4d6dc56ac082", - 
"type": "visualization" - }, - { - "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534", - "name": "d9f98967-4e91-4eef-9a43-9caaeeebe6f8:panel_d9f98967-4e91-4eef-9a43-9caaeeebe6f8", - "type": "visualization" - }, - { - "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534", - "name": "20e8c75c-3e93-42ab-b5c5-6ad814b64151:panel_20e8c75c-3e93-42ab-b5c5-6ad814b64151", - "type": "visualization" - }, - { - "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534", - "name": "5b500115-4722-432b-8d67-38b1a948c1d5:panel_5b500115-4722-432b-8d67-38b1a948c1d5", - "type": "visualization" - }, - { - "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534", - "name": "aa85065f-1b07-468c-b264-1231b59be97b:panel_aa85065f-1b07-468c-b264-1231b59be97b", - "type": "visualization" - }, - { - "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534", - "name": "22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5:panel_22ea957e-7ba8-4ce0-b5d5-ccd92cb4deb5", - "type": "visualization" - }, - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "73ea92c6-7373-4121-a255-1ed2e43010c1:panel_73ea92c6-7373-4121-a255-1ed2e43010c1", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0e6f2067c4..0000000000 --- a/packages/pfsense/1.0.3/kibana/lens/pfsense-274304d0-3a8f-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "Treemap depicting the top 10 countries by destination ", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778": { - "columnOrder": [ - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35", - "57fc4315-85f4-4449-a8bd-308ec2e81e68" - ], - "columns": { - "57fc4315-85f4-4449-a8bd-308ec2e81e68": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of destination.geo.country_name", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "57fc4315-85f4-4449-a8bd-308ec2e81e68", - "type": "column" - }, - "orderDirection": "desc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "destination.geo.country_name" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "9d13ff42-0a6d-4cb4-bff4-bbd64836de35" - ], - "layerId": "d77ab0e4-c2c2-4fb4-bd98-63c13ade7778", - "legendDisplay": "default", - "metric": "57fc4315-85f4-4449-a8bd-308ec2e81e68", - "nestedLegend": false, - "numberDisplay": "percent", - "percentDecimals": 0 - } - ], - "shape": "treemap" - } - }, - "title": "Firewall - Top Destination Countries/Treemap (Lens) [pfSense]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-274304d0-3a8f-11eb-96b2-e765737b7534", - "migrationVersion": { - "lens": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d77ab0e4-c2c2-4fb4-bd98-63c13ade7778", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.3/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json
deleted file mode 100755
index 02f2a08f36..0000000000
--- a/packages/pfsense/1.0.3/kibana/lens/pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534.json
+++ /dev/null
@@ -1,118 +0,0 @@ -{ - "attributes": { - "description": "Events over time line chart utilizing the LENS virtualization", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "25e5682a-0461-46dc-aa0a-7ad4cec0eade": { - "columnOrder": [ - "f718697e-acee-4bfd-99f4-3406e224ed7f", - "440112fe-405a-4b46-840e-2b9772961acc", - "31549313-ebc1-427a-9913-3f6f78594221" - ], - "columns": { - "31549313-ebc1-427a-9913-3f6f78594221": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "440112fe-405a-4b46-840e-2b9772961acc": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "f718697e-acee-4bfd-99f4-3406e224ed7f": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of event.action", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "31549313-ebc1-427a-9913-3f6f78594221", - "type": "column" - }, - "orderDirection": "desc", - "size": 5 - }, - "scale": "ordinal", - "sourceField": "event.action" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "31549313-ebc1-427a-9913-3f6f78594221" - ], - "layerId": "25e5682a-0461-46dc-aa0a-7ad4cec0eade", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "f718697e-acee-4bfd-99f4-3406e224ed7f", - "xAccessor": "440112fe-405a-4b46-840e-2b9772961acc" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - 
"x": true, - "yLeft": true, - "yRight": true - } - } - }, - "title": "Firewall - Events/Time (Lens) [pfSense]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-b3edd4c0-3a8d-11eb-96b2-e765737b7534", - "migrationVersion": { - "lens": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-25e5682a-0461-46dc-aa0a-7ad4cec0eade", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json deleted file mode 100755 index a455496aa4..0000000000 --- a/packages/pfsense/1.0.3/kibana/search/pfsense-22edf800-3a8e-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"filterlog\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"filterlog\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Firewall - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 2476202065..0000000000 --- a/packages/pfsense/1.0.3/kibana/search/pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"dhcpd\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"dhcpd\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "DHCP - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json b/packages/pfsense/1.0.3/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json deleted file mode 100755 index 133d3caa85..0000000000 --- a/packages/pfsense/1.0.3/kibana/search/pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.provider\",\"negate\":false,\"params\":{\"query\":\"unbound\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.provider\":\"unbound\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [], - "title": "Unbound - Discover [pfSense]", - "version": 1 - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index e672a59a66..0000000000 
--- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-072449e0-3a9c-11eb-96b2-e765737b7534.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Client IP/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAx
is-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Client IP/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-072449e0-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 75f6a89eae..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "Select by interface alias", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Interface Selector [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.ingress.interface.name\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Interface Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Interface Selector\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-12e2d4a0-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json deleted file mode 100755 index a3ebaa5ea7..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound dns question types", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Question Types [pfSense]", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"top\",\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Unbound - Question Types [pfSense]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-2fed9a00-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json deleted file mode 100755 index 7f73b1e962..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Firewall Selector [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"observer.name\",\"id\":\"1613404486264\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Firewall Selector\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Firewall Selector\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-3c2082f0-6fa6-11eb-bc1e-ffcd90393e56", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json deleted file mode 100755 index bfc06cc851..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-457371f0-3afe-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Operation/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-12h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Lef
tAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"DHCP - Operation/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-457371f0-3afe-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 985d72a2e0..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "Select by network transport type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"pfsense.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"pfsense.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Network Transport Type [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"network.transport\",\"id\":\"1607565832669\",\"indexPatternRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"label\":\"Network Transport Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Network Transport Type\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-46e88c90-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json deleted file mode 100755 index cee6c25e13..0000000000 
--- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-5b553450-3a99-11eb-96b2-e765737b7534.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound client IP over time", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Client IP/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"tru
ncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Unbound - Client IP/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-5b553450-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 44a1d15c5a..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Interface [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Interface\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-6f94bd20-3a9c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index e4a8a861bc..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-77eaf920-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Top 10 client IP unbound events", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Top Client IPs [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Client IPs\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-77eaf920-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json deleted file mode 100755 index b3c6b75a69..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Displays quantity of events based on action type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Event Action [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Event Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Firewall - Event Action\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-88b2daa0-3a8b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0e0841e17f..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-98775710-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Top 10 domain name question/queries", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Top Queries [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.registered_domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Unbound - Top Queried Domains \",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-98775710-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json deleted file mode 100755 index ed42e0ac5c..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-9990cd00-3afe-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Client IP [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Client IP\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-9990cd00-3afe-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json deleted file mode 100755 index e5404d633a..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-b1545340-3a8f-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Heatmap of destination countries", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Country Destination/Heatmap [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Destination Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Destination/Heatmap\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-b1545340-3a8f-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": 
"visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json deleted file mode 100755 index 0489e7a517..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - IP/MAC Flow [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"client.mac\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, 
different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: destinationNodes\\n source: nodes\\n transform: [\\n {type: 
\\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n 
mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"DHCP - IP/MAC Flow\",\"type\":\"vega\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-bf8b2040-3a9b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 384f395db3..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Events over type based on network transport type", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Network Transport/Time [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport/Time\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histog
ram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Firewall - Network Transport/Time\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-c8a34db0-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json deleted file mode 100755 index 09a7a4ce7a..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Heatmap of source countries", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Country Source/Heatmap [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Source Heatmap\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-90m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Firewall - Country Source/Heatmap\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-dc86acc0-3a8f-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No 
newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json deleted file mode 100755 index 4ce6eca893..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "DHCP - Operation [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"DHCP - Operation\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-dffb6ab0-3a9b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-ec91cf20-3a9c-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json deleted file mode 100755 index bd1ab0a445..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Client IP \u003c-flow-\u003e dns question name", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - DNS Flow [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"spec\":\"{\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\n data: [\\n {\\n // query ES based on the currently selected time range and filter string\\n name: rawData\\n url: {\\n %context%: true\\n %timefield%: @timestamp\\n index: logs-*\\n body: {\\n size: 0\\n aggs: {\\n table: {\\n composite: {\\n size: 10000\\n sources: [\\n {\\n stk1: {\\n terms: {field: \\\"client.ip\\\"}\\n }\\n }\\n {\\n stk2: {\\n terms: {field: \\\"dns.question.name\\\"}\\n }\\n }\\n ]\\n }\\n }\\n }\\n }\\n }\\n // From the result, take just the data we are interested in\\n format: {property: \\\"aggregations.table.buckets\\\"}\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\n transform: [\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\n ]\\n }\\n {\\n name: nodes\\n source: rawData\\n transform: [\\n // when a country is selected, filter out unrelated data\\n {\\n type: filter\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\n }\\n // Set new key for later lookups - identifies each node\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\n // instead of each table row, create two new rows,\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\n {\\n type: fold\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\n as: 
[\\\"stack\\\", \\\"grpId\\\"]\\n }\\n // Create a sortkey, different for stk1 and stk2 stacks.\\n // Space separator ensures proper sort order in some corner cases.\\n {\\n type: formula\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\n as: sortField\\n }\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\n // independently for each stack, and ensuring they are in the proper order,\\n // alphabetical from the top (reversed on the y axis)\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\n field: size\\n }\\n // calculate vertical center point for each node, used to draw edges\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\n ]\\n }\\n {\\n name: groups\\n source: nodes\\n transform: [\\n // combine all nodes into country groups, summing up the doc counts\\n {\\n type: aggregate\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\n fields: [\\\"size\\\"]\\n ops: [\\\"sum\\\"]\\n as: [\\\"total\\\"]\\n }\\n // re-calculate the stacking y0,y1 values\\n {\\n type: stack\\n groupby: [\\\"stack\\\"]\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\n field: total\\n }\\n // project y0 and y1 values to screen coordinates\\n // doing it once here instead of doing it several times in marks\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\n // boolean flag if the label should be on the right of the stack\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\n // domain upper bound, which represents the total traffic\\n {\\n type: formula\\n expr: datum.total/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n {\\n // This is a temp lookup table with all the 'stk2' stack nodes\\n name: 
destinationNodes\\n source: nodes\\n transform: [\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\n ]\\n }\\n {\\n name: edges\\n source: nodes\\n transform: [\\n // we only want nodes from the left stack\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\n {\\n type: lookup\\n from: destinationNodes\\n key: key\\n fields: [\\\"key\\\"]\\n as: [\\\"target\\\"]\\n }\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\n {\\n type: linkpath\\n orient: horizontal\\n shape: diagonal\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\n }\\n // A little trick to calculate the thickness of the line.\\n // The value needs to be the same as the hight of the node, but scaling\\n // size to screen's height gives inversed value because screen's Y\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\n {\\n type: formula\\n expr: range('y')[0]-scale('y', datum.size)\\n as: strokeWidth\\n }\\n // Tooltip needs individual link's percentage of all traffic\\n {\\n type: formula\\n expr: datum.size/domain('y')[1]\\n as: percentage\\n }\\n ]\\n }\\n ]\\n scales: [\\n {\\n // calculates horizontal stack positioning\\n name: x\\n type: band\\n range: width\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n paddingOuter: 0.05\\n paddingInner: 0.95\\n }\\n {\\n // this scale goes up as high as the highest y1 value of all nodes\\n name: y\\n type: linear\\n range: height\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\n }\\n {\\n // use rawData to ensure the colors stay the same when clicking.\\n name: color\\n type: ordinal\\n range: category\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\n }\\n {\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\n name: stackNames\\n type: ordinal\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\n }\\n ]\\n axes: [\\n {\\n // x axis should use custom label formatting to print proper stack names\\n orient: bottom\\n scale: x\\n encode: {\\n labels: {\\n update: {\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\n }\\n }\\n }\\n }\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\n ]\\n marks: [\\n {\\n // draw the connecting line between stacks\\n type: path\\n name: edgeMark\\n from: {data: \\\"edges\\\"}\\n // this prevents some autosizing issues with large strokeWidth for paths\\n clip: true\\n encode: {\\n update: {\\n // By default use color of the left node, except when showing traffic\\n // from just one country, in which case use destination color.\\n stroke: [\\n {\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\n scale: color\\n field: stk2\\n }\\n {scale: \\\"color\\\", field: 
\\\"stk1\\\"}\\n ]\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\n path: {field: \\\"path\\\"}\\n // when showing all traffic, and hovering over a country,\\n // highlight the traffic from that country.\\n strokeOpacity: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\n }\\n // Ensure that the hover-selected edges show on top\\n zindex: {\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\n }\\n // format tooltip string\\n tooltip: {\\n signal: datum.stk1 + ' → ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n // Simple mouseover highlighting of a single line\\n hover: {\\n strokeOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw stack groups (countries)\\n type: rect\\n name: groupMark\\n from: {data: \\\"groups\\\"}\\n encode: {\\n enter: {\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\n width: {scale: \\\"x\\\", band: 1}\\n }\\n update: {\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\n y: {field: \\\"scaledY0\\\"}\\n y2: {field: \\\"scaledY1\\\"}\\n fillOpacity: {value: 0.6}\\n tooltip: {\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\n }\\n }\\n hover: {\\n fillOpacity: {value: 1}\\n }\\n }\\n }\\n {\\n // draw country code labels on the inner side of the stack\\n type: text\\n from: {data: \\\"groups\\\"}\\n // don't process events for the labels - otherwise line mouseover is unclean\\n interactive: false\\n encode: {\\n update: {\\n // depending on which stack it is, position x with some padding\\n x: {\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\n }\\n // middle of the group\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\n align: {signal: \\\"datum.rightLabel ? 
'left' : 'right'\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n // only show text label if the group's height is large enough\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\n }\\n }\\n }\\n {\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\n type: group\\n data: [\\n // We need to make the button show only when groupSelector signal is true.\\n // Each mark is drawn as many times as there are elements in the backing data.\\n // Which means that if values list is empty, it will not be drawn.\\n // Here I create a data source with one empty object, and filter that list\\n // based on the signal value. This can only be done in a group.\\n {\\n name: dataForShowAll\\n values: [{}]\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\n }\\n ]\\n // Set button size and positioning\\n encode: {\\n enter: {\\n xc: {signal: \\\"width/2\\\"}\\n y: {value: 30}\\n width: {value: 80}\\n height: {value: 30}\\n }\\n }\\n marks: [\\n {\\n // This group is shown as a button with rounded corners.\\n type: group\\n // mark name allows signal capturing\\n name: groupReset\\n // Only shows button if dataForShowAll has values.\\n from: {data: \\\"dataForShowAll\\\"}\\n encode: {\\n enter: {\\n cornerRadius: {value: 6}\\n fill: {value: \\\"#f5f5f5\\\"}\\n stroke: {value: \\\"#c1c1c1\\\"}\\n strokeWidth: {value: 2}\\n // use parent group's size\\n height: {\\n field: {group: \\\"height\\\"}\\n }\\n width: {\\n field: {group: \\\"width\\\"}\\n }\\n }\\n update: {\\n // groups are transparent by default\\n opacity: {value: 1}\\n }\\n hover: {\\n opacity: {value: 0.7}\\n }\\n }\\n marks: [\\n {\\n type: text\\n // if true, it will prevent clicking on the button when over text.\\n interactive: false\\n encode: {\\n enter: {\\n // center text in the paren group\\n xc: {\\n field: {group: \\\"width\\\"}\\n mult: 0.5\\n }\\n yc: {\\n field: {group: \\\"height\\\"}\\n 
mult: 0.5\\n offset: 2\\n }\\n align: {value: \\\"center\\\"}\\n baseline: {value: \\\"middle\\\"}\\n fontWeight: {value: \\\"bold\\\"}\\n text: {value: \\\"Show All\\\"}\\n }\\n }\\n }\\n ]\\n }\\n ]\\n }\\n ]\\n signals: [\\n {\\n // used to highlight traffic to/from the same country\\n name: groupHover\\n value: {}\\n on: [\\n {\\n events: @groupMark:mouseover\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\n ]\\n }\\n // used to filter only the data related to the selected country\\n {\\n name: groupSelector\\n value: false\\n on: [\\n {\\n // Clicking groupMark sets this signal to the filter values\\n events: @groupMark:click!\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\n }\\n {\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\n events: [\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\n {type: \\\"dblclick\\\"}\\n ]\\n update: \\\"false\\\"\\n }\\n ]\\n }\\n ]\\n}\"},\"title\":\"Unbound - DNS Flow\",\"type\":\"vega\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-e895c9b0-3a99-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json deleted file mode 100755 index b773f61c44..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Pie chart depicting events by interface alias", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Events by Interface [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Firewall - Events by Interface\",\"field\":\"observer.ingress.interface.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Firewall - Events by Interface\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-eadb2e30-3a8b-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json deleted file mode 100755 index 137b895052..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-f554afa0-3a98-11eb-96b2-e765737b7534.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Unbound request heat map by IP address", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Unbound - Request Rate [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-7h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":false,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"type\":\"heatmap\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"black\",\"overwriteColor\":false,\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Unbound - Request Rate\",\"type\":\"heatmap\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-f554afa0-3a98-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-f9ed8947-6d26-4497-905f-57d08ee304f4", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/pfsense/1.0.3/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json b/packages/pfsense/1.0.3/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json deleted file mode 100755 index 95dfc88834..0000000000 --- a/packages/pfsense/1.0.3/kibana/visualization/pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "Network transport pie chart", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Firewall - Network Transport [pfSense]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall - Network Transport\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":true,\"type\":\"pie\"},\"title\":\"Firewall - Network Transport \",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.15.0", - "id": "pfsense-feb1a6e0-3a8c-11eb-96b2-e765737b7534", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "pfsense-22edf800-3a8e-11eb-96b2-e765737b7534", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/pfsense/1.0.3/manifest.yml b/packages/pfsense/1.0.3/manifest.yml deleted file mode 100755 index 6889f59e3d..0000000000 
--- a/packages/pfsense/1.0.3/manifest.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-name: pfsense
-title: pfSense Logs
-version: "1.0.3"
-release: ga
-description: Collect and parse logs from pfSense and OPNsense devices with Elastic Agent.
-type: integration
-icons:
- - src: /img/pfsense.svg
- title: pfsense
- size: 512x143
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories:
- - network
- - security
-conditions:
- kibana.version: ^7.15.0 || ^8.0.0
-screenshots:
- - src: /img/firewall.png
- title: pfSense Firewall Dashboard
- size: 2993x1646
- type: image/png
- - src: /img/dhcp.png
- title: pfSense DHCP Dashboard
- size: 2999x1640
- type: image/png
- - src: /img/unbound-1.png
- title: pfSense Unbound Dashboard
- size: 1680x763
- type: image/png
- - src: /img/unbound-2.png
- title: pfSense Unbound Dashboard
- size: 1679x833
- type: image/png
- - src: /img/unbound-3.png
- title: pfSense Unbound Dashboard
- size: 1679x904
- type: image/png
-policy_templates:
- - name: pfsense
- title: pfSense logs
- description: Collect logs from pfSense systems
- inputs:
- - type: udp
- title: "Collect pfSense logs (input: udp)"
- description: "Collecting logs from pfSense systems (input: udp)"
- - type: tcp
- title: "Collect pfSense logs (input: tcp)"
- description: "Collecting logs from pfSense systems (input: tcp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/pulse_connect_secure/1.0.1/changelog.yml b/packages/pulse_connect_secure/1.0.1/changelog.yml
deleted file mode 100755
index dbb2255406..0000000000
--- a/packages/pulse_connect_secure/1.0.1/changelog.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-# newer versions go on top
-- version: "1.0.1"
- changes:
- - description: Add mapping for `event.create`
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3544
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "0.2.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.2.0"
- changes:
- - description: Add support for parsing syslog priority values
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2552
-- version: "0.1.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2434
-- version: "0.0.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/1998
diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/pulse_connect_secure/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 7dd7052361..0000000000
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,18 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/pulse_connect_secure/1.0.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index dfe707f6ab..0000000000
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,15 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pulse_connect_secure/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 57cbefc730..0000000000
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,134 +0,0 @@ ---- -description: Pipeline for parsing Pulse Connect Secure logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - - set: - field: observer.vendor - value: Pulse Secure - - set: - field: observer.product - value: Pulse Secure Connect - - set: - field: observer.type - value: vpn - - grok: - field: event.original - patterns: - - '^(<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER}?|%{SYSLOGTIMESTAMP} %{SYSLOGHOST:host.hostname} %{INT}) %{TIMESTAMP_ISO8601:_tmp.timestamp} %{IP:observer.ip} PulseSecure: - - - %{DATE2} - %{SYSLOGHOST:observer.name} - \[%{IPORHOST:client.address}\] %{USERNAME:user.name}?\(%{DATA:pulse_secure.realm}?\)\[%{DATA:pulse_secure.role}\] - %{GREEDYDATA:message}' - pattern_definitions: - TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' - DATE2: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND})?' - - date: - field: _tmp.timestamp - target_field: '@timestamp' - timezone: "{{ event.timezone }}" - formats: - - ISO8601 - if: ctx.event?.timezone != null - - date: - field: _tmp.timestamp - target_field: '@timestamp' - formats: - - ISO8601 - if: ctx.event?.timezone == null - - set: - field: event.created - copy_from: '@timestamp' - - convert: - field: client.address - target_field: client.ip - type: ip - ignore_missing: true - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - grok: - field: message - patterns: - - 'Agent login %{WORD:_tmp.outcome} for %{DATA}%{SESSION} from %{IP} with %{GREEDYDATA:user_agent.original}.' - - 'VPN Tunneling: Session %{WORD:_tmp.type} for user %{SESSION} with %{NOTSPACE:network.type} address %{IP:client.nat.ip}(, hostname %{HOSTNAME:host.name})?' - - "Session %{WORD} from user agent '%{GREEDYDATA:user_agent.original}' %{SESSION}." - - 'Login %{WORD:_tmp.outcome}( %{GREEDYDATA})?. 
Reason: %{GREEDYDATA:event.reason}' - - '^Primary authentication %{WORD_tmp.outcome}' - - '%{SESSION}' - pattern_definitions: - SESSION: \(session:%{SPACE}?%{NOTSPACE:pulse_secure.session.id}\) - ignore_failure: true - - lowercase: - field: network.type - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_failure: true - ignore_missing: true - - set: - field: event.outcome - value: failure - if: 'ctx._tmp?.outcome != null && ["failed"].contains(ctx._tmp?.outcome)' - - set: - field: event.outcome - value: success - if: 'ctx._tmp?.outcome != null && ["successful", "succeeded"].contains(ctx._tmp?.outcome)' - - append: - field: event.type - value: - - connection - - session - - start - if: ctx._tmp?.type != null && ctx._tmp?.type == "started" - - append: - field: event.type - value: - - connection - - session - - end - if: ctx._tmp?.type != null && ctx._tmp?.type == "ended" - # IP Geolocation Lookup - - geoip: - field: client.ip - target_field: client.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: client.as.asn - target_field: client.as.number - ignore_missing: true - - rename: - field: client.as.organization_name - target_field: client.as.organization.name - ignore_missing: true - - set: - field: source - copy_from: client - - - - - remove: - field: - - _tmp - ignore_missing: true - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/agent.yml b/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/base-fields.yml b/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 6ced01af01..0000000000
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: pulse_connect_secure
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: pulse_connect_secure.log
-- name: log.source.address
- description: Source address from which the log event was read / sent from.
- type: keyword
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- type: long
- description: Log offset
-- name: input.type
- type: keyword
- description: Input type
diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/ecs.yml b/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 964cd6263f..0000000000
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,209 +0,0 @@
-- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
- name: '@timestamp'
- type: date
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: client.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: client.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: client.as.organization.name
- type: keyword
-- description: Region ISO code.
- name: client.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: client.geo.region_name
- type: keyword
-- description: City name.
- name: client.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: client.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: client.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: client.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: client.geo.location
- type: geo_point
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: |-
- Translated IP of source based NAT sessions (e.g. internal client to internet).
- Typically connections traversing load balancers, firewalls, or routers.
- name: client.nat.ip
- type: ip
-- description: |-
- Syslog numeric priority of the event, if available.
- According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
- name: log.syslog.priority
- type: long
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: IP addresses of the observer.
- name: observer.ip
- type: ip
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/fields.yml b/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 865977f758..0000000000
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- name: pulse_secure.session.id
- type: keyword
- description: >
- test
-
-- name: pulse_secure.realm
- type: keyword
- description: >
- test
-
-- name: pulse_secure.role
- type: keyword
- description: >-
- test
diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/manifest.yml b/packages/pulse_connect_secure/1.0.1/data_stream/log/manifest.yml
deleted file mode 100755
index d6c7538634..0000000000
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,100 +0,0 @@
-type: logs
-title: Pulse Connect Secure
-streams:
- - input: udp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: text
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9514
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - pulse_connect_secure-log
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: udp.yml.hbs
- title: Pulse Connect Secure logs (udp)
- description: Collect Pulse Connect Secure logs using udp input
- - input: tcp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: text
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9514
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - pulse_connect_secure-log
- - name: ssl
- type: yaml
- title: TLS configuration
- multi: false
- required: false
- show_user: true
- description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: tcp.yml.hbs
- title: Pulse Connect Secure logs (tcp)
- description: Collect Pulse Connect Secure logs using tcp input
diff --git a/packages/pulse_connect_secure/1.0.1/data_stream/log/sample_event.json b/packages/pulse_connect_secure/1.0.1/data_stream/log/sample_event.json
deleted file mode 100755
index 507cf48f59..0000000000
--- a/packages/pulse_connect_secure/1.0.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,124 +0,0 @@
-{
- "@timestamp": "2021-10-19T09:10:35.000+02:00",
- "agent": {
- "ephemeral_id": "48b94170-8de9-42a4-8608-50484a347a6a",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "client": {
- "address": "89.160.20.156",
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156"
- },
- "data_stream": {
- "dataset": "pulse_connect_secure.log",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "network",
- "created": "2021-10-19T09:10:35.000+02:00",
- "dataset": "pulse_connect_secure.log",
- "ingested": "2022-02-03T09:39:02Z",
- "kind": "event",
- "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.\n",
- "outcome": "success",
- "timezone": "+02:00"
- },
- "host": {
- "hostname": "pcs-node1"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.19.0.7:51695"
- }
- },
- "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.",
- "observer": {
- "ip": "10.5.2.3",
- "name": "pcs-node1",
- "product": "Pulse Secure Connect",
- "type": "vpn",
- "vendor": "Pulse Secure"
- },
- "pulse_secure": {
- "realm": "REALM",
- "role": "REALM_ROLES",
- "session": {
- "id": "sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75"
- }
- },
- "source": {
- "address": "89.160.20.156",
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "pulse_connect_secure-log"
- ],
- "user": {
- "name": "user.name"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Other",
- "original": "Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723",
- "os": {
- "full": "Windows 10",
- "name": "Windows",
- "version": "10"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/pulse_connect_secure/1.0.1/docs/README.md b/packages/pulse_connect_secure/1.0.1/docs/README.md
deleted file mode 100755
index 5949b8dd00..0000000000
--- a/packages/pulse_connect_secure/1.0.1/docs/README.md
+++ /dev/null
@@ -1,232 +0,0 @@ -# Pulse Connect Secure Integration - -This integration is for [Pulse Connect Secure](https://www.pulsesecure.net/products/remote-access-overview/). - -## Log - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-10-19T09:10:35.000+02:00", - "agent": { - "ephemeral_id": "48b94170-8de9-42a4-8608-50484a347a6a", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "client": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "data_stream": { - "dataset": "pulse_connect_secure.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2021-10-19T09:10:35.000+02:00", - "dataset": "pulse_connect_secure.log", - "ingested": "2022-02-03T09:39:02Z", - "kind": "event", - "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.\n", - "outcome": "success", - "timezone": "+02:00" - }, - "host": { - "hostname": "pcs-node1" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.19.0.7:51695" - } - }, - "message": "Agent login succeeded for 
user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", - "observer": { - "ip": "10.5.2.3", - "name": "pcs-node1", - "product": "Pulse Secure Connect", - "type": "vpn", - "vendor": "Pulse Secure" - }, - "pulse_secure": { - "realm": "REALM", - "role": "REALM_ROLES", - "session": { - "id": "sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75" - } - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "pulse_connect_secure-log" - ], - "user": { - "name": "user.name" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Other", - "original": "Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723", - "os": { - "full": "Windows 10", - "name": "Windows", - "version": "10" - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| pulse_secure.realm | test | keyword | -| pulse_secure.role | test | keyword | -| pulse_secure.session.id | test | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | - 
diff --git a/packages/pulse_connect_secure/1.0.1/img/pulse_connect_secure.svg b/packages/pulse_connect_secure/1.0.1/img/pulse_connect_secure.svg
deleted file mode 100755
index be2244431b..0000000000
--- a/packages/pulse_connect_secure/1.0.1/img/pulse_connect_secure.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/packages/pulse_connect_secure/1.0.1/manifest.yml b/packages/pulse_connect_secure/1.0.1/manifest.yml
deleted file mode 100755
index a1d00eb1c0..0000000000
--- a/packages/pulse_connect_secure/1.0.1/manifest.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: pulse_connect_secure
-title: Pulse Connect Secure
-version: 1.0.1
-release: ga
-description: Collect logs from Pulse Connect Secure with Elastic Agent.
-type: integration
-icons:
- - src: /img/pulse_connect_secure.svg
- title: pulse_connect_secure
- size: 300x70
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories: [network, security]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-policy_templates:
- - name: pulse_connect_secure
- title: Pulse Connect Secure logs
- description: Collect logs from Pulse Connect Secure instances
- inputs:
- - type: udp
- title: "Collect Pulse Connect Secure logs (input: udp)"
- description: "Collecting logs from Pulse Connect Secure instances (input: udp)"
- - type: tcp
- title: "Collect Pulse Connect Secure logs (input: tcp)"
- description: "Collecting logs from Pulse Connect Secure instances (input: tcp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/sophos/2.2.2/changelog.yml b/packages/sophos/2.2.2/changelog.yml
deleted file mode 100755
index 31177383db..0000000000
--- a/packages/sophos/2.2.2/changelog.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-# newer versions go on top
-- version: "2.2.2"
- changes:
- - description: Update Readme to include links to Sophos's documentation. Also used the latest product name for Astaro
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3160
-- version: "2.2.1"
- changes:
- - description: Format source.mac and destination.mac as per ECS for the UTM data stream.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3370
-- version: "2.2.0"
- changes:
- - description: Improve inputs for Sophos XG pipeline.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3322
-- version: "2.1.0"
- changes:
- - description: Update to ECS 8.2.0 to use new email field set.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2798
-- version: "2.0.0"
- changes:
- - description: Remove space from sophos.xg.trans_src_ip field.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Do not modify event.original.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Populate `url.*` fields based on `sophos.xg.url`.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Rename `sophos.xg.reason` to `event.reason` (ECS).
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Lowercase `network.transport` as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Format `source.mac` and `destination.mac` as per ECS.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3127
- - description: Set the `event.code` from the message ID (and remove `sophos.xg.message_id`).
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Add `network.community_id`.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3127
- - description: Reduce event size by removing `client` and `server` fields that are clones of `source` and `destination`, respectively.
- type: breaking-change
- link: https://github.com/elastic/integrations/pull/3127
-- version: "1.2.3"
- changes:
- - description: Update pipelines to parse new fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2163
-- version: "1.2.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.1"
- changes:
- - description: Add missing ingest pipeline for "System Health" logs
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2743
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2596
-- version: "1.1.3"
- changes:
- - description: Fix KV splitting and syslog header handling
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2320
-- version: "1.1.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.1.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.1.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2271
-- version: "1.0.6"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2086
-- version: "1.0.5"
- changes:
- - description: Support hostname in syslog header in UTM data stream.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2034
-- version: "1.0.4"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1987
-- version: "1.0.3"
- changes:
- - description: Fixed a bug that prevents the package from working in 7.16.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1882
-- version: "1.0.2"
- changes:
- - description: Fix logic that adds known devices to policy
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1888
-- version: "1.0.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1851
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1775
-- version: "0.6.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1678
-- version: "0.5.4"
- changes:
- - description: Requires version 7.14.1 of the stack
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1541
-- version: "0.5.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1504
-- version: '0.5.2'
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1418
-- version: "0.5.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.5.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.4.0"
- changes:
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1275
-- version: "0.3.0"
- changes:
- - description: update to ECS 1.10.0 and adding event.original options
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1102
-- version: "0.2.1"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/870
-- version: "0.2.0"
- changes:
- - description: Add XG data stream
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/package-storage/pull/400
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/package-storage/pull/400
diff --git a/packages/sophos/2.2.2/data_stream/utm/agent/stream/stream.yml.hbs b/packages/sophos/2.2.2/data_stream/utm/agent/stream/stream.yml.hbs
deleted file mode 100755
index 8cce59a86f..0000000000
--- a/packages/sophos/2.2.2/data_stream/utm/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,5072 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Sophos" - product: "UTM" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
- }
-
- function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
- }
-
- function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
- }
-
- function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
- }
-
- function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length? pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ? idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field:
"rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double,
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field:
"rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field:
"rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter:
fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid":
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime":
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
-
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number":
{to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert:
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time":
{to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk":
{to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field:
"rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter:
fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field:
"rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field:
"rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host":
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2, - dup3, - ])); - - var msg13 = msg("named:13", part13); - - var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg14 = msg("named:14", part14); - - var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, - ])); - - var msg15 = msg("named:15", part15); - - var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, - ])); - - var msg16 = msg("named:16", part16); - - var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, - ])); - - var msg17 = msg("named:17", part17); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - ]); - - var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, - ])); - - var msg18 = msg("httpproxy:09", part18); - - var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, - ])); - - var msg19 = msg("httpproxy:10", part19); - - var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, - ])); - - var msg20 = msg("httpproxy:11", part20); - - var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, - ])); - - var msg21 = msg("httpproxy:12", part21); - - var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, - ])); - - var msg22 = msg("httpproxy:13", part22); - - var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, - ])); - - var msg23 = msg("httpproxy:14", part23); - - var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, - ])); - - var msg24 = msg("httpproxy:15", part24); - - var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, - ])); - - var msg25 = msg("httpproxy:16", part25); - - var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, - ])); 
- - var msg26 = msg("httpproxy:17", part26); - - var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, - ])); - - var msg27 = msg("httpproxy:18", part27); - - var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, - ])); - - var msg28 = msg("httpproxy:19", part28); - - var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, - ])); - - var msg29 = msg("httpproxy:20", part29); - - var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, - ])); - - var msg30 = msg("httpproxy:21", part30); - - var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, - ])); - - var msg31 = msg("httpproxy:22", part31); - - var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, - ])); - - var msg32 = msg("httpproxy:23", part32); - - var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, - ])); - - var msg33 = msg("httpproxy:24", part33); - - var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."), - dup11, - dup2, - ])); - - var msg148 = msg("exim:07", part156); - - var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, - ])); - - var msg149 = msg("exim:08", part157); - - var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, - ])); - - var msg150 = msg("exim:09", part158); - - var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, - ])); - - var msg151 = msg("exim:10", part159); - - var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, - ])); - - var msg152 = msg("exim:11", part160); - - var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, - ])); - - var msg153 = msg("exim:12", part161); - - var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg154 = msg("exim:13", part162); - - var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg155 = msg("exim:14", part163); - - var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg156 = msg("exim:15", part164); - - var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg157 = msg("exim:16", part165); - - var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - ]); - - var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, - ])); - - var msg158 = msg("smtpd:01", part166); - - var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, - ])); - - var msg159 = msg("smtpd:02", part167); - - var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, - ])); - - 
var msg160 = msg("smtpd:03", part168); - - var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, - ])); - - var msg161 = msg("smtpd:04", part169); - - var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, - ])); - - var msg162 = msg("smtpd:07", part170); - - var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, - ])); - - var msg163 = msg("smtpd:05", part171); - - var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, - ])); - - var msg164 = msg("smtpd:06", part172); - - var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - ]); - - var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, - ])); - - var msg165 = msg("sshd:01", part173); - - var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, - ])); - - var msg166 = msg("sshd:02", part174); - - var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server listening; restarting."), - dup11, - dup2, - ])); - - var msg167 = msg("sshd:03", part175); - - var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, - ])); - - var msg168 = msg("sshd:04", part176); - - var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, - ])); - - var msg169 = msg("sshd:05", part177); - - var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, - ])); - - var msg170 = msg("sshd:06", part178); - - var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, - ])); - - var msg171 = msg("sshd:07", part179); - - var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, - ])); - - var msg172 = msg("sshd:08", part180); - - var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, - ])); - - var msg173 = msg("sshd:09", part181); 
- - var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - ]); - - var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg174 = msg("aua:01", part182); - - var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, - ])); - - var msg175 = msg("sockd:01", part183); - - var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, - ])); - - var msg176 = msg("sockd:02", part184); - - var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, - ])); - - var msg177 = msg("sockd:03", part185); - - var select17 = linear_select([ - msg175, - msg176, - msg177, - ]); - - var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, - ])); - - var msg178 = msg("pop3proxy", part186); - - var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - 
"categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg179 = msg("astarosg_TVM", part187); - - var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": 
"info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg180 = msg("httpd", part188); - - var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, - ])); - - var msg181 = msg("httpd:01", part189); - - var select18 = linear_select([ - msg180, - msg181, - ]); - - var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport", - "tran_src_ip": "stransaddr", - "tran_src_port": "stransport", - "transactionid": "id2", - "url": "url", - "user_agent": "user_agent", - "user_gp": "group", - "user_name": "username", - "vconnid": "fld20", - }, processor_chain([ - setc("eventcategory","1204000000"), - dup2, - date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], - ], - }), - ])); - - var msg182 = msg("Sophos_Firewall", part190); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Sophos_Firewall": msg182, - "URID": msg38, - "afcd": msg94, - "astarosg_TVM": msg179, - "aua": msg174, - "barnyard": select13, - "confd": msg90, - "confd-sync": msg89, - "exim": select14, - "frox": select9, - "httpd": select18, - "httpproxy": select3, - "ipsec_starter": select10, - "named": select2, - "pluto": select11, - "pop3proxy": msg178, - "reverseproxy": select8, - "smtpd": select15, - "sockd": select17, - "sshd": select16, - "ulogd": msg39, - "xl2tpd": select12, - }), - ]); - - var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - 
target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/sophos/2.2.2/data_stream/utm/agent/stream/tcp.yml.hbs b/packages/sophos/2.2.2/data_stream/utm/agent/stream/tcp.yml.hbs
deleted file mode 100755
index 1de04c8c77..0000000000
--- a/packages/sophos/2.2.2/data_stream/utm/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,5069 +0,0 @@
-tcp:
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- observer:
- vendor: "Sophos"
- product: "UTM"
- type: "Firewall"
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined?
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ?
idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0;
- var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
- return function(evt) {
- var msg = evt.Get(src);
- if (msg === undefined) {
- console.warn("tagval: input field is missing");
- return fail(evt);
- }
- var pairs = msg.split(cfg.pair_separator);
- var i;
- var success = false;
- var prev = "";
- for (i=0; i 0 &&
- value.length >= cfg.open_quote.length + cfg.close_quote.length &&
- value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
- value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
- value = value.substr(cfg.open_quote.length, value.length - quotes_len);
- }
- evt.Put(FIELDS_PREFIX + field, value);
- success = true;
- }
- if (!success) {
- return fail(evt);
- }
- if (on_success != null) {
- on_success(evt);
- }
- }
- }
-
- var ecs_mappings = {
- "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
- "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
- "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
- "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
- "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
- "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
- "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
- "application": {to:[{field: "network.application", setter: fld_set}]},
- "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
- "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
- "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
-
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
-
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field:
"host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip,
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src":
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field:
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
-
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field:
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2, - dup3, - ])); - - var msg13 = msg("named:13", part13); - - var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg14 = msg("named:14", part14); - - var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, - ])); - - var msg15 = msg("named:15", part15); - - var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, - ])); - - var msg16 = msg("named:16", part16); - - var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, - ])); - - var msg17 = msg("named:17", part17); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - ]); - - var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, - ])); - - var msg18 = msg("httpproxy:09", part18); - - var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, - ])); - - var msg19 = msg("httpproxy:10", part19); - - var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, - ])); - - var msg20 = msg("httpproxy:11", part20); - - var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, - ])); - - var msg21 = msg("httpproxy:12", part21); - - var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, - ])); - - var msg22 = msg("httpproxy:13", part22); - - var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, - ])); - - var msg23 = msg("httpproxy:14", part23); - - var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, - ])); - - var msg24 = msg("httpproxy:15", part24); - - var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, - ])); - - var msg25 = msg("httpproxy:16", part25); - - var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, - ])); 
- - var msg26 = msg("httpproxy:17", part26); - - var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, - ])); - - var msg27 = msg("httpproxy:18", part27); - - var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, - ])); - - var msg28 = msg("httpproxy:19", part28); - - var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, - ])); - - var msg29 = msg("httpproxy:20", part29); - - var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, - ])); - - var msg30 = msg("httpproxy:21", part30); - - var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, - ])); - - var msg31 = msg("httpproxy:22", part31); - - var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, - ])); - - var msg32 = msg("httpproxy:23", part32); - - var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, - ])); - - var msg33 = msg("httpproxy:24", part33); - - var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."), - dup11, - dup2, - ])); - - var msg148 = msg("exim:07", part156); - - var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ - dup12, - setc("event_description","exim: SIGHUP received: re-exec daemon."), - dup11, - dup2, - ])); - - var msg149 = msg("exim:08", part157); - - var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim: SMTP connection from host."), - dup11, - dup2, - ])); - - var msg150 = msg("exim:09", part158); - - var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:rejected EHLO from host."), - dup11, - dup2, - ])); - - var msg151 = msg("exim:10", part159); - - var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), - dup11, - dup2, - ])); - - var msg152 = msg("exim:11", part160); - - var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - setc("event_description","exim:TLS error on connection from host."), - dup11, - dup2, - ])); - - var msg153 = msg("exim:12", part161); - - var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == 
%{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg154 = msg("exim:13", part162); - - var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg155 = msg("exim:14", part163); - - var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ - dup12, - dup40, - dup11, - dup2, - ])); - - var msg156 = msg("exim:15", part164); - - var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg157 = msg("exim:16", part165); - - var select14 = linear_select([ - msg142, - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - msg155, - msg156, - msg157, - ]); - - var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ - dup12, - setc("event_description","smtpd: Process moved to work queue."), - dup11, - dup2, - ])); - - var msg158 = msg("smtpd:01", part166); - - var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ - setc("eventcategory","1207010100"), - dup11, - dup2, - ])); - - var msg159 = msg("smtpd:02", part167); - - var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ - dup12, - setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), - dup11, - dup2, - ])); - - 
var msg160 = msg("smtpd:03", part168); - - var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), - dup11, - dup2, - ])); - - var msg161 = msg("smtpd:04", part169); - - var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), - dup11, - dup2, - ])); - - var msg162 = msg("smtpd:07", part170); - - var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), - dup11, - dup2, - ])); - - var msg163 = msg("smtpd:05", part171); - - var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ - dup12, - setc("event_description","smtpd: MASTER:Sending QR one."), - dup11, - dup2, - ])); - - var msg164 = msg("smtpd:06", part172); - - var select15 = linear_select([ - msg158, - msg159, - msg160, - msg161, - msg162, - msg163, - msg164, - ]); - - var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ - dup10, - setc("event_description","sshd: Did not receive identification string."), - dup11, - dup2, - ])); - - var msg165 = msg("sshd:01", part173); - - var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ - dup12, - setc("event_description","sshd:Received SIGHUP restarting."), - dup11, - dup2, - ])); - - var msg166 = msg("sshd:02", part174); - - var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server 
listening on %{saddr->} port %{sport}.", processor_chain([ - dup12, - setc("event_description","sshd:Server listening; restarting."), - dup11, - dup2, - ])); - - var msg167 = msg("sshd:03", part175); - - var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ - dup41, - setc("event_description","sshd:Invalid user admin."), - dup11, - dup2, - ])); - - var msg168 = msg("sshd:04", part176); - - var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed none for invalid user admin."), - dup11, - dup2, - ])); - - var msg169 = msg("sshd:05", part177); - - var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ - dup10, - setc("event_description","sshd:error:Could not get shadow information for NOUSER"), - dup11, - dup2, - ])); - - var msg170 = msg("sshd:06", part178); - - var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - dup41, - setc("event_description","sshd:Failed password for root."), - dup11, - dup2, - ])); - - var msg171 = msg("sshd:07", part179); - - var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ - setc("eventcategory","1302000000"), - setc("event_description","sshd:Accepted password for loginuser."), - dup11, - dup2, - ])); - - var msg172 = msg("sshd:08", part180); - - var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ - dup10, - setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), - dup11, - dup2, - ])); - - var msg173 = msg("sshd:09", part181); 
- - var select16 = linear_select([ - msg165, - msg166, - msg167, - msg168, - msg169, - msg170, - msg171, - msg172, - msg173, - ]); - - var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { - "caller": "fld4", - "engine": "fld5", - "id": "fld1", - "name": "event_description", - "severity": "severity", - "srcip": "saddr", - "sub": "service", - "sys": "fld2", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg174 = msg("aua:01", part182); - - var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ - dup12, - setc("event_description","sockd: created new negotiatorchild."), - dup11, - dup2, - ])); - - var msg175 = msg("sockd:01", part183); - - var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ - dup12, - setc("event_description","sockd:dante/server running."), - dup11, - dup2, - ])); - - var msg176 = msg("sockd:02", part184); - - var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ - dup12, - setc("event_description","sockd:sockdexit():terminating on signal."), - dup11, - dup2, - ])); - - var msg177 = msg("sockd:03", part185); - - var select17 = linear_select([ - msg175, - msg176, - msg177, - ]); - - var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ - dup12, - setc("event_description","pop3proxy:Master started."), - dup11, - dup2, - ])); - - var msg178 = msg("pop3proxy", part186); - - var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - 
"categoryname": "info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg179 = msg("astarosg_TVM", part187); - - var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { - "account": "logon_id", - "action": "action", - "ad_domain": "fld5", - "app-id": "fld20", - "application": "fld19", - "attributes": "obj_name", - "auth": "fld15", - "authtime": "fld9", - "avscantime": "fld12", - "cached": "fld7", - "caller": "fld30", - "category": "policy_id", - "categoryname": 
"info", - "cattime": "fld11", - "class": "group_object", - "client": "fld3", - "content-type": "content_type", - "cookie": "web_cookie", - "count": "fld4", - "device": "fld14", - "dnstime": "fld10", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "engine": "fld31", - "error": "comments", - "exceptions": "fld17", - "extension": "web_extension", - "extra": "info", - "facility": "logon_type", - "file": "filename", - "filename": "filename", - "filteraction": "policyname", - "fullreqtime": "fld13", - "function": "action", - "fwrule": "policy_id", - "group": "group", - "host": "dhost", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "line": "fld22", - "localip": "fld31", - "message": "context", - "method": "web_method", - "name": "event_description", - "node": "node", - "object": "fld6", - "outitf": "dinterface", - "port": "network_port", - "prec": "fld30", - "profile": "owner", - "proto": "fld24", - "query": "web_query", - "reason": "comments", - "referer": "web_referer", - "reputation": "fld18", - "request": "fld8", - "seq": "fld23", - "server": "daddr", - "set-cookie": "fld32", - "severity": "severity", - "size": "filename_size", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "statuscode": "resultcode", - "storage": "directory", - "sub": "service", - "sys": "vsys", - "tcpflags": "fld29", - "time": "fld21", - "tos": "fld26", - "ttl": "fld28", - "type": "obj_type", - "ua": "fld16", - "uid": "uid", - "url": "url", - "user": "username", - "version": "version", - }, processor_chain([ - dup12, - dup11, - dup2, - dup45, - dup46, - ])); - - var msg180 = msg("httpd", part188); - - var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ - setc("eventcategory","1502000000"), - dup2, - dup3, - ])); - - var msg181 = msg("httpd:01", part189); - - var select18 = linear_select([ - msg180, - msg181, - ]); - - var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { - "activityname": "fld9", - "appfilter_policy_id": "fld10", - "application": "application", - "application_category": "fld23", - "application_risk": "risk_num", - "application_technology": "fld11", - "appresolvedby": "fld22", - "category": "fld4", - "category_type": "fld5", - "connevent": "fld19", - "connid": "connectionid", - "contenttype": "content_type", - "dir_disp": "fld18", - "domain": "fqdn", - "dst_country_code": "location_dst", - "dst_ip": "daddr", - "dst_port": "dport", - "dstzone": "dst_zone", - "dstzonetype": "fld17", - "duration": "duration", - "exceptions": "fld8", - "fw_rule_id": "rule_uid", - "hb_health": "fld21", - "httpresponsecode": "fld7", - "iap": "id1", - "in_interface": "sinterface", - "ips_policy_id": "policy_id", - "log_component": "event_source", - "log_subtype": "category", - "log_type": "event_type", - "message": "info", - "out_interface": "dinterface", - "override_token": "fld6", - "policy_type": "fld23", - "priority": "severity", - "protocol": "protocol", - "reason": "result", - "recv_bytes": "rbytes", - "recv_pkts": "fld15", - "referer": "web_referer", - "sent_bytes": "sbytes", - "sent_pkts": "fld14", - "src_country_code": "location_src", - "src_ip": "saddr", - "src_mac": "smacaddr", - "src_port": "sport", - "srczone": "src_zone", - "srczonetype": "fld16", - "status": "event_state", - "status_code": "resultcode", - "tran_dst_ip": "dtransaddr", - 
"tran_dst_port": "dtransport", - "tran_src_ip": "stransaddr", - "tran_src_port": "stransport", - "transactionid": "id2", - "url": "url", - "user_agent": "user_agent", - "user_gp": "group", - "user_name": "username", - "vconnid": "fld20", - }, processor_chain([ - setc("eventcategory","1204000000"), - dup2, - date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], - ], - }), - ])); - - var msg182 = msg("Sophos_Firewall", part190); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "Sophos_Firewall": msg182, - "URID": msg38, - "afcd": msg94, - "astarosg_TVM": msg179, - "aua": msg174, - "barnyard": select13, - "confd": msg90, - "confd-sync": msg89, - "exim": select14, - "frox": select9, - "httpd": select18, - "httpproxy": select3, - "ipsec_starter": select10, - "named": select2, - "pluto": select11, - "pop3proxy": msg178, - "reverseproxy": select8, - "smtpd": select15, - "sockd": select17, - "sshd": select16, - "ulogd": msg39, - "xl2tpd": select12, - }), - ]); - - var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain - target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - 
target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/sophos/2.2.2/data_stream/utm/agent/stream/udp.yml.hbs b/packages/sophos/2.2.2/data_stream/utm/agent/stream/udp.yml.hbs
deleted file mode 100755
index cef2ed2295..0000000000
--- a/packages/sophos/2.2.2/data_stream/utm/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,5069 +0,0 @@
-udp:
-host: "{{udp_host}}:{{udp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- observer:
- vendor: "Sophos"
- product: "UTM"
- type: "Firewall"
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5],
- "dec": [11, 4],
- };
-
- // var dC = undefined;
- var dR = dateMonthName(true);
- var dB = dateMonthName(false);
- var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
- var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
- var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
- var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
- var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
- var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
- var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
- var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
- var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
- var dP = parseAMPM; // AM|PM
- var dQ = parseAMPM; // A.M.|P.M
- var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
- var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
- var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
- var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
- var dZ = parseHMS;
- var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
-
- // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
- // Only works if this modifier appears after the hour has been read from logs
- // which is always the case in the 300 devices.
- function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
- }
-
- function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
- }
-
- function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
- }
-
- function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
- }
-
- function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length? pos : undefined;
- }
-
- function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
- }
-
- function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
- }
-
- // Short month name (Jan..Dec).
- function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ? idx[1] : 0);
- };
- }
-
- function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.debug(fn.name + " failed for '" + value + "'");
- }
- };
- }
-
- // The following regular expression for parsing URLs from:
- // https://github.com/wizard04wsu/URI_Parsing
- //
- // The MIT License (MIT)
- //
- // Copyright (c) 2014 Andrew Harrison
- //
- // Permission is hereby granted, free of charge, to any person obtaining a copy of
- // this software and associated documentation files (the "Software"), to deal in
- // the Software without restriction, including without limitation the rights to
- // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- // the Software, and to permit persons to whom the Software is furnished to do so,
- // subject to the following conditions:
- //
- // The above copyright notice and this permission notice shall be included in all
- // copies or substantial portions of the Software.
- //
- // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
- var uriScheme = 1;
- var uriDomain = 5;
- var uriPort = 6;
- var uriPath = 7;
- var uriPathAlt = 9;
- var uriQuery = 11;
-
- function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
- }
-
- function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
- }
-
- function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
- }
-
- var extFromPage = /\.[^.]+$/;
- function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
- }
-
- function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
- }
-
- function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
- }
-
- var pageFromPathRegExp = /\/([^\/]+)$/;
- var pageName = 1;
-
- function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
- }
-
- function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
- }
-
- function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
- }
-
- function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
- }
-
- // Map common schemes to their default port.
- // port has to be a string (will be converted at a later stage).
- var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
- };
-
- function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
- }
-
- function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
- }
-
- function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
- }
-
- function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
- }
-
- function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
- }
-
- function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
- }
-
- function tagval(id, src, cfg, keys, on_success) {
- var fail = function(evt) {
- evt.Put(FLAG_FIELD, "tagval_parsing_error");
- }
- if (cfg.kv_separator.length !== 1) {
- throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
- }
- var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0002"), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ - setc("header_id","0003"), - setc("messageid","reverseproxy"), - ])); - - var hdr4 = match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0005"), - ])); - - var hdr5 = match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ - setc("header_id","0004"), - setc("messageid","astarosg_TVM"), - ])); - - var hdr6 = match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ - setc("header_id","0006"), - setc("messageid","Sophos_Firewall"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - ]); - - var part1 = match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg1 = msg("named:01", part1); - - var part2 = match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ - dup1, - dup2, - dup3, - ])); - - var msg2 = msg("named:02", part2); - - var part3 = match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ - dup4, - dup2, - dup3, - ])); - - var msg3 = msg("named:03", part3); - - var part4 = match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal 
to %{fld3}", processor_chain([ - dup5, - dup2, - dup3, - ])); - - var msg4 = msg("named:04", part4); - - var part5 = match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ - dup6, - dup2, - dup3, - ])); - - var msg5 = msg("named:05", part5); - - var part6 = match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ - setc("eventcategory","1804000000"), - dup2, - dup3, - ])); - - var msg6 = msg("named:06", part6); - - var part7 = match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ - dup7, - dup2, - dup3, - ])); - - var msg7 = msg("named:07", part7); - - var part8 = match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg8 = msg("named:08", part8); - - var part9 = match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ - dup7, - dup2, - dup3, - setc("action","reloading"), - ])); - - var msg9 = msg("named:09", part9); - - var part10 = match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - ])); - - var msg10 = msg("named:10", part10); - - var part11 = match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ - dup7, - dup9, - dup2, - dup3, - setc("action","all zones loaded"), - ])); - - var msg11 = msg("named:11", part11); - - var part12 = match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ - dup7, - setc("disposition","running"), - dup2, - dup3, - setc("action","running"), - ])); - - var msg12 = msg("named:12", part12); - - var part13 = match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ - dup7, - setc("context","built-in root key"), 
- dup2, - dup3, - ])); - - var msg13 = msg("named:13", part13); - - var part14 = match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ - dup8, - dup2, - dup3, - ])); - - var msg14 = msg("named:14", part14); - - var part15 = match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ - dup10, - setc("event_description","named:too many timeouts resolving DNS."), - dup11, - dup2, - ])); - - var msg15 = msg("named:15", part15); - - var part16 = match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:FORMERR resolving DNS."), - dup11, - dup2, - ])); - - var msg16 = msg("named:16", part16); - - var part17 = match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ - dup10, - setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), - dup11, - dup2, - ])); - - var msg17 = msg("named:17", part17); - - var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, - msg13, - msg14, - msg15, - msg16, - msg17, - ]); - - var part18 = match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ - dup12, - setc("event_description","httpproxy:Integrated HTTP-Proxy."), - dup11, - dup2, - ])); - - var msg18 = msg("httpproxy:09", part18); - - var part19 = match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ - dup10, - setc("event_description","httpproxy:Name or service not known."), - dup11, - dup2, - ])); - - var msg19 = msg("httpproxy:10", part19); - - var part20 = match("MESSAGE#19:httpproxy:11", 
"nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ - dup10, - setc("event_description","httpproxy:failed to resolve passthrough."), - dup11, - dup2, - ])); - - var msg20 = msg("httpproxy:11", part20); - - var part21 = match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ - dup10, - setc("event_description","httpproxy:ssl handshake failure."), - dup11, - dup2, - ])); - - var msg21 = msg("httpproxy:12", part21); - - var part22 = match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ - dup10, - setc("event_description","httpproxy:EVP_DecryptFinal failed."), - dup11, - dup2, - ])); - - var msg22 = msg("httpproxy:13", part22); - - var part23 = match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ - dup10, - setc("event_description","httpproxy:decrypt failed."), - dup11, - dup2, - ])); - - var msg23 = msg("httpproxy:14", part23); - - var part24 = match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:reloading av pattern"), - dup11, - dup2, - ])); - - var msg24 = msg("httpproxy:15", part24); - - var part25 = match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ - dup12, - setc("event_description","httpproxy:sc_check_servers.Server checked."), - dup11, - dup2, - ])); - - var msg25 = msg("httpproxy:16", part25); - - var part26 = match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ - dup12, - setc("event_description","httpproxy:shutdown finished, exiting."), - dup11, - dup2, - ])); 
- - var msg26 = msg("httpproxy:17", part26); - - var part27 = match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ - dup12, - setc("event_description","httpproxy:"), - dup11, - dup2, - ])); - - var msg27 = msg("httpproxy:18", part27); - - var part28 = match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ - dup12, - setc("event_description","httpproxy:reading profiles"), - dup11, - dup2, - ])); - - var msg28 = msg("httpproxy:19", part28); - - var part29 = match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ - dup12, - setc("event_description","httpproxy:finished startup"), - dup11, - dup2, - ])); - - var msg29 = msg("httpproxy:20", part29); - - var part30 = match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:read_request_headers related message."), - dup11, - dup2, - ])); - - var msg30 = msg("httpproxy:21", part30); - - var part31 = match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_loop related message."), - dup11, - dup2, - ])); - - var msg31 = msg("httpproxy:22", part31); - - var part32 = match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scan_exit related message."), - dup11, - dup2, - ])); - - var msg32 = msg("httpproxy:23", part32); - - var part33 = match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:epoll_exit related message."), - dup11, - dup2, - ])); - - var msg33 = msg("httpproxy:24", part33); - - var part34 = 
match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_exit related message."), - dup11, - dup2, - ])); - - var msg34 = msg("httpproxy:25", part34); - - var part35 = match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:disk_cache_zap related message."), - dup11, - dup2, - ])); - - var msg35 = msg("httpproxy:26", part35); - - var part36 = match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ - dup12, - setc("event_description","httpproxy:scanner_init related message."), - dup11, - dup2, - ])); - - var msg36 = msg("httpproxy:27", part36); - - var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { - "action": "action", - "ad_domain": "fld1", - "app-id": "fld18", - "application": "fld17", - "auth": "fld10", - "authtime": "fld4", - "avscantime": "fld7", - "cached": "fld2", - "category": "policy_id", - "categoryname": "info", - "cattime": "fld6", - "content-type": "content_type", - "device": "fld9", - "dnstime": "fld5", - "dstip": "daddr", - "error": "result", - "exceptions": "fld12", - "extension": "fld13", - "file": "filename", - "filename": "filename", - "filteraction": "fld3", - "fullreqtime": "fld8", - "function": "action", - "group": "group", - "id": "rule", - "line": "fld14", - "message": "context", - "method": "web_method", - "name": "event_description", - "profile": "policyname", - "reason": "rule_group", - "referer": "web_referer", - "reputation": "fld16", - "request": "connectionid", - "severity": "severity", - "size": "rbytes", - "srcip": "saddr", - "statuscode": "resultcode", - "sub": "network_service", - "sys": "vsys", - "time": "fld15", - "ua": "fld11", - "url": "url", - "user": "username", - }, processor_chain([ - dup13, - dup11, - dup2, - dup45, - 
dup46, - ])); - - var msg37 = msg("httpproxy:01", part37); - - var select3 = linear_select([ - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - ]); - - var part38 = match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ - dup16, - dup2, - dup3, - ])); - - var msg38 = msg("URID:01", part38); - - var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { - "action": "action", - "code": "fld30", - "dstip": "daddr", - "dstmac": "dmacaddr", - "dstport": "dport", - "fwrule": "policy_id", - "id": "rule", - "info": "context", - "initf": "sinterface", - "length": "fld25", - "name": "event_description", - "outitf": "dinterface", - "prec": "fld27", - "proto": "fld24", - "seq": "fld23", - "severity": "severity", - "srcip": "saddr", - "srcmac": "smacaddr", - "srcport": "sport", - "sub": "network_service", - "sys": "vsys", - "tcpflags": "fld29", - "tos": "fld26", - "ttl": "fld28", - "type": "fld31", - }, processor_chain([ - dup13, - setc("ec_subject","NetworkComm"), - setc("ec_activity","Scan"), - setc("ec_theme","TEV"), - dup11, - dup2, - dup45, - dup46, - ])); - - var msg39 = msg("ulogd:01", part39); - - var part40 = match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ - dup6, - setc("disposition","configured"), - dup2, - dup3, - ])); - - var msg40 = msg("reverseproxy:01", part40); - - var part41 = match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg41 = msg("reverseproxy:02", part41); - - var part42 = 
match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ - dup17, - dup2, - dup3, - ])); - - var msg42 = msg("reverseproxy:03", part42); - - var part43 = match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ - dup17, - setc("event_id","AH00292"), - dup2, - dup3, - ])); - - var msg43 = msg("reverseproxy:04", part43); - - var part44 = match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ - setc("eventcategory","1805010000"), - dup18, - dup2, - dup3, - ])); - - var msg44 = msg("reverseproxy:06", part44); - - var part45 = match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. 
Doing%{p0}"); - - var select4 = linear_select([ - dup19, - ]); - - var part46 = match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); - - var all1 = all_match({ - processors: [ - part45, - select4, - part46, - ], - on_success: processor_chain([ - dup5, - setc("event_id","AH00297"), - dup2, - dup3, - ]), - }); - - var msg45 = msg("reverseproxy:07", all1); - - var part47 = match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ - dup4, - setc("event_id","AH00112"), - dup2, - dup3, - ])); - - var msg46 = msg("reverseproxy:08", part47); - - var part48 = match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ - setc("eventcategory","1605010000"), - setc("event_id","AH00094"), - dup2, - dup3, - ])); - - var msg47 = msg("reverseproxy:09", part48); - - var part49 = match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! 
(pid %{fld5})", processor_chain([ - dup12, - setc("event_id","AH00291"), - dup2, - dup3, - ])); - - var msg48 = msg("reverseproxy:10", part49); - - var part50 = match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ - dup20, - setc("event_id","AH02572"), - dup2, - dup3, - ])); - - var msg49 = msg("reverseproxy:11", part50); - - var part51 = match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ - dup20, - setc("context","SSL Library Error"), - dup2, - dup3, - ])); - - var msg50 = msg("reverseproxy:12", part51); - - var part52 = match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ - dup20, - setc("result","Fatal error"), - setc("event_id","AH02312"), - dup2, - dup3, - ])); - - var msg51 = msg("reverseproxy:13", part52); - - var part53 = match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ - dup20, - setc("result","Configuration Failed"), - setc("event_id","AH00020"), - dup2, - dup3, - ])); - - var msg52 = msg("reverseproxy:14", part53); - - var part54 = match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ - setc("eventcategory","1609000000"), - setc("context","Unclean shutdown"), - setc("event_id","AH00098"), - dup2, - dup3, - ])); - - var msg53 = msg("reverseproxy:15", part54); - - var part55 = 
match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ - dup16, - setc("event_id","AH00295"), - dup2, - dup3, - ])); - - var msg54 = msg("reverseproxy:16", part55); - - var part56 = match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); - - var part57 = match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); - - var select5 = linear_select([ - part57, - dup19, - ]); - - var part58 = match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all2 = all_match({ - processors: [ - part56, - select5, - part58, - ], - on_success: processor_chain([ - dup21, - dup2, - dup3, - ]), - }); - - var msg55 = msg("reverseproxy:17", all2); - - var part59 = match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ - dup4, - dup22, - dup2, - dup3, - ])); - - var msg56 = msg("reverseproxy:18", part59); - - var part60 = match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ - dup23, - dup22, - dup2, - dup3, - ])); - - var msg57 = msg("reverseproxy:19", part60); - - var part61 = match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] 
[client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg58 = msg("reverseproxy:20", part61); - - var part62 = match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ - dup20, - dup18, - setc("event_id","AH01909"), - dup2, - dup3, - ])); - - var msg59 = msg("reverseproxy:21", part62); - - var part63 = match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ - dup20, - setc("comments","Invalid port configuration"), - dup2, - dup3, - ])); - - var msg60 = msg("reverseproxy:22", part63); - - var part64 = match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%(unknown)\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). 
[hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg61 = msg("reverseproxy:23", part64); - - var part65 = match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg62 = msg("reverseproxy:24", part65); - - var part66 = match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ - dup21, - dup2, - dup3, - ])); - - var msg63 = msg("reverseproxy:25", part66); - - var part67 = match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). 
%{rulename->} [file \"%(unknown)\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); - - var part68 = match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); - - var select6 = linear_select([ - part68, - dup19, - ]); - - var part69 = match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); - - var part70 = match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); - - var part71 = match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); - - var select7 = linear_select([ - part70, - part71, - ]); - - var part72 = match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); - - var all3 = all_match({ - processors: [ - part67, - select6, - part69, - select7, - part72, - ], - on_success: processor_chain([ - dup24, - dup2, - dup3, - ]), - }); - - var msg64 = msg("reverseproxy:26", all3); - - var part73 = match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg65 = msg("reverseproxy:27", part73); - - var part74 = match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ - dup26, - setc("result","virus daemon error"), - dup2, - dup3, - ])); - - var msg66 = msg("reverseproxy:28", part74); - - var part75 = match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ - dup27, - 
setc("result","virus found"), - dup2, - dup3, - ])); - - var msg67 = msg("reverseproxy:29", part75); - - var part76 = match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg68 = msg("reverseproxy:30", part76); - - var part77 = match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ - dup25, - setc("result","Cannot read reply"), - dup2, - dup3, - ])); - - var msg69 = msg("reverseproxy:31", part77); - - var part78 = match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg70 = msg("reverseproxy:32", part78); - - var part79 = match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg71 = msg("reverseproxy:33", part79); - - var part80 = match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg72 = msg("reverseproxy:34", part80); - - var part81 = match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid 
%{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ - dup26, - dup29, - dup2, - dup3, - ])); - - var msg73 = msg("reverseproxy:35", part81); - - var part82 = match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ - dup27, - setc("result","Virus found"), - dup2, - dup3, - ])); - - var msg74 = msg("reverseproxy:36", part82); - - var part83 = match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ - dup24, - dup28, - dup2, - dup3, - ])); - - var msg75 = msg("reverseproxy:37", part83); - - var part84 = match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ - dup25, - dup2, - dup3, - ])); - - var msg76 = msg("reverseproxy:38", part84); - - var part85 = match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ - dup23, - setc("result","Form validation failed"), - dup2, - dup3, - ])); - - var msg77 = msg("reverseproxy:39", part85); - - var part86 = match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ - dup25, - setc("result","Sending trickle failed"), - dup2, - dup3, - ])); - - var msg78 = msg("reverseproxy:40", part86); - - var part87 = match("MESSAGE#78:reverseproxy:41", 
"nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ - dup30, - dup2, - dup3, - ])); - - var msg79 = msg("reverseproxy:41", part87); - - var part88 = match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%(unknown)", processor_chain([ - setc("eventcategory","1603050000"), - dup2, - dup3, - ])); - - var msg80 = msg("reverseproxy:42", part88); - - var part89 = match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ - dup30, - setc("event_id","AH01110"), - setc("result","Error reading response"), - dup2, - dup3, - ])); - - var msg81 = msg("reverseproxy:43", part89); - - var part90 = match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1601020000"), - setc("result","No form context found"), - dup2, - dup3, - ])); - - var msg82 = msg("reverseproxy:44", part90); - - var part91 = match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ - dup25, - setc("event_id","AH00957"), - dup2, - dup3, - ])); - - var msg83 = msg("reverseproxy:45", part91); - - var part92 = match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: 
ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ - dup16, - setc("event_id","AH00959"), - setc("result","disabling worker"), - dup2, - dup3, - ])); - - var msg84 = msg("reverseproxy:46", part92); - - var part93 = match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ - setc("eventcategory","1801000000"), - setc("context","Not all file sent to client"), - dup2, - dup3, - ])); - - var msg85 = msg("reverseproxy:47", part93); - - var part94 = match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg86 = msg("reverseproxy:48", part94); - - var part95 = match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ - dup25, - dup31, - dup32, - dup2, - dup3, - ])); - - var msg87 = msg("reverseproxy:49", part95); - - var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { - "cookie": "web_cookie", - "exceptions": "policy_waiver", - "extra": "info", - "host": "dhost", - "id": "policy_id", - "localip": "fld3", - "method": "web_method", - "reason": "comments", - "referer": "web_referer", - "server": "daddr", - "set-cookie": "fld5", - "size": "fld4", - "srcip": "saddr", - "statuscode": "resultcode", - "time": "processing_time", - "url": "web_root", - "user": "username", - }, processor_chain([ - setc("eventcategory","1802000000"), - dup2, - dup3, - ])); - - var msg88 = 
msg("reverseproxy:05", part96); - - var select8 = linear_select([ - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, - msg58, - msg59, - msg60, - msg61, - msg62, - msg63, - msg64, - msg65, - msg66, - msg67, - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, - msg83, - msg84, - msg85, - msg86, - msg87, - msg88, - ]); - - var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { - "id": "fld5", - "name": "event_description", - "severity": "severity", - "sub": "service", - "sys": "fld2", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg89 = msg("confd-sync", part97); - - var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { - "account": "logon_id", - "attributes": "obj_name", - "class": "group_object", - "client": "fld3", - "count": "fld4", - "facility": "logon_type", - "id": "fld1", - "name": "event_description", - "node": "node", - "object": "fld6", - "severity": "severity", - "srcip": "saddr", - "storage": "directory", - "sub": "service", - "sys": "fld2", - "type": "obj_type", - "user": "username", - "version": "version", - }, processor_chain([ - dup1, - dup11, - dup2, - ])); - - var msg90 = msg("confd:01", part98); - - var part99 = match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy Frox started."), - dup11, - dup2, - ])); - - var msg91 = msg("frox", part99); - - var part100 = match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","frox:FTP Proxy listening on port."), - dup11, - dup2, - ])); - - var msg92 = msg("frox:01", part100); - - var part101 = match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ - dup12, - 
setc("event_description","frox:FTP Proxy dropped priveleges."), - dup11, - dup2, - ])); - - var msg93 = msg("frox:02", part101); - - var select9 = linear_select([ - msg91, - msg92, - msg93, - ]); - - var part102 = match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ - dup12, - setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), - dup11, - dup2, - ])); - - var msg94 = msg("afcd", part102); - - var part103 = match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ - dup12, - setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), - dup11, - dup2, - ])); - - var msg95 = msg("ipsec_starter", part103); - - var part104 = match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ - dup12, - setc("event_description","ipsec_starter: IP address or index of physical interface changed."), - dup11, - dup2, - ])); - - var msg96 = msg("ipsec_starter:01", part104); - - var select10 = linear_select([ - msg95, - msg96, - ]); - - var part105 = match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: Starting Pluto."), - dup11, - dup2, - ])); - - var msg97 = msg("pluto", part105); - - var part106 = match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ - dup12, - setc("event_description","pluto: including NAT-Traversal patch."), - dup11, - dup2, - ])); - - var msg98 = msg("pluto:01", part106); - - var part107 = match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating encryption algorithm."), - dup11, - dup2, - ])); - - var msg99 = msg("pluto:02", 
part107); - - var part108 = match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ - dup33, - setc("event_description","pluto: Activating hash algorithm."), - dup11, - dup2, - ])); - - var msg100 = msg("pluto:03", part108); - - var part109 = match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ - dup12, - setc("event_description","pluto: Testing registered IKE encryption algorithms"), - dup11, - dup2, - ])); - - var msg101 = msg("pluto:04", part109); - - var part110 = match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test not available."), - dup11, - dup2, - ])); - - var msg102 = msg("pluto:05", part110); - - var part111 = match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ - dup12, - setc("event_description","pluto: Algorithm self-test passed."), - dup11, - dup2, - ])); - - var msg103 = msg("pluto:06", part111); - - var part112 = match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ - dup12, - setc("event_description","pluto: Using KLIPS IPsec interface code"), - dup11, - dup2, - ])); - - var msg104 = msg("pluto:07", part112); - - var part113 = match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ - dup12, - setc("event_description","pluto: adding interface"), - dup11, - dup2, - ])); - - var msg105 = msg("pluto:08", part113); - - var part114 = match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%(unknown)\"", processor_chain([ - dup34, - setc("event_description","pluto: loading secrets"), - dup11, - dup2, - ])); - - var msg106 = msg("pluto:09", part114); - - var part115 = match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file 
'%(unknown)' (%{filename_size->} bytes)", processor_chain([ - dup34, - setc("event_description","pluto: loaded private key file"), - dup11, - dup2, - ])); - - var msg107 = msg("pluto:10", part115); - - var part116 = match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ - dup12, - setc("event_description","pluto: added connection description"), - dup11, - dup2, - ])); - - var msg108 = msg("pluto:11", part116); - - var part117 = match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg109 = msg("pluto:12", part117); - - var part118 = match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ - dup10, - dup36, - dup11, - dup2, - ])); - - var msg110 = msg("pluto:13", part118); - - var part119 = match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg111 = msg("pluto:14", part119); - - var part120 = match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ - dup12, - setc("event_description","pluto:forgetting secrets"), - dup11, - dup2, - ])); - - var msg112 = msg("pluto:15", part120); - - var part121 = match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ - dup12, - setc("event_description","pluto:Changing to directory"), - dup11, - dup2, - ])); - - var msg113 = msg("pluto:17", part121); - - var part122 = match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ - dup12, - setc("event_description","pluto:*time to handle event"), - dup11, - dup2, - ])); - - var msg114 = 
msg("pluto:18", part122); - - var part123 = match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ - dup12, - setc("event_description","pluto:*received kernel message"), - dup11, - dup2, - ])); - - var msg115 = msg("pluto:19", part123); - - var part124 = match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ - dup25, - setc("event_description","pluto:rejected packet"), - dup11, - dup2, - ])); - - var msg116 = msg("pluto:20", part124); - - var part125 = match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg117 = msg("pluto:21", part125); - - var part126 = match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg118 = msg("pluto:22", part126); - - var part127 = match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg119 = msg("pluto:23", part127); - - var part128 = match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg120 = msg("pluto:24", part128); - - var part129 = match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg121 = msg("pluto:25", part129); - - var part130 = match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg122 = msg("pluto:26", part130); - - var part131 = match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} 
with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg123 = msg("pluto:27", part131); - - var part132 = match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg124 = msg("pluto:28", part132); - - var part133 = match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg125 = msg("pluto:29", part133); - - var part134 = match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg126 = msg("pluto:30", part134); - - var part135 = match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ - dup12, - dup11, - dup2, - ])); - - var msg127 = msg("pluto:31", part135); - - var part136 = match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ - dup12, - setc("event_description","not authenticated"), - dup11, - dup2, - ])); - - var msg128 = msg("pluto:32", part136); - - var part137 = match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ - dup12, - dup35, - dup11, - dup2, - ])); - - var msg129 = msg("pluto:33", part137); - - var part138 = match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. 
No response (or no acceptable response) to our first IKE message", processor_chain([ - dup12, - dup36, - dup11, - dup2, - ])); - - var msg130 = msg("pluto:34", part138); - - var part139 = match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ - dup12, - dup37, - dup11, - dup2, - ])); - - var msg131 = msg("pluto:35", part139); - - var select11 = linear_select([ - msg97, - msg98, - msg99, - msg100, - msg101, - msg102, - msg103, - msg104, - msg105, - msg106, - msg107, - msg108, - msg109, - msg110, - msg111, - msg112, - msg113, - msg114, - msg115, - msg116, - msg117, - msg118, - msg119, - msg120, - msg121, - msg122, - msg123, - msg124, - msg125, - msg126, - msg127, - msg128, - msg129, - msg130, - msg131, - ]); - - var part140 = match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ - setc("eventcategory","1607000000"), - setc("event_description","xl2tpd:This binary does not support kernel L2TP."), - dup11, - dup2, - ])); - - var msg132 = msg("xl2tpd", part140); - - var part141 = match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ - dup12, - setc("event_description","xl2tpd:xl2tpd started."), - dup11, - dup2, - ])); - - var msg133 = msg("xl2tpd:01", part141); - - var part142 = match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg134 = msg("xl2tpd:02", part142); - - var part143 = match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg135 = msg("xl2tpd:03", part143); - - var part144 = match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg136 = msg("xl2tpd:04", 
part144); - - var part145 = match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ - dup12, - dup38, - dup11, - dup2, - ])); - - var msg137 = msg("xl2tpd:05", part145); - - var select12 = linear_select([ - msg132, - msg133, - msg134, - msg135, - msg136, - msg137, - ]); - - var part146 = match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ - dup12, - setc("event_description","barnyard: Exiting"), - dup11, - dup2, - ])); - - var msg138 = msg("barnyard:01", part146); - - var part147 = match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Initializing daemon mode"), - dup11, - dup2, - ])); - - var msg139 = msg("barnyard:02", part147); - - var part148 = match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%(unknown)'", processor_chain([ - dup12, - setc("event_description","barnyard:Opened spool file."), - dup11, - dup2, - ])); - - var msg140 = msg("barnyard:03", part148); - - var part149 = match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ - dup12, - setc("event_description","barnyard:Waiting for new data"), - dup11, - dup2, - ])); - - var msg141 = msg("barnyard:04", part149); - - var select13 = linear_select([ - msg138, - msg139, - msg140, - msg141, - ]); - - var part150 = match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ - dup12, - setc("event_description","exim:SMTP connection from localhost closed by QUIT"), - dup11, - dup2, - ])); - - var msg142 = msg("exim:01", part150); - - var part151 = match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: 
%{info}", processor_chain([ - setc("eventcategory","1207010000"), - setc("event_description","exim:e-mail accepted from relay."), - dup11, - dup2, - ])); - - var msg143 = msg("exim:02", part151); - - var part152 = match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ - setc("eventcategory","1207000000"), - setc("event_description","exim: e-mail sent."), - dup11, - dup2, - ])); - - var msg144 = msg("exim:03", part152); - - var part153 = match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ - dup39, - setc("event_description","exim: e-mail host lookup did not complete in DNS."), - dup11, - dup2, - ])); - - var msg145 = msg("exim:04", part153); - - var part154 = match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ - dup39, - setc("event_description","exim: e-mail routing defer:retry time not reached."), - dup11, - dup2, - ])); - - var msg146 = msg("exim:05", part154); - - var part155 = match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ - dup12, - setc("event_description","exim: exim daemon started."), - dup11, - dup2, - ])); - - var msg147 = msg("exim:06", part155); - - var part156 = match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ - dup12, - 
setc("event_description","exim: Start queue run."),
- dup11,
- dup2,
- ]));
-
- var msg148 = msg("exim:07", part156);
-
- var part157 = match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([
- dup12,
- setc("event_description","exim: SIGHUP received: re-exec daemon."),
- dup11,
- dup2,
- ]));
-
- var msg149 = msg("exim:08", part157);
-
- var part158 = match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([
- dup12,
- setc("event_description","exim: SMTP connection from host."),
- dup11,
- dup2,
- ]));
-
- var msg150 = msg("exim:09", part158);
-
- var part159 = match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([
- dup12,
- setc("event_description","exim:rejected EHLO from host."),
- dup11,
- dup2,
- ]));
-
- var msg151 = msg("exim:10", part159);
-
- var part160 = match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([
- dup12,
- setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."),
- dup11,
- dup2,
- ]));
-
- var msg152 = msg("exim:11", part160);
-
- var part161 = match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([
- dup12,
- setc("event_description","exim:TLS error on connection from host."),
- dup11,
- dup2,
- ]));
-
- var msg153 = msg("exim:12", part161);
-
- var part162 = match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == %{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([
- dup12,
- dup40,
- dup11,
- dup2,
- ]));
-
- var msg154 = msg("exim:13", part162);
-
- var part163 = match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([
- dup12,
- dup40,
- dup11,
- dup2,
- ]));
-
- var msg155 = msg("exim:14", part163);
-
- var part164 = match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([
- dup12,
- dup40,
- dup11,
- dup2,
- ]));
-
- var msg156 = msg("exim:15", part164);
-
- var part165 = match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([
- dup12,
- dup11,
- dup2,
- ]));
-
- var msg157 = msg("exim:16", part165);
-
- var select14 = linear_select([
- msg142,
- msg143,
- msg144,
- msg145,
- msg146,
- msg147,
- msg148,
- msg149,
- msg150,
- msg151,
- msg152,
- msg153,
- msg154,
- msg155,
- msg156,
- msg157,
- ]);
-
- var part166 = match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([
- dup12,
- setc("event_description","smtpd: Process moved to work queue."),
- dup11,
- dup2,
- ]));
-
- var msg158 = msg("smtpd:01", part166);
-
- var part167 = match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([
- setc("eventcategory","1207010100"),
- dup11,
- dup2,
- ]));
-
- var msg159 = msg("smtpd:02", part167);
-
- var part168 = match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([
- dup12,
- setc("event_description","smtpd: SCANNER: Nothing to do,exiting."),
- dup11,
- dup2,
- ]));
-
- var msg160 = msg("smtpd:03", part168);
-
- var part169 = match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([
- dup12,
- setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."),
- dup11,
- dup2,
- ]));
-
- var msg161 = msg("smtpd:04", part169);
-
- var part170 = match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([
- dup12,
- setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."),
- dup11,
- dup2,
- ]));
-
- var msg162 = msg("smtpd:07", part170);
-
- var part171 = match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([
- dup12,
- setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."),
- dup11,
- dup2,
- ]));
-
- var msg163 = msg("smtpd:05", part171);
-
- var part172 = match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([
- dup12,
- setc("event_description","smtpd: MASTER:Sending QR one."),
- dup11,
- dup2,
- ]));
-
- var msg164 = msg("smtpd:06", part172);
-
- var select15 = linear_select([
- msg158,
- msg159,
- msg160,
- msg161,
- msg162,
- msg163,
- msg164,
- ]);
-
- var part173 = match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([
- dup10,
- setc("event_description","sshd: Did not receive identification string."),
- dup11,
- dup2,
- ]));
-
- var msg165 = msg("sshd:01", part173);
-
- var part174 = match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([
- dup12,
- setc("event_description","sshd:Received SIGHUP restarting."),
- dup11,
- dup2,
- ]));
-
- var msg166 = msg("sshd:02", part174);
-
- var part175 = match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} port %{sport}.", processor_chain([
- dup12,
- setc("event_description","sshd:Server listening; restarting."),
- dup11,
- dup2,
- ]));
-
- var msg167 = msg("sshd:03", part175);
-
- var part176 = match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([
- dup41,
- setc("event_description","sshd:Invalid user admin."),
- dup11,
- dup2,
- ]));
-
- var msg168 = msg("sshd:04", part176);
-
- var part177 = match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([
- dup41,
- setc("event_description","sshd:Failed none for invalid user admin."),
- dup11,
- dup2,
- ]));
-
- var msg169 = msg("sshd:05", part177);
-
- var part178 = match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([
- dup10,
- setc("event_description","sshd:error:Could not get shadow information for NOUSER"),
- dup11,
- dup2,
- ]));
-
- var msg170 = msg("sshd:06", part178);
-
- var part179 = match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([
- dup41,
- setc("event_description","sshd:Failed password for root."),
- dup11,
- dup2,
- ]));
-
- var msg171 = msg("sshd:07", part179);
-
- var part180 = match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([
- setc("eventcategory","1302000000"),
- setc("event_description","sshd:Accepted password for loginuser."),
- dup11,
- dup2,
- ]));
-
- var msg172 = msg("sshd:08", part180);
-
- var part181 = match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([
- dup10,
- setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."),
- dup11,
- dup2,
- ]));
-
- var msg173 = msg("sshd:09", part181);
-
- var select16 = linear_select([
- msg165,
- msg166,
- msg167,
- msg168,
- msg169,
- msg170,
- msg171,
- msg172,
- msg173,
- ]);
-
- var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, {
- "caller": "fld4",
- "engine": "fld5",
- "id": "fld1",
- "name": "event_description",
- "severity": "severity",
- "srcip": "saddr",
- "sub": "service",
- "sys": "fld2",
- "user": "username",
- }, processor_chain([
- dup13,
- dup11,
- dup2,
- dup45,
- dup46,
- ]));
-
- var msg174 = msg("aua:01", part182);
-
- var part183 = match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([
- dup12,
- setc("event_description","sockd: created new negotiatorchild."),
- dup11,
- dup2,
- ]));
-
- var msg175 = msg("sockd:01", part183);
-
- var part184 = match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([
- dup12,
- setc("event_description","sockd:dante/server running."),
- dup11,
- dup2,
- ]));
-
- var msg176 = msg("sockd:02", part184);
-
- var part185 = match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([
- dup12,
- setc("event_description","sockd:sockdexit():terminating on signal."),
- dup11,
- dup2,
- ]));
-
- var msg177 = msg("sockd:03", part185);
-
- var select17 = linear_select([
- msg175,
- msg176,
- msg177,
- ]);
-
- var part186 = match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([
- dup12,
- setc("event_description","pop3proxy:Master started."),
- dup11,
- dup2,
- ]));
-
- var msg178 = msg("pop3proxy", part186);
-
- var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, {
- "account": "logon_id",
- "action": "action",
- "ad_domain": "fld5",
- "app-id": "fld20",
- "application": "fld19",
- "attributes": "obj_name",
- "auth": "fld15",
- "authtime": "fld9",
- "avscantime": "fld12",
- "cached": "fld7",
- "caller": "fld30",
- "category": "policy_id",
- "categoryname": "info",
- "cattime": "fld11",
- "class": "group_object",
- "client": "fld3",
- "content-type": "content_type",
- "cookie": "web_cookie",
- "count": "fld4",
- "device": "fld14",
- "dnstime": "fld10",
- "dstip": "daddr",
- "dstmac": "dmacaddr",
- "dstport": "dport",
- "engine": "fld31",
- "error": "comments",
- "exceptions": "fld17",
- "extension": "web_extension",
- "extra": "info",
- "facility": "logon_type",
- "file": "filename",
- "filename": "filename",
- "filteraction": "policyname",
- "fullreqtime": "fld13",
- "function": "action",
- "fwrule": "policy_id",
- "group": "group",
- "host": "dhost",
- "id": "rule",
- "info": "context",
- "initf": "sinterface",
- "length": "fld25",
- "line": "fld22",
- "localip": "fld31",
- "message": "context",
- "method": "web_method",
- "name": "event_description",
- "node": "node",
- "object": "fld6",
- "outitf": "dinterface",
- "prec": "fld30",
- "profile": "owner",
- "proto": "fld24",
- "reason": "comments",
- "referer": "web_referer",
- "reputation": "fld18",
- "request": "fld8",
- "seq": "fld23",
- "server": "daddr",
- "set-cookie": "fld32",
- "severity": "severity",
- "size": "filename_size",
- "srcip": "saddr",
- "srcmac": "smacaddr",
- "srcport": "sport",
- "statuscode": "resultcode",
- "storage": "directory",
- "sub": "service",
- "sys": "vsys",
- "tcpflags": "fld29",
- "time": "fld21",
- "tos": "fld26",
- "ttl": "fld28",
- "type": "obj_type",
- "ua": "fld16",
- "url": "url",
- "user": "username",
- "version": "version",
- }, processor_chain([
- dup12,
- dup11,
- dup2,
- dup45,
- dup46,
- ]));
-
- var msg179 = msg("astarosg_TVM", part187);
-
- var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, {
- "account": "logon_id",
- "action": "action",
- "ad_domain": "fld5",
- "app-id": "fld20",
- "application": "fld19",
- "attributes": "obj_name",
- "auth": "fld15",
- "authtime": "fld9",
- "avscantime": "fld12",
- "cached": "fld7",
- "caller": "fld30",
- "category": "policy_id",
- "categoryname": "info",
- "cattime": "fld11",
- "class": "group_object",
- "client": "fld3",
- "content-type": "content_type",
- "cookie": "web_cookie",
- "count": "fld4",
- "device": "fld14",
- "dnstime": "fld10",
- "dstip": "daddr",
- "dstmac": "dmacaddr",
- "dstport": "dport",
- "engine": "fld31",
- "error": "comments",
- "exceptions": "fld17",
- "extension": "web_extension",
- "extra": "info",
- "facility": "logon_type",
- "file": "filename",
- "filename": "filename",
- "filteraction": "policyname",
- "fullreqtime": "fld13",
- "function": "action",
- "fwrule": "policy_id",
- "group": "group",
- "host": "dhost",
- "id": "rule",
- "info": "context",
- "initf": "sinterface",
- "length": "fld25",
- "line": "fld22",
- "localip": "fld31",
- "message": "context",
- "method": "web_method",
- "name": "event_description",
- "node": "node",
- "object": "fld6",
- "outitf": "dinterface",
- "port": "network_port",
- "prec": "fld30",
- "profile": "owner",
- "proto": "fld24",
- "query": "web_query",
- "reason": "comments",
- "referer": "web_referer",
- "reputation": "fld18",
- "request": "fld8",
- "seq": "fld23",
- "server": "daddr",
- "set-cookie": "fld32",
- "severity": "severity",
- "size": "filename_size",
- "srcip": "saddr",
- "srcmac": "smacaddr",
- "srcport": "sport",
- "statuscode": "resultcode",
- "storage": "directory",
- "sub": "service",
- "sys": "vsys",
- "tcpflags": "fld29",
- "time": "fld21",
- "tos": "fld26",
- "ttl": "fld28",
- "type": "obj_type",
- "ua": "fld16",
- "uid": "uid",
- "url": "url",
- "user": "username",
- "version": "version",
- }, processor_chain([
- dup12,
- dup11,
- dup2,
- dup45,
- dup46,
- ]));
-
- var msg180 = msg("httpd", part188);
-
- var part189 = match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%(unknown)\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([
- setc("eventcategory","1502000000"),
- dup2,
- dup3,
- ]));
-
- var msg181 = msg("httpd:01", part189);
-
- var select18 = linear_select([
- msg180,
- msg181,
- ]);
-
- var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, {
- "activityname": "fld9",
- "appfilter_policy_id": "fld10",
- "application": "application",
- "application_category": "fld23",
- "application_risk": "risk_num",
- "application_technology": "fld11",
- "appresolvedby": "fld22",
- "category": "fld4",
- "category_type": "fld5",
- "connevent": "fld19",
- "connid": "connectionid",
- "contenttype": "content_type",
- "dir_disp": "fld18",
- "domain": "fqdn",
- "dst_country_code": "location_dst",
- "dst_ip": "daddr",
- "dst_port": "dport",
- "dstzone": "dst_zone",
- "dstzonetype": "fld17",
- "duration": "duration",
- "exceptions": "fld8",
- "fw_rule_id": "rule_uid",
- "hb_health": "fld21",
- "httpresponsecode": "fld7",
- "iap": "id1",
- "in_interface": "sinterface",
- "ips_policy_id": "policy_id",
- "log_component": "event_source",
- "log_subtype": "category",
- "log_type": "event_type",
- "message": "info",
- "out_interface": "dinterface",
- "override_token": "fld6",
- "policy_type": "fld23",
- "priority": "severity",
- "protocol": "protocol",
- "reason": "result",
- "recv_bytes": "rbytes",
- "recv_pkts": "fld15",
- "referer": "web_referer",
- "sent_bytes": "sbytes",
- "sent_pkts": "fld14",
- "src_country_code": "location_src",
- "src_ip": "saddr",
- "src_mac": "smacaddr",
- "src_port": "sport",
- "srczone": "src_zone",
- "srczonetype": "fld16",
- "status": "event_state",
- "status_code": "resultcode",
- "tran_dst_ip": "dtransaddr",
- "tran_dst_port": "dtransport",
- "tran_src_ip": "stransaddr",
- "tran_src_port": "stransport",
- "transactionid": "id2",
- "url": "url",
- "user_agent": "user_agent",
- "user_gp": "group",
- "user_name": "username",
- "vconnid": "fld20",
- }, processor_chain([
- setc("eventcategory","1204000000"),
- dup2,
- date_time({
- dest: "event_time",
- args: ["hdate","htime"],
- fmts: [
- [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS],
- ],
- }),
- ]));
-
- var msg182 = msg("Sophos_Firewall", part190);
-
- var chain1 = processor_chain([
- select1,
- msgid_select({
- "Sophos_Firewall": msg182,
- "URID": msg38,
- "afcd": msg94,
- "astarosg_TVM": msg179,
- "aua": msg174,
- "barnyard": select13,
- "confd": msg90,
- "confd-sync": msg89,
- "exim": select14,
- "frox": select9,
- "httpd": select18,
- "httpproxy": select3,
- "ipsec_starter": select10,
- "named": select2,
- "pluto": select11,
- "pop3proxy": msg178,
- "reverseproxy": select8,
- "smtpd": select15,
- "sockd": select17,
- "sshd": select16,
- "ulogd": msg39,
- "xl2tpd": select12,
- }),
- ]);
-
- var part191 = match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0");
-
-- community_id:
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: dns.question.name
- target_field: dns.question.registered_domain
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/sophos/2.2.2/data_stream/utm/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/2.2.2/data_stream/utm/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 0ccb6ce73a..0000000000
--- a/packages/sophos/2.2.2/data_stream/utm/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,84 +0,0 @@
----
-description: Pipeline for Sophos UTM (formerly Astaro Security Gateway).
-
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - gsub:
- field: destination.mac
- ignore_missing: true
- pattern: '[:]'
- replacement: '-'
- - gsub:
- field: source.mac
- ignore_missing: true
- pattern: '[:]'
- replacement: '-'
- - uppercase:
- field: destination.mac
- ignore_missing: true
- - uppercase:
- field: source.mac
- ignore_missing: true
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/sophos/2.2.2/data_stream/utm/fields/base-fields.yml b/packages/sophos/2.2.2/data_stream/utm/fields/base-fields.yml
deleted file mode 100755
index 0c50a77637..0000000000
--- a/packages/sophos/2.2.2/data_stream/utm/fields/base-fields.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sophos
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sophos.utm
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
-- name: input.type
- description: Type of Filebeat input.
- type: keyword
-- name: log.file.path
- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- type: keyword
-- name: log.source.address
- description: Source address from which the log event was read / sent from.
- type: keyword
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- description: Offset of the entry in the log file.
- type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/sophos/2.2.2/data_stream/utm/fields/ecs.yml b/packages/sophos/2.2.2/data_stream/utm/fields/ecs.yml
deleted file mode 100755
index a7357fbfbe..0000000000
--- a/packages/sophos/2.2.2/data_stream/utm/fields/ecs.yml
+++ /dev/null
@@ -1,539 +0,0 @@
-- description: |-
- Date/time when the event originated.
- This is the date/time extracted from the event, typically representing when the event was generated by the source.
- If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
- Required field for all events.
- name: '@timestamp'
- type: date
-- description: |-
- The domain name of the client system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: client.domain
- type: keyword
-- description: |-
- The highest registered client domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: client.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: client.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: client.top_level_domain
- type: keyword
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- MAC address of the destination.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: destination.mac
- type: keyword
-- description: |-
- Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.ip
- type: ip
-- description: |-
- Port the source session is translated to by NAT Device.
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.port
- type: long
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- The highest registered destination domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: destination.registered_domain
- type: keyword
-- description: |-
- The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
- For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: destination.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: destination.top_level_domain
- type: keyword
-- description: |-
- The domain name to which this resource record pertains.
- If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
- name: dns.answers.name
- type: keyword
-- description: The type of data contained in this resource record.
- name: dns.answers.type
- type: keyword
-- description: |-
- The highest registered domain, stripped of the subdomain.
- For example, the registered domain for "foo.example.com" is "example.com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
- name: dns.question.registered_domain
- type: keyword
-- description: |-
- The subdomain is all of the labels under the registered_domain.
- If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
- name: dns.question.subdomain
- type: keyword
-- description: |-
- The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
- name: dns.question.top_level_domain
- type: keyword
-- description: The type of record being queried.
- name: dns.question.type
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
- Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: event.timezone
- type: keyword
-- description: |-
- Array of file attributes.
- Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
- name: file.attributes
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: file.size
- type: long
-- description: File type (file, dir, or symlink).
- name: file.type
- type: keyword
-- description: City name.
- name: geo.city_name
- type: keyword
-- description: Country name.
- name: geo.country_name
- type: keyword
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: geo.name
- type: keyword
-- description: Region name.
- name: geo.region_name
- type: keyword
-- description: Unique identifier for the group on the system/platform.
- name: group.id
- type: keyword
-- description: Name of the group.
- name: group.name
- type: keyword
-- description: |-
- Hostname of the host.
- It normally contains what the `hostname` command returns on the host machine.
- name: host.hostname
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: |-
- Host MAC addresses.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: host.mac
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - The Syslog numeric facility of the log event, if available. - According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - name: log.syslog.facility.code - type: long -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. - name: log.syslog.severity.code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: Interface name as reported by the system. 
- name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.parent.title - type: keyword -- description: Process id. - name: process.pid - type: long -- description: Process id. - name: process.parent.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: |- - The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: server.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: server.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: server.top_level_domain - type: keyword -- description: |- - Name of the service data is collected from. - The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. - In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. - name: service.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: url.top_level_domain - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/sophos/2.2.2/data_stream/utm/fields/fields.yml b/packages/sophos/2.2.2/data_stream/utm/fields/fields.yml deleted file mode 100755 index ea69cd79e3..0000000000 --- a/packages/sophos/2.2.2/data_stream/utm/fields/fields.yml +++ /dev/null 
@@ -1,1754 +0,0 @@ -- name: rsa - type: group - fields: - - name: internal - type: group - fields: - - name: msg - type: keyword - description: This key is used to capture the raw message that comes into the Log Decoder - - name: messageid - type: keyword - - name: event_desc - type: keyword - - name: message - type: keyword - description: This key captures the contents of instant messages - - name: time - type: date - description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - - name: level - type: long - description: Deprecated key defined only in table map. - - name: msg_id - type: keyword - description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: msg_vid - type: keyword - description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: data - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - type: keyword - description: Deprecated key defined only in table map. - - name: obj_val - type: keyword - description: Deprecated key defined only in table map. - - name: resource - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - type: keyword - description: Deprecated key defined only in table map. - - name: statement - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - type: keyword - description: Deprecated key defined only in table map. 
- - name: entry - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - type: keyword - description: Deprecated key defined only in table map. - - name: inode - type: long - description: Deprecated key defined only in table map. - - name: resource_class - type: keyword - description: Deprecated key defined only in table map. - - name: dead - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - type: keyword - description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: feed_name - type: keyword - description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: cid - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_class - type: keyword - description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_group - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - type: keyword - description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - type: keyword - description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type_id - type: long - description: Deprecated key defined only in table map. - - name: did - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: entropy_req - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: entropy_res - type: long - description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - - name: event_name - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - type: keyword - description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: forward_ip - type: ip - description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - type: ip - description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: header_id - type: keyword - description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_cid - type: keyword - description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: lc_ctime - type: date - description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - type: long - description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - type: long - description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: mcbc_res - type: long - description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - - name: medium - type: long - description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - type: keyword - description: Deprecated key defined only in table map. - - name: nwe_callback_id - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - type: keyword - description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: payload_req - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep - - name: payload_res - type: long - description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - - name: process_vid_dst - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - - name: process_vid_src - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - - name: rid - type: long - description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: session_split - type: keyword - description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - type: keyword - description: Deprecated key defined only in table map. - - name: size - type: long - description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: sourcefile - type: keyword - description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once - - name: ubc_res - type: long - description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - - name: word - type: keyword - description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - - name: time - type: group - fields: - - name: event_time - type: date - description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - - name: duration_time - type: double - description: This key is used to capture the normalized duration/lifetime in seconds. - - name: event_time_str - type: keyword - description: This key is used to capture the incomplete time mentioned in a session as a string - - name: starttime - type: date - description: This key is used to capture the Start time mentioned in a session in a standard form - - name: month - type: keyword - - name: day - type: keyword - - name: endtime - type: date - description: This key is used to capture the End time mentioned in a session in a standard form - - name: timezone - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - type: keyword - description: A text string version of the duration - - name: date - type: keyword - - name: year - type: keyword - - name: recorded_time - type: date - description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
- - name: datetime - type: keyword - - name: effective_time - type: date - description: This key is the effective time referenced by an individual event in a Standard Timestamp format - - name: expire_time - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - type: keyword - description: Deprecated, use duration.time - - name: hour - type: keyword - - name: min - type: keyword - - name: timestamp - type: keyword - - name: event_queue_time - type: date - description: This key is the Time that the event was queued. - - name: p_time1 - type: keyword - - name: tzone - type: keyword - - name: eventtime - type: keyword - - name: gmtdate - type: keyword - - name: gmttime - type: keyword - - name: p_date - type: keyword - - name: p_month - type: keyword - - name: p_time - type: keyword - - name: p_time2 - type: keyword - - name: p_year - type: keyword - - name: expire_time_str - type: keyword - description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. - - name: stamp - type: date - description: Deprecated key defined only in table map. - - name: misc - type: group - fields: - - name: action - type: keyword - - name: result - type: keyword - description: This key is used to capture the outcome/result string value of an action in a session. - - name: severity - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - type: keyword - description: This key captures the event category type as specified by the event source. - - name: reference_id - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - type: keyword - description: This key captures Version of the application or OS which is generating the event. - - name: disposition - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - type: keyword - description: This key is used to capture the outcome/result numeric value of an action in a session - - name: category - type: keyword - description: This key is used to capture the category of an event given by the vendor in the session - - name: obj_name - type: keyword - description: This is used to capture name of object - - name: obj_type - type: keyword - description: This is used to capture type of object - - name: event_source - type: keyword - description: "This key captures Source of the event that’s not a hostname" - - name: log_session_id - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - type: keyword - description: This key captures the Group Name value - - name: policy_name - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - type: keyword - description: This key captures the Rule Name - - name: context - type: keyword - description: This key captures Information which adds additional context to the event. - - name: change_new - type: keyword - description: "This key is used to capture the new values of the attribute that’s changing in a session" - - name: space - type: keyword - - name: client - type: keyword - description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - - name: msgIdPart1 - type: keyword - - name: msgIdPart2 - type: keyword - - name: change_old - type: keyword - description: "This key is used to capture the old value of the attribute that’s changing in a session" - - name: operation_id - type: keyword - description: An alert number or operation number. The values should be unique and non-repeating. 
- - name: event_state - type: keyword - description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. - - name: group_object - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - type: keyword - description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. - - name: rule - type: keyword - description: This key captures the Rule number - - name: device_name - type: keyword - description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' - - name: param - type: keyword - description: This key is the parameters passed as part of a command or application, etc. - - name: change_attrib - type: keyword - description: "This key is used to capture the name of the attribute that’s changing in a session" - - name: event_computer - type: keyword - description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - - name: reference_id1 - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - type: keyword - description: This key captures the Name of the event log - - name: OS - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - type: keyword - - name: filter - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - type: keyword - description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - - name: event_user - type: keyword - description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - - name: virusname - type: keyword - description: This key captures the name of the virus - - name: content_type - type: keyword - description: This key is used to capture Content Type only. - - name: group_id - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - type: keyword - description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - - name: vsys - type: keyword - description: This key captures Virtual System Name - - name: connection_id - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - - name: sensor - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS based devices - - name: sig_id - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - type: keyword - description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' - - name: rule_group - type: keyword - description: This key captures the Rule group name - - name: risk_num - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - type: keyword - description: This key captures the Value of the trigger or threshold condition. 
- - name: log_session_id1 - type: keyword - description: This key is used to capture a Linked (Related) Session ID from the session directly - - name: comp_version - type: keyword - description: This key captures the Version level of a sub-component of a product. - - name: content_version - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - type: keyword - description: This key is used to capture unique identifier for a device or system (NOT a Mac address) - - name: risk - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - type: keyword - - name: reason - type: keyword - - name: status - type: keyword - - name: mail_id - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - type: keyword - - name: p_msgid - type: keyword - - name: data_type - type: keyword - - name: msgIdPart4 - type: keyword - - name: error - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - type: keyword - - name: listnum - type: keyword - description: This key is used to capture listname or listnumber, primarily for collecting access-list - - name: ntype - type: keyword - - name: observed_val - type: keyword - description: This key captures the Value observed (from the perspective of the device generating the log). - - name: policy_value - type: keyword - description: This key captures the contents of the policy. 
This contains details about the policy - - name: pool_name - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - type: keyword - description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - - name: count - type: keyword - - name: number - type: keyword - - name: sigcat - type: keyword - - name: type - type: keyword - - name: comments - type: keyword - description: Comment information provided in the log message - - name: doc_number - type: long - description: This key captures File Identification number - - name: expected_val - type: keyword - description: This key captures the Value expected (from the perspective of the device generating the log). - - name: job_num - type: keyword - description: This key captures the Job Number - - name: spi_dst - type: keyword - description: Destination SPI Index - - name: spi_src - type: keyword - description: Source SPI Index - - name: code - type: keyword - - name: agent_id - type: keyword - description: This key is used to capture agent id - - name: message_body - type: keyword - description: This key captures the The contents of the message body. - - name: phone - type: keyword - - name: sig_id_str - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - type: keyword - - name: misc - type: keyword - - name: name - type: keyword - - name: cpu - type: long - description: This key is the CPU time used in the execution of the event being recorded. - - name: event_desc - type: keyword - description: This key is used to capture a description of an event available directly or inferred - - name: sig_id1 - type: long - description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id - - name: im_buddyid - type: keyword - - name: im_client - type: keyword - - name: im_userid - type: keyword - - name: pid - type: keyword - - name: priority - type: keyword - - name: context_subject - type: keyword - description: This key is to be used in an audit context where the subject is the object being identified - - name: context_target - type: keyword - - name: cve - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - - name: fcatnum - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - type: keyword - description: This key captures the Parent Node Name. Must be related to node variable. - - name: risk_info - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - type: long - description: This key describes the type of service - - name: vm_target - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - type: keyword - description: This key captures Workspace Description - - name: command - type: keyword - - name: event_category - type: keyword - - name: facilityname - type: keyword - - name: forensic_info - type: keyword - - name: jobname - type: keyword - - name: mode - type: keyword - - name: policy - type: keyword - - name: policy_waiver - type: keyword - - name: second - type: keyword - - name: space1 - type: keyword - - name: subcategory - type: keyword - - name: tbdstr2 - type: keyword - - name: alert_id - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - type: keyword - description: This key is used to capture the checksum or hash of the the target entity such as a process or file. - - name: checksum_src - type: keyword - description: This key is used to capture the checksum or hash of the source entity such as a file or process. - - name: fresult - type: long - description: This key captures the Filter Result - - name: payload_dst - type: keyword - description: This key is used to capture destination payload - - name: payload_src - type: keyword - description: This key is used to capture source payload - - name: pool_id - type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool - - name: process_id_val - type: keyword - description: This key is a failure key for Process ID when it is not an integer value - - name: risk_num_comm - type: double - description: This key captures Risk Number Community - - name: risk_num_next - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - 
type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - type: keyword - description: SNMP Object Identifier - - name: sql - type: keyword - description: This key captures the SQL query - - name: vuln_ref - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - type: keyword - - name: acl_op - type: keyword - - name: acl_pos - type: keyword - - name: acl_table - type: keyword - - name: admin - type: keyword - - name: alarm_id - type: keyword - - name: alarmname - type: keyword - - name: app_id - type: keyword - - name: audit - type: keyword - - name: audit_object - type: keyword - - name: auditdata - type: keyword - - name: benchmark - type: keyword - - name: bypass - type: keyword - - name: cache - type: keyword - - name: cache_hit - type: keyword - - name: cefversion - type: keyword - - name: cfg_attr - type: keyword - - name: cfg_obj - type: keyword - - name: cfg_path - type: keyword - - name: changes - type: keyword - - name: client_ip - type: keyword - - name: clustermembers - type: keyword - - name: cn_acttimeout - type: keyword - - name: cn_asn_src - type: keyword - - name: cn_bgpv4nxthop - type: keyword - - name: cn_ctr_dst_code - type: keyword - - name: cn_dst_tos - type: keyword - - name: cn_dst_vlan - type: keyword - - name: cn_engine_id - type: keyword - - name: cn_engine_type - type: keyword - - name: cn_f_switch - type: keyword - - name: cn_flowsampid - type: keyword - - name: cn_flowsampintv - type: keyword - - name: cn_flowsampmode - type: keyword - - name: cn_inacttimeout - type: keyword - - name: cn_inpermbyts - type: keyword - - name: cn_inpermpckts - type: keyword - - name: cn_invalid - type: keyword - - name: cn_ip_proto_ver - type: keyword - - name: cn_ipv4_ident - type: keyword - - name: cn_l_switch - type: keyword - - name: cn_log_did - type: keyword - - name: cn_log_rid - type: keyword - - name: cn_max_ttl - type: keyword - - name: 
cn_maxpcktlen - type: keyword - - name: cn_min_ttl - type: keyword - - name: cn_minpcktlen - type: keyword - - name: cn_mpls_lbl_1 - type: keyword - - name: cn_mpls_lbl_10 - type: keyword - - name: cn_mpls_lbl_2 - type: keyword - - name: cn_mpls_lbl_3 - type: keyword - - name: cn_mpls_lbl_4 - type: keyword - - name: cn_mpls_lbl_5 - type: keyword - - name: cn_mpls_lbl_6 - type: keyword - - name: cn_mpls_lbl_7 - type: keyword - - name: cn_mpls_lbl_8 - type: keyword - - name: cn_mpls_lbl_9 - type: keyword - - name: cn_mplstoplabel - type: keyword - - name: cn_mplstoplabip - type: keyword - - name: cn_mul_dst_byt - type: keyword - - name: cn_mul_dst_pks - type: keyword - - name: cn_muligmptype - type: keyword - - name: cn_sampalgo - type: keyword - - name: cn_sampint - type: keyword - - name: cn_seqctr - type: keyword - - name: cn_spackets - type: keyword - - name: cn_src_tos - type: keyword - - name: cn_src_vlan - type: keyword - - name: cn_sysuptime - type: keyword - - name: cn_template_id - type: keyword - - name: cn_totbytsexp - type: keyword - - name: cn_totflowexp - type: keyword - - name: cn_totpcktsexp - type: keyword - - name: cn_unixnanosecs - type: keyword - - name: cn_v6flowlabel - type: keyword - - name: cn_v6optheaders - type: keyword - - name: comp_class - type: keyword - - name: comp_name - type: keyword - - name: comp_rbytes - type: keyword - - name: comp_sbytes - type: keyword - - name: cpu_data - type: keyword - - name: criticality - type: keyword - - name: cs_agency_dst - type: keyword - - name: cs_analyzedby - type: keyword - - name: cs_av_other - type: keyword - - name: cs_av_primary - type: keyword - - name: cs_av_secondary - type: keyword - - name: cs_bgpv6nxthop - type: keyword - - name: cs_bit9status - type: keyword - - name: cs_context - type: keyword - - name: cs_control - type: keyword - - name: cs_data - type: keyword - - name: cs_datecret - type: keyword - - name: cs_dst_tld - type: keyword - - name: cs_eth_dst_ven - type: keyword - - 
name: cs_eth_src_ven - type: keyword - - name: cs_event_uuid - type: keyword - - name: cs_filetype - type: keyword - - name: cs_fld - type: keyword - - name: cs_if_desc - type: keyword - - name: cs_if_name - type: keyword - - name: cs_ip_next_hop - type: keyword - - name: cs_ipv4dstpre - type: keyword - - name: cs_ipv4srcpre - type: keyword - - name: cs_lifetime - type: keyword - - name: cs_log_medium - type: keyword - - name: cs_loginname - type: keyword - - name: cs_modulescore - type: keyword - - name: cs_modulesign - type: keyword - - name: cs_opswatresult - type: keyword - - name: cs_payload - type: keyword - - name: cs_registrant - type: keyword - - name: cs_registrar - type: keyword - - name: cs_represult - type: keyword - - name: cs_rpayload - type: keyword - - name: cs_sampler_name - type: keyword - - name: cs_sourcemodule - type: keyword - - name: cs_streams - type: keyword - - name: cs_targetmodule - type: keyword - - name: cs_v6nxthop - type: keyword - - name: cs_whois_server - type: keyword - - name: cs_yararesult - type: keyword - - name: description - type: keyword - - name: devvendor - type: keyword - - name: distance - type: keyword - - name: dstburb - type: keyword - - name: edomain - type: keyword - - name: edomaub - type: keyword - - name: euid - type: keyword - - name: facility - type: keyword - - name: finterface - type: keyword - - name: flags - type: keyword - - name: gaddr - type: keyword - - name: id3 - type: keyword - - name: im_buddyname - type: keyword - - name: im_croomid - type: keyword - - name: im_croomtype - type: keyword - - name: im_members - type: keyword - - name: im_username - type: keyword - - name: ipkt - type: keyword - - name: ipscat - type: keyword - - name: ipspri - type: keyword - - name: latitude - type: keyword - - name: linenum - type: keyword - - name: list_name - type: keyword - - name: load_data - type: keyword - - name: location_floor - type: keyword - - name: location_mark - type: keyword - - name: log_id - 
type: keyword - - name: log_type - type: keyword - - name: logid - type: keyword - - name: logip - type: keyword - - name: logname - type: keyword - - name: longitude - type: keyword - - name: lport - type: keyword - - name: mbug_data - type: keyword - - name: misc_name - type: keyword - - name: msg_type - type: keyword - - name: msgid - type: keyword - - name: netsessid - type: keyword - - name: num - type: keyword - - name: number1 - type: keyword - - name: number2 - type: keyword - - name: nwwn - type: keyword - - name: object - type: keyword - - name: operation - type: keyword - - name: opkt - type: keyword - - name: orig_from - type: keyword - - name: owner_id - type: keyword - - name: p_action - type: keyword - - name: p_filter - type: keyword - - name: p_group_object - type: keyword - - name: p_id - type: keyword - - name: p_msgid1 - type: keyword - - name: p_msgid2 - type: keyword - - name: p_result1 - type: keyword - - name: password_chg - type: keyword - - name: password_expire - type: keyword - - name: permgranted - type: keyword - - name: permwanted - type: keyword - - name: pgid - type: keyword - - name: policyUUID - type: keyword - - name: prog_asp_num - type: keyword - - name: program - type: keyword - - name: real_data - type: keyword - - name: rec_asp_device - type: keyword - - name: rec_asp_num - type: keyword - - name: rec_library - type: keyword - - name: recordnum - type: keyword - - name: ruid - type: keyword - - name: sburb - type: keyword - - name: sdomain_fld - type: keyword - - name: sec - type: keyword - - name: sensorname - type: keyword - - name: seqnum - type: keyword - - name: session - type: keyword - - name: sessiontype - type: keyword - - name: sigUUID - type: keyword - - name: spi - type: keyword - - name: srcburb - type: keyword - - name: srcdom - type: keyword - - name: srcservice - type: keyword - - name: state - type: keyword - - name: status1 - type: keyword - - name: svcno - type: keyword - - name: system - type: keyword - - 
name: tbdstr1 - type: keyword - - name: tgtdom - type: keyword - - name: tgtdomain - type: keyword - - name: threshold - type: keyword - - name: type1 - type: keyword - - name: udb_class - type: keyword - - name: url_fld - type: keyword - - name: user_div - type: keyword - - name: userid - type: keyword - - name: username_fld - type: keyword - - name: utcstamp - type: keyword - - name: v_instafname - type: keyword - - name: virt_data - type: keyword - - name: vpnid - type: keyword - - name: autorun_type - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - type: long - description: Valid Credit Card Numbers only - - name: content - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - type: long - description: Employee Identification Numbers only - - name: found - type: keyword - description: This is used to capture the results of regex match - - name: language - type: keyword - description: This is used to capture list of languages the client support and what it prefers - - name: lifetime - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: match - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - type: keyword - description: This key captures the command line/launch argument of the target process or file - - name: param_src - type: keyword - description: This key captures source parameter - - name: search_text - type: keyword - description: This key captures the Search Text used - - name: sig_name - type: keyword - description: This key is used to capture the Signature Name only. 
- - name: snmp_value - type: keyword - description: SNMP set request value - - name: streams - type: long - description: This key captures number of streams in session - - name: db - type: group - fields: - - name: index - type: keyword - description: This key captures IndexID of the index. - - name: instance - type: keyword - description: This key is used to capture the database server instance name - - name: database - type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session - - name: transact_id - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - type: keyword - description: This key is used to capture the table name - - name: db_id - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - type: long - description: This key captures the process id of a connection with database server - - name: lread - type: long - description: This key is used for the number of logical reads - - name: lwrite - type: long - description: This key is used for the number of logical writes - - name: pread - type: long - description: This key is used for the number of physical writes - - name: network - type: group - fields: - - name: alias_host - type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
- - name: domain - type: keyword - - name: host_dst - type: keyword - description: "This key should only be used when it’s a Destination Hostname" - - name: network_service - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - type: keyword - description: This key should be used when the source or destination context of an interface is not clear - - name: network_port - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - type: keyword - description: "This key should only be used when it’s a Source Interface" - - name: dinterface - type: keyword - description: "This key should only be used when it’s a Destination Interface" - - name: vlan - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - type: keyword - description: "This key should only be used when it’s a Source Zone." - - name: zone - type: keyword - description: This key should be used when the source or destination context of a Zone is not clear - - name: zone_dst - type: keyword - description: "This key should only be used when it’s a Destination Zone." - - name: gateway - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - type: long - description: This key is used to capture the ICMP type only - - name: mask - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - type: keyword - description: This key is used for Destionation Device network mask - - name: port - type: long - description: This key should only be used to capture a Network Port when the directionality is not clear - - name: smask - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. - - name: paddr - type: ip - description: Deprecated - - name: faddr - type: keyword - - name: lhost - type: keyword - - name: origin - type: keyword - - name: remote_domain_id - type: keyword - - name: addr - type: keyword - - name: dns_a_record - type: keyword - - name: dns_ptr_record - type: keyword - - name: fhost - type: keyword - - name: fport - type: keyword - - name: laddr - type: keyword - - name: linterface - type: keyword - - name: phost - type: keyword - - name: ad_computer_dst - type: keyword - description: Deprecated, use host.dst - - name: eth_type - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - - name: ip_proto - type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - - name: dns_cname_record - type: keyword - - name: dns_id - type: keyword - - name: dns_opcode - type: keyword - - name: dns_resp - type: keyword - - name: dns_type - type: keyword - - name: domain1 - type: keyword - - name: host_type - type: keyword - - name: packet_length - type: keyword - - name: host_orig - type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
- - name: rpayload - type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. - - name: vlan_name - type: keyword - description: This key should only be used to capture the name of the Virtual LAN - - name: investigations - type: group - fields: - - name: ec_activity - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - type: long - description: This key captures the Event category number - - name: event_cat_name - type: keyword - description: This key captures the event category name corresponding to the event cat code - - name: event_vcat - type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - - name: analysis_file - type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - - name: analysis_service - type: keyword - description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - - name: analysis_session - type: keyword - description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session - - name: boc - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - type: keyword - description: This used to capture investigation category - - name: inv_context - type: keyword - description: This used to capture investigation context - - name: ioc - type: keyword - description: This is key capture indicator of compromise - - name: counters - type: group - fields: - - name: dclass_c1 - type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only - - name: dclass_c2 - type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only - - name: event_counter - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only - - name: dclass_c3 - type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only - - name: dclass_c1_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only - - name: dclass_c2_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only - - name: dclass_r1_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only - - name: dclass_r2 - type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only - - name: dclass_c3_str - type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only - - name: dclass_r3 - type: keyword - description: This is a generic ratio key that 
should be used with the label dclass.r3.str only - - name: dclass_r2_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only - - name: dclass_r3_str - type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only - - name: identity - type: group - fields: - - name: auth_method - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - type: keyword - description: This key is used to capture the type of logon method used. - - name: profile - type: keyword - description: This key is used to capture the user profile - - name: accesses - type: keyword - description: This key is used to capture actual privileges used in accessing an object - - name: realm - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - - name: org - type: keyword - description: This key captures the User organization - - name: dn_dst - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - - name: firstname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: lastname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: user_dept - type: keyword - description: User's Department Names only - - name: user_sid_src - type: keyword - description: This 
key captures Source User Session ID - - name: federated_sp - type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. - - name: federated_idp - type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. - - name: logon_type_desc - type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - - name: middlename - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: password - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" - - name: ldap_query - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - type: keyword - description: This is used to capture username the process or service is running as, the author of the task - - name: service_account - type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage - - name: email - type: group - fields: - - name: email_dst - type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email - - name: email_src - type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email - - name: subject - type: keyword - description: This key is used to capture the subject string from an Email only. - - name: email - type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear - - name: trans_from - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - type: keyword - description: Deprecated key defined only in table map. - - name: file - type: group - fields: - - name: privilege - type: keyword - description: Deprecated, use permissions - - name: attachment - type: keyword - description: This key captures the attachment file name - - name: filesystem - type: keyword - - name: binary - type: keyword - description: Deprecated key defined only in table map. 
- - name: filename_dst - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - type: keyword - description: This is used to capture name of the parent filename, the file which performed the action - - name: filename_tmp - type: keyword - - name: directory_dst - type: keyword - description: This key is used to capture the directory of the target process or file - - name: directory_src - type: keyword - description: This key is used to capture the directory of the source process or file - - name: file_entropy - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - type: keyword - description: This is used to capture name of the task - - name: web - type: group - fields: - - name: fqdn - type: keyword - description: Fully Qualified Domain Names - - name: web_cookie - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - type: keyword - - name: reputation_num - type: double - description: Reputation Number of an entity. 
Typically used for Web Domains - - name: web_ref_domain - type: keyword - description: Web referer's domain - - name: web_ref_query - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - type: keyword - - name: web_ref_page - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - type: keyword - - name: cn_rpackets - type: keyword - - name: urlpage - type: keyword - - name: urlroot - type: keyword - - name: p_url - type: keyword - - name: p_user_agent - type: keyword - - name: p_web_cookie - type: keyword - - name: p_web_method - type: keyword - - name: p_web_referer - type: keyword - - name: web_extension_tmp - type: keyword - - name: web_page - type: keyword - - name: threat - type: group - fields: - - name: threat_category - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert - - name: threat_desc - type: keyword - description: This key is used to capture the threat description from the session directly or inferred - - name: alert - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - type: keyword - description: This key is used to capture source of the threat - - name: crypto - type: group - fields: - - name: crypto - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only - - name: cipher_src - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - type: keyword - description: IKE negotiation phase. 
- - name: scheme - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - type: keyword - description: "This key is for Encryption peer’s identity" - - name: sig_type - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - type: keyword - - name: cert_host_name - type: keyword - description: Deprecated key defined only in table map. - - name: cert_error - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - type: keyword - description: Deprecated, use version - - name: d_certauth - type: keyword - - name: s_certauth - type: keyword - - name: ike_cookie1 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" - - name: ike_cookie2 - type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" - - name: cert_checksum - type: keyword - - name: cert_host_cat - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - type: keyword - description: Deprecated, use version - - name: cert_keysize - type: keyword - - name: cert_username - type: keyword - - name: https_insact - type: keyword - - name: https_valid - type: keyword - - name: cert_ca - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - type: group - fields: - - name: wlan_ssid - type: keyword - 
description: This key is used to capture the ssid of a Wireless Session - - name: access_point - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - type: long - description: This is used to capture the channel names - - name: wlan_name - type: keyword - description: This key captures either WLAN number/name - - name: storage - type: group - fields: - - name: disk_volume - type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk - - name: lun - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - type: group - fields: - - name: org_dst - type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. - - name: org_src - type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
- - name: healthcare - type: group - fields: - - name: patient_fname - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_id - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - - name: patient_mname - type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - - name: endpoint - type: group - fields: - - name: host_state - type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - - name: registry_key - type: keyword - description: This key captures the path to the registry key - - name: registry_value - type: keyword - description: This key captures values or decorators used within a registry entry -- name: dns.question.domain - type: keyword - ignore_above: 1024 - description: Server domain. -- name: network.interface.name - type: keyword diff --git a/packages/sophos/2.2.2/data_stream/utm/manifest.yml b/packages/sophos/2.2.2/data_stream/utm/manifest.yml deleted file mode 100755 index 807bd92dda..0000000000 --- a/packages/sophos/2.2.2/data_stream/utm/manifest.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -title: Sophos UTM logs -release: experimental -type: logs -streams: - - input: udp - title: Sophos UTM logs - description: Collect Sophos UTM logs - template_path: udp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-utm - - forwarded - - name: udp_host - type: text - title: UDP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: udp_port - type: integer - title: UDP port to listen on - multi: false - required: true - show_user: true - default: 9549 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: tcp - title: Sophos UTM logs - description: Collect Sophos UTM logs - template_path: tcp.yml.hbs - vars: - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-utm - - forwarded - - name: tcp_host - type: text - title: TCP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: TCP port to listen on - multi: false - required: true - show_user: true - default: 9549 - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- - - input: logfile - enabled: false - title: Sophos UTM logs - description: Collect Sophos UTM logs from file - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/sophos-utm.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-utm - - forwarded - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - required: false - show_user: true - default: "local" - - name: rsa_fields - type: bool - title: Add non-ECS fields - required: false - show_user: true - default: true - - name: keep_raw_fields - type: bool - title: Keep raw parser fields - required: false - show_user: false - default: false - - name: debug - type: bool - title: Enable debug logging - required: false - show_user: false - default: false - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/sophos/2.2.2/data_stream/utm/sample_event.json b/packages/sophos/2.2.2/data_stream/utm/sample_event.json deleted file mode 100755 index 0808f72f59..0000000000 --- a/packages/sophos/2.2.2/data_stream/utm/sample_event.json +++ /dev/null 
@@ -1,73 +0,0 @@
-{
- "@timestamp": "2016-01-29T06:09:59.000Z",
- "agent": {
- "ephemeral_id": "4a4dd5d5-8f82-4911-b531-99290943b6c6",
- "id": "9a015053-a5c0-4959-99ab-2b6556a2a396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "sophos.utm",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "9a015053-a5c0-4959-99ab-2b6556a2a396",
- "snapshot": true,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "code": "smtpd",
- "dataset": "sophos.utm",
- "ingested": "2022-01-25T18:04:29Z",
- "timezone": "+00:00"
- },
- "host": {
- "name": "localhost.localdomain"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "source": {
- "address": "172.25.0.7:39467"
- }
- },
- "message": "smtpd: MASTER:QR globally disabled, status one set to disabled.",
- "observer": {
- "product": "UTM",
- "type": "Firewall",
- "vendor": "Sophos"
- },
- "process": {
- "pid": 905
- },
- "related": {
- "hosts": [
- "localhost.localdomain"
- ]
- },
- "rsa": {
- "internal": {
- "event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.",
- "messageid": "smtpd"
- },
- "network": {
- "alias_host": [
- "localhost.localdomain"
- ]
- },
- "time": {
- "event_time": "2016-01-29T06:09:59.000Z"
- }
- },
- "tags": [
- "sophos-utm",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/sophos/2.2.2/data_stream/xg/agent/stream/log.yml.hbs b/packages/sophos/2.2.2/data_stream/xg/agent/stream/log.yml.hbs
deleted file mode 100755
index 177b022013..0000000000
--- a/packages/sophos/2.2.2/data_stream/xg/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
-- add_fields:
- target: '_conf'
- fields:
- default: {{default_host_name}}
- mappings:
-{{#if known_devices}}
- {{known_devices}}
-{{/if}}
diff --git a/packages/sophos/2.2.2/data_stream/xg/agent/stream/tcp.yml.hbs b/packages/sophos/2.2.2/data_stream/xg/agent/stream/tcp.yml.hbs
deleted file mode 100755
index b901abd778..0000000000
--- a/packages/sophos/2.2.2/data_stream/xg/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,31 +0,0 @@
-tcp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
-- add_fields:
- target: '_conf'
- fields:
- default: {{default_host_name}}
- mappings:
-{{#if known_devices}}
- {{known_devices}}
-{{/if}}
-{{#if tcp_options}}
-{{tcp_options}}
-{{/if}}
diff --git a/packages/sophos/2.2.2/data_stream/xg/agent/stream/udp.yml.hbs b/packages/sophos/2.2.2/data_stream/xg/agent/stream/udp.yml.hbs
deleted file mode 100755
index 426c9fc440..0000000000
--- a/packages/sophos/2.2.2/data_stream/xg/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,25 +0,0 @@
-udp:
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
-- add_fields:
- target: '_conf'
- fields:
- default: {{default_host_name}}
- mappings:
-{{#if known_devices}}
- {{known_devices}}
-{{/if}}
diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml
deleted file mode 100755
index 573c3d7f40..0000000000
--- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/antispam.yml
+++ /dev/null
@@ -1,135 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (anti-spam pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - ignore_empty_value: true -- set: - field: event.outcome - value: success - ignore_empty_value: true -- set: - field: event.kind - value: alert - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' -- append: - field: event.category - value: malware - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' -- append: - field: event.category - value: intrusion_detection - if: "ctx.event?.code == '13012'" -- append: - field: event.category - value: network -- append: - field: event.type - value: - - allowed - - connection - if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - info - - denied - - connection - if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.event?.code)' - -#################################### -## ECS Destination Mapping -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Source Mapping -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - 
ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.src_domainname - target_field: source.domain - ignore_missing: true - -####################### -## ECS Email Mapping ## -####################### -- rename: - field: sophos.xg.from_email_address - target_field: source.user.email - ignore_missing: true -- rename: - field: sophos.xg.to_email_address - target_field: destination.user.email - ignore_missing: true -- append: - field: email.from.address - value: "{{{source.user.email}}}" - if: "ctx?.source?.user?.email != null" -- append: - field: email.to.address - value: "{{{destination.user.email}}}" - if: "ctx?.destination?.user?.email != null" -- set: - field: email.subject - copy_from: sophos.xg.email_subject - if: "ctx?.sophos.xg?.email_subject != null" -- set: - field: email.subject - copy_from: sophos.xg.subject - if: "ctx?.sophos.xg?.subject != null && ctx.email?.subject == null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- lowercase: - field: sophos.xg.log_component - target_field: network.protocol - ignore_missing: true - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.from_email_address - - sophos.xg.to_email_address - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml deleted file mode 100755 index cbfa5e2829..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/antivirus.yml +++ /dev/null 
@@ -1,222 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (antivirus pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - malware - - network - if: "ctx.sophos?.xg?.log_subtype == 'Virus'" -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Virus'" -- set: - field: event.kind - value: event - if: '["09002"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - allowed - - connection - if: '["09002"].contains(ctx.event?.code)' -- append: - field: event.category - value: network - if: '["09002"].contains(ctx.event?.code)' - -############################# -## ECS Destination Mapping ## -############################# -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" -- rename: - field: sophos.xg.dstdomain - target_field: destination.domain - ignore_failure: true -- rename: - field: sophos.xg.dst_domainname - target_field: destination.domain - ignore_failure: true - -######################## -## ECS Source Mapping ## -######################## -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: 
source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.src_domainname - target_field: source.domain - ignore_failure: true - -####################### -## ECS Email Mapping ## -####################### -- rename: - field: sophos.xg.from_email_address - target_field: source.user.email - ignore_missing: true -- rename: - field: sophos.xg.to_email_address - target_field: destination.user.email - ignore_missing: true -- append: - field: email.from.address - value: "{{{source.user.email}}}" - if: "ctx?.source?.user?.email != null" -- append: - field: email.to.address - value: "{{{destination.user.email}}}" - if: "ctx?.destination?.user?.email != null" -- set: - field: email.subject - copy_from: sophos.xg.email_subject - if: "ctx?.sophos.xg?.email_subject != null" -- set: - field: email.subject - copy_from: sophos.xg.subject - if: "ctx?.sophos.xg?.subject != null && ctx.email?.subject == null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.fw_rule_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- uri_parts: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.original - target_field: url -- set: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.full - copy_from: url.original - ignore_empty_value: true -- rename: - field: sophos.xg.domainname - target_field: url.domain - ignore_failure: true - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.user_agent - target_field: user_agent.original - ignore_missing: true - if: "ctx.sophos?.xg?.user_agent != null" -- convert: - field: sophos.xg.status_code - target_field: 
http.response.status_code - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" - -###################### -## ECS File Mapping ## -###################### -- rename: - field: sophos.xg.filename - target_field: file.name - ignore_missing: true - if: "ctx.sophos?.xg?.filename != null" -- convert: - field: sophos.xg.file_size - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.file_size != null" -- rename: - field: sophos.xg.file_path - target_field: file.directory - ignore_missing: true - if: "ctx.sophos?.xg?.file_path != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- lowercase: - field: sophos.xg.log_component - target_field: network.protocol - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.domainname - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.status_code - - sophos.xg.file_size - - sophos.xg.from_email_address - - sophos.xg.to_email_address - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml deleted file mode 100755 index 47bcb458a6..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/atp.yml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (atp pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - intrusion_detection - - network - if: '["18009", "18010"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - denied - - connection - if: '["18009", "18010"].contains(ctx.event?.code)' -- rename: - field: sophos.xg.eventid - target_field: event.id - ignore_missing: true - if: "ctx.sophos?.xg?.eventid != null" - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.destinationip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.destinationip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - 
ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- uri_parts: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.original - target_field: url -- set: - if: ctx.url?.original != null && ctx.url.original.contains("://") - field: url.full - copy_from: url.original - ignore_empty_value: true - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml deleted file mode 100755 index d8030558aa..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/cfilter.yml +++ /dev/null 
@@ -1,168 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (Content Filtering pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: network - if: "ctx.sophos?.xg?.log_subtype != 'Denied'" -- append: - field: event.type - value: - - allowed - - connection - if: '["Allowed", "Warned"].contains(ctx.sophos?.xg?.log_subtype)' -- append: - field: event.type - value: - - info - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Denied'" - -########################## -## ECS Destination Mapping -########################## -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -##################### -## ECS Source Mapping -##################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - 
if: "ctx.sophos?.xg?.user_gp != null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.original - ignore_missing: true -- uri_parts: - field: url.original - target_field: url - if: "ctx.url?.original != null" -- set: - field: url.full - copy_from: url.original - ignore_empty_value: true -- rename: - field: sophos.xg.domain - target_field: url.domain - ignore_missing: true - if: ctx.url?.domain == null - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.referer - target_field: http.request.referrer - ignore_missing: true - if: "ctx.sophos?.xg?.referer != null" -- convert: - field: sophos.xg.status_code - target_field: http.response.status_code - type: long - ignore_missing: true - if: "ctx.sophos?.xg?.status_code != null && ctx.sophos?.xg?.status_code != ''" -- convert: - field: sophos.xg.http_status - target_field: http.response.status_code - type: long - ignore_missing: true - if: "ctx.sophos?.xg?.http_status != null && ctx.sophos?.xg?.http_status != '' && ctx.sophos?.xg?.http_status != '0'" -- rename: - field: sophos.xg.user_agent - target_field: user_agent.original - ignore_missing: true -- user_agent: - field: user_agent.original - target_field: user_agent - ignore_missing: true - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- set: - field: network.protocol - copy_from: url.scheme - override: false - ignore_empty_value: true - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.domain - - sophos.xg.http_status - - sophos.xg.http_user_agent - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/default.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index f17e934640..0000000000
--- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,568 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs. -processors: -- set: - field: ecs.version - value: '8.2.0' - -- set: - field: event.original - copy_from: message - override: false -- grok: - field: event.original - patterns: - - '^%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:message}$' - - '^%{SYSLOG5424PRI}%{GREEDYDATA:message}$' - - '^%{SYSLOGTIMESTAMP} %{HOSTNAME:observer.hostname} %{GREEDYDATA:message}$' - - '%{GREEDYDATA:message}$' - -# split Sophos-XG fields -- kv: - field: message - field_split: " (?=[a-zA-Z0-9_]+=)" - value_split: "=" - prefix: "sophos.xg." - ignore_missing: true - ignore_failure: false - trim_value: "\"" - -- script: - description: Lowercase sophos.xg key name names. - tag: lowercase-sophos-keys - if: ctx.sophos?.xg != null - source: | - def lowercaseMap = [:]; - for(def entry : ctx.sophos.xg.entrySet()){ - lowercaseMap.put(entry.getKey().toLowerCase(), entry.getValue()); - } - ctx.sophos.xg = lowercaseMap; - -# Parse the date -- set: - field: _temp_.time - value: "{{sophos.xg.date}} {{sophos.xg.time}}" - if: ctx.sophos?.xg?.date != null && ctx.sophos?.xg?.time != null -- set: - field: _temp_.time - copy_from: sophos.xg.timestamp - ignore_empty_value: true - if: ctx._temp_?.time == null -- date: - if: ctx._temp_?.time != null && ctx.event?.timezone == null - field: _temp_.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 -- date: - if: ctx._temp_?.time != null && ctx.event?.timezone != null - timezone: "{{ event.timezone }}" - field: _temp_.time - target_field: "@timestamp" - formats: - - yyyy-MM-dd HH:mm:ss - - yyyy-MM-dd HH:mm:ss Z - - yyyy-MM-dd HH:mm:ss z - - ISO8601 - -# Sets starts, end and duration when start and duration is known -- script: - lang: painless - if: ctx.sophos?.xg?.duration != null - source: >- - ctx.event.duration = Integer.parseInt(ctx.sophos.xg.duration) * 1000000000L; - 
ctx.event.start = ctx['@timestamp']; - ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); - ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); - -# Removes all empty fields -- script: - description: Remove empty fields. - tag: remove-empty-fields - lang: painless - params: - values: - - "" - - "-" - - "N/A" - source: >- - ctx.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); - -####################### -## ECS Event Mapping ## -####################### - -# log_id consists of (example: 010101600001): -# log type: 2 digits -# log component: 2 digits -# log subtype: 2 digits -# severity: 1 digit -# message ID: 5 digits -- gsub: - description: Set event.severity from log_id. - field: sophos.xg.log_id - target_field: event.severity - pattern: '^.{6}(.).*$' - replacement: '$1' - ignore_failure: true -- convert: - field: event.severity - type: long - ignore_missing: true -- gsub: - description: Set event.code from log_id. - field: sophos.xg.log_id - target_field: event.code - pattern: '^.{7}(.{5})$' - replacement: '$1' - ignore_failure: true - -##################### -## ECS Log Mapping ## -##################### -- set: - if: ctx.event?.severity == 0 - field: log.level - value: unknown -- set: - if: ctx.event?.severity == 1 - field: log.level - value: alert -- set: - if: ctx.event?.severity == 2 - field: log.level - value: critical -- set: - if: ctx.event?.severity == 3 - field: log.level - value: error -- set: - if: ctx.event?.severity == 4 - field: log.level - value: warning -- set: - if: ctx.event?.severity == 5 - field: log.level - value: notification -- set: - if: ctx.event?.severity == 6 - field: log.level - value: informational -- set: - if: ctx.event?.severity == 7 - field: log.level - value: debug - -- set: - field: log.level - copy_from: sophos.xg.severity - ignore_empty_value: true - -########################## -## ECS Observer Mapping ## -########################## -- set: - field: observer.vendor - value: 
Sophos -- set: - field: observer.product - value: XG -- set: - field: observer.type - value: firewall -- rename: - field: sophos.xg.device_id - target_field: observer.serial_number - ignore_missing: true -- rename: - field: sophos.xg.device_serial_id - target_field: observer.serial_number - ignore_missing: true -- rename: - field: sophos.xg.out_interface - target_field: observer.egress.interface.name - ignore_missing: true -- rename: - field: sophos.xg.in_interface - target_field: observer.ingress.interface.name - ignore_missing: true -- rename: - field: sophos.xg.srczone - target_field: observer.ingress.zone - ignore_missing: true -- rename: - field: sophos.xg.src_zone - target_field: observer.ingress.zone - ignore_missing: true -- rename: - field: sophos.xg.dstzone - target_field: observer.egress.zone - ignore_missing: true -- rename: - field: sophos.xg.dst_zone - target_field: observer.egress.zone - ignore_missing: true -- rename: - field: sophos.xg.srczonetype - target_field: sophos.xg.src_zone_type - ignore_missing: true -- rename: - field: sophos.xg.dstzonetype - target_field: sophos.xg.dst_zone_type - ignore_missing: true - -################### -## Set host.name ## -################### -- script: - lang: painless - if: ctx.observer?.serial_number != null - source: >- - def conf = ctx['_conf']; - if (conf == null) return; - def serial = ctx.observer.serial_number; - def mappings = conf.mappings; - if (mappings == null) return; - def name = conf['default']; - for (def item : mappings) { - if (item.serial_number == serial) { - name = item.hostname; - break; - } - } - if (ctx.host == null) { - ctx.host = new HashMap(); - } - ctx.host.name = name; - -############# -## Cleanup ## -############# -- remove: - field: - - message - - _temp_ - - _conf - - sophos.xg.date - - sophos.xg.time - - sophos.xg.timestamp - - sophos.xg.duration - - sophos.xg.timezone - - sophos.xg.dir_disp - - sophos.xg.log_occurrence - - sophos.xg.nat_rule_id - - sophos.xg.in_display_interface 
- - sophos.xg.out_display_interface - - syslog5424_pri - ignore_missing: true - -- convert: - field: sophos.xg.sent_bytes - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_bytes != null" -- convert: - field: sophos.xg.bytes_sent - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytes_sent != null" -- convert: - field: sophos.xg.recv_bytes - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_bytes != null" -- convert: - field: sophos.xg.bytes_received - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytes_received != null" - -############################# -## ECS Source/Destination MAC -############################# -- rename: - field: sophos.xg.src_mac - target_field: source.mac - ignore_failure: true -- uppercase: - field: source.mac - ignore_missing: true -- gsub: - field: source.mac - pattern: '[-:. 
]' - replacement: '' - ignore_missing: true -- gsub: - field: source.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - -- rename: - field: sophos.xg.dst_mac - target_field: destination.mac - ignore_failure: true -- uppercase: - field: destination.mac - ignore_missing: true -- gsub: - field: destination.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: destination.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - -############################### -## Product Specific Pipelines ## -############################### -- pipeline: - name: '{{ IngestPipeline "antispam" }}' - if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" -- pipeline: - name: '{{ IngestPipeline "antivirus" }}' - if: "ctx.sophos?.xg?.log_type == 'Anti-Virus'" -- pipeline: - name: '{{ IngestPipeline "atp" }}' - if: "ctx.sophos?.xg?.log_type == 'ATP'" -- pipeline: - name: '{{ IngestPipeline "cfilter" }}' - if: "ctx.sophos?.xg?.log_type == 'Content Filtering'" -- pipeline: - name: '{{ IngestPipeline "event" }}' - if: "ctx.sophos?.xg?.log_type == 'Event'" -- pipeline: - name: '{{ IngestPipeline "firewall" }}' - if: "ctx.sophos?.xg?.log_type == 'Firewall'" -- pipeline: - name: '{{ IngestPipeline "idp" }}' - if: "ctx.sophos?.xg?.log_type == 'IDP'" -- pipeline: - name: '{{ IngestPipeline "sandstorm" }}' - if: "ctx.sophos?.xg?.log_type == 'Sandbox'" -- pipeline: - name: '{{ IngestPipeline "systemhealth" }}' - if: "ctx.sophos?.xg?.log_type == 'System Health'" -- pipeline: - name: '{{ IngestPipeline "waf" }}' - if: "ctx.sophos?.xg?.log_type == 'WAF'" -- pipeline: - name: '{{ IngestPipeline "wifi" }}' - if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" - -################## -# GeoIP Enrichment -################## -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo 
== null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -############## -## ECS Network -############## -- lowercase: - field: network.protocol - ignore_failure: true -- set: - description: Rename pops network.protocol to pop3s. 
- if: ctx.network?.protocol == "pops" - field: network.protocol - value: pop3s -- lowercase: - field: network.transport - ignore_failure: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx.source?.bytes != null && ctx.destination?.bytes != null" - ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx.source?.packets != null && ctx.destination?.packets != null" - ignore_failure: true -- community_id: - ignore_failure: true - -#################### -## ECS Related Hosts -#################### -- append: - if: ctx.host?.name != null - field: related.hosts - value: '{{{host.name}}}' - allow_duplicates: false -- append: - if: ctx.url?.domain != null - field: related.hosts - value: '{{{url.domain}}}' - allow_duplicates: false -- append: - if: ctx.source?.domain != null - field: related.hosts - value: '{{{source.domain}}}' - allow_duplicates: false -- append: - if: ctx.destination?.domain != null - field: related.hosts - value: '{{{destination.domain}}}' - allow_duplicates: false - -################# -## ECS Related IP -################# -- append: - if: ctx.source?.ip != null - field: related.ip - value: '{{{source.ip}}}' - allow_duplicates: false -- append: - if: ctx.destination?.ip != null - field: related.ip - value: '{{{destination.ip}}}' - allow_duplicates: false -- append: - if: ctx.source?.nat?.ip != null - field: related.ip - value: '{{{source.nat.ip}}}' - allow_duplicates: false -- append: - if: ctx.destination?.nat?.ip != null - field: related.ip - value: '{{{destination.nat.ip}}}' - allow_duplicates: false - -################### -## ECS Related User -################### -- append: - if: ctx.source?.user?.name != null - field: related.user - value: "{{{source.user.name}}}" - allow_duplicates: false - -################### -## ECS Related Hash -################### -- append: - if: ctx.file?.hash?.sha1 != null - 
field: related.hash - value: "{{{file.hash.sha1}}}" - allow_duplicates: false -- append: - if: ctx.file?.hash?.sha256 != null - field: related.hash - value: "{{{file.hash.sha256}}}" - allow_duplicates: false - -############# -## Cleanup ## -############# -- rename: - field: sophos.xg.reason - target_field: event.reason - ignore_failure: true - -- remove: - field: - - sophos.xg.bytes_received - - sophos.xg.bytes_sent - - sophos.xg.dst_country - - sophos.xg.in_display_interface - - sophos.xg.out_display_interface - - sophos.xg.recv_bytes - - sophos.xg.sent_bytes - - sophos.xg.severity - - sophos.xg.src_country - ignore_missing: true -- remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/event.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/event.yml deleted file mode 100755 index 7442b607b2..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/event.yml +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (authentication events pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success - if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Successful"' -- set: - field: event.outcome - value: failure - if: 'ctx.sophos?.xg?.log_subtype == "Authentication" && ctx.sophos?.xg?.status == "Failed"' -- set: - field: event.outcome - value: success - if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Successful" && ctx.event?.code == "17507"' -- set: - field: event.outcome - value: failure - if: 'ctx.sophos?.xg?.log_subtype == "Admin" && ctx.sophos?.xg?.status == "Failed" && ctx.event?.code == "17507"' -- append: - field: event.type - value: - - user - - start - if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.event?.code)" -- append: - field: event.type - value: - - user - - end - if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.event?.code)" -- append: - field: event.type - value: connection - if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" -- append: - field: event.category - value: network - if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" -- append: - field: event.category - value: authentication - if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' -- append: - field: event.type - value: info - if: 'ctx.event?.code == "17819"' -- append: - field: event.category - value: - - host - - malware - if: 'ctx.event?.code == "17819"' - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- rename: - field: 
sophos.xg.localinterfaceip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.localinterfaceip != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.remoteinterfaceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.remoteinterfaceip != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- set: - field: source.user.name - value: '{{sophos.xg.name}}' - if: "ctx.sophos?.xg?.name != null" -- set: - field: user.name - value: '{{source.user.name}}' - ignore_empty_value: true - if: 'ctx.sophos?.xg?.log_subtype == "Authentication"' -- rename: - field: sophos.xg.usergroupname - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.usergroupname != null" - -######################### -## ECS Message Mapping ## -######################### -- rename: - field: sophos.xg.message - target_field: message - ignore_missing: true - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - - sophos.xg.name - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' - diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml deleted file mode 100755 index 7e48fade03..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/firewall.yml +++ /dev/null 
@@ -1,232 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (firewall pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' -- append: - field: event.category - value: intrusion_detection - if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.event?.code)' -- append: - field: event.category - value: network -- append: - field: event.type - value: - - start - - allowed - - connection - if: "['Start', 'Interim'].contains(ctx.sophos?.xg?.connevent)" -- append: - field: event.type - value: - - end - - allowed - - connection - if: "ctx.sophos?.xg?.connevent == 'Stop'" -- append: - field: event.type - value: - - denied - - connection - if: "ctx.sophos?.xg?.status == 'Deny'" - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- rename: - field: sophos.xg.tran_dst_ip - target_field: destination.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.tran_dst_ip != null" -- rename: - field: sophos.xg.destinationip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.destinationip !=null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" -- convert: - field: sophos.xg.tran_dst_port - target_field: destination.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: 
"ctx.sophos?.xg?.tran_dst_port != null" -- convert: - field: sophos.xg.recv_pkts - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.recv_pkts !=null" -- convert: - field: sophos.xg.packets_received - target_field: destination.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.packets_received !=null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.tran_src_ip - target_field: source.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.tran_src_ip != null" -- rename: - field: sophos.xg.src_trans_ip - target_field: source.nat.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_trans_ip != null" -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- convert: - field: sophos.xg.tran_src_port - target_field: source.nat.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.tran_src_port != null" -- rename: - field: sophos.xg.src_mac - target_field: source.mac - ignore_missing: true - if: "ctx.sophos?.xg?.src_mac != null" -- trim: - field: sophos.xg.sent_pkts - ignore_missing: true -- trim: - field: sophos.xg.packets_sent - ignore_missing: true -- convert: - field: sophos.xg.sent_pkts - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.sent_pkts != null" -- convert: - field: sophos.xg.packets_sent - target_field: source.packets - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.packets_sent != null" 
-- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_gp != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.fw_rule_id - target_field: rule.id - ignore_missing: true - if: "ctx.rule?.id == null" -- rename: - field: sophos.xg.policy_type - target_field: rule.ruleset - ignore_missing: true - if: "ctx.sophos?.xg?.policy_type != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.application - target_field: network.protocol - ignore_missing: true -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true -- set: - field: network.direction - value: inbound - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone) && ctx.observer?.ingress?.zone == 'WAN'" -- set: - field: network.direction - value: outbound - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ctx.observer?.egress?.zone == 'WAN'" -- set: - field: network.direction - value: internal - if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx.observer?.egress?.zone)" -- set: - field: network.direction - value: external - if: "ctx.observer?.ingress?.zone == 'WAN' && ctx.observer?.egress?.zone == 'WAN'" - -############# -## Cleanup ## -############# -- lowercase: - field: event.action - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.tran_dst_port - - sophos.xg.recv_pkts - - sophos.xg.src_port - - sophos.xg.tran_src_port - - sophos.xg.sent_pkts - - sophos.xg.packets_received - - sophos.xg.packets_sent - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' 
diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml deleted file mode 100755 index c38552b4c6..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/idp.yml +++ /dev/null 
@@ -1,115 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (ipd pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: alert -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- append: - field: event.category - value: - - intrusion_detection - - network - if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' -- append: - field: event.type - value: - - denied - - connection - if: '["06001", "06002", "07001", "07002"].contains(ctx.event?.code)' - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.dst_ip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.dst_ip != null" -- convert: - field: sophos.xg.dst_port - target_field: destination.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.dst_port != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- convert: - field: sophos.xg.src_port - target_field: source.port - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.src_port != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" - -###################### -## ECS Rule Mapping ## -###################### -- rename: - field: sophos.xg.signature_id - target_field: rule.id - ignore_missing: true - if: "ctx.sophos?.xg?.signature_id != null" -- rename: - field: sophos.xg.signature_msg - target_field: rule.name - ignore_missing: true - if: 
"ctx.sophos?.xg?.signature_msg != null" -- rename: - field: sophos.xg.classification - target_field: rule.category - ignore_missing: true - if: "ctx.sophos?.xg?.classification != null" - -###################### -## ECS Network Mapping -###################### -- rename: - field: sophos.xg.protocol - target_field: network.transport - ignore_missing: true - -############# -## Cleanup ## -############# -- lowercase: - field: network.protocol - ignore_failure: true -- lowercase: - field: event.action - ignore_failure: true -- lowercase: - field: event.info - ignore_failure: true -- remove: - field: - - sophos.xg.dst_port - - sophos.xg.src_port - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml deleted file mode 100755 index df874a5254..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/sandstorm.yml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (sandbox pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: "{{sophos.xg.log_subtype}}" - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.log_subtype != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.log_subtype == "Denied"' -- append: - field: event.category - value: network - if: "ctx.sophos?.xg?.log_subtype != 'Denied'" -- append: - field: event.type - value: allowed - if: "['Allowed'].contains(ctx.sophos?.xg?.log_subtype)" -- append: - field: event.type - value: - - start - - connection - if: "['pending'].contains(ctx.sophos?.xg?.reason)" -- append: - field: event.type - value: - - end - - connection - if: "ctx.sophos?.xg?.reason == 'eligible'" -- append: - field: event.type - value: - - denied - - connection - if: "ctx.sophos?.xg?.log_subtype == 'Denied'" - -- rename: - if: ctx.sophos?.xg?.log_component == "Web" - field: sophos.xg.source - target_field: url.domain - ignore_missing: true - -######################## -## ECS Source Mapping ## -######################## -- rename: - field: sophos.xg.src_ip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.src_ip != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" - -############################# -## ECS Destination Mapping ## -############################# -- convert: - field: url.domain - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: url.domain - ignore_empty_value: true - -###################### -## ECS File 
Mapping ## -###################### -- rename: - field: sophos.xg.filename - target_field: file.name - ignore_missing: true - if: ctx.sophos?.xg?.filename != null -- convert: - field: sophos.xg.filesize - target_field: file.size - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.filesize != null" -- rename: - field: sophos.xg.filetype - target_field: file.mime_type - ignore_missing: true - if: "ctx.sophos?.xg?.filetype != null" - -# In 18.0 and later the sha1sum contains the sha256 checksum of the file. -- rename: - field: sophos.xg.sha1sum - target_field: file.hash.sha1 - ignore_missing: true - if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 40" -- rename: - field: sophos.xg.sha1sum - target_field: file.hash.sha256 - ignore_missing: true - if: "ctx.sophos?.xg?.sha1sum != null && ctx.sophos.xg.sha1sum.length() == 64" - -############# -## Cleanup ## -############# -- remove: - field: - - sophos.xg.filesize - - sophos.xg.sha1sum - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml deleted file mode 100755 index 7a55e8b6a2..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/systemhealth.yml +++ /dev/null 
@@ -1,182 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (systemhealth pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- rename: - field: sophos.xg.idle - target_field: sophos.xg.idle_cpu - ignore_missing: true -- gsub: - field: sophos.xg.idle_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.idle_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.idle_cpu -- rename: - field: sophos.xg.system - target_field: sophos.xg.system_cpu - ignore_missing: true -- gsub: - field: sophos.xg.system_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.system_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.system_cpu -- rename: - field: sophos.xg.user - target_field: sophos.xg.user_cpu - ignore_missing: true -- gsub: - field: sophos.xg.user_cpu - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.user_cpu - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.user_cpu -- convert: - field: sophos.xg.used - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.used -- convert: - field: sophos.xg.total_memory - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.total_memory -- convert: - field: sophos.xg.free - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.free -- gsub: - field: sophos.xg.configuration - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.configuration - type: float - ignore_missing: true - on_failure: - - remove: - field: - - sophos.xg.configuration - -- gsub: - field: sophos.xg.reports - pattern: "%$" - replacement: "" - 
ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.reports - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.reports -- gsub: - field: sophos.xg.temp - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.temp - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.temp -- gsub: - field: sophos.xg.signature - pattern: "%$" - replacement: "" - ignore_missing: true - ignore_failure: true -- convert: - field: sophos.xg.signature - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.signature -- convert: - field: sophos.xg.users - type: integer - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.users -- convert: - field: sophos.xg.transmittedkbits - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.transmittedkbits -- convert: - field: sophos.xg.receivedkbits - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.receivedkbits -- convert: - field: sophos.xg.collisions - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.collisions -- convert: - field: sophos.xg.receiveddrops - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.receiveddrops -- convert: - field: sophos.xg.transmitteddrops - type: float - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.transmitteddrops - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml deleted file mode 100755 index a59c4334cd..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/waf.yml +++ /dev/null 
@@ -1,174 +0,0 @@ ---- -description: Pipeline for parsing sophos firewall logs (waf pipeline) -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.action - value: allowed - if: 'ctx.sophos?.xg?.reason == "-"' -- set: - field: event.action - value: denied - if: 'ctx.sophos?.xg?.reason != "-"' -- set: - field: event.outcome - value: success - if: "ctx.sophos?.xg?.reason != null" -- set: - field: event.kind - value: alert - if: 'ctx.sophos?.xg?.reason != "-"' -- append: - field: event.category - value: - - malware - - network - if: 'ctx.sophos?.xg?.reason == "Antivirus"' -- append: - field: event.category - value: - - intrusion_detection - - network - if: "ctx.sophos?.xg?.reason != 'Antivirus' && ctx.sophos?.xg?.reason != '-'" -- append: - field: event.type - value: - - allowed - - connection - if: 'ctx.sophos?.xg?.reason == "-"' -- append: - field: event.type - value: - - denied - - connection - if: 'ctx.sophos?.xg?.reason != "-"' - -- convert: - field: sophos.xg.responsetime - type: long - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.responsetime -- script: - description: Convert microseconds to nanoseconds. 
- lang: painless - source: | - if (ctx.sophos?.xg?.responsetime != null && ctx.sophos.xg.responsetime > 0) { - ctx.event.duration = ctx.sophos.xg.responsetime * 1000; - } - -#################################### -## ECS Server/Destination Mapping ## -#################################### -- rename: - field: sophos.xg.localip - target_field: destination.ip - ignore_missing: true - if: "ctx.sophos?.xg?.localip != null" -- convert: - field: sophos.xg.bytessent - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytessent != null" - -############################### -## ECS Client/Source Mapping ## -############################### -- rename: - field: sophos.xg.sourceip - target_field: source.ip - ignore_missing: true - if: "ctx.sophos?.xg?.sourceip != null" -- convert: - field: sophos.xg.bytesrcv - target_field: source.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.bytesrcv != null" -- rename: - field: sophos.xg.user_name - target_field: source.user.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_name != null" -- rename: - field: sophos.xg.user_gp - target_field: source.user.group.name - ignore_missing: true - if: "ctx.sophos?.xg?.user_gp != null" - -##################### -## ECS URL Mapping ## -##################### -- rename: - field: sophos.xg.url - target_field: url.full - ignore_missing: true - if: "ctx.sophos?.xg?.url != null" -- rename: - field: sophos.xg.domain - target_field: url.domain - ignore_missing: true - if: "ctx.sophos?.xg?.domain != null" - -############################ -## ECS User Agent Mapping ## -############################ -- rename: - field: sophos.xg.referer - target_field: http.request.referrer - ignore_missing: true - if: "ctx.sophos?.xg?.referer != null" -- convert: - field: sophos.xg.httpstatus - target_field: destination.bytes - type: long - ignore_failure: true - ignore_missing: true - if: "ctx.sophos?.xg?.httpstatus != null" -- 
rename: - field: sophos.xg.method - target_field: http.request.method - ignore_missing: true - if: "ctx.sophos?.xg?.method != null" -- rename: - field: sophos.xg.ws_protocol - target_field: http.version - ignore_missing: true - if: "ctx.sophos?.xg?.ws_protocol != null" -- rename: - field: sophos.xg.useragent - target_field: user_agent.original - ignore_missing: true - if: "ctx.sophos?.xg?.useragent != null" - -############# -## Cleanup ## -############# -- rename: - field: sophos.xg.SQLi - target_field: sophos.xg.sqli - ignore_missing: true -- rename: - field: sophos.xg.XSS - target_field: sophos.xg.xss - ignore_missing: true -- remove: - field: - - sophos.xg.bytesrcv - - sophos.xg.bytessent - - sophos.xg.httpstatus - - sophos.xg.responsetime - ignore_missing: true -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml b/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml deleted file mode 100755 index 9dbbeb06c0..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/elasticsearch/ingest_pipeline/wifi.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for parsing Sophos XG firewall logs (wireless protection pipeline). -processors: -####################### -## ECS Event Mapping ## -####################### -- set: - field: event.kind - value: event -- set: - field: event.outcome - value: success -- convert: - field: sophos.xg.clients_conn_ssid - type: long - ignore_missing: true - on_failure: - - remove: - field: sophos.xg.clients_conn_ssid - -############# -## Cleanup ## -############# -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sophos/2.2.2/data_stream/xg/fields/agent.yml b/packages/sophos/2.2.2/data_stream/xg/fields/agent.yml deleted file mode 100755 index 98998ae549..0000000000 
--- a/packages/sophos/2.2.2/data_stream/xg/fields/agent.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset -- name: log.source.address - type: keyword - ignore_above: 1024 diff --git a/packages/sophos/2.2.2/data_stream/xg/fields/base-fields.yml b/packages/sophos/2.2.2/data_stream/xg/fields/base-fields.yml deleted file mode 100755 index a6aa5f75de..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: sophos -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sophos.xg -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/sophos/2.2.2/data_stream/xg/fields/ecs.yml b/packages/sophos/2.2.2/data_stream/xg/fields/ecs.yml deleted file mode 100755 index c5a5b0bb40..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/fields/ecs.yml +++ /dev/null 
@@ -1,548 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. 
Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: User email address. - name: destination.user.email - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - type: keyword -- description: The email address of recipient - name: email.to.address - type: keyword -- description: A brief summary of the topic of the message. - multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - name: event.hash - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. 
firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: SHA512 hash. 
- name: file.hash.sha512 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
- name: log.logger - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. 
- name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
- name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. 
- name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: User email address. - name: source.user.email - type: keyword -- description: Name of the group. - name: source.user.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. 
- name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. 
- name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: url.registered_domain - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: url.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
- name: url.top_level_domain - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). - name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/sophos/2.2.2/data_stream/xg/fields/fields.yml b/packages/sophos/2.2.2/data_stream/xg/fields/fields.yml deleted file mode 100755 index 6dd56deeab..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/fields/fields.yml +++ /dev/null 
@@ -1,830 +0,0 @@ -- name: sophos - type: group - fields: - - name: xg - type: group - fields: - - name: action - type: keyword - description: | - Event Action - - name: activityname - type: keyword - description: | - Web policy activity that matched and caused the policy result. - - name: ap - type: keyword - description: | - Access Point Serial ID or LocalWifi0 or LocalWifi1. - - name: app_category - type: keyword - description: | - Name of the category under which application falls - - name: app_filter_policy_id - type: keyword - description: | - Application filter policy ID applied on the traffic - - name: app_is_cloud - type: keyword - description: | - Application is Cloud - - name: app_name - type: keyword - description: | - Application name - - name: app_resolved_by - type: keyword - description: | - Application is resolved by signature or synchronized application - - name: app_risk - type: keyword - description: | - Risk level assigned to the application - - name: app_technology - type: keyword - description: | - Technology of the application - - name: appfilter_policy_id - type: integer - description: | - Application Filter policy applied on the traffic - - name: application - type: keyword - description: | - Application name - - name: application_category - type: keyword - description: | - Application is resolved by signature or synchronized application - - name: application_filter_policy - type: integer - description: | - Application Filter policy applied on the traffic - - name: application_name - type: keyword - description: | - Application name - - name: application_risk - type: keyword - description: | - Risk level assigned to the application - - name: application_technology - type: keyword - description: | - Technology of the application - - name: appresolvedby - type: keyword - description: | - Technology of the application - - name: auth_client - type: keyword - description: | - Auth Client - - name: auth_mechanism - type: keyword - description: | 
- Auth mechanism - - name: av_policy_name - type: keyword - description: | - Malware scanning policy name which is applied on the traffic - - name: backup_mode - type: keyword - description: | - Backup mode - - name: branch_name - type: keyword - description: | - Branch Name - - name: category - type: keyword - description: | - IPS signature category. - - name: category_type - type: keyword - description: | - Type of category under which website falls - - name: classification - type: keyword - description: | - Signature classification - - name: client_host_name - type: keyword - description: | - Client host name - - name: client_physical_address - type: keyword - description: | - Client physical address - - name: clients_conn_ssid - type: long - description: | - Number of client connected to the SSID. - - name: collisions - type: long - description: | - collisions - - name: con_event - type: keyword - description: | - Event Start/Stop - - name: con_id - type: integer - description: | - Unique identifier of connection - - name: configuration - type: float - description: | - Configuration - - name: conn_id - type: integer - description: | - Unique identifier of connection - - name: connectionname - type: keyword - description: | - Connectionname - - name: connectiontype - type: keyword - description: | - Connectiontype - - name: connevent - type: keyword - description: | - Event on which this log is generated - - name: connid - type: keyword - description: | - Connection ID - - name: content_type - type: keyword - description: | - Type of the content - - name: contenttype - type: keyword - description: | - Type of the content - - name: context_match - type: keyword - description: | - Context Match - - name: context_prefix - type: keyword - description: | - Content Prefix - - name: context_suffix - type: keyword - description: | - Context Suffix - - name: cookie - type: keyword - description: | - cookie - - name: date - type: date - description: | - Date (yyyy-mm-dd) 
when the event occurred - - name: destinationip - type: ip - description: | - Original destination IP address of traffic - - name: device - type: keyword - description: | - device - - name: device_id - type: keyword - description: | - Serial number of the device - - name: device_model - type: keyword - description: | - Model number of the device - - name: device_name - type: keyword - description: | - Model number of the device - - name: dictionary_name - type: keyword - description: | - Dictionary Name - - name: dir_disp - type: keyword - description: | - TPacket direction. Possible values:“org”, “reply”, “” - - name: direction - type: keyword - description: | - Direction - - name: domainname - type: keyword - description: | - Domain from which virus was downloaded - - name: download_file_name - type: keyword - description: | - Download file name - - name: download_file_type - type: keyword - description: | - Download file type - - name: dst_country_code - type: keyword - description: | - Code of the country to which the destination IP belongs - - name: dst_domainname - type: keyword - description: | - Receiver domain name - - name: dst_ip - type: ip - description: | - Original destination IP address of traffic - - name: dst_port - type: integer - description: | - Original destination port of TCP and UDP traffic - - name: dst_zone_type - type: keyword - description: | - Type of destination zone - - name: dstdomain - type: keyword - description: | - Destination Domain - - name: duration - type: long - description: | - Durability of traffic (seconds) - - name: email_subject - type: keyword - description: | - Email Subject - - name: ep_uuid - type: keyword - description: | - Endpoint UUID - - name: ether_type - type: keyword - description: | - ethernet frame type - - name: eventid - type: keyword - description: | - ATP Evenet ID - - name: eventtime - type: date - description: | - Event time - - name: eventtype - type: keyword - description: | - ATP event type - - 
name: exceptions - type: keyword - description: | - List of the checks excluded by web exceptions. - - name: execution_path - type: keyword - description: | - ATP execution path - - name: extra - type: keyword - description: | - extra - - name: file_name - type: keyword - description: | - Filename - - name: file_path - type: keyword - description: | - File path - - name: file_size - type: integer - description: | - File Size - - name: filename - type: keyword - description: | - File name associated with the event - - name: filepath - type: keyword - description: | - Path of the file containing virus - - name: filesize - type: integer - description: | - Size of the file that contained virus - - name: free - type: integer - description: | - free - - name: from_email_address - type: keyword - description: | - Sender email address - - name: ftp_direction - type: keyword - description: | - Direction of FTP transfer: Upload or Download - - name: ftp_url - type: keyword - description: | - FTP URL from which virus was downloaded - - name: ftpcommand - type: keyword - description: | - FTP command used when virus was found - - name: fw_rule_id - type: integer - description: | - Firewall Rule ID which is applied on the traffic - - name: fw_rule_type - type: keyword - description: | - Firewall rule type which is applied on the traffic - - name: hb_health - type: keyword - description: | - Heartbeat status - - name: hb_status - type: keyword - description: | - Heartbeat status - - name: host - type: keyword - description: | - Host - - name: http_category - type: keyword - description: | - HTTP Category - - name: http_category_type - type: keyword - description: | - HTTP Category Type - - name: httpresponsecode - type: long - description: | - code of HTTP response - - name: iap - type: keyword - description: | - Internet Access policy ID applied on the traffic - - name: icmp_code - type: keyword - description: | - ICMP code of ICMP traffic - - name: icmp_type - type: keyword - 
description: | - ICMP type of ICMP traffic - - name: idle_cpu - type: float - description: | - idle ## - - name: idp_policy_id - type: integer - description: | - IPS policy ID which is applied on the traffic - - name: idp_policy_name - type: keyword - description: | - IPS policy name i.e. IPS policy name which is applied on the traffic - - name: in_interface - type: keyword - description: | - Interface for incoming traffic, e.g., Port A - - name: interface - type: keyword - description: | - interface - - name: ipaddress - type: keyword - description: | - Ipaddress - - name: ips_policy_id - type: integer - description: | - IPS policy ID applied on the traffic - - name: lease_time - type: keyword - description: | - Lease Time - - name: localgateway - type: keyword - description: | - Localgateway - - name: localnetwork - type: keyword - description: | - Localnetwork - - name: log_component - type: keyword - description: | - Component responsible for logging e.g. Firewall rule - - name: log_id - type: keyword - description: | - Unique 12 characters code (0101011) - - name: log_subtype - type: keyword - description: | - Sub type of event - - name: log_type - type: keyword - description: | - Type of event e.g. 
firewall event - - name: log_version - type: keyword - description: | - Log Version - - name: login_user - type: keyword - description: | - ATP login user - - name: mailid - type: keyword - description: | - mailid - - name: mailsize - type: integer - description: | - mailsize - - name: message - type: keyword - description: | - Message - - name: mode - type: keyword - description: | - Mode - - name: nat_rule_id - type: keyword - description: | - NAT Rule ID - - name: newversion - type: keyword - description: | - Newversion - - name: oldversion - type: keyword - description: | - Oldversion - - name: out_interface - type: keyword - description: | - Interface for outgoing traffic, e.g., Port B - - name: override_authorizer - type: keyword - description: | - Override authorizer - - name: override_name - type: keyword - description: | - Override name - - name: override_token - type: keyword - description: | - Override token - - name: phpsessid - type: keyword - description: | - PHP session ID - - name: platform - type: keyword - description: | - Platform of the traffic. 
- - name: policy_type - type: keyword - description: | - Policy type applied to the traffic - - name: priority - type: keyword - description: | - Severity level of traffic - - name: protocol - type: keyword - description: | - Protocol number of traffic - - name: qualifier - type: keyword - description: | - Qualifier - - name: quarantine - type: keyword - description: | - Path and filename of the file quarantined - - name: quarantine_reason - type: keyword - description: | - Quarantine reason - - name: querystring - type: keyword - description: | - querystring - - name: raw_data - type: keyword - description: | - Raw data - - name: received_pkts - type: long - description: | - Total number of packets received - - name: receiveddrops - type: long - description: | - received drops - - name: receivederrors - type: keyword - description: | - received errors - - name: receivedkbits - type: long - description: | - received kbits - - name: recv_bytes - type: long - description: | - Total number of bytes received - - name: red_id - type: keyword - description: | - RED ID - - name: referer - type: keyword - description: | - Referer - - name: remote_ip - type: ip - description: | - Remote IP - - name: remotenetwork - type: keyword - description: | - remotenetwork - - name: reported_host - type: keyword - description: | - Reported Host - - name: reported_ip - type: keyword - description: | - Reported IP - - name: reports - type: float - description: | - Reports - - name: rule_priority - type: keyword - description: | - Priority of IPS policy - - name: sent_bytes - type: long - description: | - Total number of bytes sent - - name: sent_pkts - type: long - description: | - Total number of packets sent - - name: server - type: keyword - description: | - Server - - name: sessionid - type: keyword - description: | - Sessionid - - name: sha1sum - type: keyword - description: | - SHA1 checksum of the item being analyzed - - name: signature - type: float - description: | - Signature - 
- name: signature_id - type: keyword - description: | - Signature ID - - name: signature_msg - type: keyword - description: | - Signature messsage - - name: site_category - type: keyword - description: | - Site Category - - name: source - type: keyword - description: | - Source - - name: sourceip - type: ip - description: | - Original source IP address of traffic - - name: spamaction - type: keyword - description: | - Spam Action - - name: sqli - type: keyword - description: | - related SQLI caught by the WAF - - name: src_country_code - type: keyword - description: | - Code of the country to which the source IP belongs - - name: src_domainname - type: keyword - description: | - Sender domain name - - name: src_ip - type: ip - description: | - Original source IP address of traffic - - name: src_mac - type: keyword - description: | - Original source MAC address of traffic - - name: src_port - type: integer - description: | - Original source port of TCP and UDP traffic - - name: src_zone_type - type: keyword - description: |- - Type of source zone - - name: ssid - type: keyword - description: | - Configured SSID name. - - name: start_time - type: date - description: | - Start time - - name: starttime - type: date - description: | - Starttime - - name: status - type: keyword - description: | - Ultimate status of traffic – Allowed or Denied - - name: status_code - type: keyword - description: | - Status code - - name: subject - type: keyword - description: | - Email subject - - name: syslog_server_name - type: keyword - description: | - Syslog server name - - name: syslog_server_name - type: keyword - description: | - Syslog server name. - - name: system_cpu - type: float - description: | - system - - name: target - type: keyword - description: | - Platform of the traffic. 
- - name: temp - type: float - description: | - Temp - - name: threatname - type: keyword - description: | - ATP threatname - - name: timestamp - type: date - description: | - timestamp - - name: timezone - type: keyword - description: | - Time (hh:mm:ss) when the event occurred - - name: to_email_address - type: keyword - description: | - Receipeint email address - - name: total_memory - type: integer - description: | - Total Memory - - name: trans_dst_ip - type: ip - description: | - Translated destination IP address for outgoing traffic - - name: trans_dst_port - type: integer - description: | - Translated destination port for outgoing traffic - - name: trans_src_ip - type: ip - description: | - Translated source IP address for outgoing traffic - - name: trans_src_port - type: integer - description: | - Translated source port for outgoing traffic - - name: transaction_id - type: keyword - description: | - Transaction ID - - name: transactionid - type: keyword - description: | - Transaction ID of the AV scan. - - name: transmitteddrops - type: long - description: | - transmitted drops - - name: transmittederrors - type: keyword - description: | - transmitted errors - - name: transmittedkbits - type: long - description: | - transmitted kbits - - name: unit - type: keyword - description: | - unit - - name: updatedip - type: ip - description: | - updatedip - - name: upload_file_name - type: keyword - description: | - Upload file name - - name: upload_file_type - type: keyword - description: | - Upload file type - - name: url - type: keyword - description: | - URL from which virus was downloaded - - name: used - type: integer - description: | - used - - name: used_quota - type: keyword - description: | - Used Quota - - name: user - type: keyword - description: | - User - - name: user_cpu - type: float - description: | - system - - name: user_gp - type: keyword - description: | - Group name to which the user belongs. 
- - name: user_group - type: keyword - description: | - Group name to which the user belongs - - name: user_name - type: keyword - description: | - user_name - - name: users - type: long - description: | - Number of users from System Health / Live User events. - - name: vconn_id - type: integer - description: | - Connection ID of the master connection - - name: virus - type: keyword - description: | - virus name - - name: web_policy_id - type: keyword - description: | - Web policy ID - - name: website - type: keyword - description: | - Website - - name: xss - type: keyword - description: | - related XSS caught by the WAF diff --git a/packages/sophos/2.2.2/data_stream/xg/manifest.yml b/packages/sophos/2.2.2/data_stream/xg/manifest.yml deleted file mode 100755 index 51993f6082..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/manifest.yml +++ /dev/null 
@@ -1,240 +0,0 @@ -type: logs -title: Sophos XG logs -streams: - - input: tcp - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The port to listen on for syslog data. - multi: false - required: true - show_user: true - default: 9005 - - name: default_host_name - type: text - title: Default Host Name - description: Host name / Observer name, since Sophos XG does not provide this in the syslog file. - multi: false - required: true - show_user: true - default: firewall.localgroup.local - - name: known_devices - type: yaml - title: Known Devices - description: | - The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. - This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used. - multi: false - required: true - show_user: true - default: | - - hostname: my_fancy_host - serial_number: "1234567890123456" - - hostname: some_other_host.local - serial_number: "1234567890123457" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-xg - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - name: tcp_options - type: yaml - title: Custom TCP Options - multi: false - required: false - show_user: false - default: | - #max_connections: 1 - #framing: delimitier - #line_delimiter: "\n" - description: Specify custom configuration options for the TCP input. 
- template_path: tcp.yml.hbs - title: Sophos XG logs - description: Collect Sophos XG logs - - input: udp - vars: - - name: syslog_host - type: text - title: Syslog Host - description: The interface to listen on for syslog data. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: syslog_port - type: integer - title: Syslog Port - description: The port to listen on for syslog data. - multi: false - required: true - show_user: true - default: 9005 - - name: default_host_name - type: text - title: Default Host Name - description: Host name / Observer name, since Sophos XG does not provide this in the syslog file. - multi: false - required: true - show_user: true - default: firewall.localgroup.local - - name: known_devices - type: yaml - title: Known Devices - description: | - The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. - This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used. - multi: false - required: true - show_user: true - default: | - - hostname: my_fancy_host - serial_number: "1234567890123456" - - hostname: some_other_host.local - serial_number: "1234567890123457" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-xg - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: udp.yml.hbs - title: Sophos XG logs - description: Collect Sophos XG logs - - input: logfile - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - - name: default_host_name - type: text - title: Default Host Name - description: Host name / Observer name, since Sophos XG does not provide this in the syslog file. - multi: false - required: true - show_user: true - default: firewall.localgroup.local - - name: known_devices - type: yaml - title: Known Devices - description: | - The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. - This will match every known device serial number to a hostname. If no serial number appears the `default_host_name` will be used. - multi: false - required: true - show_user: true - default: | - - hostname: my_fancy_host - serial_number: "1234567890123456" - - hostname: some_other_host.local - serial_number: "1234567890123457" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sophos-xg - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Sophos XG logs - description: Collect Sophos XG logs diff --git a/packages/sophos/2.2.2/data_stream/xg/sample_event.json b/packages/sophos/2.2.2/data_stream/xg/sample_event.json deleted file mode 100755 index 3d6e8025ff..0000000000 --- a/packages/sophos/2.2.2/data_stream/xg/sample_event.json +++ /dev/null 
@@ -1,91 +0,0 @@
-{
- "@timestamp": "2016-12-02T18:50:20.000Z",
- "agent": {
- "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc",
- "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "sophos.xg",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "action": "alert",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "code": "16010",
- "dataset": "sophos.xg",
- "ingested": "2022-04-20T20:13:02Z",
- "kind": "event",
- "outcome": "success",
- "severity": 1,
- "timezone": "+00:00"
- },
- "host": {
- "name": "XG230"
- },
- "input": {
- "type": "udp"
- },
- "log": {
- "level": "alert",
- "source": {
- "address": "172.31.0.8:48162"
- }
- },
- "observer": {
- "product": "XG",
- "serial_number": "1234567890123456",
- "type": "firewall",
- "vendor": "Sophos"
- },
- "related": {
- "hosts": [
- "XG230"
- ],
- "ip": [
- "10.108.108.49"
- ]
- },
- "sophos": {
- "xg": {
- "action": "Deny",
- "context_match": "Not",
- "context_prefix": "blah blah hello ",
- "context_suffix": " hello blah ",
- "device": "SFW",
- "device_name": "SF01V",
- "dictionary_name": "complicated_Custom",
- "direction": "in",
- "file_name": "cgi_echo.pl",
- "log_component": "Web Content Policy",
- "log_id": "058420116010",
- "log_subtype": "Alert",
- "log_type": "Content Filtering",
- "site_category": "Information Technology",
- "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1",
- "user": "gi123456",
- "website": "ta-web-static-testing.qa. astaro.de"
- }
- },
- "source": {
- "ip": "10.108.108.49"
- },
- "tags": [
- "sophos-xg",
- "forwarded"
- ]
-}
\ No newline at end of file
diff --git a/packages/sophos/2.2.2/docs/README.md b/packages/sophos/2.2.2/docs/README.md
deleted file mode 100755
index 2c688f303f..0000000000
--- a/packages/sophos/2.2.2/docs/README.md
+++ /dev/null
@@ -1,1331 +0,0 @@ -# Sophos Integration - -The Sophos integration collects and parses logs from Sophos Products. - -Currently it accepts logs in syslog format or from a file for the following devices: - -- `utm` dataset: supports [Unified Threat Management](https://www.sophos.com/en-us/support/documentation/sophos-utm) (formerly known as Astaro Security Gateway) logs. -- `xg` dataset: supports [Sophos XG SFOS logs](https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Logs.html). - -To configure a remote syslog destination, please reference the [SophosXG/SFOS Documentation](https://community.sophos.com/kb/en-us/123184). - -The syslog format chosen should be `Default`. - -## Compatibility - -This module has been tested against SFOS version 17.5.x and 18.0.x. -Versions above this are expected to work but have not been tested. - -## Logs - -### Utm log - -The `utm` dataset collects Unified Threat Management logs. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| container.id | Unique container id. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.question.domain | Server domain. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | -| dns.question.type | The type of record being queried. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. 
| keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. 
| keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.interface.name | | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.product | The product name of the observer. 
| keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.parent.name | Process name. Sometimes called program name or similar. | keyword | -| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | -| process.parent.pid | Process id. | long | -| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | -| process.pid | Process id. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword | -| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | -| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | -| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | -| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | -| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | -| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | -| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | -| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | -| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | -| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | -| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | -| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | -| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | -| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | -| rsa.crypto.cert_checksum | | keyword | -| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | -| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | -| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | -| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | -| rsa.crypto.cert_issuer | | keyword | -| rsa.crypto.cert_keysize | | keyword | -| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | -| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | -| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | -| rsa.crypto.cert_username | | keyword | -| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | -| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | -| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | -| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | -| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | -| rsa.crypto.d_certauth | | keyword | -| rsa.crypto.https_insact | | keyword | -| rsa.crypto.https_valid | | keyword | -| rsa.crypto.ike | IKE negotiation phase. 
| keyword | -| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | -| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | -| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | -| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | -| rsa.crypto.s_certauth | | keyword | -| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | -| rsa.crypto.sig_type | This key captures the Signature Type | keyword | -| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | -| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | -| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | -| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | -| rsa.db.db_pid | This key captures the process id of a connection with database server | long | -| rsa.db.index | This key captures IndexID of the index. | keyword | -| rsa.db.instance | This key is used to capture the database server instance name | keyword | -| rsa.db.lread | This key is used for the number of logical reads | long | -| rsa.db.lwrite | This key is used for the number of logical writes | long | -| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | -| rsa.db.pread | This key is used for the number of physical writes | long | -| rsa.db.table_name | This key is used to capture the table name | keyword | -| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | -| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | -| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | -| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | -| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | -| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | -| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | -| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | -| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | -| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | -| rsa.file.attachment | This key captures the attachment file name | keyword | -| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | -| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | -| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | -| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | -| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | -| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | -| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | -| rsa.file.filename_tmp | | keyword | -| rsa.file.filesystem | | keyword | -| rsa.file.privilege | Deprecated, use permissions | keyword | -| rsa.file.task_name | This is used to capture name of the task | keyword | -| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | -| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | -| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | -| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | -| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | -| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | -| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | -| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | -| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | -| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | -| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | -| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | -| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | -| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | -| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | -| rsa.identity.org | This key captures the User organization | keyword | -| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | -| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | -| rsa.identity.profile | This key is used to capture the user profile | keyword | -| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | -| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | -| rsa.identity.user_dept | User's Department Names only | keyword | -| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | -| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | -| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | -| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.data | Deprecated key defined only in table map. | keyword | -| rsa.internal.dead | Deprecated key defined only in table map. | long | -| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | -| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | -| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.event_desc | | keyword | -| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | -| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | -| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | -| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.inode | Deprecated key defined only in table map. | long | -| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | -| rsa.internal.level | Deprecated key defined only in table map. | long | -| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | -| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | -| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | -| rsa.internal.message | This key captures the contents of instant messages | keyword | -| rsa.internal.messageid | | keyword | -| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | -| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | -| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | -| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | -| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | -| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | -| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | -| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | -| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | -| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | -| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.site | Deprecated key defined only in table map. | keyword | -| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | -| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.internal.statement | Deprecated key defined only in table map. | keyword | -| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | -| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | -| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | -| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | -| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | -| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | -| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | -| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | -| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | -| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | -| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | -| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | -| rsa.investigations.event_cat | This key captures the Event category number | long | -| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | -| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | -| rsa.investigations.inv_category | This used to capture investigation category | keyword | -| rsa.investigations.inv_context | This used to capture investigation context | keyword | -| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | -| rsa.misc.OS | This key captures the Name of the Operating System | keyword | -| rsa.misc.acl_id | | keyword | -| rsa.misc.acl_op | | keyword | -| rsa.misc.acl_pos | | keyword | -| rsa.misc.acl_table | | keyword | -| rsa.misc.action | | keyword | -| rsa.misc.admin | | keyword | -| rsa.misc.agent_id | This key is used to capture agent id | keyword | -| rsa.misc.alarm_id | | keyword | -| rsa.misc.alarmname | | keyword | -| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.app_id | | keyword | -| rsa.misc.audit | | keyword | -| rsa.misc.audit_object | | keyword | -| rsa.misc.auditdata | | keyword | -| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | -| rsa.misc.benchmark | | keyword | -| rsa.misc.bypass | | keyword | -| rsa.misc.cache | | keyword | -| rsa.misc.cache_hit | | keyword | -| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | -| rsa.misc.cc_number | Valid Credit Card Numbers only | long | -| rsa.misc.cefversion | | keyword | -| rsa.misc.cfg_attr | | keyword | -| rsa.misc.cfg_obj | | keyword | -| rsa.misc.cfg_path | | keyword | -| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | -| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | -| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | -| rsa.misc.changes | | keyword | -| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | -| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | -| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | -| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | -| rsa.misc.client_ip | | keyword | -| rsa.misc.clustermembers | | keyword | -| rsa.misc.cmd | | keyword | -| rsa.misc.cn_acttimeout | | keyword | -| rsa.misc.cn_asn_src | | keyword | -| rsa.misc.cn_bgpv4nxthop | | keyword | -| rsa.misc.cn_ctr_dst_code | | keyword | -| rsa.misc.cn_dst_tos | | keyword | -| rsa.misc.cn_dst_vlan | | keyword | -| rsa.misc.cn_engine_id | | keyword | -| rsa.misc.cn_engine_type | | keyword | -| rsa.misc.cn_f_switch | | keyword | -| rsa.misc.cn_flowsampid | | keyword | -| rsa.misc.cn_flowsampintv | | keyword | -| rsa.misc.cn_flowsampmode | | keyword | -| rsa.misc.cn_inacttimeout | | keyword | -| rsa.misc.cn_inpermbyts | | keyword | -| rsa.misc.cn_inpermpckts | | keyword | -| rsa.misc.cn_invalid | | keyword | -| rsa.misc.cn_ip_proto_ver | | keyword | -| rsa.misc.cn_ipv4_ident | | keyword | -| rsa.misc.cn_l_switch | | keyword | -| rsa.misc.cn_log_did | | keyword | -| rsa.misc.cn_log_rid | | keyword | -| rsa.misc.cn_max_ttl | | keyword | -| rsa.misc.cn_maxpcktlen | | keyword | -| rsa.misc.cn_min_ttl | | keyword | -| rsa.misc.cn_minpcktlen | | keyword | -| rsa.misc.cn_mpls_lbl_1 | | keyword | -| rsa.misc.cn_mpls_lbl_10 | | keyword | -| rsa.misc.cn_mpls_lbl_2 | | keyword | -| rsa.misc.cn_mpls_lbl_3 | | keyword | -| rsa.misc.cn_mpls_lbl_4 | | keyword | -| rsa.misc.cn_mpls_lbl_5 | 
| keyword | -| rsa.misc.cn_mpls_lbl_6 | | keyword | -| rsa.misc.cn_mpls_lbl_7 | | keyword | -| rsa.misc.cn_mpls_lbl_8 | | keyword | -| rsa.misc.cn_mpls_lbl_9 | | keyword | -| rsa.misc.cn_mplstoplabel | | keyword | -| rsa.misc.cn_mplstoplabip | | keyword | -| rsa.misc.cn_mul_dst_byt | | keyword | -| rsa.misc.cn_mul_dst_pks | | keyword | -| rsa.misc.cn_muligmptype | | keyword | -| rsa.misc.cn_sampalgo | | keyword | -| rsa.misc.cn_sampint | | keyword | -| rsa.misc.cn_seqctr | | keyword | -| rsa.misc.cn_spackets | | keyword | -| rsa.misc.cn_src_tos | | keyword | -| rsa.misc.cn_src_vlan | | keyword | -| rsa.misc.cn_sysuptime | | keyword | -| rsa.misc.cn_template_id | | keyword | -| rsa.misc.cn_totbytsexp | | keyword | -| rsa.misc.cn_totflowexp | | keyword | -| rsa.misc.cn_totpcktsexp | | keyword | -| rsa.misc.cn_unixnanosecs | | keyword | -| rsa.misc.cn_v6flowlabel | | keyword | -| rsa.misc.cn_v6optheaders | | keyword | -| rsa.misc.code | | keyword | -| rsa.misc.command | | keyword | -| rsa.misc.comments | Comment information provided in the log message | keyword | -| rsa.misc.comp_class | | keyword | -| rsa.misc.comp_name | | keyword | -| rsa.misc.comp_rbytes | | keyword | -| rsa.misc.comp_sbytes | | keyword | -| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | -| rsa.misc.connection_id | This key captures the Connection ID | keyword | -| rsa.misc.content | This key captures the content type from protocol headers | keyword | -| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | -| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | -| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | -| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | -| rsa.misc.context_target | | keyword | -| rsa.misc.count | | keyword | -| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | -| rsa.misc.cpu_data | | keyword | -| rsa.misc.criticality | | keyword | -| rsa.misc.cs_agency_dst | | keyword | -| rsa.misc.cs_analyzedby | | keyword | -| rsa.misc.cs_av_other | | keyword | -| rsa.misc.cs_av_primary | | keyword | -| rsa.misc.cs_av_secondary | | keyword | -| rsa.misc.cs_bgpv6nxthop | | keyword | -| rsa.misc.cs_bit9status | | keyword | -| rsa.misc.cs_context | | keyword | -| rsa.misc.cs_control | | keyword | -| rsa.misc.cs_data | | keyword | -| rsa.misc.cs_datecret | | keyword | -| rsa.misc.cs_dst_tld | | keyword | -| rsa.misc.cs_eth_dst_ven | | keyword | -| rsa.misc.cs_eth_src_ven | | keyword | -| rsa.misc.cs_event_uuid | | keyword | -| rsa.misc.cs_filetype | | keyword | -| rsa.misc.cs_fld | | keyword | -| rsa.misc.cs_if_desc | | keyword | -| rsa.misc.cs_if_name | | keyword | -| rsa.misc.cs_ip_next_hop | | keyword | -| rsa.misc.cs_ipv4dstpre | | keyword | -| rsa.misc.cs_ipv4srcpre | | keyword | -| rsa.misc.cs_lifetime | | keyword | -| rsa.misc.cs_log_medium | | keyword | -| rsa.misc.cs_loginname | | keyword | -| rsa.misc.cs_modulescore | | keyword | -| rsa.misc.cs_modulesign | | keyword | -| rsa.misc.cs_opswatresult | | keyword | -| rsa.misc.cs_payload | | keyword | -| rsa.misc.cs_registrant | | keyword | -| rsa.misc.cs_registrar | | keyword | -| rsa.misc.cs_represult | | keyword | -| rsa.misc.cs_rpayload | | keyword | -| rsa.misc.cs_sampler_name | | keyword | -| rsa.misc.cs_sourcemodule | | keyword | -| rsa.misc.cs_streams | | keyword | -| rsa.misc.cs_targetmodule | | keyword | -| rsa.misc.cs_v6nxthop | | keyword | -| rsa.misc.cs_whois_server | | keyword | -| rsa.misc.cs_yararesult | | keyword | -| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | -| rsa.misc.data_type | | keyword | -| rsa.misc.description | | keyword | -| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | -| rsa.misc.devvendor | | keyword | -| rsa.misc.disposition | This key captures the The end state of an action. | keyword | -| rsa.misc.distance | | keyword | -| rsa.misc.doc_number | This key captures File Identification number | long | -| rsa.misc.dstburb | | keyword | -| rsa.misc.edomain | | keyword | -| rsa.misc.edomaub | | keyword | -| rsa.misc.ein_number | Employee Identification Numbers only | long | -| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | -| rsa.misc.euid | | keyword | -| rsa.misc.event_category | | keyword | -| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | -| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | -| rsa.misc.event_id | | keyword | -| rsa.misc.event_log | This key captures the Name of the event log | keyword | -| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | -| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | -| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | -| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | -| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | -| rsa.misc.facility | | keyword | -| rsa.misc.facilityname | | keyword | -| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | -| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | -| rsa.misc.finterface | | keyword | -| rsa.misc.flags | | keyword | -| rsa.misc.forensic_info | | keyword | -| rsa.misc.found | This is used to capture the results of regex match | keyword | -| rsa.misc.fresult | This key captures the Filter Result | long | -| rsa.misc.gaddr | | keyword | -| rsa.misc.group | This key captures the Group Name value | keyword | -| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | -| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | -| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | -| rsa.misc.id3 | | keyword | -| rsa.misc.im_buddyid | | keyword | -| rsa.misc.im_buddyname | | keyword | -| rsa.misc.im_client | | keyword | -| rsa.misc.im_croomid | | keyword | -| rsa.misc.im_croomtype | | keyword | -| rsa.misc.im_members | | keyword | -| rsa.misc.im_userid | | keyword | -| rsa.misc.im_username | | keyword | -| rsa.misc.index | | keyword | -| rsa.misc.inout | | keyword | -| rsa.misc.ipkt | | keyword | -| rsa.misc.ipscat | | keyword | -| rsa.misc.ipspri | | keyword | -| rsa.misc.job_num | This key captures the Job Number | keyword | -| rsa.misc.jobname | | keyword | -| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | -| rsa.misc.latitude | | keyword | -| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | -| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | -| rsa.misc.linenum | | keyword | -| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | -| rsa.misc.list_name | | keyword | -| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | -| rsa.misc.load_data | | keyword | -| rsa.misc.location_floor | | keyword | -| rsa.misc.location_mark | | keyword | -| rsa.misc.log_id | | keyword | -| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | -| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | -| rsa.misc.log_type | | keyword | -| rsa.misc.logid | | keyword | -| rsa.misc.logip | | keyword | -| rsa.misc.logname | | keyword | -| rsa.misc.longitude | | keyword | -| rsa.misc.lport | | keyword | -| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | -| rsa.misc.match | This key is for regex match name from search.ini | keyword | -| rsa.misc.mbug_data | | keyword | -| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | -| rsa.misc.misc | | keyword | -| rsa.misc.misc_name | | keyword | -| rsa.misc.mode | | keyword | -| rsa.misc.msgIdPart1 | | keyword | -| rsa.misc.msgIdPart2 | | keyword | -| rsa.misc.msgIdPart3 | | keyword | -| rsa.misc.msgIdPart4 | | keyword | -| rsa.misc.msg_type | | keyword | -| rsa.misc.msgid | | keyword | -| rsa.misc.name | | keyword | -| rsa.misc.netsessid | | keyword | -| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | -| rsa.misc.ntype | | keyword | -| rsa.misc.num | | keyword | -| rsa.misc.number | | keyword | -| rsa.misc.number1 | | keyword | -| rsa.misc.number2 | | keyword | -| rsa.misc.nwwn | | keyword | -| rsa.misc.obj_name | This is used to capture name of object | keyword | -| rsa.misc.obj_type | This is used to capture type of object | keyword | -| rsa.misc.object | | keyword | -| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | -| rsa.misc.operation | | keyword | -| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | -| rsa.misc.opkt | | keyword | -| rsa.misc.orig_from | | keyword | -| rsa.misc.owner_id | | keyword | -| rsa.misc.p_action | | keyword | -| rsa.misc.p_filter | | keyword | -| rsa.misc.p_group_object | | keyword | -| rsa.misc.p_id | | keyword | -| rsa.misc.p_msgid | | keyword | -| rsa.misc.p_msgid1 | | keyword | -| rsa.misc.p_msgid2 | | keyword | -| rsa.misc.p_result1 | | keyword | -| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | -| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | -| rsa.misc.param_src | This key captures source parameter | keyword | -| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | -| rsa.misc.password_chg | | keyword | -| rsa.misc.password_expire | | keyword | -| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | -| rsa.misc.payload_src | This key is used to capture source payload | keyword | -| rsa.misc.permgranted | | keyword | -| rsa.misc.permwanted | | keyword | -| rsa.misc.pgid | | keyword | -| rsa.misc.phone | | keyword | -| rsa.misc.pid | | keyword | -| rsa.misc.policy | | keyword | -| rsa.misc.policyUUID | | keyword | -| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | -| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | -| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | -| rsa.misc.policy_waiver | | keyword | -| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | -| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | -| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | -| rsa.misc.priority | | keyword | -| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | -| rsa.misc.prog_asp_num | | keyword | -| rsa.misc.program | | keyword | -| rsa.misc.real_data | | keyword | -| rsa.misc.reason | | keyword | -| rsa.misc.rec_asp_device | | keyword | -| rsa.misc.rec_asp_num | | keyword | -| rsa.misc.rec_library | | keyword | -| rsa.misc.recordnum | | keyword | -| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | -| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | -| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | -| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | -| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | -| rsa.misc.risk | This key captures the non-numeric risk value | keyword | -| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_num | This key captures a Numeric Risk value | double | -| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | -| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | -| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | -| rsa.misc.risk_num_static | This key captures Risk Number Static | double | -| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | -| rsa.misc.ruid | | keyword | -| rsa.misc.rule | This key captures the Rule number | keyword | -| rsa.misc.rule_group | This key captures the Rule group name | keyword | -| rsa.misc.rule_name | This key captures the Rule Name | keyword | -| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | -| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | -| rsa.misc.sburb | | keyword | -| rsa.misc.sdomain_fld | | keyword | -| rsa.misc.search_text | This key captures the Search Text used | keyword | -| rsa.misc.sec | | keyword | -| rsa.misc.second | | keyword | -| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | -| rsa.misc.sensorname | | keyword | -| rsa.misc.seqnum | | keyword | -| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | -| rsa.misc.session | | keyword | -| rsa.misc.sessiontype | | keyword | -| rsa.misc.severity | This key is used to capture the severity given the session | keyword | -| rsa.misc.sigUUID | | keyword | -| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | -| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | -| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | -| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | -| rsa.misc.sigcat | | keyword | -| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | -| rsa.misc.snmp_value | SNMP set request value | keyword | -| rsa.misc.space | | keyword | -| rsa.misc.space1 | | keyword | -| rsa.misc.spi | | keyword | -| rsa.misc.spi_dst | Destination SPI Index | keyword | -| rsa.misc.spi_src | Source SPI Index | keyword | -| rsa.misc.sql | This key captures the SQL query | keyword | -| rsa.misc.srcburb | | keyword | -| rsa.misc.srcdom | | keyword | -| rsa.misc.srcservice | | keyword | -| rsa.misc.state | | keyword | -| rsa.misc.status | | keyword | -| rsa.misc.status1 | | keyword | -| rsa.misc.streams | This key captures number of streams in session | long | -| rsa.misc.subcategory | | keyword | -| rsa.misc.svcno | | keyword | -| rsa.misc.system | | keyword | -| rsa.misc.tbdstr1 | | keyword | -| rsa.misc.tbdstr2 | | keyword | -| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | -| rsa.misc.terminal | This key captures the Terminal Names only | keyword | -| rsa.misc.tgtdom | | keyword | -| rsa.misc.tgtdomain | | keyword | -| rsa.misc.threshold | | keyword | -| rsa.misc.tos | This key describes the type of service | long 
| -| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | -| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | -| rsa.misc.type | | keyword | -| rsa.misc.type1 | | keyword | -| rsa.misc.udb_class | | keyword | -| rsa.misc.url_fld | | keyword | -| rsa.misc.user_div | | keyword | -| rsa.misc.userid | | keyword | -| rsa.misc.username_fld | | keyword | -| rsa.misc.utcstamp | | keyword | -| rsa.misc.v_instafname | | keyword | -| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | -| rsa.misc.virt_data | | keyword | -| rsa.misc.virusname | This key captures the name of the virus | keyword | -| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | -| rsa.misc.vpnid | | keyword | -| rsa.misc.vsys | This key captures Virtual System Name | keyword | -| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | -| rsa.misc.workspace | This key captures Workspace Description | keyword | -| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | -| rsa.network.addr | | keyword | -| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | -| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | -| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | -| rsa.network.dns_a_record | | keyword | -| rsa.network.dns_cname_record | | keyword | -| rsa.network.dns_id | | keyword | -| rsa.network.dns_opcode | | keyword | -| rsa.network.dns_ptr_record | | keyword | -| rsa.network.dns_resp | | keyword | -| rsa.network.dns_type | | keyword | -| rsa.network.domain | | keyword | -| rsa.network.domain1 | | keyword | -| rsa.network.eth_host | Deprecated, use alias.mac | keyword | -| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | -| rsa.network.faddr | | keyword | -| rsa.network.fhost | | keyword | -| rsa.network.fport | | keyword | -| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | -| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | -| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | -| rsa.network.host_type | | keyword | -| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | -| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | -| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | -| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | -| rsa.network.laddr | | keyword | -| rsa.network.lhost | | keyword | -| rsa.network.linterface | | keyword | -| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | -| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | -| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | -| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | -| rsa.network.origin | | keyword | -| rsa.network.packet_length | | keyword | -| rsa.network.paddr | Deprecated | ip | -| rsa.network.phost | | keyword | -| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | -| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | -| rsa.network.remote_domain_id | | keyword | -| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | -| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | -| rsa.network.smask | This key is used for capturing source Network Mask | keyword | -| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | -| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | -| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | -| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | -| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | -| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | -| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | -| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | -| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | -| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | -| rsa.threat.alert | This key is used to capture name of the alert | keyword | -| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | -| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | -| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | -| rsa.time.date | | keyword | -| rsa.time.datetime | | keyword | -| rsa.time.day | | keyword | -| rsa.time.duration_str | A text string version of the duration | keyword | -| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | -| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | -| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | -| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | -| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | -| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | -| rsa.time.eventtime | | keyword | -| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | -| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | -| rsa.time.gmtdate | | keyword | -| rsa.time.gmttime | | keyword | -| rsa.time.hour | | keyword | -| rsa.time.min | | keyword | -| rsa.time.month | | keyword | -| rsa.time.p_date | | keyword | -| rsa.time.p_month | | keyword | -| rsa.time.p_time | | keyword | -| rsa.time.p_time1 | | keyword | -| rsa.time.p_time2 | | keyword | -| rsa.time.p_year | | keyword | -| rsa.time.process_time | Deprecated, use duration.time | keyword | -| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | -| rsa.time.stamp | Deprecated key defined only in table map. | date | -| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | -| rsa.time.timestamp | | keyword | -| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | -| rsa.time.tzone | | keyword | -| rsa.time.year | | keyword | -| rsa.web.alias_host | | keyword | -| rsa.web.cn_asn_dst | | keyword | -| rsa.web.cn_rpackets | | keyword | -| rsa.web.fqdn | Fully Qualified Domain Names | keyword | -| rsa.web.p_url | | keyword | -| rsa.web.p_user_agent | | keyword | -| rsa.web.p_web_cookie | | keyword | -| rsa.web.p_web_method | | keyword | -| rsa.web.p_web_referer | | keyword | -| rsa.web.remote_domain | | keyword | -| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | -| rsa.web.urlpage | | keyword | -| rsa.web.urlroot | | keyword | -| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | -| rsa.web.web_extension_tmp | | keyword | -| rsa.web.web_page | | keyword | -| rsa.web.web_ref_domain | Web referer's domain | keyword | -| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | -| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | -| rsa.web.web_ref_root | Web referer's root URL path | keyword | -| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | -| rsa.wireless.wlan_channel | This is used to capture the channel names | long | -| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | -| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | -| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -### XG log - -This is the Sophos `xg` dataset. Reference information about the log formats -can be found in the [Sophos syslog guide]( -https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf). 
- -An example event for `xg` looks as following: - -```json -{ - "@timestamp": "2016-12-02T18:50:20.000Z", - "agent": { - "ephemeral_id": "b1eb8b45-bca7-40b1-b2f4-9d5c87e449bc", - "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.2" - }, - "data_stream": { - "dataset": "sophos.xg", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "dee3c982-4bd2-4c06-b207-fe0ce9ef19c5", - "snapshot": false, - "version": "8.1.2" - }, - "event": { - "action": "alert", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "16010", - "dataset": "sophos.xg", - "ingested": "2022-04-20T20:13:02Z", - "kind": "event", - "outcome": "success", - "severity": 1, - "timezone": "+00:00" - }, - "host": { - "name": "XG230" - }, - "input": { - "type": "udp" - }, - "log": { - "level": "alert", - "source": { - "address": "172.31.0.8:48162" - } - }, - "observer": { - "product": "XG", - "serial_number": "1234567890123456", - "type": "firewall", - "vendor": "Sophos" - }, - "related": { - "hosts": [ - "XG230" - ], - "ip": [ - "10.108.108.49" - ] - }, - "sophos": { - "xg": { - "action": "Deny", - "context_match": "Not", - "context_prefix": "blah blah hello ", - "context_suffix": " hello blah ", - "device": "SFW", - "device_name": "SF01V", - "dictionary_name": "complicated_Custom", - "direction": "in", - "file_name": "cgi_echo.pl", - "log_component": "Web Content Policy", - "log_id": "058420116010", - "log_subtype": "Alert", - "log_type": "Content Filtering", - "site_category": "Information Technology", - "transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", - "user": "gi123456", - "website": "ta-web-static-testing.qa. astaro.de" - } - }, - "source": { - "ip": "10.108.108.49" - }, - "tags": [ - "sophos-xg", - "forwarded" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. 
| keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| destination.user.email | User email address. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. 
| keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.severity | The numeric severity of the event according to your event source. 
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.hash.sha512 | SHA512 hash. 
| keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Input type | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
-| log.offset | Log offset | long |
-| log.source.address | | keyword |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.bytes | Total bytes transferred in both directions. 
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. 
Internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.hostname | Hostname of the observer. | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
-| observer.product | The product name of the observer. | keyword |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.vendor | Vendor name of the observer. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
| keyword |
-| sophos.xg.action | Event Action | keyword |
-| sophos.xg.activityname | Web policy activity that matched and caused the policy result. | keyword |
-| sophos.xg.ap | Access Point Serial ID or LocalWifi0 or LocalWifi1. | keyword |
-| sophos.xg.app_category | Name of the category under which application falls | keyword |
-| sophos.xg.app_filter_policy_id | Application filter policy ID applied on the traffic | keyword |
-| sophos.xg.app_is_cloud | Application is Cloud | keyword |
-| sophos.xg.app_name | Application name | keyword |
-| sophos.xg.app_resolved_by | Application is resolved by signature or synchronized application | keyword |
-| sophos.xg.app_risk | Risk level assigned to the application | keyword |
-| sophos.xg.app_technology | Technology of the application | keyword |
-| sophos.xg.appfilter_policy_id | Application Filter policy applied on the traffic | integer |
-| sophos.xg.application | Application name | keyword |
-| sophos.xg.application_category | Application is resolved by signature or synchronized application | keyword |
-| sophos.xg.application_filter_policy | Application Filter policy applied on the traffic | integer |
-| sophos.xg.application_name | Application name | keyword |
-| sophos.xg.application_risk | Risk level assigned to the application | keyword |
-| sophos.xg.application_technology | Technology of the application | keyword |
-| sophos.xg.appresolvedby | Technology of the application | keyword |
-| sophos.xg.auth_client | Auth Client | keyword |
-| sophos.xg.auth_mechanism | Auth mechanism | keyword |
-| sophos.xg.av_policy_name | Malware scanning policy name which is applied on the traffic | keyword |
-| sophos.xg.backup_mode | Backup mode | keyword |
-| sophos.xg.branch_name | Branch Name | keyword |
-| sophos.xg.category | IPS signature category. 
| keyword |
-| sophos.xg.category_type | Type of category under which website falls | keyword |
-| sophos.xg.classification | Signature classification | keyword |
-| sophos.xg.client_host_name | Client host name | keyword |
-| sophos.xg.client_physical_address | Client physical address | keyword |
-| sophos.xg.clients_conn_ssid | Number of client connected to the SSID. | long |
-| sophos.xg.collisions | collisions | long |
-| sophos.xg.con_event | Event Start/Stop | keyword |
-| sophos.xg.con_id | Unique identifier of connection | integer |
-| sophos.xg.configuration | Configuration | float |
-| sophos.xg.conn_id | Unique identifier of connection | integer |
-| sophos.xg.connectionname | Connectionname | keyword |
-| sophos.xg.connectiontype | Connectiontype | keyword |
-| sophos.xg.connevent | Event on which this log is generated | keyword |
-| sophos.xg.connid | Connection ID | keyword |
-| sophos.xg.content_type | Type of the content | keyword |
-| sophos.xg.contenttype | Type of the content | keyword |
-| sophos.xg.context_match | Context Match | keyword |
-| sophos.xg.context_prefix | Content Prefix | keyword |
-| sophos.xg.context_suffix | Context Suffix | keyword |
-| sophos.xg.cookie | cookie | keyword |
-| sophos.xg.date | Date (yyyy-mm-dd) when the event occurred | date |
-| sophos.xg.destinationip | Original destination IP address of traffic | ip |
-| sophos.xg.device | device | keyword |
-| sophos.xg.device_id | Serial number of the device | keyword |
-| sophos.xg.device_model | Model number of the device | keyword |
-| sophos.xg.device_name | Model number of the device | keyword |
-| sophos.xg.dictionary_name | Dictionary Name | keyword |
-| sophos.xg.dir_disp | TPacket direction. 
Possible values:“org”, “reply”, “” | keyword |
-| sophos.xg.direction | Direction | keyword |
-| sophos.xg.domainname | Domain from which virus was downloaded | keyword |
-| sophos.xg.download_file_name | Download file name | keyword |
-| sophos.xg.download_file_type | Download file type | keyword |
-| sophos.xg.dst_country_code | Code of the country to which the destination IP belongs | keyword |
-| sophos.xg.dst_domainname | Receiver domain name | keyword |
-| sophos.xg.dst_ip | Original destination IP address of traffic | ip |
-| sophos.xg.dst_port | Original destination port of TCP and UDP traffic | integer |
-| sophos.xg.dst_zone_type | Type of destination zone | keyword |
-| sophos.xg.dstdomain | Destination Domain | keyword |
-| sophos.xg.duration | Durability of traffic (seconds) | long |
-| sophos.xg.email_subject | Email Subject | keyword |
-| sophos.xg.ep_uuid | Endpoint UUID | keyword |
-| sophos.xg.ether_type | ethernet frame type | keyword |
-| sophos.xg.eventid | ATP Evenet ID | keyword |
-| sophos.xg.eventtime | Event time | date |
-| sophos.xg.eventtype | ATP event type | keyword |
-| sophos.xg.exceptions | List of the checks excluded by web exceptions. 
| keyword |
-| sophos.xg.execution_path | ATP execution path | keyword |
-| sophos.xg.extra | extra | keyword |
-| sophos.xg.file_name | Filename | keyword |
-| sophos.xg.file_path | File path | keyword |
-| sophos.xg.file_size | File Size | integer |
-| sophos.xg.filename | File name associated with the event | keyword |
-| sophos.xg.filepath | Path of the file containing virus | keyword |
-| sophos.xg.filesize | Size of the file that contained virus | integer |
-| sophos.xg.free | free | integer |
-| sophos.xg.from_email_address | Sender email address | keyword |
-| sophos.xg.ftp_direction | Direction of FTP transfer: Upload or Download | keyword |
-| sophos.xg.ftp_url | FTP URL from which virus was downloaded | keyword |
-| sophos.xg.ftpcommand | FTP command used when virus was found | keyword |
-| sophos.xg.fw_rule_id | Firewall Rule ID which is applied on the traffic | integer |
-| sophos.xg.fw_rule_type | Firewall rule type which is applied on the traffic | keyword |
-| sophos.xg.hb_health | Heartbeat status | keyword |
-| sophos.xg.hb_status | Heartbeat status | keyword |
-| sophos.xg.host | Host | keyword |
-| sophos.xg.http_category | HTTP Category | keyword |
-| sophos.xg.http_category_type | HTTP Category Type | keyword |
-| sophos.xg.httpresponsecode | code of HTTP response | long |
-| sophos.xg.iap | Internet Access policy ID applied on the traffic | keyword |
-| sophos.xg.icmp_code | ICMP code of ICMP traffic | keyword |
-| sophos.xg.icmp_type | ICMP type of ICMP traffic | keyword |
-| sophos.xg.idle_cpu | idle ## | float |
-| sophos.xg.idp_policy_id | IPS policy ID which is applied on the traffic | integer |
-| sophos.xg.idp_policy_name | IPS policy name i.e. 
IPS policy name which is applied on the traffic | keyword |
-| sophos.xg.in_interface | Interface for incoming traffic, e.g., Port A | keyword |
-| sophos.xg.interface | interface | keyword |
-| sophos.xg.ipaddress | Ipaddress | keyword |
-| sophos.xg.ips_policy_id | IPS policy ID applied on the traffic | integer |
-| sophos.xg.lease_time | Lease Time | keyword |
-| sophos.xg.localgateway | Localgateway | keyword |
-| sophos.xg.localnetwork | Localnetwork | keyword |
-| sophos.xg.log_component | Component responsible for logging e.g. Firewall rule | keyword |
-| sophos.xg.log_id | Unique 12 characters code (0101011) | keyword |
-| sophos.xg.log_subtype | Sub type of event | keyword |
-| sophos.xg.log_type | Type of event e.g. firewall event | keyword |
-| sophos.xg.log_version | Log Version | keyword |
-| sophos.xg.login_user | ATP login user | keyword |
-| sophos.xg.mailid | mailid | keyword |
-| sophos.xg.mailsize | mailsize | integer |
-| sophos.xg.message | Message | keyword |
-| sophos.xg.mode | Mode | keyword |
-| sophos.xg.nat_rule_id | NAT Rule ID | keyword |
-| sophos.xg.newversion | Newversion | keyword |
-| sophos.xg.oldversion | Oldversion | keyword |
-| sophos.xg.out_interface | Interface for outgoing traffic, e.g., Port B | keyword |
-| sophos.xg.override_authorizer | Override authorizer | keyword |
-| sophos.xg.override_name | Override name | keyword |
-| sophos.xg.override_token | Override token | keyword |
-| sophos.xg.phpsessid | PHP session ID | keyword |
-| sophos.xg.platform | Platform of the traffic. 
| keyword |
-| sophos.xg.policy_type | Policy type applied to the traffic | keyword |
-| sophos.xg.priority | Severity level of traffic | keyword |
-| sophos.xg.protocol | Protocol number of traffic | keyword |
-| sophos.xg.qualifier | Qualifier | keyword |
-| sophos.xg.quarantine | Path and filename of the file quarantined | keyword |
-| sophos.xg.quarantine_reason | Quarantine reason | keyword |
-| sophos.xg.querystring | querystring | keyword |
-| sophos.xg.raw_data | Raw data | keyword |
-| sophos.xg.received_pkts | Total number of packets received | long |
-| sophos.xg.receiveddrops | received drops | long |
-| sophos.xg.receivederrors | received errors | keyword |
-| sophos.xg.receivedkbits | received kbits | long |
-| sophos.xg.recv_bytes | Total number of bytes received | long |
-| sophos.xg.red_id | RED ID | keyword |
-| sophos.xg.referer | Referer | keyword |
-| sophos.xg.remote_ip | Remote IP | ip |
-| sophos.xg.remotenetwork | remotenetwork | keyword |
-| sophos.xg.reported_host | Reported Host | keyword |
-| sophos.xg.reported_ip | Reported IP | keyword |
-| sophos.xg.reports | Reports | float |
-| sophos.xg.rule_priority | Priority of IPS policy | keyword |
-| sophos.xg.sent_bytes | Total number of bytes sent | long |
-| sophos.xg.sent_pkts | Total number of packets sent | long |
-| sophos.xg.server | Server | keyword |
-| sophos.xg.sessionid | Sessionid | keyword |
-| sophos.xg.sha1sum | SHA1 checksum of the item being analyzed | keyword |
-| sophos.xg.signature | Signature | float |
-| sophos.xg.signature_id | Signature ID | keyword |
-| sophos.xg.signature_msg | Signature messsage | keyword |
-| sophos.xg.site_category | Site Category | keyword |
-| sophos.xg.source | Source | keyword |
-| sophos.xg.sourceip | Original source IP address of traffic | ip |
-| sophos.xg.spamaction | Spam Action | keyword |
-| sophos.xg.sqli | related SQLI caught by the WAF | keyword |
-| sophos.xg.src_country_code | Code of the country to which the source IP belongs | 
keyword |
-| sophos.xg.src_domainname | Sender domain name | keyword |
-| sophos.xg.src_ip | Original source IP address of traffic | ip |
-| sophos.xg.src_mac | Original source MAC address of traffic | keyword |
-| sophos.xg.src_port | Original source port of TCP and UDP traffic | integer |
-| sophos.xg.src_zone_type | Type of source zone | keyword |
-| sophos.xg.ssid | Configured SSID name. | keyword |
-| sophos.xg.start_time | Start time | date |
-| sophos.xg.starttime | Starttime | date |
-| sophos.xg.status | Ultimate status of traffic – Allowed or Denied | keyword |
-| sophos.xg.status_code | Status code | keyword |
-| sophos.xg.subject | Email subject | keyword |
-| sophos.xg.syslog_server_name | Syslog server name | keyword |
-| sophos.xg.system_cpu | system | float |
-| sophos.xg.target | Platform of the traffic. | keyword |
-| sophos.xg.temp | Temp | float |
-| sophos.xg.threatname | ATP threatname | keyword |
-| sophos.xg.timestamp | timestamp | date |
-| sophos.xg.timezone | Time (hh:mm:ss) when the event occurred | keyword |
-| sophos.xg.to_email_address | Receipeint email address | keyword |
-| sophos.xg.total_memory | Total Memory | integer |
-| sophos.xg.trans_dst_ip | Translated destination IP address for outgoing traffic | ip |
-| sophos.xg.trans_dst_port | Translated destination port for outgoing traffic | integer |
-| sophos.xg.trans_src_ip | Translated source IP address for outgoing traffic | ip |
-| sophos.xg.trans_src_port | Translated source port for outgoing traffic | integer |
-| sophos.xg.transaction_id | Transaction ID | keyword |
-| sophos.xg.transactionid | Transaction ID of the AV scan. 
| keyword |
-| sophos.xg.transmitteddrops | transmitted drops | long |
-| sophos.xg.transmittederrors | transmitted errors | keyword |
-| sophos.xg.transmittedkbits | transmitted kbits | long |
-| sophos.xg.unit | unit | keyword |
-| sophos.xg.updatedip | updatedip | ip |
-| sophos.xg.upload_file_name | Upload file name | keyword |
-| sophos.xg.upload_file_type | Upload file type | keyword |
-| sophos.xg.url | URL from which virus was downloaded | keyword |
-| sophos.xg.used | used | integer |
-| sophos.xg.used_quota | Used Quota | keyword |
-| sophos.xg.user | User | keyword |
-| sophos.xg.user_cpu | system | float |
-| sophos.xg.user_gp | Group name to which the user belongs. | keyword |
-| sophos.xg.user_group | Group name to which the user belongs | keyword |
-| sophos.xg.user_name | user_name | keyword |
-| sophos.xg.users | Number of users from System Health / Live User events. | long |
-| sophos.xg.vconn_id | Connection ID of the master connection | integer |
-| sophos.xg.virus | virus name | keyword |
-| sophos.xg.web_policy_id | Web policy ID | keyword |
-| sophos.xg.website | Website | keyword |
-| sophos.xg.xss | related XSS caught by the WAF | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. 
| keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| source.user.email | User email address. | keyword |
-| source.user.group.name | Name of the group. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.registered_domain | The highest registered url domain, stripped of the subdomain. 
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| url.username | Username of the request. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
diff --git a/packages/sophos/2.2.2/img/logo.svg b/packages/sophos/2.2.2/img/logo.svg deleted file mode 100755
index 44612bd861..0000000000
--- a/packages/sophos/2.2.2/img/logo.svg
+++ /dev/null
@@ -1,39 +0,0 @@
- -image/svg+xml \ No newline at end of file
diff --git a/packages/sophos/2.2.2/img/sophos.svg b/packages/sophos/2.2.2/img/sophos.svg deleted file mode 100755
index 5ebdeaf788..0000000000
--- a/packages/sophos/2.2.2/img/sophos.svg
+++ /dev/null
@@ -1,69 +0,0 @@
- - - -image/svg+xml
diff --git a/packages/sophos/2.2.2/manifest.yml b/packages/sophos/2.2.2/manifest.yml deleted file mode 100755
index edc91b8022..0000000000
--- a/packages/sophos/2.2.2/manifest.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-format_version: 1.0.0
-name: sophos
-title: Sophos Logs
-version: 2.2.2
-description: Collect and parse logs from Sophos Products with Elastic Agent.
-categories: ["security"]
-release: ga
-license: basic
-type: integration
-conditions:
- kibana.version: "^7.17.0 || ^8.0.0"
-policy_templates:
- - name: sophos
- title: Sophos logs
- description: Collect Sophos logs from syslog or a file.
- inputs:
- - type: udp
- title: Collect logs from Sophos via UDP
- description: Collecting syslog from Sophos via UDP
- - type: tcp
- title: Collect logs from Sophos via TCP
- description: Collecting syslog from Sophos via TCP
- - type: logfile
- title: Collect logs from Sophos via file
- description: Collecting syslog from Sophos via file.
-icons:
- - src: /img/logo.svg
- title: Sophos logo
- size: 32x32
- type: image/svg+xml
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/suricata/2.1.0/changelog.yml b/packages/suricata/2.1.0/changelog.yml deleted file mode 100755
index 567542096b..0000000000
--- a/packages/suricata/2.1.0/changelog.yml
+++ /dev/null
@@ -1,142 +0,0 @@
-# newer versions go on top
-- version: "2.1.0"
- changes:
- - description: Add JA3/JA3S to `related.hash`
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3440
-- version: "2.0.0"
- changes:
- - description: Migrate map visualisation from tile_map to map object
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3263
-- version: "1.7.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.6.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.6.0"
- changes:
- - description: Add network.protocol support for krb5, smtp, snmp, and ikev2.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2772
-- version: "1.5.0"
- changes:
- - description: Set destination.ip in events.
- type: bugfix
- link: https://github.com/elastic/integrations/issues/2558
- - description: Format MAC addresses per ECS and RFC 7042. 
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2564
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2443
-- version: "1.3.2"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.3.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.3.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2244
-- version: "1.2.3"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2083
-- version: "1.2.2"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1989
-- version: "1.2.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1854
-- version: "1.2.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1680
-- version: "1.1.3"
- changes:
- - description: Convert to generated ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1507
-- version: "1.1.2"
- changes:
- - description: update to ECS 1.11.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1421
-- version: "1.1.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "1.1.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "1.0.1"
- changes:
- - 
description: Fixes improper date fields and metadata field issues.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1287
-- version: "1.0.0"
- changes:
- - description: make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1216
- - description: Set "event.module" and "event.dataset"
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1216
-- version: "0.6.3"
- changes:
- - description: Use `wildcard` field type.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1162
-- version: "0.6.2"
- changes:
- - description: Modify event.original and update ECS version to 1.10.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1105
-- version: "0.6.1"
- changes:
- - description: Make event.original optional
- type: enhancement
- link: https://github.com/elastic/integrations/pull/991
-- version: "0.6.0"
- changes:
- - description: Move edge processing to ingest pipelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/749
-- version: "0.5.2"
- changes:
- - description: update to ECS 1.9.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/873
-- version: "0.5.1"
- changes:
- - description: Change kibana.version constraint to be more conservative.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/749
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/186
diff --git a/packages/suricata/2.1.0/data_stream/eve/agent/stream/log.yml.hbs b/packages/suricata/2.1.0/data_stream/eve/agent/stream/log.yml.hbs deleted file mode 100755
index 0acdce5615..0000000000
--- a/packages/suricata/2.1.0/data_stream/eve/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,19 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/default.yml b/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b619ad869f..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,669 +0,0 @@ ---- -description: Pipeline for parsing Suricata EVE logs - -processors: - - set: - field: ecs.version - value: '8.2.0' - - set: - field: event.original - copy_from: message - override: false - ignore_failure: true - - remove: - field: message - ignore_missing: true - - set: - field: event.created - copy_from: '@timestamp' - override: false - ignore_failure: true - - json: - field: event.original - target_field: suricata.eve - - rename: - field: suricata.eve.ether.dest_mac - target_field: destination.mac - ignore_missing: true - - rename: - field: suricata.eve.ether.src_mac - target_field: source.mac - ignore_missing: true - - # Format source.mac address. - - gsub: - field: source.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true - - gsub: - field: source.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - - uppercase: - field: source.mac - ignore_missing: true - - # Format destination.mac address. - - gsub: - field: destination.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true - - gsub: - field: destination.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true - - uppercase: - field: destination.mac - ignore_missing: true - - - rename: - field: suricata.eve.src_ip - target_field: source.address - ignore_missing: true - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_failure: true - - convert: - field: suricata.eve.src_port - target_field: source.port - type: integer - ignore_failure: true - - rename: - field: suricata.eve.dest_ip - target_field: destination.address - ignore_missing: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - - convert: - field: suricata.eve.dest_port - target_field: destination.port - type: integer - ignore_failure: true - - rename: - field: suricata.eve.proto - target_field: network.transport - ignore_missing: true - - convert: - field: suricata.eve.flow_id - 
type: string - ignore_missing: true - - date: - field: '@timestamp' - target_field: event.created - formats: - - ISO8601 - ignore_failure: true - - date: - field: suricata.eve.timestamp - formats: - - ISO8601 - - community_id: - target_field: network.community_id - ignore_failure: true - - registered_domain: - field: suricata.eve.dns.rrname - target_field: dns.question - ignore_missing: true - # Handle the different Suricata event types. - - lowercase: - field: suricata.eve.event_type - ignore_missing: true - - script: - lang: painless - ignore_failure: true - params: - alert: - kind: alert - category: - - network - - intrusion_detection - dns: - type: - - protocol - network_protocol: dns - flow: - type: - - connection - ftp: - type: - - protocol - network_protocol: ftp - ftp_data: - type: - - protocol - network_protocol: ftp - http: - category: - - network - - web - type: - - access - - protocol - network_protocol: http - http2: - category: - - network - - web - type: - - access - - protocol - network_protocol: http - ikev2: - type: - - protocol - network_protocol: ikev2 - krb5: - type: - - protocol - network_protocol: krb5 - mqtt: - type: - - protocol - network_protocol: mqtt - smb: - type: - - protocol - network_protocol: smb - smtp: - type: - - protocol - network_protocol: smtp - snmp: - type: - - protocol - network_protocol: snmp - ssh: - type: - - protocol - network_protocol: ssh - stats: - kind: metric - tftp: - type: - - protocol - network_protocol: tftp - tls: - type: - - protocol - network_protocol: tls - rdp: - type: - - protocol - network_protocol: rdp - rfb: # RFB (Remote Framebuffer Protocol) - type: - - protocol - network_protocol: rdp - - source: | - ctx.event.kind = 'event'; - ctx.event.category = ['network']; - def type_params = params.get(ctx?.suricata?.eve?.event_type); - if (type_params == null) { - return; - } - type_params.forEach((k, v) -> { - if ('network_protocol' == k) { - if (ctx.network == null) { - ctx.network = ['protocol': v]; - } 
else { - ctx.network.protocol = v; - } - } else { - ctx.event[k] = v; - } - }); - - ## Anomaly and Alert - - lowercase: - field: suricata.eve.app_proto - ignore_missing: true - - set: - if: ctx?.suricata?.eve?.app_proto == "ftp-data" - field: network.protocol - value: ftp - - set: - if: >- - ctx?.suricata?.eve?.app_proto != "failed" && - ctx?.suricata?.eve?.app_proto != "template" && - ctx?.suricata?.eve?.app_proto != "template-rust" - field: network.protocol - copy_from: suricata.eve.app_proto - ignore_failure: true - ## HTTP - - set: - if: 'ctx?.suricata?.eve?.event_type == "http" && ctx?.suricata?.eve?.http?.status != null && ctx?.suricata?.eve?.http?.status < 400' - field: event.outcome - value: success - - set: - if: 'ctx?.suricata?.eve?.event_type == "http" && ctx?.suricata?.eve?.http?.status != null && ctx?.suricata?.eve?.http?.status >= 400' - field: event.outcome - value: failure - - convert: - field: suricata.eve.http.http_port - type: integer - if: ctx?.suricata?.eve?.http?.http_port != null - ## DNS - - pipeline: - if: >- - ctx?.network?.protocol == "dns" - name: '{{ IngestPipeline "dns" }}' - ## TLS - - pipeline: - if: ctx?.network?.protocol == "tls" - name: '{{ IngestPipeline "tls" }}' - ## Flow - - append: - if: ctx?.suricata?.eve?.flow?.state == "new" - field: event.type - value: - - start - - append: - if: ctx?.suricata?.eve?.flow?.state == "closed" - field: event.type - value: - - end - - set: - field: http.request.method - copy_from: suricata.eve.http.http_method - ignore_failure: true - - rename: - field: suricata.eve.http.status - target_field: http.response.status_code - ignore_missing: true - - append: - if: ctx.suricata?.eve?.http?.hostname != null - value: '{{{suricata.eve.http.hostname}}}' - field: destination.domain - allow_duplicates: false - - remove: - field: suricata.eve.http.hostname - ignore_failure: true - - script: - lang: painless - tag: suricata_deduplicate_dest_domain - source: > - def domain = ctx.destination?.domain; - if 
(domain instanceof Collection) { - domain = domain.stream().distinct().collect(Collectors.toList()); - if (domain.length == 1) { - domain = domain[0]; - } - ctx.destination.domain = domain; - } - ignore_failure: true - - set: - if: "ctx?.network?.protocol == 'http'" - field: url.domain - copy_from: destination.domain - ignore_failure: true - - grok: - field: suricata.eve.http.url - patterns: - - '%{PATH:url.path}(?:\?%{QUERY:url.query})?(?:#%{ANY:url.fragment})?' - ignore_missing: true - pattern_definitions: - PATH: '[^?#]*' - QUERY: '[^#]*' - ANY: '.*' - - rename: - field: suricata.eve.http.url - target_field: url.original - ignore_missing: true - - rename: - field: suricata.eve.http.http_refer - target_field: http.request.referrer - ignore_missing: true - - rename: - field: suricata.eve.http.length - target_field: http.response.body.bytes - ignore_missing: true - - rename: - field: suricata.eve.fileinfo.filename - target_field: file.path - ignore_missing: true - - rename: - field: suricata.eve.fileinfo.size - target_field: file.size - ignore_missing: true - - lowercase: - field: network.transport - ignore_missing: true - - # Suricata alert and metadata - - convert: - field: suricata.eve.alert.category - target_field: message - type: string - ignore_missing: true - - set: - field: rule.category - value: "{{{suricata.eve.alert.category}}}" - ignore_empty_value: true - - set: - field: rule.id - value: "{{{suricata.eve.alert.signature_id}}}" - ignore_empty_value: true - - set: - field: rule.name - value: "{{{suricata.eve.alert.signature}}}" - ignore_empty_value: true - - set: - field: suricata.eve.alert.action - value: denied - if: "ctx?.suricata?.eve?.alert?.action == 'blocked'" - - append: - field: event.type - value: "{{{suricata.eve.alert.action}}}" - if: "ctx?.suricata?.eve?.alert?.action != null" - - remove: - field: suricata.eve.alert.action - ignore_failure: true - - rename: - field: suricata.eve.alert.severity - target_field: event.severity - ignore_missing: 
true - # All defined keys for metadata is moved out, leaving the metadata field as flattened for any custom fields introduced - # by suricata rules, to prevent the defined keys to be set as flattened type: - # https://better-schema.readthedocs.io/en/latest/schema.html#defined-keys - - rename: - field: suricata.eve.alert.metadata.protocols - target_field: suricata.eve.alert.protocols - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.attack_target - target_field: suricata.eve.alert.attack_target - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.capec_id - target_field: suricata.eve.alert.capec_id - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cwe_id - target_field: suricata.eve.alert.cwe_id - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.malware - target_field: suricata.eve.alert.malware - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cve - target_field: suricata.eve.alert.cve - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cvss_v2_base - target_field: suricata.eve.alert.cvss_v2_base - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cvss_v2_temporal - target_field: suricata.eve.alert.cvss_v2_temporal - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cvss_v3_base - target_field: suricata.eve.alert.cvss_v3_base - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.cvss_v3_temporal - target_field: suricata.eve.alert.cvss_v3_temporal - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.priority - target_field: suricata.eve.alert.priority - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.hostile - target_field: suricata.eve.alert.hostile - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.infected - target_field: suricata.eve.alert.infected - ignore_missing: true - - rename: - field: 
suricata.eve.alert.metadata.created_at - target_field: _tmp_.created_at - ignore_missing: true - - join: - field: _tmp_.created_at - description: Converts date field to string - separator: "," - if: ctx._tmp_?.created_at != null - - date: - field: _tmp_.created_at - target_field: suricata.eve.alert.created_at - formats: - - yyyy-MM-dd - - yyyy_MM_dd - if: ctx._tmp_?.created_at != null - ignore_failure: true - - rename: - field: suricata.eve.alert.metadata.updated_at - target_field: _tmp_.updated_at - ignore_missing: true - - join: - field: _tmp_.updated_at - description: Converts date field to string - separator: "," - if: ctx._tmp_?.updated_at != null - - date: - field: _tmp_.updated_at - target_field: suricata.eve.alert.updated_at - formats: - - yyyy-MM-dd - - yyyy_MM_dd - if: ctx._tmp_?.updated_at != null - ignore_failure: true - - rename: - field: suricata.eve.alert.metadata.filename - target_field: file.name - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.classtype - target_field: suricata.eve.alert.classtype - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.rule_source - target_field: suricata.eve.alert.rule_source - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.sid - target_field: suricata.eve.alert.sid - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.mitre_attack - target_field: threat.tactic.id - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.mitre_tactic_id - target_field: threat.tactic.id - ignore_missing: true - if: ctx.threat?.tactic?.id == null - - rename: - field: suricata.eve.alert.metadata.mitre_tactic_name - target_field: threat.tactic.name - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.mitre_technique_id - target_field: threat.technique.id - ignore_missing: true - - rename: - field: suricata.eve.alert.metadata.mitre_technique_id - target_field: threat.technique.name - ignore_missing: true - - rename: - 
field: suricata.eve.flow.pkts_toclient - target_field: destination.packets - ignore_missing: true - - rename: - field: suricata.eve.flow.pkts_toserver - target_field: source.packets - ignore_missing: true - - rename: - field: suricata.eve.flow.bytes_toclient - target_field: destination.bytes - ignore_missing: true - - rename: - field: suricata.eve.flow.bytes_toserver - target_field: source.bytes - ignore_missing: true - - script: - lang: painless - source: > - long getOrZero(def map, def key) { - if (map!=null && map[key]!=null) { - return map[key]; - } - return 0; - } - def network=ctx['network'], source=ctx['source'], dest=ctx['destination']; - def sp=getOrZero(source,'packets'), sb=getOrZero(source,'bytes'), dp=getOrZero(dest,'packets'), db=getOrZero(dest,'bytes'); - if (sb+db+sp+dp > 0) { - if (network == null) { - network=new HashMap(); - ctx['network']=network; - } - if (sb+db > 0) { - network['bytes'] = sb+db; - } - if(sp+dp>0) { - network['packets'] = sp+dp; - } - } - - date: - field: suricata.eve.flow.start - target_field: event.start - formats: - - ISO8601 - ignore_failure: true - - date: - field: suricata.eve.flow.end - target_field: event.end - formats: - - ISO8601 - ignore_failure: true - - script: - lang: painless - source: > - Instant ins(def d) { - try { - return Instant.parse(d); - } catch(Exception e) { - return null; - } - } - def ev = ctx['event']; - if (ev != null) { - def start = ins(ev['start']); - def end = ins(ev['end']); - if (start != null && end != null && !start.isAfter(end)) { - ev['duration'] = Duration.between(start,end).toNanos(); - } - } - - lowercase: - field: suricata.eve.proto - target_field: network.transport - ignore_missing: true - - user_agent: - field: suricata.eve.http.http_user_agent - ignore_missing: true - - geoip: - if: ctx.source?.geo == null - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - if: ctx.destination?.geo == null - field: destination.ip - target_field: destination.geo - 
ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{{url.domain}}}' - if: ctx.url?.domain != null && ctx.url?.domain != '' - allow_duplicates: false - - append: - if: ctx?.source?.ip != null - field: related.ip - value: '{{{source.ip}}}' - allow_duplicates: false - - append: - if: ctx?.destination?.ip != null - field: related.ip - value: '{{{destination.ip}}}' - allow_duplicates: false - - append: - field: related.hash - value: "{{tls.server.ja3s}}" - if: "ctx?.tls?.server?.ja3s != null" - - append: - field: related.hash - value: "{{tls.client.ja3}}" - if: "ctx?.tls?.client?.ja3 != null" - allow_duplicates: false - - remove: - field: suricata.eve.alert.metadata - if: "ctx.suricata?.eve?.alert?.metadata == null || ctx.suricata?.eve?.alert?.metadata.isEmpty()" - ignore_failure: true - ignore_missing: true - - remove: - field: - - suricata.eve.app_proto - - suricata.eve.flow.end - - suricata.eve.flow.start - - suricata.eve.http.http_method - - suricata.eve.http.http_user_agent - - suricata.eve.timestamp - - suricata.eve.src_port - - suricata.eve.dest_port - - dns.question.domain - - _tmp_ - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v1.yml b/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v1.yml deleted file mode 100755 index cc71bfd21c..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v1.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for Suricata DNS answers v1 - -# Suricata DNS v1 events contain a single answer. Multiple events are created -# to represent all of the answers. -processors: - - script: - lang: painless - tag: suricata_dns_answer_v1 - source: | - def name = ctx?.suricata?.eve?.dns?.rrname; - def data = ctx?.suricata?.eve?.dns?.rdata; - def type = ctx?.suricata?.eve?.dns?.rrtype; - def ttl = ctx?.suricata?.eve?.dns?.ttl; - - def answer = [:]; - if (name != null) { - answer["name"] = name; - } - if (data != null) { - answer["data"] = data; - } - if (type != null) { - answer["type"] = type; - } - if (ttl != null) { - answer["ttl"] = ttl; - } - if (!answer.isEmpty()) { - ctx.dns.answers = [answer]; - } - - if (type == "A" || type == "AAAA") { - ctx.dns.resolved_ip = [data]; - } -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v2.yml b/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v2.yml deleted file mode 100755 index 509ad65db2..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v2.yml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -description: Pipeline for Suricata DNS answers v2 - -# Suricata DNS v2 events contain all answers in a single event. -processors: - - rename: - field: suricata.eve.dns.answers - target_field: dns.answers - ignore_missing: true - - script: - if: ctx?.dns?.answers != null - lang: painless - tag: suricata_dns_answers_v2 - source: | - def resolvedIps = new ArrayList(); - for (def answer : ctx?.dns?.answers) { - // Normalize field names to match ECS. - def name = answer.remove("rrname"); - if (name != null) { - answer["name"] = name; - } - def type = answer.remove("rrtype"); - if (type != null) { - answer["type"] = type; - } - def data = answer.remove("rdata"); - if (data != null) { - answer["data"] = data; - } - - if (type == "A" || type == "AAAA") { - resolvedIps.add(data); - } - } - - if (resolvedIps.size() > 0) { - ctx.dns.resolved_ip = resolvedIps; - } -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns.yml b/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns.yml deleted file mode 100755 index a41a3f1641..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/dns.yml +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -description: Pipeline for Suricata DNS Events - -processors: - - set: - field: dns.id - value: '{{suricata.eve.dns.id}}' - ignore_empty_value: true - - set: - field: dns.response_code - value: '{{suricata.eve.dns.rcode}}' - ignore_empty_value: true - - set: - field: dns.type - value: '{{suricata.eve.dns.type}}' - ignore_empty_value: true - - set: - # V2 events always include the query data. - if: >- - ctx?.dns?.type == "query" || - ctx?.suricata?.eve?.dns?.version == 2 - field: dns.question.name - value: '{{suricata.eve.dns.rrname}}' - ignore_empty_value: true - - set: - # V2 events always include the query data. - if: >- - ctx?.dns?.type == "query" || - ctx?.suricata?.eve?.dns?.version == 2 - field: dns.question.type - value: '{{suricata.eve.dns.rrtype}}' - ignore_empty_value: true - - pipeline: - if: >- - ctx?.dns?.type == "answer" && - ctx?.suricata?.eve?.dns?.version == null - name: '{{ IngestPipeline "dns-answer-v1" }}' - - pipeline: - if: >- - ctx?.dns?.type == "answer" && - ctx?.suricata?.eve?.dns?.version == 2 - name: '{{ IngestPipeline "dns-answer-v2" }}' - - foreach: - field: dns.resolved_ip - ignore_missing: true - processor: - append: - field: related.ip - value: - - '{{_ingest._value}}' - allow_duplicates: false - - script: - if: ctx?.dns?.question?.registered_domain != null - tag: suricata_dns_top_level_domain - lang: painless - source: | - def rd = ctx.dns.question.registered_domain; - def firstDot = rd.indexOf("."); - if (firstDot == -1) { - return; - } - ctx.dns.question.top_level_domain = rd.substring(firstDot + 1); - - append: - if: ctx?.suricata?.eve?.dns?.aa == true - field: dns.header_flags - value: AA - - append: - if: ctx?.suricata?.eve?.dns?.tc == true - field: dns.header_flags - value: TC - - append: - if: ctx?.suricata?.eve?.dns?.rd == true - field: dns.header_flags - value: RD - - append: - if: ctx?.suricata?.eve?.dns?.ra == true - field: dns.header_flags - value: RA - - remove: - field: - - suricata.eve.dns.aa - - 
suricata.eve.dns.tc - - suricata.eve.dns.rd - - suricata.eve.dns.ra - - suricata.eve.dns.qr - - suricata.eve.dns.version - - suricata.eve.dns.flags - - suricata.eve.dns.grouped - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml b/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml deleted file mode 100755 index 8db48ed80c..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/elasticsearch/ingest_pipeline/tls.yml +++ /dev/null 
@@ -1,184 +0,0 @@ ---- -description: Pipeline for Suricata TLS Events - -processors: - - dissect: - field: suricata.eve.tls.version - pattern: '%{tls.version_protocol} %{tls.version}' - ignore_missing: true - if: ctx?.suricata?.eve?.tls?.version != 'UNDETERMINED' - - lowercase: - field: tls.version_protocol - ignore_missing: true - - script: - if: ctx?.suricata?.eve?.tls?.sni != null - tag: suricata_trim_tls_sni - lang: painless - source: | - def sni = ctx.suricata.eve.tls.sni; - if (!sni.endsWith(".")) { - return; - } - ctx.suricata.eve.tls.sni = sni.substring(0, sni.length() - 1); - # Subject - - set: - field: tls.server.subject - value: '{{suricata.eve.tls.subject}}' - ignore_empty_value: true - - kv: - field: suricata.eve.tls.subject - field_split: ' (?=[a-zA-Z]+=)' - value_split: '=' - target_field: suricata.eve.tls.kv_subject - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.C - target_field: tls.server.x509.subject.country - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.CN - target_field: tls.server.x509.subject.common_name - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.L - target_field: tls.server.x509.subject.locality - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.O - target_field: tls.server.x509.subject.organization - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.OU - target_field: tls.server.x509.subject.organizational_unit - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_subject.ST - target_field: tls.server.x509.subject.state_or_province - ignore_missing: true - # Issuer - - set: - field: tls.server.issuer - value: '{{suricata.eve.tls.issuerdn}}' - ignore_empty_value: true - - gsub: - field: suricata.eve.tls.issuerdn - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: suricata.eve.tls.issuerdn - field_split: ', ' - value_split: '=' - target_field: suricata.eve.tls.kv_issuerdn - ignore_missing: true 
- - rename: - field: suricata.eve.tls.kv_issuerdn.C - target_field: tls.server.x509.issuer.country - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.CN - target_field: tls.server.x509.issuer.common_name - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.L - target_field: tls.server.x509.issuer.locality - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.O - target_field: tls.server.x509.issuer.organization - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.OU - target_field: tls.server.x509.issuer.organizational_unit - ignore_missing: true - - rename: - field: suricata.eve.tls.kv_issuerdn.ST - target_field: tls.server.x509.issuer.state_or_province - ignore_missing: true - - - convert: - field: suricata.eve.tls.session_resumed - target_field: tls.resumed - type: boolean - ignore_missing: true - - set: - field: tls.server.hash.sha1 - value: '{{suricata.eve.tls.fingerprint}}' - ignore_empty_value: true - - uppercase: - field: tls.server.hash.sha1 - ignore_missing: true - - split: - field: tls.server.hash.sha1 - separator: ":" - ignore_missing: true - - join: - field: tls.server.hash.sha1 - separator: "" - ignore_failure: true - - append: - field: related.hash - value: "{{tls.server.hash.sha1}}" - if: "ctx?.tls?.server?.hash?.sha1 != null" - - set: - field: tls.client.server_name - value: '{{suricata.eve.tls.sni}}' - ignore_empty_value: true - - set: - field: destination.domain - value: '{{suricata.eve.tls.sni}}' - ignore_empty_value: true - - set: - field: tls.server.ja3s - value: '{{suricata.eve.tls.ja3s.hash}}' - ignore_empty_value: true - - set: - field: tls.client.ja3 - value: '{{suricata.eve.tls.ja3.hash}}' - ignore_empty_value: true - - set: - field: tls.server.certificate - value: '{{suricata.eve.tls.certificate}}' - ignore_empty_value: true - - set: - field: tls.server.certificate_chain - value: '{{suricata.eve.tls.chain}}' - ignore_empty_value: true - - set: - field: 
tls.server.x509.serial_number - value: '{{suricata.eve.tls.serial}}' - ignore_empty_value: true - - gsub: - field: tls.server.x509.serial_number - pattern: ':' - replacement: '' - ignore_missing: true - - date: - field: suricata.eve.tls.notafter - target_field: tls.server.not_after - formats: - - ISO8601 - if: ctx.suricata?.eve?.tls?.notafter != null - - date: - field: suricata.eve.tls.notbefore - target_field: tls.server.not_before - formats: - - ISO8601 - if: ctx.suricata?.eve?.tls?.notbefore != null - - set: - field: tls.server.x509.not_after - value: '{{tls.server.not_after}}' - ignore_empty_value: true - - set: - field: tls.server.x509.not_before - value: '{{tls.server.not_before}}' - ignore_empty_value: true - - remove: - field: - - suricata.eve.tls.kv_issuerdn - - suricata.eve.tls.kv_subject - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/suricata/2.1.0/data_stream/eve/fields/agent.yml b/packages/suricata/2.1.0/data_stream/eve/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/suricata/2.1.0/data_stream/eve/fields/base-fields.yml b/packages/suricata/2.1.0/data_stream/eve/fields/base-fields.yml deleted file mode 100755 index eee838550f..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: suricata -- name: event.dataset - type: constant_keyword - description: Event dataset - value: suricata.eve -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/suricata/2.1.0/data_stream/eve/fields/ecs.yml b/packages/suricata/2.1.0/data_stream/eve/fields/ecs.yml deleted file mode 100755 index a3109402b9..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/fields/ecs.yml +++ /dev/null 
@@ -1,377 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: Region ISO code. 
- name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
- name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. 
- level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - name: threat.framework - type: keyword -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - type: keyword -- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) - multi_fields: - - name: text - type: match_only_text - name: threat.technique.name - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. 
- name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword 
diff --git a/packages/suricata/2.1.0/data_stream/eve/fields/fields-epr.yml b/packages/suricata/2.1.0/data_stream/eve/fields/fields-epr.yml
deleted file mode 100755
index b8a01e0fdc..0000000000
--- a/packages/suricata/2.1.0/data_stream/eve/fields/fields-epr.yml
+++ /dev/null
@@ -1,169 +0,0 @@ -- name: event - title: Event - group: 2 - description: "The event fields are used for context information about the log or metric event itself.\nA log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events." - type: group - fields: - - name: created - level: core - type: date - description: "event.created contains the date/time when the event was first read by an agent, or by your pipeline.\nThis field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.\nIn most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.\nIn case the two timestamps are identical, @timestamp should be used." - example: "2016-05-23T08:05:34.857Z" - - name: ingested - level: core - type: date - description: "Timestamp when an event arrived in the central data store.\nThis is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event.\nIn normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`." - example: "2016-05-23T08:05:35.101Z" - - name: original - level: core - type: keyword - ignore_above: 1024 - description: "Raw text message of entire event. Used to demonstrate log integrity.\nThis field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`." - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -- name: dns - title: DNS - group: 2 - description: "Fields describing DNS queries and answers.\nDNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`)." - type: group - fields: - - name: answers - level: extended - type: object - object_type: keyword - description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - - name: answers.class - level: extended - type: keyword - ignore_above: 1024 - description: The class of DNS data contained in this resource record. 
- example: IN - - name: answers.data - level: extended - type: keyword - ignore_above: 1024 - description: "The data describing the resource.\nThe meaning of this data depends on the type and class of the resource record." - example: 10.10.10.10 - - name: answers.name - level: extended - type: keyword - ignore_above: 1024 - description: "The domain name to which this resource record pertains.\nIf a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated." - example: www.google.com - - name: answers.ttl - level: extended - type: long - description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - example: 180 - - name: answers.type - level: extended - type: keyword - ignore_above: 1024 - description: The type of data contained in this resource record. - example: CNAME - - name: header_flags - level: extended - type: keyword - ignore_above: 1024 - description: "Array of 2 letter DNS header flags.\nExpected values are: AA, TC, RD, RA, AD, CD, DO." - example: - - RD - - RA - - name: id - level: extended - type: keyword - ignore_above: 1024 - description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - example: 62111 - - name: op_code - level: extended - type: keyword - ignore_above: 1024 - description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - example: QUERY - - name: question.class - level: extended - type: keyword - ignore_above: 1024 - description: The class of records being queried. - example: IN - - name: question.name - level: extended - type: keyword - ignore_above: 1024 - description: 'The name being queried. 
- - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' - example: www.google.com - - name: question.registered_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered domain, stripped of the subdomain. - - For example, the registered domain for "foo.google.com" is "google.com". - - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com - - name: question.subdomain - level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain is all of the labels under the registered_domain. - - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' - example: www - - name: question.top_level_domain - level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". - - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - - name: question.type - level: extended - type: keyword - ignore_above: 1024 - description: The type of record being queried. 
- example: AAAA - - name: resolved_ip - level: extended - type: ip - description: "Array containing all IPs seen in `answers.data`.\nThe `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for." - example: - - 10.10.10.10 - - 10.10.10.11 - - name: response_code - level: extended - type: keyword - ignore_above: 1024 - description: The DNS response code. - example: NOERROR - - name: type - level: extended - type: keyword - ignore_above: 1024 - description: "The type of DNS event captured, query or answer.\nIf your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.\nIf your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers." - example: answer -- name: related - title: Related - group: 2 - description: "This field set is meant to facilitate pivoting around a piece of data.\nSome pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.\nA concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`." - type: group - fields: - - name: ip - level: extended - type: ip - description: All of the IPs seen on your event. -- name: input.type # Filebeat Fields - type: keyword - description: Filebeat input type used to collect the log. -- name: log.file.path - type: keyword - description: > - The file from which the line was read. 
This field contains the absolute path to the file. For example: `/var/log/system.log`.
-
-- name: log.offset
- type: long
- description: >-
- The file offset the reported line starts at.
diff --git a/packages/suricata/2.1.0/data_stream/eve/fields/fields.yml b/packages/suricata/2.1.0/data_stream/eve/fields/fields.yml
deleted file mode 100755
index 35d0142cbd..0000000000
--- a/packages/suricata/2.1.0/data_stream/eve/fields/fields.yml
+++ /dev/null
@@ -1,528 +0,0 @@
-- name: suricata.eve
- type: group
- fields:
- - name: event_type
- type: keyword
- - name: app_proto_orig
- type: keyword
- - name: tcp
- type: group
- fields:
- - name: tcp_flags
- type: keyword
- - name: psh
- type: boolean
- - name: tcp_flags_tc
- type: keyword
- - name: ack
- type: boolean
- - name: syn
- type: boolean
- - name: state
- type: keyword
- - name: tcp_flags_ts
- type: keyword
- - name: rst
- type: boolean
- - name: fin
- type: boolean
- - name: fileinfo
- type: group
- fields:
- - name: sha1
- type: keyword
- - name: tx_id
- type: long
- - name: state
- type: keyword
- - name: stored
- type: boolean
- - name: gaps
- type: boolean
- - name: sha256
- type: keyword
- - name: md5
- type: keyword
- - name: icmp_type
- type: long
- - name: pcap_cnt
- type: long
- - name: dns
- type: group
- fields:
- - name: type
- type: keyword
- - name: rrtype
- type: keyword
- - name: rrname
- type: keyword
- - name: rdata
- type: keyword
- - name: tx_id
- type: long
- - name: ttl
- type: long
- - name: rcode
- type: keyword
- - name: id
- type: long
- - name: flow_id
- type: keyword
- - name: email
- type: group
- fields:
- - name: status
- type: keyword
- - name: icmp_code
- type: long
- - name: http
- type: group
- fields:
- - name: redirect
- type: keyword
- - name: protocol
- type: keyword
- - name: http_content_type
- type: keyword
- - name: http_port
- type: long
- - name: in_iface
- type: keyword
- - name: alert
- type: group
- fields:
- - name: category
- type: keyword
- - name: rev
- type: long
- - name: gid
- type: long
- - name: signature
- type: keyword
- - name: signature_id
- type: long
- - name: protocols
- type: keyword
- - name: attack_target
- type: keyword
- - name: capec_id
- type: keyword
- - name: cwe_id
- type: keyword
- - name: malware
- type: keyword
- - name: cve
- type: keyword
- - name: cvss_v2_base
- type: keyword
- - name: cvss_v2_temporal
- type: keyword
- - name: cvss_v3_base
- type: keyword
- - name: 
cvss_v3_temporal
- type: keyword
- - name: priority
- type: keyword
- - name: hostile
- type: keyword
- - name: infected
- type: keyword
- - name: created_at
- type: date
- - name: updated_at
- type: date
- - name: classtype
- type: keyword
- - name: rule_source
- type: keyword
- - name: sid
- type: keyword
- - name: affected_product
- type: keyword
- - name: deployment
- type: keyword
- - name: former_category
- type: keyword
- - name: mitre_tool_id
- type: keyword
- - name: performance_impact
- type: keyword
- - name: signature_severity
- type: keyword
- - name: tag
- type: keyword
- - name: metadata
- type: flattened
- - name: ssh
- type: group
- fields:
- - name: client
- type: group
- fields:
- - name: proto_version
- type: keyword
- - name: software_version
- type: keyword
- - name: server
- type: group
- fields:
- - name: proto_version
- type: keyword
- - name: software_version
- type: keyword
- - name: stats
- type: group
- fields:
- - name: capture
- type: group
- fields:
- - name: kernel_packets
- type: long
- - name: kernel_drops
- type: long
- - name: kernel_ifdrops
- type: long
- - name: uptime
- type: long
- - name: detect
- type: group
- fields:
- - name: alert
- type: long
- - name: http
- type: group
- fields:
- - name: memcap
- type: long
- - name: memuse
- type: long
- - name: file_store
- type: group
- fields:
- - name: open_files
- type: long
- - name: defrag
- type: group
- fields:
- - name: max_frag_hits
- type: long
- - name: ipv4
- type: group
- fields:
- - name: timeouts
- type: long
- - name: fragments
- type: long
- - name: reassembled
- type: long
- - name: ipv6
- type: group
- fields:
- - name: timeouts
- type: long
- - name: fragments
- type: long
- - name: reassembled
- type: long
- - name: flow
- type: group
- fields:
- - name: tcp_reuse
- type: long
- - name: udp
- type: long
- - name: memcap
- type: long
- - name: emerg_mode_entered
- type: long
- - name: emerg_mode_over
- type: long
- - name: tcp
- type: long
- - name: icmpv6
-
type: long
- - name: icmpv4
- type: long
- - name: spare
- type: long
- - name: memuse
- type: long
- - name: tcp
- type: group
- fields:
- - name: pseudo_failed
- type: long
- - name: ssn_memcap_drop
- type: long
- - name: insert_data_overlap_fail
- type: long
- - name: sessions
- type: long
- - name: pseudo
- type: long
- - name: synack
- type: long
- - name: insert_data_normal_fail
- type: long
- - name: syn
- type: long
- - name: memuse
- type: long
- - name: invalid_checksum
- type: long
- - name: segment_memcap_drop
- type: long
- - name: overlap
- type: long
- - name: insert_list_fail
- type: long
- - name: rst
- type: long
- - name: stream_depth_reached
- type: long
- - name: reassembly_memuse
- type: long
- - name: reassembly_gap
- type: long
- - name: overlap_diff_data
- type: long
- - name: no_flow
- type: long
- - name: decoder
- type: group
- fields:
- - name: avg_pkt_size
- type: long
- - name: bytes
- type: long
- - name: tcp
- type: long
- - name: raw
- type: long
- - name: ppp
- type: long
- - name: vlan_qinq
- type: long
- - name: "null"
- type: long
- - name: ltnull
- type: group
- fields:
- - name: unsupported_type
- type: long
- - name: pkt_too_small
- type: long
- - name: invalid
- type: long
- - name: gre
- type: long
- - name: ipv4
- type: long
- - name: ipv6
- type: long
- - name: pkts
- type: long
- - name: ipv6_in_ipv6
- type: long
- - name: ipraw
- type: group
- fields:
- - name: invalid_ip_version
- type: long
- - name: pppoe
- type: long
- - name: udp
- type: long
- - name: dce
- type: group
- fields:
- - name: pkt_too_small
- type: long
- - name: vlan
- type: long
- - name: sctp
- type: long
- - name: max_pkt_size
- type: long
- - name: teredo
- type: long
- - name: mpls
- type: long
- - name: sll
- type: long
- - name: icmpv6
- type: long
- - name: icmpv4
- type: long
- - name: erspan
- type: long
- - name: ethernet
- type: long
- - name: ipv4_in_ipv6
- type: long
- - name: ieee8021ah
- type: long
- - name: dns
- type: group
-
fields:
- - name: memcap_global
- type: long
- - name: memcap_state
- type: long
- - name: memuse
- type: long
- - name: flow_mgr
- type: group
- fields:
- - name: rows_busy
- type: long
- - name: flows_timeout
- type: long
- - name: flows_notimeout
- type: long
- - name: rows_skipped
- type: long
- - name: closed_pruned
- type: long
- - name: new_pruned
- type: long
- - name: flows_removed
- type: long
- - name: bypassed_pruned
- type: long
- - name: est_pruned
- type: long
- - name: flows_timeout_inuse
- type: long
- - name: flows_checked
- type: long
- - name: rows_maxlen
- type: long
- - name: rows_checked
- type: long
- - name: rows_empty
- type: long
- - name: app_layer
- type: group
- fields:
- - name: flow
- type: group
- fields:
- - name: tls
- type: long
- - name: ftp
- type: long
- - name: http
- type: long
- - name: failed_udp
- type: long
- - name: dns_udp
- type: long
- - name: dns_tcp
- type: long
- - name: smtp
- type: long
- - name: failed_tcp
- type: long
- - name: msn
- type: long
- - name: ssh
- type: long
- - name: imap
- type: long
- - name: dcerpc_udp
- type: long
- - name: dcerpc_tcp
- type: long
- - name: smb
- type: long
- - name: tx
- type: group
- fields:
- - name: tls
- type: long
- - name: ftp
- type: long
- - name: http
- type: long
- - name: dns_udp
- type: long
- - name: dns_tcp
- type: long
- - name: smtp
- type: long
- - name: ssh
- type: long
- - name: dcerpc_udp
- type: long
- - name: dcerpc_tcp
- type: long
- - name: smb
- type: long
- - name: tls
- type: group
- fields:
- - name: notbefore
- type: date
- - name: issuerdn
- type: keyword
- - name: sni
- type: keyword
- - name: version
- type: keyword
- - name: session_resumed
- type: boolean
- - name: fingerprint
- type: keyword
- - name: serial
- type: keyword
- - name: notafter
- type: date
- - name: subject
- type: keyword
- - name: ja3s
- type: group
- fields:
- - name: string
- type: keyword
- - name: hash
- type: keyword
- - name: ja3
- type: group
- fields:
- - name: 
string
- type: keyword
- - name: hash
- type: keyword
- - name: app_proto_ts
- type: keyword
- - name: flow
- type: group
- fields:
- - name: age
- type: long
- - name: state
- type: keyword
- - name: reason
- type: keyword
- - name: end
- type: date
- - name: alerted
- type: boolean
- - name: tx_id
- type: long
- - name: app_proto_tc
- type: keyword
- - name: smtp
- type: group
- fields:
- - name: rcpt_to
- type: keyword
- - name: mail_from
- type: keyword
- - name: helo
- type: keyword
- - name: app_proto_expected
- type: keyword
- - name: flags
- type: group
diff --git a/packages/suricata/2.1.0/data_stream/eve/manifest.yml b/packages/suricata/2.1.0/data_stream/eve/manifest.yml
deleted file mode 100755
index ccf51cd55e..0000000000
--- a/packages/suricata/2.1.0/data_stream/eve/manifest.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-type: logs
-title: Suricata eve logs
-streams:
- - input: logfile
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/suricata/eve.json
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - suricata-eve
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Suricata eve logs (log)
- description: Collect Suricata eve logs using log input
diff --git a/packages/suricata/2.1.0/data_stream/eve/sample_event.json b/packages/suricata/2.1.0/data_stream/eve/sample_event.json deleted file mode 100755 index 000da0c559..0000000000 --- a/packages/suricata/2.1.0/data_stream/eve/sample_event.json +++ /dev/null @@ -1,84 +0,0 @@ -{ - "@timestamp": "2018-07-05T19:01:09.820Z", - "agent": { - "ephemeral_id": "5087d9af-5bd8-452b-90e2-96bb9c5e4770", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "suricata.eve", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "192.168.253.112", - "port": 22 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-01-03T01:09:30.084Z", - "dataset": "suricata.eve", - "ingested": "2022-01-03T01:09:31Z", - "kind": "event", - "type": [ - "protocol" - ] - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/eve-small.ndjson" - }, - "offset": 0 - }, - "network": { - "protocol": "ssh", - "transport": "tcp" - }, - "related": { - "ip": [ - "192.168.86.85" - ] - }, - "source": { - "address": "192.168.86.85", - "ip": "192.168.86.85", - "port": 55406 - }, - "suricata": { - "eve": { - "event_type": "ssh", - "flow_id": "298824096901438", - "in_iface": "en0", - "ssh": { - "client": { - "proto_version": "2.0", - "software_version": "OpenSSH_7.6" - }, - "server": { - "proto_version": "2.0", - "software_version": "libssh_0.7.0" - } - } - } - }, - "tags": [ - "forwarded", - "suricata-eve" - ] -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/docs/README.md b/packages/suricata/2.1.0/docs/README.md deleted file mode 100755 index fd9310c598..0000000000 --- a/packages/suricata/2.1.0/docs/README.md +++ /dev/null 
@@ -1,486 +0,0 @@ -# Suricata Integration - -This integration is for [Suricata](https://suricata-ids.org/). It reads the EVE -JSON output file. The EVE output writes alerts, anomalies, metadata, file info -and protocol specific records as JSON. - -## Compatibility - -This module has been developed against Suricata v4.0.4, but is expected to work -with other versions of Suricata. - -## EVE - -An example event for `eve` looks as following: - -```json -{ - "@timestamp": "2018-07-05T19:01:09.820Z", - "agent": { - "ephemeral_id": "5087d9af-5bd8-452b-90e2-96bb9c5e4770", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "suricata.eve", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "192.168.253.112", - "port": 22 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "created": "2022-01-03T01:09:30.084Z", - "dataset": "suricata.eve", - "ingested": "2022-01-03T01:09:31Z", - "kind": "event", - "type": [ - "protocol" - ] - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/eve-small.ndjson" - }, - "offset": 0 - }, - "network": { - "protocol": "ssh", - "transport": "tcp" - }, - "related": { - "ip": [ - "192.168.86.85" - ] - }, - "source": { - "address": "192.168.86.85", - "ip": "192.168.86.85", - "port": 55406 - }, - "suricata": { - "eve": { - "event_type": "ssh", - "flow_id": "298824096901438", - "in_iface": "en0", - "ssh": { - "client": { - "proto_version": "2.0", - "software_version": "OpenSSH_7.6" - }, - "server": { - "proto_version": "2.0", - "software_version": "libssh_0.7.0" - } - } - } - }, - "tags": [ - "forwarded", - "suricata-eve" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | 
-|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. 
At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. 
For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. 
| long | -| http.response.status_code | HTTP response status code. | long | -| input.type | Filebeat input type used to collect the log. | keyword | -| log.file.path | The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. | keyword | -| log.offset | The file offset the reported line starts at. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| suricata.eve.alert.affected_product | | keyword | -| suricata.eve.alert.attack_target | | keyword | -| suricata.eve.alert.capec_id | | keyword | -| suricata.eve.alert.category | | keyword | -| suricata.eve.alert.classtype | | keyword | -| suricata.eve.alert.created_at | | date | -| suricata.eve.alert.cve | | keyword | -| suricata.eve.alert.cvss_v2_base | | keyword | -| suricata.eve.alert.cvss_v2_temporal | | keyword | -| suricata.eve.alert.cvss_v3_base | | keyword | -| suricata.eve.alert.cvss_v3_temporal | | keyword | -| suricata.eve.alert.cwe_id | | keyword | -| suricata.eve.alert.deployment | | keyword | -| suricata.eve.alert.former_category | | keyword | -| suricata.eve.alert.gid | | long | -| suricata.eve.alert.hostile | | keyword | -| suricata.eve.alert.infected | | keyword | -| suricata.eve.alert.malware | | keyword | -| suricata.eve.alert.metadata | | flattened | -| suricata.eve.alert.mitre_tool_id | | keyword | -| suricata.eve.alert.performance_impact | | keyword | -| suricata.eve.alert.priority | | keyword | -| suricata.eve.alert.protocols | | keyword | -| suricata.eve.alert.rev | | long | -| suricata.eve.alert.rule_source | | keyword | -| suricata.eve.alert.sid | | keyword | -| suricata.eve.alert.signature | | keyword | -| suricata.eve.alert.signature_id | | long | -| suricata.eve.alert.signature_severity | | keyword | -| suricata.eve.alert.tag | | keyword | -| suricata.eve.alert.updated_at | | date | -| suricata.eve.app_proto_expected | | keyword | -| suricata.eve.app_proto_orig | | keyword | -| suricata.eve.app_proto_tc | | keyword | -| suricata.eve.app_proto_ts | | keyword | -| 
suricata.eve.dns.id | | long | -| suricata.eve.dns.rcode | | keyword | -| suricata.eve.dns.rdata | | keyword | -| suricata.eve.dns.rrname | | keyword | -| suricata.eve.dns.rrtype | | keyword | -| suricata.eve.dns.ttl | | long | -| suricata.eve.dns.tx_id | | long | -| suricata.eve.dns.type | | keyword | -| suricata.eve.email.status | | keyword | -| suricata.eve.event_type | | keyword | -| suricata.eve.fileinfo.gaps | | boolean | -| suricata.eve.fileinfo.md5 | | keyword | -| suricata.eve.fileinfo.sha1 | | keyword | -| suricata.eve.fileinfo.sha256 | | keyword | -| suricata.eve.fileinfo.state | | keyword | -| suricata.eve.fileinfo.stored | | boolean | -| suricata.eve.fileinfo.tx_id | | long | -| suricata.eve.flow.age | | long | -| suricata.eve.flow.alerted | | boolean | -| suricata.eve.flow.end | | date | -| suricata.eve.flow.reason | | keyword | -| suricata.eve.flow.state | | keyword | -| suricata.eve.flow_id | | keyword | -| suricata.eve.http.http_content_type | | keyword | -| suricata.eve.http.http_port | | long | -| suricata.eve.http.protocol | | keyword | -| suricata.eve.http.redirect | | keyword | -| suricata.eve.icmp_code | | long | -| suricata.eve.icmp_type | | long | -| suricata.eve.in_iface | | keyword | -| suricata.eve.pcap_cnt | | long | -| suricata.eve.smtp.helo | | keyword | -| suricata.eve.smtp.mail_from | | keyword | -| suricata.eve.smtp.rcpt_to | | keyword | -| suricata.eve.ssh.client.proto_version | | keyword | -| suricata.eve.ssh.client.software_version | | keyword | -| suricata.eve.ssh.server.proto_version | | keyword | -| suricata.eve.ssh.server.software_version | | keyword | -| suricata.eve.stats.app_layer.flow.dcerpc_tcp | | long | -| suricata.eve.stats.app_layer.flow.dcerpc_udp | | long | -| suricata.eve.stats.app_layer.flow.dns_tcp | | long | -| suricata.eve.stats.app_layer.flow.dns_udp | | long | -| suricata.eve.stats.app_layer.flow.failed_tcp | | long | -| suricata.eve.stats.app_layer.flow.failed_udp | | long | -| 
suricata.eve.stats.app_layer.flow.ftp | | long | -| suricata.eve.stats.app_layer.flow.http | | long | -| suricata.eve.stats.app_layer.flow.imap | | long | -| suricata.eve.stats.app_layer.flow.msn | | long | -| suricata.eve.stats.app_layer.flow.smb | | long | -| suricata.eve.stats.app_layer.flow.smtp | | long | -| suricata.eve.stats.app_layer.flow.ssh | | long | -| suricata.eve.stats.app_layer.flow.tls | | long | -| suricata.eve.stats.app_layer.tx.dcerpc_tcp | | long | -| suricata.eve.stats.app_layer.tx.dcerpc_udp | | long | -| suricata.eve.stats.app_layer.tx.dns_tcp | | long | -| suricata.eve.stats.app_layer.tx.dns_udp | | long | -| suricata.eve.stats.app_layer.tx.ftp | | long | -| suricata.eve.stats.app_layer.tx.http | | long | -| suricata.eve.stats.app_layer.tx.smb | | long | -| suricata.eve.stats.app_layer.tx.smtp | | long | -| suricata.eve.stats.app_layer.tx.ssh | | long | -| suricata.eve.stats.app_layer.tx.tls | | long | -| suricata.eve.stats.capture.kernel_drops | | long | -| suricata.eve.stats.capture.kernel_ifdrops | | long | -| suricata.eve.stats.capture.kernel_packets | | long | -| suricata.eve.stats.decoder.avg_pkt_size | | long | -| suricata.eve.stats.decoder.bytes | | long | -| suricata.eve.stats.decoder.dce.pkt_too_small | | long | -| suricata.eve.stats.decoder.erspan | | long | -| suricata.eve.stats.decoder.ethernet | | long | -| suricata.eve.stats.decoder.gre | | long | -| suricata.eve.stats.decoder.icmpv4 | | long | -| suricata.eve.stats.decoder.icmpv6 | | long | -| suricata.eve.stats.decoder.ieee8021ah | | long | -| suricata.eve.stats.decoder.invalid | | long | -| suricata.eve.stats.decoder.ipraw.invalid_ip_version | | long | -| suricata.eve.stats.decoder.ipv4 | | long | -| suricata.eve.stats.decoder.ipv4_in_ipv6 | | long | -| suricata.eve.stats.decoder.ipv6 | | long | -| suricata.eve.stats.decoder.ipv6_in_ipv6 | | long | -| suricata.eve.stats.decoder.ltnull.pkt_too_small | | long | -| suricata.eve.stats.decoder.ltnull.unsupported_type | | long | 
-| suricata.eve.stats.decoder.max_pkt_size | | long | -| suricata.eve.stats.decoder.mpls | | long | -| suricata.eve.stats.decoder.null | | long | -| suricata.eve.stats.decoder.pkts | | long | -| suricata.eve.stats.decoder.ppp | | long | -| suricata.eve.stats.decoder.pppoe | | long | -| suricata.eve.stats.decoder.raw | | long | -| suricata.eve.stats.decoder.sctp | | long | -| suricata.eve.stats.decoder.sll | | long | -| suricata.eve.stats.decoder.tcp | | long | -| suricata.eve.stats.decoder.teredo | | long | -| suricata.eve.stats.decoder.udp | | long | -| suricata.eve.stats.decoder.vlan | | long | -| suricata.eve.stats.decoder.vlan_qinq | | long | -| suricata.eve.stats.defrag.ipv4.fragments | | long | -| suricata.eve.stats.defrag.ipv4.reassembled | | long | -| suricata.eve.stats.defrag.ipv4.timeouts | | long | -| suricata.eve.stats.defrag.ipv6.fragments | | long | -| suricata.eve.stats.defrag.ipv6.reassembled | | long | -| suricata.eve.stats.defrag.ipv6.timeouts | | long | -| suricata.eve.stats.defrag.max_frag_hits | | long | -| suricata.eve.stats.detect.alert | | long | -| suricata.eve.stats.dns.memcap_global | | long | -| suricata.eve.stats.dns.memcap_state | | long | -| suricata.eve.stats.dns.memuse | | long | -| suricata.eve.stats.file_store.open_files | | long | -| suricata.eve.stats.flow.emerg_mode_entered | | long | -| suricata.eve.stats.flow.emerg_mode_over | | long | -| suricata.eve.stats.flow.icmpv4 | | long | -| suricata.eve.stats.flow.icmpv6 | | long | -| suricata.eve.stats.flow.memcap | | long | -| suricata.eve.stats.flow.memuse | | long | -| suricata.eve.stats.flow.spare | | long | -| suricata.eve.stats.flow.tcp | | long | -| suricata.eve.stats.flow.tcp_reuse | | long | -| suricata.eve.stats.flow.udp | | long | -| suricata.eve.stats.flow_mgr.bypassed_pruned | | long | -| suricata.eve.stats.flow_mgr.closed_pruned | | long | -| suricata.eve.stats.flow_mgr.est_pruned | | long | -| suricata.eve.stats.flow_mgr.flows_checked | | long | -| 
suricata.eve.stats.flow_mgr.flows_notimeout | | long | -| suricata.eve.stats.flow_mgr.flows_removed | | long | -| suricata.eve.stats.flow_mgr.flows_timeout | | long | -| suricata.eve.stats.flow_mgr.flows_timeout_inuse | | long | -| suricata.eve.stats.flow_mgr.new_pruned | | long | -| suricata.eve.stats.flow_mgr.rows_busy | | long | -| suricata.eve.stats.flow_mgr.rows_checked | | long | -| suricata.eve.stats.flow_mgr.rows_empty | | long | -| suricata.eve.stats.flow_mgr.rows_maxlen | | long | -| suricata.eve.stats.flow_mgr.rows_skipped | | long | -| suricata.eve.stats.http.memcap | | long | -| suricata.eve.stats.http.memuse | | long | -| suricata.eve.stats.tcp.insert_data_normal_fail | | long | -| suricata.eve.stats.tcp.insert_data_overlap_fail | | long | -| suricata.eve.stats.tcp.insert_list_fail | | long | -| suricata.eve.stats.tcp.invalid_checksum | | long | -| suricata.eve.stats.tcp.memuse | | long | -| suricata.eve.stats.tcp.no_flow | | long | -| suricata.eve.stats.tcp.overlap | | long | -| suricata.eve.stats.tcp.overlap_diff_data | | long | -| suricata.eve.stats.tcp.pseudo | | long | -| suricata.eve.stats.tcp.pseudo_failed | | long | -| suricata.eve.stats.tcp.reassembly_gap | | long | -| suricata.eve.stats.tcp.reassembly_memuse | | long | -| suricata.eve.stats.tcp.rst | | long | -| suricata.eve.stats.tcp.segment_memcap_drop | | long | -| suricata.eve.stats.tcp.sessions | | long | -| suricata.eve.stats.tcp.ssn_memcap_drop | | long | -| suricata.eve.stats.tcp.stream_depth_reached | | long | -| suricata.eve.stats.tcp.syn | | long | -| suricata.eve.stats.tcp.synack | | long | -| suricata.eve.stats.uptime | | long | -| suricata.eve.tcp.ack | | boolean | -| suricata.eve.tcp.fin | | boolean | -| suricata.eve.tcp.psh | | boolean | -| suricata.eve.tcp.rst | | boolean | -| suricata.eve.tcp.state | | keyword | -| suricata.eve.tcp.syn | | boolean | -| suricata.eve.tcp.tcp_flags | | keyword | -| suricata.eve.tcp.tcp_flags_tc | | keyword | -| suricata.eve.tcp.tcp_flags_ts | 
| keyword | -| suricata.eve.tls.fingerprint | | keyword | -| suricata.eve.tls.issuerdn | | keyword | -| suricata.eve.tls.ja3.hash | | keyword | -| suricata.eve.tls.ja3.string | | keyword | -| suricata.eve.tls.ja3s.hash | | keyword | -| suricata.eve.tls.ja3s.string | | keyword | -| suricata.eve.tls.notafter | | date | -| suricata.eve.tls.notbefore | | date | -| suricata.eve.tls.serial | | keyword | -| suricata.eve.tls.session_resumed | | boolean | -| suricata.eve.tls.sni | | keyword | -| suricata.eve.tls.subject | | keyword | -| suricata.eve.tls.version | | keyword | -| suricata.eve.tx_id | | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | -| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | -| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | -| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | -| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. 
When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country (C) codes | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
| keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country (C) code | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| user_agent.device.name | Name of the device. 
| keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - diff --git a/packages/suricata/2.1.0/img/filebeat-suricata-alerts.png b/packages/suricata/2.1.0/img/filebeat-suricata-alerts.png deleted file mode 100755 index bd45777eef..0000000000 Binary files a/packages/suricata/2.1.0/img/filebeat-suricata-alerts.png and /dev/null differ diff --git a/packages/suricata/2.1.0/img/filebeat-suricata-events.png b/packages/suricata/2.1.0/img/filebeat-suricata-events.png deleted file mode 100755 index b9501304ca..0000000000 Binary files a/packages/suricata/2.1.0/img/filebeat-suricata-events.png and /dev/null differ diff --git a/packages/suricata/2.1.0/img/suricata.svg b/packages/suricata/2.1.0/img/suricata.svg deleted file mode 100755 index 06e627a7e4..0000000000 --- a/packages/suricata/2.1.0/img/suricata.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/dashboard/suricata-05268ee0-86d1-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/dashboard/suricata-05268ee0-86d1-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 085a8d1bf7..0000000000 --- a/packages/suricata/2.1.0/kibana/dashboard/suricata-05268ee0-86d1-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Overview of the Suricata Alerts dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":23,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":26,\"i\":\"2\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":48,\"x\":0,\"y\":41},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":12,\"x\":11,\"y\":14},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":11,\"x\":0,\"y\":14},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"e86b7f30-96da-4f52-9ff0-cefcaadcc914\",\"w\":23,\"x\":0,\"y\":0},\"panelIndex\":\"e86b7f30-96da-4f52-9ff0-cefcaadcc914\",\"panelRefName\":\"panel_e86b7f30-96da-4f52-9ff0-cefcaadcc914\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"967e2051-c2f4-49ef-bc72-d94947e45883\\\",\\\"label\\
\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"cdbf364a-7d6f-499e-9819-0ef05d687969\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Alert - Source Location [Logs Suricata]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"345ad34d-95d3-4e10-9850-cfd6b366fd7e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\
\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Alert - Source Location [Logs 
Suricata]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"4b26e7f7-cfe8-4d5f-8cab-4d793c93c80b\",\"w\":23,\"x\":0,\"y\":26},\"panelIndex\":\"4b26e7f7-cfe8-4d5f-8cab-4d793c93c80b\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"20edc2ac-aae0-4f6b-8eae-405d2423b580\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9df30dd6-f660-4daf-a2b6-3691e4bd6e81\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Alert - Destination Location [Logs Suricata]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"09c636cb-a239-4636-aaba-abbab2ec3b02\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\
"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Alert - Destination Location [Logs Suricata]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"df498f0d-f08c-48e0-9b9f-1e579824a327\",\"w\":25,\"x\":23,\"y\":26},\"panelIndex\":\"df498f0d-f08c-48e0-9b9f-1e579824a327\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Logs Suricata] Alert Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-05268ee0-86d1-11e8-b59d-21efb914e65c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "suricata-494fa290-86d2-11e8-b59d-21efb914e65c", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "suricata-16033310-86d3-11e8-b59d-21efb914e65c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "3:panel_3", - "type": "search" - }, - { - "id": "suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14", - "name": 
"e86b7f30-96da-4f52-9ff0-cefcaadcc914:panel_e86b7f30-96da-4f52-9ff0-cefcaadcc914", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4b26e7f7-cfe8-4d5f-8cab-4d793c93c80b:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "df498f0d-f08c-48e0-9b9f-1e579824a327:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/dashboard/suricata-78289c40-86da-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/dashboard/suricata-78289c40-86da-11e8-b59d-21efb914e65c.json deleted file mode 100755 index f064b2e5c3..0000000000 --- a/packages/suricata/2.1.0/kibana/dashboard/suricata-78289c40-86da-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Overview of the Surcata events dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2\",\"w\":9,\"x\":0,\"y\":24},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"3\",\"w\":11,\"x\":19,\"y\":24},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":14},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":38},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"6\",\"w\":9,\"x\":30,\"y\":24},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"7\",\"w\":9,\"x\":39,\"y\":24},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"8\",\"w\":10,\"x\":9,\"y\":24},\"panelIndex\":
\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":57},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"78f64fb8-a6ed-4960-a73b-a8c42c40f799\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"78f64fb8-a6ed-4960-a73b-a8c42c40f799\",\"panelRefName\":\"panel_78f64fb8-a6ed-4960-a73b-a8c42c40f799\",\"title\":\"\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"63e14057-b48b-48fe-b3e2-84f7690d60e8\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"63e14057-b48b-48fe-b3e2-84f7690d60e8\",\"panelRefName\":\"panel_63e14057-b48b-48fe-b3e2-84f7690d60e8\",\"type\":\"visualization\",\"version\":\"7.9.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Suricata] Events Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-78289c40-86da-11e8-b59d-21efb914e65c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "suricata-c7d46c60-86da-11e8-b59d-21efb914e65c", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "suricata-0a0aa630-86db-11e8-b59d-21efb914e65c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "suricata-728f64c0-86db-11e8-b59d-21efb914e65c", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c", - "name": "7:panel_7", - "type": 
"visualization" - }, - { - "id": "suricata-0a363820-86dd-11e8-b59d-21efb914e65c", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c", - "name": "9:panel_9", - "type": "search" - }, - { - "id": "suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14", - "name": "78f64fb8-a6ed-4960-a73b-a8c42c40f799:panel_78f64fb8-a6ed-4960-a73b-a8c42c40f799", - "type": "visualization" - }, - { - "id": "suricata-169c0600-d297-11ea-90e3-8767fe7ccf14", - "name": "63e14057-b48b-48fe-b3e2-84f7690d60e8:panel_63e14057-b48b-48fe-b3e2-84f7690d60e8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/search/suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/search/suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 3778c195e0..0000000000 --- a/packages/suricata/2.1.0/kibana/search/suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "suricata.eve.flow_id", - "network.transport", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "destination.geo.region_name", - "destination.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"event\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"event\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"suricata.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"suricata.\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Events [Logs Suricata]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/suricata/2.1.0/kibana/search/suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/search/suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c.json
deleted file mode 100755
index 35eb9835ff..0000000000
--- a/packages/suricata/2.1.0/kibana/search/suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c.json
+++ /dev/null
@@ -1,50 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "suricata.eve.flow_id", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.geo.country_iso_code", - "destination.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"suricata.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"suricata.\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Alerts [Logs Suricata]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/suricata/2.1.0/kibana/search/suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/search/suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c.json
deleted file mode 100755
index c418052731..0000000000
--- a/packages/suricata/2.1.0/kibana/search/suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c.json
+++ /dev/null
@@ -1,49 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "suricata.eve.stats.detect.alert", - "suricata.eve.stats.app_layer.flow.dns_udp", - "suricata.eve.stats.app_layer.flow.tls", - "suricata.eve.stats.app_layer.flow.http", - "suricata.eve.stats.app_layer.flow.ssh", - "suricata.eve.stats.tcp.sessions" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"metric\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"metric\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"suricata.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"suricata.\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Host Stats [Logs Suricata]", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-d57a2db0-86ca-11e8-b59d-21efb914e65c", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-0a0aa630-86db-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-0a0aa630-86db-11e8-b59d-21efb914e65c.json
deleted file mode 100755
index 9953a8c03c..0000000000
--- a/packages/suricata/2.1.0/kibana/visualization/suricata-0a0aa630-86db-11e8-b59d-21efb914e65c.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Types [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ECS Event Type\",\"field\":\"event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Suricata Event Type\",\"field\":\"suricata.eve.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Event Types [Logs Suricata]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-0a0aa630-86db-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-0a363820-86dd-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-0a363820-86dd-11e8-b59d-21efb914e65c.json deleted file mode 100755 index baeb8fe1cf..0000000000 
--- a/packages/suricata/2.1.0/kibana/visualization/suricata-0a363820-86dd-11e8-b59d-21efb914e65c.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Transport Protocols [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top Transport Protocols [Logs Suricata]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-0a363820-86dd-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-16033310-86d3-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-16033310-86d3-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 3b4e53a494..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-16033310-86d3-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Alert Signatures [Logs Suricata]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Signature\",\"field\":\"rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Alert Category\",\"field\":\"rule.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Alert Signatures [Logs Suricata]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-16033310-86d3-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-169c0600-d297-11ea-90e3-8767fe7ccf14.json b/packages/suricata/2.1.0/kibana/visualization/suricata-169c0600-d297-11ea-90e3-8767fe7ccf14.json deleted file mode 100755 index 3159b130cd..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-169c0600-d297-11ea-90e3-8767fe7ccf14.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Event Count [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Events\"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Event Count [Logs Suricata]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-169c0600-d297-11ea-90e3-8767fe7ccf14", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c.json deleted file mode 100755 index bfd311a949..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Alerts - Top Destination Countries [Logs Suricata]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Alerts - Top Destination Countries [Logs Suricata]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-2ccdc1a0-86d8-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-494fa290-86d2-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-494fa290-86d2-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 8c00207969..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-494fa290-86d2-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Alerting Hosts [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-6y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\
":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top Alerting Hosts [Logs Suricata]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-494fa290-86d2-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 0c80bcb277..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Connection Source Countries [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Top Connection Source Countries\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Top Connection Source Countries [Logs Suricata]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-5f99eb50-86dc-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-728f64c0-86db-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-728f64c0-86db-11e8-b59d-21efb914e65c.json deleted file mode 100755 index a1886532d1..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-728f64c0-86db-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Network Protocols [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top Network Protocols [Logs Suricata]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-728f64c0-86db-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-85fed080-86d7-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-85fed080-86d7-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 5172a135f9..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-85fed080-86d7-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Alert - Source Location [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"isFilteredByCollar\":true,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\\u0026my_app_name=kibana\\u0026my_app_version=6.3.0\\u0026license=fc9de2c1-5f06-4080-8dd0-8a334171d89a\"},\"tmsLayers\":[{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps 
Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\\u0026my_app_name=kibana\\u0026my_app_version=6.3.0\\u0026license=fc9de2c1-5f06-4080-8dd0-8a334171d89a\"}]}},\"title\":\"Alert - Source Location [Logs Suricata]\",\"type\":\"tile_map\"}" - }, - "id": "suricata-85fed080-86d7-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "7.8.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c.json deleted file mode 100755 index c6d32256da..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Connection Destination Countries [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Top Connection Destination Countries\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":false},\"title\":\"Top Connection Destination Countries [Logs Suricata]\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-8e7f88d0-86dc-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14.json b/packages/suricata/2.1.0/kibana/visualization/suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14.json deleted file mode 100755 index 298ee379ac..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Navigation [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":18,\"markdown\":\"![Hello World](data:image/png;base64,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) [Events](/app/dashboards#/view/suricata-78289c40-86da-11e8-b59d-21efb914e65c) | [Alerts](/app/dashboards#/view/suricata-05268ee0-86d1-11e8-b59d-21efb914e65c)\",\"openLinksInNewTab\":false},\"title\":\"Navigation [Logs Suricata]\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-908e8c90-d296-11ea-90e3-8767fe7ccf14", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 42cfa1a720..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top Hosts Generating Events [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-6y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":
0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top Hosts Generating Events [Logs Suricata]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-9d5b5b50-86db-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-a09ca070-86d7-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-a09ca070-86d7-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 89a76b1b33..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-a09ca070-86d7-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Alert - Destination Location [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"isFilteredByCollar\":true,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\\u0026my_app_name=kibana\\u0026my_app_version=6.3.0\\u0026license=fc9de2c1-5f06-4080-8dd0-8a334171d89a\"},\"tmsLayers\":[{\"attribution\":\"\\u003cp\\u003e\\u0026#169; \\u003ca href=\\\"http://www.openstreetmap.org/copyright\\\"\\u003eOpenStreetMap\\u003c/a\\u003e contributors | \\u003ca href=\\\"https://www.elastic.co/elastic-maps-service\\\"\\u003eElastic Maps 
Service\\u003c/a\\u003e\\u003c/p\\u003e\\u0026#10;\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\\u0026my_app_name=kibana\\u0026my_app_version=6.3.0\\u0026license=fc9de2c1-5f06-4080-8dd0-8a334171d89a\"}]}},\"title\":\"Alert - Destination Location [Logs Suricata]\",\"type\":\"tile_map\"}" - }, - "id": "suricata-a09ca070-86d7-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "7.8.0" - }, - "namespaces": [ - "default" - ], - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 3fb650fde2..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Alerts - Top Source Countries [Logs Suricata]", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":5,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Alerts - Top Source Countries [Logs Suricata]\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-c7b8b8f0-86d8-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-1c2bcec0-86d1-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/kibana/visualization/suricata-c7d46c60-86da-11e8-b59d-21efb914e65c.json b/packages/suricata/2.1.0/kibana/visualization/suricata-c7d46c60-86da-11e8-b59d-21efb914e65c.json deleted file mode 100755 index 9ca0a3617c..0000000000 --- a/packages/suricata/2.1.0/kibana/visualization/suricata-c7d46c60-86da-11e8-b59d-21efb914e65c.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Activity Types over Time [Logs Suricata]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-6y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"suricata.eve.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,
\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Activity Types over Time [Logs Suricata]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "suricata-c7d46c60-86da-11e8-b59d-21efb914e65c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "suricata-13dd22f0-86cc-11e8-b59d-21efb914e65c", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/suricata/2.1.0/manifest.yml b/packages/suricata/2.1.0/manifest.yml deleted file mode 100755 index cb4ae49297..0000000000 --- a/packages/suricata/2.1.0/manifest.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: suricata -title: Suricata Events -version: 2.1.0 -release: ga -description: Collect and parse event logs from Suricata instances with Elastic Agent. -type: integration -icons: - - src: /img/suricata.svg - title: suricata - size: 309x309 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: [network, security] -conditions: - kibana.version: ^8.0.0 -screenshots: - - src: /img/filebeat-suricata-events.png - title: filebeat suricata events - size: 1577x2646 - type: image/png - - src: /img/filebeat-suricata-alerts.png - title: filebeat suricata alerts - size: 1577x1750 - type: image/png -policy_templates: - - name: suricata - title: Suricata logs - description: Collect logs from Suricata instances - inputs: - - type: logfile - title: "Collect Suricata eve logs (input: logfile)" - description: "Collecting eve logs from Suricata instances (input: logfile)" -owner: - github: elastic/security-external-integrations diff --git a/packages/symantec_endpoint/1.0.1/changelog.yml b/packages/symantec_endpoint/1.0.1/changelog.yml deleted file mode 100755 index c1d6c3d184..0000000000 
--- a/packages/symantec_endpoint/1.0.1/changelog.yml +++ /dev/null @@ -1,31 +0,0 @@ -# newer versions go on top -- version: "1.0.1" - changes: - - description: Readme - added link to Vendor documentation and improved the wording - type: enhancement - link: https://github.com/elastic/integrations/pull/3162 -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.0.4" - changes: - - description: Make field values conform to ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3330 -- version: "0.0.3" - changes: - - description: Make field values conform to ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3244 -- version: "0.0.2" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.0.1" - changes: - - description: Initial Release - type: enhancement - link: https://github.com/elastic/integrations/pull/2187 diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/logfile.yml.hbs deleted file mode 100755 index f1500f2dbf..0000000000 --- a/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/logfile.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - remove_mapped_fields: {{remove_mapped_fields}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file 
diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 9ef03795f9..0000000000 --- a/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,25 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -max_message_size: 1 MiB - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - remove_mapped_fields: {{remove_mapped_fields}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 9ef03795f9..0000000000 --- a/packages/symantec_endpoint/1.0.1/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null @@ -1,25 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -max_message_size: 1 MiB - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - remove_mapped_fields: {{remove_mapped_fields}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/symantec_endpoint/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 9616d31362..0000000000 
--- a/packages/symantec_endpoint/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,1109 +0,0 @@ ---- -description: Pipeline for parsing Symantec Endpoint logs -processors: -- set: - field: event.original - copy_from: message - # Never override event.original (for the reindexing use case). - override: false - -- set: - field: ecs.version - value: '1.12.0' - -- grok: - description: Parse syslog header. - if: ctx.event.original.startsWith('<') - field: event.original - patterns: - - '^<%{NONNEGINT:log.syslog.priority:long}>(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp})(?: %{SYSLOGFACILITY})?(?: %{SYSLOGHOST:log.syslog.hostname})?(?: %{SYSLOGPROG}:)? %{GREEDYDATA:message}' - - '^%{SYSLOG5424LINE}' - pattern_definitions: - SYSLOGPROG: '%{PROG:log.syslog.process.name}(?:\[%{POSINT:log.syslog.process.pid:long}\])?' - SYSLOG5424PRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOG5424BASE: '%{SYSLOG5424PRI}%{NONNEGINT:log.syslog.version:long} +(?:-|%{TIMESTAMP_ISO8601:timestamp}) +(?:-|%{IPORHOST:log.syslog.hostname}) +(?:-|%{SYSLOG5424PRINTASCII:log.syslog.process.name}) +(?:-|%{POSINT:log.syslog.process.pid:long}) +(?:-|%{SYSLOG5424PRINTASCII:log.syslog.message_id}) +(?:-|%{SYSLOG5424SD:log.syslog.structured_data})?' - SYSLOG5424LINE: '%{SYSLOG5424BASE} +%{GREEDYDATA:message}' -- grok: - description: Parse date/severity from log file dump format. 
- if: ctx.event.original.startsWith('20') || ctx.event.original.startsWith('19') - field: event.original - patterns: - - '^%{TIMESTAMP_ISO8601:timestamp},%{LOG_SEVERITY:log.level},%{GREEDYDATA:message}' - pattern_definitions: - LOG_SEVERITY: '(?:%{LOGLEVEL}|[Cc]ritical|CRITICAL|[Mm]ajor|MAJOR|[Mm]inor|MINOR|[Ii]nfo|INFO|[Ww]arning|WARNING|[Ee]rror|ERROR|[Ff]atal|FATAL)' - ignore_failure: true -- date: - if: ctx?.timestamp != null - field: timestamp - target_field: "@timestamp" - formats: - - "MMM dd HH:mm:ss" - - "MMM d HH:mm:ss" - - "MMM d HH:mm:ss" - - ISO8601 - - "YYYY-dd-MM HH:mm:ss" - timezone: '{{{_conf.tz_offset}}}' -- remove: - ignore_missing: true - field: timestamp - -### -# Processing steps: -# 1. Parse the CSV into an array of column values. -# 2. Parse labels from each column if the value takes the form of 'Label Name: Some Value' or 'Label Name:'. -# 3. Fingerprint the message based by joining the labels separated by '|'. Use 'NONE' for columns without an embedded label. -# 4. Set 'event.provider' based on the message fingerprint. The different log types are listed in https://knowledge.broadcom.com/external/article?legacyId=tech171741#Administrative. -# 5. Handle columns without an embedded label. Based on the fingerprint, map unlabeled columns to a key. 
-### - -- csv: - field: message - empty_value: "" - target_fields: - - '_csv_array.00' - - '_csv_array.01' - - '_csv_array.02' - - '_csv_array.03' - - '_csv_array.04' - - '_csv_array.05' - - '_csv_array.06' - - '_csv_array.07' - - '_csv_array.08' - - '_csv_array.09' - - '_csv_array.10' - - '_csv_array.11' - - '_csv_array.12' - - '_csv_array.13' - - '_csv_array.14' - - '_csv_array.15' - - '_csv_array.16' - - '_csv_array.17' - - '_csv_array.18' - - '_csv_array.19' - - '_csv_array.20' - - '_csv_array.21' - - '_csv_array.22' - - '_csv_array.23' - - '_csv_array.24' - - '_csv_array.25' - - '_csv_array.26' - - '_csv_array.27' - - '_csv_array.28' - - '_csv_array.29' - - '_csv_array.30' - - '_csv_array.31' - - '_csv_array.32' - - '_csv_array.33' - - '_csv_array.34' - - '_csv_array.35' - - '_csv_array.36' - - '_csv_array.37' - - '_csv_array.38' - - '_csv_array.39' - - '_csv_array.40' - - '_csv_array.41' - - '_csv_array.42' - - '_csv_array.43' - - '_csv_array.44' - - '_csv_array.45' - - '_csv_array.46' - - '_csv_array.47' - - '_csv_array.48' - - '_csv_array.49' - - '_csv_array.50' - -- script: - description: Create array from CSV values. - tag: csv-map-to-array - lang: painless - source: | - def columnArray = []; - def sortedMap = new TreeMap(); - sortedMap.putAll(ctx._csv_array); - sortedMap.forEach((key, value) -> { - def v = value; - if (v.startsWith("'") && v.endsWith("'")) - { - v = v.substring(1, v.length() - 1); - } - columnArray.add(v); - }); - ctx['_csv_array'] = columnArray; - -- script: - description: Split colon separated key/values. 
- tag: split-colon-separated-key-value - lang: painless - source: | - def aliases = Collections.unmodifiableMap([ - 'computer': 'computer_name', - 'domain': 'domain_name', - 'end_time': 'end', - 'local': 'local_host_ip', - 'local_host': 'local_host_ip', - 'server_name': 'server', - 'user': 'user_name' - ]); - - def keyPattern = /^([a-zA-Z][a-zA-Z0-9 \(\)-]{0,28}):(?:\s(.+)|\s)?/; - def keyValue = [:]; - def fingerprint = []; - ctx._csv_array.forEach(v -> { - def m = keyPattern.matcher(v); - def key = 'NONE'; - if (m.matches()) { - key = m.group(1).toLowerCase().replace(' ', '_'); - key = /[\(\)]+/.matcher(key).replaceAll(''); - - def tmp = aliases[key]; - if (tmp != null) { - key = tmp; - } - - - def value = m.group(2); - if (value != null && !value.trim().isEmpty()) { - keyValue[key] = value.trim(); - } - } - - fingerprint.add(key); - return true; - }); - if (!keyValue.isEmpty()) { - ctx['_csv_map'] = keyValue; - } - ctx['_fingerprint'] = String.join("|", fingerprint); - -- remove: - field: message - ignore_missing: true - -### -# Note to maintainers: -# The fingerprints below can be generated by adding 'debug' to the tags field. -# This causes a new _fingerprint field to be added to the event. -### -- script: - description: Assign keys to unlabeled columns based on fingerprints. 
- lang: painless - params: - providers: - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Behavior - - name: 'Agent Behavior Log' - fingerprint: NONE|NONE|NONE|NONE|NONE|begin|end|rule|NONE|NONE|NONE|NONE|NONE|user_name|domain_name|action_type|file_size_bytes|device_id - event_category: [intrusion_detection, process] - columns: - - index: 1 - name: local_host_ip - - index: 2 - name: action - - index: 3 - name: event_description - - index: 4 - name: api_name - - index: 8 - name: caller_process_id - - index: 9 - name: caller_process_name - - index: 10 - name: caller_return_address - - index: 11 - name: caller_return_module_name - - index: 12 - name: parameters # name of the module, process, registry location or file - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Security - - name: 'Agent Security Log' - fingerprint: - - NONE|event_description|local_host_ip|local_host_mac|remote_host_name|remote_host_ip|remote_host_mac|NONE|NONE|intrusion_id|begin|end|occurrences|application|location|user_name|domain_name|local_port|remote_port|cids_signature_id|cids_signature_string|cids_signature_subid|intrusion_url|intrusion_payload_url|sha-256|md-5 - - NONE|event_description|local_host_ip|local_host_mac|remote_host_name|remote_host_ip|remote_host_mac|NONE|NONE|NONE|begin|end|occurrences|application|location|user_name|domain_name|local_port|remote_port|cids_signature_id|cids_signature_string|cids_signature_subid|intrusion_url|intrusion_payload_url|sha-256|md-5 - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 7 - name: traffic_direction - - index: 8 - name: network_protocol - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic - - name: 'Agent Traffic Log' - fingerprint: 
NONE|local_host_ip|local_port|local_host_mac|remote_host_ip|remote_host_name|remote_port|remote_host_mac|NONE|NONE|begin|end|occurrences|application|rule|location|user_name|domain_name|action|sha-256|md-5 - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 9 - name: traffic_direction - - index: 8 - name: network_protocol - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Activity - - name: 'Agent Activity Log' - fingerprint: site|server|domain_name|NONE|NONE|NONE|NONE - columns: - - index: 3 - name: event_description - - index: 4 - name: local_host_name - - index: 5 - name: user_name - - index: 6 - name: domain_name - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Packet - - name: 'Agent Packet Log' - fingerprint: - - NONE|local_host_ip|local_port|remote_host_ip|remote_host_name|remote_port|NONE|application|action - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 6 - name: traffic_direction - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_System - - name: 'Agent System Log' - fingerprint: - - NONE|category|NONE|NONE|event_time - columns: - - index: 2 - name: event_source - - index: 3 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Administrative - - name: 'Administrative Log' - fingerprint: site|server|domain_name|admin|NONE - columns: - - index: 4 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#System - - name: 'System Log' - fingerprint: site|server|NONE - columns: - - index: 2 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Proactive_Detection - - name: 'Agent Proactive Detection Log' - fingerprint: 
NONE|computer_name|detection_type|first_seen|application_name|application_type|application_version|hash_type|application_hash|company_name|file_size_bytes|sensitivity|detection_score|coh_engine_version|NONE|permitted_application_reason|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|risk_level|detection_source|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|domain_name|group|server|user_name|source_computer|source_ip - columns: - - index: 0 - name: event_description - - index: 16 - name: submission_recommended - - index: 28 - name: file_path - - index: 29 - name: description - - name: 'Agent Proactive Detection Log' - fingerprint: NONE|computer_name|ip_address|detection_type|first_seen|application_name|application_type|application_version|hash_type|application_hash|company_name|file_size_bytes|sensitivity|detection_score|coh_engine_version|NONE|permitted_application_reason|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|risk_level|risk_type|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|domain_name|group|server|user_name|source_computer|source_ip|intensive_protection_level|certificate_issuer|certificate_signer|certificate_thumbprint|signing_timestamp|certificate_serial_number - columns: - - index: 0 - name: event_description - - index: 17 - name: submission_recommended - - index: 29 - name: file_path - - index: 30 - name: description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Policy - - name: 'Policy Log' - fingerprint: site|server|domain_name|admin|event_description|NONE - columns: - - index: 5 - name: policy_name - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Scan - - name: 'Agent Scan Log' - fingerprint: 
scan_id|begin|end|NONE|duration_seconds|user1|user2|NONE|scan_complete|command|threats|infected|total_files|omitted|computer_name|ip_address|domain_name|group|server - columns: - - index: 3 - name: action - - index: 7 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Risk - - name: 'Agent Risk Log' - fingerprint: NONE|ip_address|computer_name|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|last_update_time|domain_name|group|server|user_name|source_computer|source_ip|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|first_seen|sensitivity|permitted_application_reason|application_hash|hash_type|company_name|application_name|application_version|application_type|file_size_bytes|category_set|category_type|location|intensive_protection_level|certificate_issuer|certificate_signer|certificate_thumbprint|signing_timestamp|certificate_serial_number - columns: - - index: 0 - name: event_description - - index: 6 - name: file_path - source: | - // Assume first column is always the host.hostname. 
- def hostname = ctx._csv_array.get(0); - if (/[\.a-zA-Z0-9_-]+/.matcher(hostname).matches()) { - if (ctx?.host == null) { - ctx['host'] = [:]; - } - ctx['host']['hostname'] = hostname; - } - - def provider = null; - for (def p: params.providers) { - if (p.fingerprint == ctx._fingerprint || (p.fingerprint instanceof Collection && p.fingerprint.contains(ctx._fingerprint))) { - provider = p; - break; - } - } - if (provider == null) { return; } - - ctx['event']['provider'] = provider.name; - if (provider?.event_category != null) { - ctx['event']['category'] = new ArrayList(provider.event_category); - } - if (provider?.event_type!= null) { - ctx['event']['type'] = new ArrayList(provider.event_type); - } - for (def c : provider.columns) { - def v = ctx._csv_array.get(c.index).trim(); - if (!v.isEmpty()) { - ctx._csv_map[c.name] = v; - } - } - - -- rename: - field: _csv_map - target_field: symantec_endpoint.log - ignore_missing: true - -### -# BEGIN handling of Symantec Endpoint fields. -### - -# Action -- lowercase: - field: symantec_endpoint.log.action - ignore_missing: true -- set: - field: event.action - copy_from: symantec_endpoint.log.action - ignore_failure: true - -# Actual Action -- set: - if: ctx?.event?.action == null - field: event.action - copy_from: symantec_endpoint.log.actual_action - ignore_failure: true - -# Admin -- set: - field: user.name - copy_from: symantec_endpoint.log.admin - ignore_failure: true - -# Application -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.application - ignore_failure: true - -# Application Name -- set: - field: file.pe.product - copy_from: symantec_endpoint.log.application_name - ignore_failure: true - -# Application Version -- set: - field: file.pe.file_version - copy_from: symantec_endpoint.log.application_version - ignore_failure: true - -# Begin -- date: - field: symantec_endpoint.log.begin - target_field: event.start - ignore_failure: true - formats: - - 
yyyy-MM-dd HH:mm:ss - -# Caller MD-5 -- dissect: - tag: caller-md5 - field: symantec_endpoint.log.event_description - pattern: '%{} Caller MD5=%{process.hash.md5}' - ignore_failure: true - -# Caller Process ID -- convert: - field: symantec_endpoint.log.caller_process_id - target_field: process.pid - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.caller_process_id - -# Caller Process Name -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.caller_process_name - ignore_failure: true - -# Certificate Issuer -- append: - if: ctx?.symantec_endpoint?.log?.certificate_issuer != null - field: file.x509.issuer.common_name - value: '{{{symantec_endpoint.log.certificate_issuer}}}' - -# Certificate Serial Number -- set: - field: file.x509.serial_number - copy_from: symantec_endpoint.log.certificate_serial_number - ignore_failure: true - - # Certificate Signer -- append: - if: ctx?.symantec_endpoint?.log?.certificate_signer != null - field: file.x509.issuer.common_name - value: '{{{symantec_endpoint.log.certificate_signer}}}' - -# Certificate Thumbprint (hex encoded sha1 hashes are 40 characters) -- lowercase: - if: ctx?.symantec_endpoint?.log?.certificate_thumbprint != null && ctx.symantec_endpoint.log.certificate_thumbprint.length() == 40 - field: symantec_endpoint.log.certificate_thumbprint - target_field: file.hash.sha1 - -# Company Name -- set: - field: file.pe.company - copy_from: symantec_endpoint.log.company_name - ignore_failure: true - -# Company Name -- set: - field: host.hostname - copy_from: symantec_endpoint.log.computer_name - override: false - ignore_failure: true - -# Domain Name -- set: - if: ctx?.user?.domain == null - field: user.domain - copy_from: symantec_endpoint.log.domain_name - ignore_failure: true - -# Downloaded by -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.downloaded_by - 
ignore_failure: true - -# Download site -- uri_parts: - field: symantec_endpoint.log.download_site - ignore_failure: true - -# Duration (seconds) -- convert: - field: symantec_endpoint.log.duration_seconds - target_field: event.duration - type: long - ignore_missing: true - ignore_failure: true -- script: - description: Convert event.duration from seconds to nanoseconds. - if: ctx?.event?.duration != null - lang: painless - source: - ctx.event['duration'] = ctx.event.duration * 1e9; - -# End -- date: - field: symantec_endpoint.log.end - target_field: event.end - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - -# Event Description -- set: - field: message - copy_from: symantec_endpoint.log.event_description - ignore_failure: true - -# Event Time -- date: - if: ctx?.symantec_endpoint?.log?.event_time != null - field: symantec_endpoint.log.event_time - target_field: symantec_endpoint.log.event_time - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.event_time -- set: - if: ctx?.symantec_endpoint?.log?.event_time != null - field: '@timestamp' - copy_from: symantec_endpoint.log.event_time - -# File Path -- set: - field: file.path - copy_from: symantec_endpoint.log.file_path - ignore_failure: true - -# File Size (bytes) -- convert: - field: symantec_endpoint.log.file_size_bytes - target_field: file.size - type: long - ignore_missing: true - ignore_failure: true - -# Infected -- convert: - field: symantec_endpoint.log.infected - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.infected - -# Inserted -- date: - if: ctx?.symantec_endpoint?.log?.inserted != null - field: symantec_endpoint.log.inserted - target_field: symantec_endpoint.log.inserted - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.inserted - -# Intrusion ID -- set: - field: rule.id - copy_from: symantec_endpoint.log.intrusion_id - 
ignore_failure: true - -# Intrusion Payload URL - -# Intrusion URL -- set: - field: url.original - copy_from: symantec_endpoint.log.intrusion_url - ignore_failure: true - -# IP Address -- append: - if: ctx?.symantec_endpoint.log?.ip_address != null - field: host.ip - value: '{{{symantec_endpoint.log.ip_address}}}' - allow_duplicates: false - -# Last Update Time (listed as always being in GMT) -- date: - if: ctx?.symantec_endpoint?.log?.last_update_time != null - field: symantec_endpoint.log.last_update_time - target_field: symantec_endpoint.log.last_update_time - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.last_update_time - -# Local Host IP -- set: - if: ctx?.symantec_endpoint?.log?.local_host_ip != null && ctx.symantec_endpoint.log.local_host_ip != "0.0.0.0" - field: source.address - copy_from: symantec_endpoint.log.local_host_ip - -# Local Host MAC -- set: - field: source.mac - copy_from: symantec_endpoint.log.local_host_mac - ignore_failure: true -- gsub: - field: source.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- remove: - if: ctx?.source?.mac == '000000000000' - field: source.mac -- gsub: - field: source.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: source.mac - ignore_missing: true - -# Local Host Name -- set: - if: ctx?.symantec_endpoint?.log?.local_host_name != "" - field: source.domain - copy_from: symantec_endpoint.log.local_host_name - ignore_failure: true - -# Local Port -- convert: - if: ctx?.symantec_endpoint?.log?.local_port != "0" - field: symantec_endpoint.log.local_port - target_field: source.port - type: long - ignore_failure: true - -# Location -- set: - field: source.geo.name - copy_from: symantec_endpoint.log.location - ignore_failure: true - -# MD-5 -- set: - field: process.hash.md5 - copy_from: symantec_endpoint.log.md-5 - ignore_failure: true -- lowercase: - field: process.hash.md5 - ignore_missing: true - -# Network 
Protocol (known as ECS network transport) -- set: - field: network.transport - copy_from: symantec_endpoint.log.network_protocol - ignore_failure: true -- lowercase: - field: network.transport - ignore_missing: true - -# Occurrences -- convert: - field: symantec_endpoint.log.occurrences - target_field: event.count - type: long - ignore_failure: true - -# Omitted -- convert: - field: symantec_endpoint.log.omitted - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.omitted - -# Remote Host IP -- set: - if: ctx?.symantec_endpoint?.log?.remote_host_ip != null && ctx.symantec_endpoint.log.remote_host_ip != "0.0.0.0" - field: destination.address - copy_from: symantec_endpoint.log.remote_host_ip - -# Remote Host MAC -- set: - field: destination.mac - copy_from: symantec_endpoint.log.remote_host_mac - ignore_failure: true -- gsub: - field: destination.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- remove: - if: ctx?.destination?.mac == '000000000000' - field: destination.mac -- gsub: - field: destination.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: destination.mac - ignore_missing: true - -# Remote Host Name -- set: - if: ctx?.symantec_endpoint?.log?.remote_host_name != "" - field: destination.domain - copy_from: symantec_endpoint.log.remote_host_name - ignore_failure: true - -# Remote Port -- convert: - if: ctx?.symantec_endpoint?.log?.remote_port != "0" - field: symantec_endpoint.log.remote_port - target_field: destination.port - type: long - ignore_failure: true - -# Rule -- set: - field: rule.name - copy_from: symantec_endpoint.log.rule - ignore_failure: true - -# Sensitivity -- convert: - field: symantec_endpoint.log.sensitivity - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.sensitivity - -# SHA-256 -- set: - field: process.hash.sha256 - copy_from: symantec_endpoint.log.sha-256 - ignore_failure: true -- lowercase: 
- field: process.hash.sha256 - ignore_missing: true - -# Signing Timestamp (Agent Risk Log) -- date: - if: ctx?.symantec_endpoint?.log?.signing_timestamp != null - field: symantec_endpoint.log.signing_timestamp - target_field: symantec_endpoint.log.signing_timestamp - formats: - - UNIX - on_failure: - - remove: - field: symantec_endpoint.log.signing_timestamp -- set: - field: file.x509.not_before - copy_from: symantec_endpoint.log.signing_timestamp - ignore_failure: true - -# Source Computer -- set: - field: source.domain - copy_from: symantec_endpoint.log.source_computer - ignore_failure: true - -# Source IP -- set: - field: source.address - copy_from: symantec_endpoint.log.source_ip - ignore_failure: true - -# Submission Recommended (Recommendation in the form of YES or NO on whether to submit this detection to Symantec or not.) -- set: - if: ctx?.symantec_endpoint?.log?.submission_recommended != null && ctx.symantec_endpoint.log.submission_recommended.toLowerCase().contains('yes') - field: symantec_endpoint.log.submission_recommended - value: true -- set: - if: ctx?.symantec_endpoint?.log?.submission_recommended != null && !ctx.symantec_endpoint.log.submission_recommended.toLowerCase().contains('yes') - field: symantec_endpoint.log.submission_recommended - value: false - -# Traffic Direction -# NOTE: inbound/outbound is changed to ingress/egress because this is a host -# based EDR and ECS guidelines say to use ingress/egress for hosts. 
-- set: - field: network.direction - copy_from: symantec_endpoint.log.traffic_direction - ignore_failure: true -- lowercase: - field: network.direction - ignore_missing: true -- set: - if: ctx?.network?.direction == "inbound" - field: network.direction - value: ingress -- set: - if: ctx?.network?.direction == "outbound" - field: network.direction - value: egress - -# Threats -- convert: - field: symantec_endpoint.log.threats - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.threats - -# Total files -- convert: - field: symantec_endpoint.log.total_files - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.total_files - -# User Name -- set: - field: user.name - copy_from: symantec_endpoint.log.user_name - ignore_failure: true - -# User1 -- set: - if: ctx?.symantec_endpoint?.log?.user1 != null && ctx?.user?.name == null - field: user.name - copy_from: symantec_endpoint.log.user1 - -### -# END handling of Symantec Endpoint fields. -### - -- remove: - if: ctx?._conf?.remove_mapped_fields == true - description: Remove symantec_endpoint.log fields that are mapped in some way to ECS. 
- ignore_missing: true - field: - - symantec_endpoint.log.action - - symantec_endpoint.log.actual_action - - symantec_endpoint.log.admin - - symantec_endpoint.log.application - - symantec_endpoint.log.application_name - - symantec_endpoint.log.application_version - - symantec_endpoint.log.begin - - symantec_endpoint.log.caller_process_id - - symantec_endpoint.log.caller_process_name - - symantec_endpoint.log.certificate_serial_number - - symantec_endpoint.log.certificate_thumbprint - - symantec_endpoint.log.company_name - - symantec_endpoint.log.domain_name - - symantec_endpoint.log.download_site - - symantec_endpoint.log.downloaded_by - - symantec_endpoint.log.duration_seconds - - symantec_endpoint.log.end - - symantec_endpoint.log.event_description - - symantec_endpoint.log.event_time - - symantec_endpoint.log.file_path - - symantec_endpoint.log.file_size_bytes - - symantec_endpoint.log.inserted - - symantec_endpoint.log.intrusion_id - - symantec_endpoint.log.intrusion_url - - symantec_endpoint.log.last_update_time - - symantec_endpoint.log.local_host_ip - - symantec_endpoint.log.local_host_mac - - symantec_endpoint.log.local_host_name - - symantec_endpoint.log.local_port - - symantec_endpoint.log.location - - symantec_endpoint.log.md-5 - - symantec_endpoint.log.network_protocol - - symantec_endpoint.log.occurrences - - symantec_endpoint.log.remote_host_ip - - symantec_endpoint.log.remote_host_mac - - symantec_endpoint.log.remote_host_name - - symantec_endpoint.log.remote_port - - symantec_endpoint.log.rule - - symantec_endpoint.log.sha-256 - - symantec_endpoint.log.signing_timestamp - - symantec_endpoint.log.source_computer - - symantec_endpoint.log.source_ip - - symantec_endpoint.log.submission_recommended - - symantec_endpoint.log.traffic_direction - - symantec_endpoint.log.user1 - - symantec_endpoint.log.user_name - -- remove: - description: Remove empty symantec_endpoint.log object. 
- if: ctx?.symantec_endpoint?.log != null && ctx.symantec_endpoint.log.isEmpty() - field: symantec_endpoint - ignore_missing: true - -# ECS Categorization -- set: - field: event.kind - value: event -- append: - description: Set event.type to allowed when activity is blocked. - if: ctx?.event?.action == 'blocked' || (ctx?.message != null && !ctx.message.contains('not blocked') && ctx.message.contains('blocked')) - field: event.type - value: denied - allow_duplicates: false -- append: - description: Set event.type to allowed when activity is not blocked. - if: ctx?.event?.action == 'not blocked' || (ctx?.message != null && ctx.message.contains('not blocked')) - field: event.type - value: allowed - allow_duplicates: false -- append: - if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on') - field: event.category - value: authentication -- append: - if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on') - field: event.type - value: info -- set: - if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on failed') - field: event.outcome - value: failure -- set: - if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on succeeded') - field: event.outcome - value: success - -# Destination IP -- convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - ignore_failure: true - -# Source IP -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true - -# Network Type -- set: - if: ctx?.source?.ip != null && !ctx.source.ip.contains(':') - field: network.type - value: ipv4 -- set: - if: ctx?.source?.ip != null && ctx.source.ip.contains(':') - field: network.type - value: ipv6 - -# Host IP -- append: - if: ctx?.source?.ip != null - field: host.ip - value: '{{{source.ip}}}' - allow_duplicates: false - -# Host MAC -- append: - if: ctx?.source?.mac != null - field: host.mac - 
value: '{{{source.mac}}}' - allow_duplicates: false - -# Host Hostname -- set: - field: host.hostname - copy_from: source.domain - override: false - ignore_failure: true - -# Host Name -- set: - field: host.name - copy_from: host.hostname - override: false - ignore_failure: true - -# Related IP -- append: - if: ctx?.source?.ip != null - field: related.ip - value: '{{{source.ip}}}' - allow_duplicates: false -- append: - if: ctx?.destination?.ip != null - field: related.ip - value: '{{{destination.ip}}}' - allow_duplicates: false - -# Related Hash -- append: - if: ctx?.file?.hash?.sha1 != null - field: related.hash - value: '{{{file.hash.sha1}}}' - allow_duplicates: true -- append: - if: ctx?.process?.hash?.md5 != null - field: related.hash - value: '{{{process.hash.md5}}}' - allow_duplicates: true -- append: - if: ctx?.process?.hash?.sha256 != null - field: related.hash - value: '{{{process.hash.sha256}}}' - allow_duplicates: true - -# Community ID -- community_id: - ignore_failure: true - -# IP Geolocation Lookup -- geoip: - if: ctx.source?.geo == null - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - if: ctx.destination?.geo == null - field: destination.ip - target_field: destination.geo - ignore_missing: true - -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name
- ignore_missing: true
-
-- script:
- # Local was assumed to be source and remote was assumed to be destination.
- # But if direction is ingress then swap the two around.
- description: Swap source/destination for "ingress".
- tag: swap-source-destination-on-ingress
- if: ctx?.network?.direction == "ingress" && ctx?.source != null && ctx?.destination != null
- lang: painless
- source: |
- def tmp = ctx.source;
- ctx.source = ctx.destination;
- ctx.destination = tmp;
-
-- remove:
- description: Retain event.original when preserve_original_event tag exists.
- if: ctx?.tags == null || !ctx.tags.contains('preserve_original_event')
- field: event.original
- ignore_missing: true
-
-- remove:
- if: ctx?.tags == null || !ctx.tags.contains('debug')
- ignore_missing: true
- field:
- - _conf
- - _csv_array
- - _fingerprint
-
-on_failure:
-- set:
- field: error.message
- value: 'processor {{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}'
-
-- remove:
- if: ctx?.tags == null || !ctx.tags.contains('debug')
- ignore_missing: true
- field:
- - _conf
- - _csv_array
- - _csv_map
- - _fingerprint
diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/fields/agent.yml b/packages/symantec_endpoint/1.0.1/data_stream/log/fields/agent.yml
deleted file mode 100755
index c2cceee2d3..0000000000
--- a/packages/symantec_endpoint/1.0.1/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,210 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/fields/base-fields.yml b/packages/symantec_endpoint/1.0.1/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index d5fd358e28..0000000000
--- a/packages/symantec_endpoint/1.0.1/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: symantec_endpoint
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: symantec_endpoint.log
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: observer.vendor
- type: constant_keyword
- description: Vendor name of the observer.
- value: Symantec
-- name: observer.product
- type: constant_keyword
- description: The product name of the observer.
- value: Endpoint Protection
-- name: observer.type
- type: constant_keyword
- description: The type of the observer the data is coming from.
- value: edr
diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/fields/ecs.yml b/packages/symantec_endpoint/1.0.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 852bacf52f..0000000000
--- a/packages/symantec_endpoint/1.0.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,321 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Destination domain. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - name: event.module - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: file.pe.company - type: keyword -- description: Internal version of the file, provided at compile-time. - name: file.pe.file_version - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: file.pe.product - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: List of common name (CN) of issuing certificate authority. - name: file.x509.issuer.common_name - type: keyword -- description: Time at which the certificate is first considered valid. - name: file.x509.not_before - type: date -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: file.x509.serial_number - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - name: network.type - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. 
- name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Source domain. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/fields/fields.yml b/packages/symantec_endpoint/1.0.1/data_stream/log/fields/fields.yml
deleted file mode 100755
index 2c2cef565a..0000000000
--- a/packages/symantec_endpoint/1.0.1/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,333 +0,0 @@ -- name: symantec_endpoint.log - type: group - fields: - - name: action - type: keyword - description: > - The action taken on the traffic, e.g. "Blocked". - - - name: actual_action - type: keyword - description: Actual action from risk logs and proactive detection (SONAR) logs. - - name: admin - type: keyword - description: Name of the SEPM admin. - - name: api_name - type: keyword - description: API name that was blocked (agent behavior log). - - name: application - type: keyword - description: The full path name of the application involved. - - name: application_hash - type: keyword - description: The hash for this application. - - name: application_name - type: keyword - description: The application name. - - name: application_type - type: keyword - description: Application type (Trojan, key logger etc). - - name: application_version - type: keyword - description: The application version. - - name: begin - type: keyword - description: Start time of the event (also see event.start). - - name: caller_process_id - type: keyword - description: The ID of the process that triggers the logging. - - name: caller_process_name - type: keyword - description: > - The full path name of the application involved. It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log". - - - name: caller_return_address - type: keyword - description: > - The return address of the caller. This field allows the detection of the calling module that makes the API call. - - This is historically not used. You can expect Return Address to always be 0. - - - name: caller_return_module_name - description: > - The module name of the caller. See CallerReturnAddress for more information. - - Return Module name is historically unused. 
You can expect Return Module name to always be "No Module Name" except where you see Sysplant when sysplant has started. - - type: keyword - - name: category - type: keyword - description: Agent system log category (generally not populated by SEPM). - - name: category_set - type: keyword - description: Agent risk log category. - - name: category_type - type: keyword - description: Agent risk log category type. - - name: certificate_issuer - type: keyword - description: The certificate's issuer. - - name: certificate_serial_number - type: keyword - description: The certificate's serial number. - - name: certificate_signer - type: keyword - description: The certificate's signer. - - name: certificate_thumbprint - type: keyword - description: The certificate's thumbprint. - - name: cids_signature_id - type: keyword - description: The signature ID. - - name: cids_signature_string - type: keyword - description: The signature name. - - name: cids_signature_subid - type: keyword - description: The signature sub ID. - - name: coh_engine_version - type: keyword - description: TruScan engine version. - - name: command - type: keyword - description: Command sent from the SEPM. - - name: company_name - type: keyword - description: The company name from the application (used in agent risk logs). - - name: computer_name - type: keyword - description: Name of the host machine (used in agent risk/scan logs). - - name: confidence - type: keyword - description: > - The Confidence level that produced the conviction. Examples: High, low, bad, trustworthy etc. "Confidence: There is strong evidence that this file is untrustworthy." - - - name: description - type: keyword - description: Description of the virus file. - - name: detection_score - type: keyword - description: Score of detection. - - name: detection_source - type: keyword - description: Source of the detection. - - name: detection_type - type: keyword - description: Type of detection (e.g. heuristic). 
- - name: device_id - type: keyword - description: The GUID of an external device (floppy disk, DVD, USB device, etc.). - - name: disposition - type: keyword - description: Good / Bad / Unknown / Not available. - - name: domain_name - type: keyword - description: SEPM domain name. - - name: download_site - type: keyword - description: The URL determined from where the image was downloaded. - - name: downloaded_by - type: keyword - description: The creator process of the dropper threat. - - name: duration_seconds - type: keyword - description: The length of the scan, in seconds. - - name: end - type: keyword - description: Start time of the event (also see event.end). - - name: event_description - type: keyword - description: Description of the event. Usually, the first line of the description is treated as the summary. - - name: event_source - type: keyword - description: The data source. NETPORT, NATSRV, Network Intrusion Protection System, LiveUpdate Manager etc. - - name: event_time - type: date - description: Time of event occurrence. - - name: file_path - type: keyword - description: The file path of the attacked file. - - name: file_size_bytes - type: keyword - description: File size of application. - - name: first_seen - type: keyword - description: The first seen date for the convicted application. - - name: group - type: keyword - description: SEPM client group name. - - name: hash_type - type: keyword - description: Application hash type (MD5, SHA1, SHA256 etc). - - name: infected - type: long - description: The number of files that the scan found that were infected. - - name: inserted - type: date - description: The time that the event was inserted into the database. - - name: intensive_protection_level - type: keyword - description: The High Intensity Detection Level. - - name: intrusion_id - type: keyword - description: Intrusion ID. - - name: intrusion_payload_url - type: keyword - description: The URL that hosted the payload. 
- - name: intrusion_url - type: keyword - description: The URL from the detection. - - name: ip_address - type: keyword - description: IP Address of the machine. - - name: last_update_time - type: date - description: The time on the server when the event is logged into the system or updated in the system (GMT). - - name: local_host - type: keyword - description: The host name of the client computer. - - name: local_host_ip - type: keyword - description: The IP address of the local computer. - - name: local_host_mac - type: keyword - description: The MAC address of the local computer. - - name: local_host_name - type: keyword - description: The host name of the client computer. - - name: local_port - type: keyword - description: The TCP/UDP port of the local computer. - - name: location - type: keyword - description: The location used when the event occurred. - - name: md-5 - type: keyword - description: The MD5 hash value. - - name: network_protocol - type: keyword - description: Localized string for Others/ TCP/ UDP/ ICMP. - - name: occurrences - type: keyword - description: The number of attacks. Sometime, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period. - - name: omitted - type: long - description: The number of files that were omitted. - - name: parameters - type: keyword - description: > - Parameters is the name of the module, process, registry location or file that was used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character. - - As an example, in the SEPM ADC policy you may have a rule with a condition which monitors for Load DLL Attempts with the rule being applied to mscoree.dll. In this case, in the parameters field you'd expect to see C:\Windows\SysWOW64\mscoree.dll. 
- - - name: permitted_application_reason - type: keyword - description: Reason for allow listing (e.g. Symantec permitted application list, Administrator permitted application list). - - name: policy_name - type: keyword - description: Name of the policy. - - name: prevalence - type: keyword - description: Number of users that have seen this. - - name: remote_host_ip - type: keyword - description: The IP address of the remote computer. - - name: remote_host_mac - type: keyword - description: The MAC address of the remote computer. - - name: remote_port - type: keyword - description: The TCP/UDP port of the remote computer. - - name: requested_action - type: keyword - description: Requested action by policy. - - name: risk_level - type: keyword - description: The risk level (high, med, low) for the convicted threat. - - name: risk_name - type: keyword - - name: risk_type - type: keyword - description: Localized strings for Heuristic / Cookie / Admin Black List / BPE / System Change / N/A. - - name: rule - type: keyword - description: > - The name of the rule that was triggered by the event. - - If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but rule name can help you recognize it more quickly. - - - name: scan_complete - type: keyword - description: Scan message when scan ended. - - name: scan_id - type: keyword - description: The scan ID provided by the agent. - - name: secondary_action - type: keyword - description: Secondary action requested by policy - - name: sensitivity - type: long - description: Engine sensitivity that produced this detection - - name: server - type: keyword - description: Name of the server. - - name: server_name - type: keyword - description: Name of the server. - - name: sha-256 - type: keyword - description: The SHA-256 hash value. 
- - name: signing_timestamp - type: date - description: The certificate's signature timestamp. - - name: site - type: keyword - description: SEPM site name. - - name: source - type: keyword - description: Scan source (e.g. scheduled). - - name: source_computer - type: keyword - description: Computer name where this event occurred. - - name: source_ip - type: keyword - description: IP address of the machine on which the event occurred. - - name: submission_recommended - type: boolean - description: Recommendation on whether to submit this detection to Symantec. - - name: threats - type: long - description: The number of threats that the scan found. - - name: total_files - type: long - description: The number of files scanned. - - name: traffic_direction - type: keyword - description: Unknown / Inbound / Outbound - - name: url_tracking_status - type: keyword - description: Network intrusion prevention status - - name: user1 - type: keyword - description: User when scan started. - - name: user2 - type: keyword - description: User when scan ended. - - name: user_name - type: keyword - - name: web_domain - type: keyword - description: The web domain. -- name: log.syslog.hostname - type: keyword - description: Hostname parsed from syslog header. -- name: log.syslog.process.name - type: keyword -- name: log.syslog.process.pid - type: long -- name: log.syslog.priority - type: long -- name: log.syslog.version - type: long -- name: log.syslog.structured_data - type: flattened diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/manifest.yml b/packages/symantec_endpoint/1.0.1/data_stream/log/manifest.yml deleted file mode 100755 index e24087b13b..0000000000 --- a/packages/symantec_endpoint/1.0.1/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,190 +0,0 @@ -title: Symantec Endpoint Protection (SEP) Logs -type: logs -release: beta -streams: - - input: udp - template_path: udp.yml.hbs - title: SEP logs (syslog over UDP) - description: Collect Symantec Endpoint Protection (SEP) logs over UDP. - enabled: true - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9008 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - symantec-endpoint-log - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: remove_mapped_fields - required: true - show_user: false - title: Remove fields mapped to ECS - description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. 
This reduces the size of events by removing duplicated data. - type: bool - multi: false - default: false - - input: tcp - template_path: tcp.yml.hbs - title: SEP logs (syslog over TCP) - description: Collect Symantec Endpoint Protection (SEP) logs over TCP. - enabled: false - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9008 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: ssl - type: yaml - title: TLS - description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - multi: false - required: false - show_user: false - default: | - enabled: false - certificate: "/etc/pki/client/cert.pem" - key: "/etc/pki/client/cert.key" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - symantec-endpoint-log - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: remove_mapped_fields - required: true - show_user: false - title: Remove fields mapped to ECS - description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data. - type: bool - multi: false - default: false - - input: logfile - template_path: logfile.yml.hbs - title: SEP logs (from file) - description: Collect Symantec Endpoint Protection (SEP) logs from a file. - enabled: false - vars: - - name: paths - type: text - title: Paths - multi: true - required: false - show_user: true - default: - - 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\*.log' - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - symantec-endpoint-log - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: remove_mapped_fields - required: true - show_user: false - title: Remove fields mapped to ECS - description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data. - type: bool - multi: false - default: false diff --git a/packages/symantec_endpoint/1.0.1/data_stream/log/sample_event.json b/packages/symantec_endpoint/1.0.1/data_stream/log/sample_event.json deleted file mode 100755 index 080bd684ef..0000000000 
--- a/packages/symantec_endpoint/1.0.1/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "process": { - "executable": "C:/WINDOWS/system32/NTOSKRNL.EXE", - "hash": { - "sha256": "5379732000000000000000000000000000000000000000000000000000000000", - "md5": "53797320000000000000000000000000" - } - }, - "log": { - "syslog": { - "process": { - "name": "myproc", - "pid": 8710 - }, - "hostname": "192.0.2.1", - "priority": 165, - "version": 1 - } - }, - "destination": { - "geo": { - "name": "Default" - }, - "address": "192.168.1.113", - "port": 80, - "mac": "CC-F9-E4-A9-12-26", - "ip": "192.168.1.113" - }, - "rule": { - "name": "Block Unapproved Incoming Ports" - }, - "source": { - "address": "192.168.1.1", - "port": 33424, - "mac": "2C-3A-FD-A7-9E-71", - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "preserve_original_event" - ], - "network": { - "community_id": "1:TbyoH4bYJO0/cP/YShIpq9J+Z3s=", - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "@timestamp": "2021-11-16T12:14:15.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "hash": [ - "53797320000000000000000000000000", - "5379732000000000000000000000000000000000000000000000000000000000" - ], - "ip": [ - "192.168.1.113", - "192.168.1.1" - ] - }, - "host": { - "name": "host-rfc5424", - "hostname": "host-rfc5424", - "mac": [ - "CC-F9-E4-A9-12-26" - ], - "ip": [ - "192.168.1.113" - ] - }, - "symantec_endpoint": { - "log": { - "occurrences": "4", - "sha-256": "5379732000000000000000000000000000000000000000000000000000000000", - "local_port": "80", - "user_name": "sampleuser4", - "remote_port": "33424", - "rule": "Block Unapproved Incoming Ports", - "md-5": "53797320000000000000000000000000", - "network_protocol": "TCP", - "traffic_direction": "Inbound", - "remote_host_ip": "192.168.1.1", - "remote_host_mac": "2C3AFDA79E71", - "domain_name": "SMPL", - "application": "C:/WINDOWS/system32/NTOSKRNL.EXE", - "local_host_ip": "192.168.1.113", - "action": "blocked", - "end": "2020-11-11 19:25:28", - "location": "Default", - "local_host_mac": 
"CCF9E4A91226", - "begin": "2020-11-11 19:25:21" - } - }, - "event": { - "original": "\u003c165\u003e1 2021-11-16T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - host-rfc5424,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000", - "provider": "Agent Traffic Log", - "kind": "event", - "start": "2020-11-11T19:25:21.000Z", - "count": 4, - "action": "blocked", - "end": "2020-11-11T19:25:28.000Z", - "category": [ - "intrusion_detection", - "network", - "process" - ], - "type": [ - "connection", - "denied" - ] - }, - "user": { - "name": "sampleuser4", - "domain": "SMPL" - } -} \ No newline at end of file diff --git a/packages/symantec_endpoint/1.0.1/docs/README.md b/packages/symantec_endpoint/1.0.1/docs/README.md deleted file mode 100755 index 71e62e88ce..0000000000 --- a/packages/symantec_endpoint/1.0.1/docs/README.md +++ /dev/null 
@@ -1,472 +0,0 @@ -# Symantec Endpoint Protection Integration - -This integration is for [Symantec Endpoint Protection (SEP)](https://knowledge.broadcom.com/external/article?legacyId=tech171741) logs. It can be used -to receive logs sent by SEP over syslog or read logs exported to a text file. - -The log message is expected to be in CSV format. Syslog RFC3164 and RCF5424 -headers are allowed and will be parsed if present. The data is mapped to -ECS fields where applicable and the remaining fields are written under -`symantec_endpoint.log.*`. - -If a specific SEP log type is detected then `event.provider` is set (e.g. -`Agent Traffic Log`). - -## Syslog setup steps - -1. Enable this integration with the UDP input. -2. If the Symantec management server and Elastic Agent are running on different -hosts then configure the integration to listen on 0.0.0.0 so that it will accept -UDP packets on all interfaces. This makes the listening port reachable by the -Symantec server. -3. Configure the Symantec management server to send syslog to the Elastic Agent -that is running this integration. See [Exporting data to a Syslog server]( -https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html) -in the SEP guide. Use the IP address or hostname of the Elastic Agent as the -syslog server address. And use the listen port as the destination port (default -is 9008). - -## Log file setup steps - -1. Configure the Symantec management server to export log data to a text file. -See [Exporting log data to a text file](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-log-data-to-a-text-file-v8440135-d15e1197.html). -2. 
Enable this integration with the log file input. Configure the input to -read from the location where the log files are being written. The default is -`C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\*.log`. - -Logs exported to text file always begin with the event time and severity -columns (e.g. `2020-01-16 08:00:31,Critical,...`). - -## Log samples - -Below are samples of some different SEP log types. These examples have had their -syslog header removed, but when sent over syslog these lines typically -begin with an RFC3164 header like -`<51>Oct 3 10:38:14 symantec.endpointprotection.test SymantecServer: ` - -### Administrative Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=tech171741#Administrative) - -`Site: SEPSite,Server: SEPServer,Domain: _domainOrigin,Admin: _originUser,Administrator log on succeeded` - -### Agent Activity Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager]( https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Activity) - -`Site: SEPSite,Server Name: exampleserver,Domain Name: Default,The management server received the client log successfully,TESTHOST01,sampleuser01,sample.example.com` - -### Agent Behavior Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Behavior) - -`exampleserver,216.160.83.57,Blocked,[AC7-2.1] Block scripts - Caller MD5=d73b04b0e696b0945283defa3eee4538,File Write,Begin: 2019-09-06 15:18:56,End: 2019-09-06 15:18:56,Rule: Rule Name,9552,C:/ProgramData/bomgar-scc-0x5d4162a4/bomgar-scc.exe,0,No Module Name,C:/ProgramData/bomgar-scc-0x5d4162a4/start-cb-hook.bat,User: _originUser,Domain: _domainOrigin,Action Type: ,File size 
(bytes): 1403,Device ID: SCSI\Disk&Ven_WDC&Prod_WD10SPCX-75KHST0\4&1d8ead7a&0&000200` - -### Agent Packet Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Packet) - -`exampleserver,Local Host: 81.2.69.143,Local Port: 138,Remote Host IP: 81.2.69.144.,Remote Host Name: ,Remote Port: 138,Outbound,Application: C:/windows/system32/NTOSKRNL.EXE,Action: Blocked` - -### Agent Proactive Detection Log - -See vendor documentation:[External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Proactive_Detection) - -`Potential risk found,Computer name: exampleComputer,Detection type: Heuristic,First Seen: Symantec has known about this file approximately 2 days.,Application name: Propsim,Application type: 127,"Application version: ""3",0,6,"0""",Hash type: SHA-256,Application hash: SHA#1234567890,Company name: Dummy Technologies,File size (bytes): 343040,Sensitivity: 2,Detection score: 3,COH Engine Version: 8.1.1.1,Detection Submissions No,Permitted application reason: MDS,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: c:/programdata/oracle/java/javapath_target_2151967445/Host126,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: Off,Risk Level: High,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,f:\user\workspace\baseline package creator\release\Host214,'',Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2018-02-16 08:01:33,Inserted: 2018-02-16 08:02:52,End: 2018-02-16 08:01:33,Domain: Default,Group: My Company\SEPM Group Name,Server: SEPMServer,User: exampleUser,Source computer: ,Source IP:` - -### Agent Risk Log - -See vendor documentation: [External Logging settings and log event 
severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Risk) - -`Security risk found,IP Address: 1.128.3.4,Computer name: exampleComputer,Source: Auto-Protect scan,Risk name: WS.Reputation.1,Occurrences: 1,e:\removablemediaaccessutility.exe,,Actual action: All actions failed,Requested action: Process terminate pending restart,Secondary action: Left alone,Event time: 2019-09-03 08:12:25,Inserted: 2019-09-03 08:14:03,End: 2019-09-03 08:12:25,Last update time: 2019-09-03 08:14:03,Domain: SEPMServerDoman,Group: My Company\GroupName,Server: SEPMServerName,User: exampleUser,Source computer: ,Source IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: e:/removablemediaaccessutility.exe,Prevalence: This file has been seen by fewer than 5 Symantec users.,Confidence: There is some evidence that this file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: SHA#1234567890,Hash type: SHA2,Company name: Company Name,Application name: Client for Symantec Endpoint Encryption,Application version: 11.1.2 (Build 1248),Application type: 127,File size (bytes): 4193981,Category set: Malware,Category type: Insight Network Threat,Location: GD-OTS Unmanaged Client - Online,Intensive Protection Level: 0,Certificate issuer: Symantec Corporation,Certificate signer: VeriSign Class 3 Code Signing 2010 CA,Certificate thumbprint: AB6EF1497C6E1C8CCC12F06E945A4954FB41AD45,Signing timestamp: 1482491555,Certificate serial number: AB2D17E62E571F288ACB5666FD3C5230` - -### Agent Scan Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Scan) - -`Scan ID: 123456789,Begin: 2020-01-31 11:35:28,End: 2020-01-31 
11:45:28,Started,Duration (seconds): 600,User1: exampleUser,User2: SYSTEM,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 916 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 0,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 916,Omitted: 0,Computer: _destinationHostname,IP Address: 1.128.3.4,Domain: exampleDomain,Group: Company\US\UserWS\Main Office,Server: SEPServer` - -### Agent Security Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Security) - -`server03,Event Description: ARP Cache Poison,Local Host IP: 0.0.0.0,Local Host MAC: 2DFF88AABBDC,Remote Host Name: ,Remote Host IP: 0.0.0.0,Remote Host MAC: AABBCCDDEEFF,Inbound,Unknown,Intrusion ID: 0,Begin: 2020-11-23 13:56:35,End Time: 2020-11-23 13:56:35,Occurrences: 1,Application: ,Location: Remote,User Name: bobby,Domain Name: local,Local Port: 0,Remote Port: 0,CIDS Signature ID: 99990,CIDS Signature string: ARP Cache Poison,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5:` - -### Agent System Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_System) - -`exampleHostname,Category: 0,CVE,New content update failed to download from the management server. 
Remote file path: https://server:443/content/{02335EF8-ADE1-4DD8-9F0F-2A9662352E65}/190815061/xdelta190815061_To_190816061.dax,Event time: 2019-08-19 07:14:38` - -### Agent Traffic Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic) - -`host-plaintext,Local Host IP: 216.160.83.61,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 216.160.83.61,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000` - -### Policy Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager](https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Policy) - -`Site: SEPSite,Server: exampleHostname,Domain: exampleDomain,Admin: exampleAdmin,Event Description: Policy has been edited: Edited shared Intrusion Prevention policy: SEPPolicyName,SEPPolicyName` - -### System Log - -See vendor documentation: [External Logging settings and log event severity levels for Endpoint Protection Manager]( https://knowledge.broadcom.com/external/article?legacyId=TECH171741#System) - -`Site: SEPSite,Server: exampleHostname,Symantec Endpoint Protection Manager could not update Intrusion Prevention Signatures 14.0.` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | Destination domain. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. 
| keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| file.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.not_before | Time at which the certificate is first considered valid. | date | -| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.hostname | Hostname parsed from syslog header. 
| keyword | -| log.syslog.priority | | long | -| log.syslog.process.name | | keyword | -| log.syslog.process.pid | | long | -| log.syslog.structured_data | | flattened | -| log.syslog.version | | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| observer.product | The product name of the observer. | constant_keyword | -| observer.type | The type of the observer the data is coming from. | constant_keyword | -| observer.vendor | Vendor name of the observer. | constant_keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. 
| keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | Source domain. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.port | Port of the source. | long | -| symantec_endpoint.log.action | The action taken on the traffic, e.g. "Blocked". | keyword | -| symantec_endpoint.log.actual_action | Actual action from risk logs and proactive detection (SONAR) logs. | keyword | -| symantec_endpoint.log.admin | Name of the SEPM admin. | keyword | -| symantec_endpoint.log.api_name | API name that was blocked (agent behavior log). | keyword | -| symantec_endpoint.log.application | The full path name of the application involved. | keyword | -| symantec_endpoint.log.application_hash | The hash for this application. | keyword | -| symantec_endpoint.log.application_name | The application name. | keyword | -| symantec_endpoint.log.application_type | Application type (Trojan, key logger etc). 
| keyword | -| symantec_endpoint.log.application_version | The application version. | keyword | -| symantec_endpoint.log.begin | Start time of the event (also see event.start). | keyword | -| symantec_endpoint.log.caller_process_id | The ID of the process that triggers the logging. | keyword | -| symantec_endpoint.log.caller_process_name | The full path name of the application involved. It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log". | keyword | -| symantec_endpoint.log.caller_return_address | The return address of the caller. This field allows the detection of the calling module that makes the API call. This is historically not used. You can expect Return Address to always be 0. | keyword | -| symantec_endpoint.log.caller_return_module_name | The module name of the caller. See CallerReturnAddress for more information. Return Module name is historically unused. You can expect Return Module name to always be "No Module Name" except where you see Sysplant when sysplant has started. | keyword | -| symantec_endpoint.log.category | Agent system log category (generally not populated by SEPM). | keyword | -| symantec_endpoint.log.category_set | Agent risk log category. | keyword | -| symantec_endpoint.log.category_type | Agent risk log category type. | keyword | -| symantec_endpoint.log.certificate_issuer | The certificate's issuer. | keyword | -| symantec_endpoint.log.certificate_serial_number | The certificate's serial number. | keyword | -| symantec_endpoint.log.certificate_signer | The certificate's signer. | keyword | -| symantec_endpoint.log.certificate_thumbprint | The certificate's thumbprint. | keyword | -| symantec_endpoint.log.cids_signature_id | The signature ID. | keyword | -| symantec_endpoint.log.cids_signature_string | The signature name. 
| keyword | -| symantec_endpoint.log.cids_signature_subid | The signature sub ID. | keyword | -| symantec_endpoint.log.coh_engine_version | TruScan engine version. | keyword | -| symantec_endpoint.log.command | Command sent from the SEPM. | keyword | -| symantec_endpoint.log.company_name | The company name from the application (used in agent risk logs). | keyword | -| symantec_endpoint.log.computer_name | Name of the host machine (used in agent risk/scan logs). | keyword | -| symantec_endpoint.log.confidence | The Confidence level that produced the conviction. Examples: High, low, bad, trustworthy etc. "Confidence: There is strong evidence that this file is untrustworthy." | keyword | -| symantec_endpoint.log.description | Description of the virus file. | keyword | -| symantec_endpoint.log.detection_score | Score of detection. | keyword | -| symantec_endpoint.log.detection_source | Source of the detection. | keyword | -| symantec_endpoint.log.detection_type | Type of detection (e.g. heuristic). | keyword | -| symantec_endpoint.log.device_id | The GUID of an external device (floppy disk, DVD, USB device, etc.). | keyword | -| symantec_endpoint.log.disposition | Good / Bad / Unknown / Not available. | keyword | -| symantec_endpoint.log.domain_name | SEPM domain name. | keyword | -| symantec_endpoint.log.download_site | The URL determined from where the image was downloaded. | keyword | -| symantec_endpoint.log.downloaded_by | The creator process of the dropper threat. | keyword | -| symantec_endpoint.log.duration_seconds | The length of the scan, in seconds. | keyword | -| symantec_endpoint.log.end | Start time of the event (also see event.end). | keyword | -| symantec_endpoint.log.event_description | Description of the event. Usually, the first line of the description is treated as the summary. | keyword | -| symantec_endpoint.log.event_source | The data source. NETPORT, NATSRV, Network Intrusion Protection System, LiveUpdate Manager etc. 
| keyword | -| symantec_endpoint.log.event_time | Time of event occurrence. | date | -| symantec_endpoint.log.file_path | The file path of the attacked file. | keyword | -| symantec_endpoint.log.file_size_bytes | File size of application. | keyword | -| symantec_endpoint.log.first_seen | The first seen date for the convicted application. | keyword | -| symantec_endpoint.log.group | SEPM client group name. | keyword | -| symantec_endpoint.log.hash_type | Application hash type (MD5, SHA1, SHA256 etc). | keyword | -| symantec_endpoint.log.infected | The number of files that the scan found that were infected. | long | -| symantec_endpoint.log.inserted | The time that the event was inserted into the database. | date | -| symantec_endpoint.log.intensive_protection_level | The High Intensity Detection Level. | keyword | -| symantec_endpoint.log.intrusion_id | Intrusion ID. | keyword | -| symantec_endpoint.log.intrusion_payload_url | The URL that hosted the payload. | keyword | -| symantec_endpoint.log.intrusion_url | The URL from the detection. | keyword | -| symantec_endpoint.log.ip_address | IP Address of the machine. | keyword | -| symantec_endpoint.log.last_update_time | The time on the server when the event is logged into the system or updated in the system (GMT). | date | -| symantec_endpoint.log.local_host | The host name of the client computer. | keyword | -| symantec_endpoint.log.local_host_ip | The IP address of the local computer. | keyword | -| symantec_endpoint.log.local_host_mac | The MAC address of the local computer. | keyword | -| symantec_endpoint.log.local_host_name | The host name of the client computer. | keyword | -| symantec_endpoint.log.local_port | The TCP/UDP port of the local computer. | keyword | -| symantec_endpoint.log.location | The location used when the event occurred. | keyword | -| symantec_endpoint.log.md-5 | The MD5 hash value. | keyword | -| symantec_endpoint.log.network_protocol | Localized string for Others/ TCP/ UDP/ ICMP. 
| keyword | -| symantec_endpoint.log.occurrences | The number of attacks. Sometime, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period. | keyword | -| symantec_endpoint.log.omitted | The number of files that were omitted. | long | -| symantec_endpoint.log.parameters | Parameters is the name of the module, process, registry location or file that was used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character. As an example, in the SEPM ADC policy you may have a rule with a condition which monitors for Load DLL Attempts with the rule being applied to mscoree.dll. In this case, in the parameters field you'd expect to see C:\Windows\SysWOW64\mscoree.dll. | keyword | -| symantec_endpoint.log.permitted_application_reason | Reason for allow listing (e.g. Symantec permitted application list, Administrator permitted application list). | keyword | -| symantec_endpoint.log.policy_name | Name of the policy. | keyword | -| symantec_endpoint.log.prevalence | Number of users that have seen this. | keyword | -| symantec_endpoint.log.remote_host_ip | The IP address of the remote computer. | keyword | -| symantec_endpoint.log.remote_host_mac | The MAC address of the remote computer. | keyword | -| symantec_endpoint.log.remote_port | The TCP/UDP port of the remote computer. | keyword | -| symantec_endpoint.log.requested_action | Requested action by policy. | keyword | -| symantec_endpoint.log.risk_level | The risk level (high, med, low) for the convicted threat. | keyword | -| symantec_endpoint.log.risk_name | | keyword | -| symantec_endpoint.log.risk_type | Localized strings for Heuristic / Cookie / Admin Black List / BPE / System Change / N/A. | keyword | -| symantec_endpoint.log.rule | The name of the rule that was triggered by the event. 
If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but rule name can help you recognize it more quickly. | keyword | -| symantec_endpoint.log.scan_complete | Scan message when scan ended. | keyword | -| symantec_endpoint.log.scan_id | The scan ID provided by the agent. | keyword | -| symantec_endpoint.log.secondary_action | Secondary action requested by policy | keyword | -| symantec_endpoint.log.sensitivity | Engine sensitivity that produced this detection | long | -| symantec_endpoint.log.server | Name of the server. | keyword | -| symantec_endpoint.log.server_name | Name of the server. | keyword | -| symantec_endpoint.log.sha-256 | The SHA-256 hash value. | keyword | -| symantec_endpoint.log.signing_timestamp | The certificate's signature timestamp. | date | -| symantec_endpoint.log.site | SEPM site name. | keyword | -| symantec_endpoint.log.source | Scan source (e.g. scheduled). | keyword | -| symantec_endpoint.log.source_computer | Computer name where this event occurred. | keyword | -| symantec_endpoint.log.source_ip | IP address of the machine on which the event occurred. | keyword | -| symantec_endpoint.log.submission_recommended | Recommendation on whether to submit this detection to Symantec. | boolean | -| symantec_endpoint.log.threats | The number of threats that the scan found. | long | -| symantec_endpoint.log.total_files | The number of files scanned. | long | -| symantec_endpoint.log.traffic_direction | Unknown / Inbound / Outbound | keyword | -| symantec_endpoint.log.url_tracking_status | Network intrusion prevention status | keyword | -| symantec_endpoint.log.user1 | User when scan started. | keyword | -| symantec_endpoint.log.user2 | User when scan ended. | keyword | -| symantec_endpoint.log.user_name | | keyword | -| symantec_endpoint.log.web_domain | The web domain. 
| keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | - - -An example event for `log` looks as following: - -```json -{ - "process": { - "executable": "C:/WINDOWS/system32/NTOSKRNL.EXE", - "hash": { - "sha256": "5379732000000000000000000000000000000000000000000000000000000000", - "md5": "53797320000000000000000000000000" - } - }, - "log": { - "syslog": { - "process": { - "name": "myproc", - "pid": 8710 - }, - "hostname": "192.0.2.1", - "priority": 165, - "version": 1 - } - }, - "destination": { - "geo": { - "name": "Default" - }, - "address": "192.168.1.113", - "port": 80, - "mac": "CC-F9-E4-A9-12-26", - "ip": "192.168.1.113" - }, - "rule": { - "name": "Block Unapproved Incoming Ports" - }, - "source": { - "address": "192.168.1.1", - "port": 33424, - "mac": "2C-3A-FD-A7-9E-71", - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "preserve_original_event" - ], - "network": { - "community_id": "1:TbyoH4bYJO0/cP/YShIpq9J+Z3s=", - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "@timestamp": "2021-11-16T12:14:15.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "hash": [ - "53797320000000000000000000000000", - "5379732000000000000000000000000000000000000000000000000000000000" - ], - "ip": [ - "192.168.1.113", - "192.168.1.1" - ] - }, - "host": { - "name": "host-rfc5424", - "hostname": "host-rfc5424", - "mac": [ - "CC-F9-E4-A9-12-26" - ], - "ip": [ - "192.168.1.113" - ] - }, - "symantec_endpoint": { - "log": { - "occurrences": "4", - "sha-256": "5379732000000000000000000000000000000000000000000000000000000000", - "local_port": "80", - "user_name": "sampleuser4", - "remote_port": "33424", - "rule": "Block Unapproved Incoming Ports", - "md-5": "53797320000000000000000000000000", - "network_protocol": "TCP", - "traffic_direction": "Inbound", - "remote_host_ip": "192.168.1.1", - "remote_host_mac": "2C3AFDA79E71", - "domain_name": "SMPL", - "application": "C:/WINDOWS/system32/NTOSKRNL.EXE", - "local_host_ip": "192.168.1.113", - "action": "blocked", - "end": "2020-11-11 
19:25:28", - "location": "Default", - "local_host_mac": "CCF9E4A91226", - "begin": "2020-11-11 19:25:21" - } - }, - "event": { - "original": "\u003c165\u003e1 2021-11-16T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - host-rfc5424,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000", - "provider": "Agent Traffic Log", - "kind": "event", - "start": "2020-11-11T19:25:21.000Z", - "count": 4, - "action": "blocked", - "end": "2020-11-11T19:25:28.000Z", - "category": [ - "intrusion_detection", - "network", - "process" - ], - "type": [ - "connection", - "denied" - ] - }, - "user": { - "name": "sampleuser4", - "domain": "SMPL" - } -} -``` diff --git a/packages/symantec_endpoint/1.0.1/img/logo.svg b/packages/symantec_endpoint/1.0.1/img/logo.svg deleted file mode 100755 index 1b87d1e578..0000000000 --- a/packages/symantec_endpoint/1.0.1/img/logo.svg +++ /dev/null @@ -1,35 +0,0 @@ - - - -image/svg+xml diff --git a/packages/symantec_endpoint/1.0.1/img/symantec-endpoint-logs-overview.png b/packages/symantec_endpoint/1.0.1/img/symantec-endpoint-logs-overview.png deleted file mode 100755 index e2c8f8f867..0000000000 Binary files a/packages/symantec_endpoint/1.0.1/img/symantec-endpoint-logs-overview.png and /dev/null differ diff --git a/packages/symantec_endpoint/1.0.1/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json b/packages/symantec_endpoint/1.0.1/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json deleted file mode 100755 index 89e8d78857..0000000000 
--- a/packages/symantec_endpoint/1.0.1/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"symantec_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"symantec_endpoint.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c971e3e3-37d5-4171-93af-956925edabb1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c971e3e3-37d5-4171-93af-956925edabb1\":{\"columnOrder\":[\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\",\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\",\"5a933de5-3586-4844-88e8-4860130de30b\"],\"columns\":{\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5a933de5-3586-4844-88e8-4860130de30b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Log Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a933de5-3586-4844-88e8-4860130de30b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"5a933de5-3586-4844-88e8-4860130de30b\"],\"layerId\":\"c971e3e3-37d5-4171-93af-956925edabb1\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\",\"xAccessor\":\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"47f211da-7063-45c2-9be8-488f5e90cbf8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"47f211da-7063-45c2-9be8-488f5e90cbf8\",\"title\":\"Log Types over 
Time\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-eac3c835-8b5e-4f3c-a023-81f830cd6a4a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"eac3c835-8b5e-4f3c-a023-81f830cd6a4a\":{\"columnOrder\":[\"21fba635-b5ea-4d84-af67-d710ec8ad164\",\"5564c2e5-debb-45e0-a159-0e7f229b2b94\",\"d2354973-ded4-4075-8afd-ae1835d1ea18\"],\"columns\":{\"21fba635-b5ea-4d84-af67-d710ec8ad164\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":6},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"5564c2e5-debb-45e0-a159-0e7f229b2b94\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":6},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"d2354973-ded4-4075-8afd-ae1835d1ea18\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"eac3c835-8b5e-4f3c-a023-81f830cd6a4a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"position\":\"right\",\"type\":\"lens_heatmap_legendConfig\"},\"shape\":\"heatmap\",\"valueAccessor\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"xAccessor\":\"21fba635-b5ea-4d84-af67-d710ec8ad164\",\"yAccessor\":\"5564c2e5-debb-45e0-a159-0e7f229b2b94\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"107c480c-8ee8-48ea-9e3a-7addcc0bad09\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"107c480c-8ee8-48ea-9e3a-7addcc0bad09\",\"title\":\"Event Category/Type Matrix\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\":{\"columnOrder\":[\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\"],\"columns\":{\"4bbe5fec-050a-426e-aa8e-1d839d13b009\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
process.executable\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"process.executable\"},\"b9a29e43-f628-447c-8225-1db604dff2e7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"},\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"isTransposed\":false},{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"isTransposed\":false},{\"columnId\":\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"isTransposed\":false}],\"layerId\":\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8fd69bce-37ba-4338-bbe0-9bb0bae7ceee\",\"w\":20,\"x\":0,\"y\":15},\"panelIndex\":\"8fd69bce-37ba-4338-bbe0-9bb0bae7ceee\",\"title\":\"Process 
Executables\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\":{\"columnOrder\":[\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\"],\"columns\":{\"4bbe5fec-050a-426e-aa8e-1d839d13b009\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of file.path\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"file.path\"},\"b9a29e43-f628-447c-8225-1db604dff2e7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"},\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"isTransposed\":false,\"width\":654},{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"isTransposed\":false},{\"columnId\":\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"isTransposed\":false}],\"layerId\":\"
bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c1d7b91d-0c0f-4c72-939d-18220e449e1a\",\"w\":20,\"x\":20,\"y\":15},\"panelIndex\":\"c1d7b91d-0c0f-4c72-939d-18220e449e1a\",\"title\":\"File Paths\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-028dd220-5ea4-4938-a753-3a833f191e13\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"028dd220-5ea4-4938-a753-3a833f191e13\":{\"columnOrder\":[\"c10eaf4e-5353-41d6-937d-c45050d15294\",\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\"],\"columns\":{\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c10eaf4e-5353-41d6-937d-c45050d15294\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
host.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":100},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"c10eaf4e-5353-41d6-937d-c45050d15294\",\"isTransposed\":false},{\"columnId\":\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\",\"isTransposed\":false}],\"layerId\":\"028dd220-5ea4-4938-a753-3a833f191e13\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"cfc78bcd-47bc-4a32-8d25-6e4967461d03\",\"w\":8,\"x\":40,\"y\":15},\"panelIndex\":\"cfc78bcd-47bc-4a32-8d25-6e4967461d03\",\"title\":\"Hosts\",\"type\":\"lens\",\"version\":\"7.16.0\"}]", - "timeRestore": false, - "title": "[Symantec Endpoint Log] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "47f211da-7063-45c2-9be8-488f5e90cbf8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "47f211da-7063-45c2-9be8-488f5e90cbf8:indexpattern-datasource-layer-c971e3e3-37d5-4171-93af-956925edabb1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "107c480c-8ee8-48ea-9e3a-7addcc0bad09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "107c480c-8ee8-48ea-9e3a-7addcc0bad09:indexpattern-datasource-layer-eac3c835-8b5e-4f3c-a023-81f830cd6a4a", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "8fd69bce-37ba-4338-bbe0-9bb0bae7ceee:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd69bce-37ba-4338-bbe0-9bb0bae7ceee:indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1d7b91d-0c0f-4c72-939d-18220e449e1a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1d7b91d-0c0f-4c72-939d-18220e449e1a:indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cfc78bcd-47bc-4a32-8d25-6e4967461d03:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cfc78bcd-47bc-4a32-8d25-6e4967461d03:indexpattern-datasource-layer-028dd220-5ea4-4938-a753-3a833f191e13", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/symantec_endpoint/1.0.1/manifest.yml b/packages/symantec_endpoint/1.0.1/manifest.yml deleted file mode 100755 index 68660eeca8..0000000000 --- a/packages/symantec_endpoint/1.0.1/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: symantec_endpoint
-title: Symantec Endpoint Protection
-version: 1.0.1
-release: beta
-description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/logo.svg
- title: Symantec
- size: 216x216
- type: image/svg+xml
-screenshots:
- - src: /img/symantec-endpoint-logs-overview.png
- title: Symantec Endpoint Logs Overview Dashboard
- size: 2970x2234
- type: image/png
-policy_templates:
- - name: symantec
- title: Symantec Endpoint Protection logs
- description: Collect Symantec Endpoint Protection logs from file or over syslog.
- inputs:
- - type: logfile
- title: Collect logs from file
- description: Collect Symantec Endpoint Protection logs from file.
- - type: tcp
- title: Collect logs over TCP
- description: Collect Symantec Endpoint Protection logs over TCP.
- - type: udp
- title: Collect logs over UDP
- description: Collect Symantec Endpoint Protection logs over UDP.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/ti_abusech/1.3.2/changelog.yml b/packages/ti_abusech/1.3.2/changelog.yml
deleted file mode 100755
index 5d3260c6d9..0000000000
--- a/packages/ti_abusech/1.3.2/changelog.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-# newer versions go on top
-- version: "1.3.2"
- changes:
- - description: Added link to AbuseCH documentation in readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3166
-- version: "1.3.1"
- changes:
- - description: Update package descriptions
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3398
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2781
-- version: "1.2.3"
- changes:
- - description: Add mapping for event.created
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3042
-- version: "1.2.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.1"
- changes:
- - description: Fix field mapping conflicts in `threat.indicator.file.x509.not_before/not_after`
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2893
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2445
-- version: "1.1.5"
- changes:
- - description: Removes extra tag from dashboards
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2544
-- version: "1.1.4"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.1.3"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.1.2"
- changes:
- - description: Fixing typo in base-fields.yml
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2331
-- version: "1.1.1"
- changes:
- - description: Update ECS fields for threat.feed.name
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2293
-- version: "1.1.0"
- changes:
- - description: Adding dashboards and adding minor tweaks to pipeline
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2072
-- version: "1.0.4"
- changes:
- - description: Bump minimum version in manifest
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2072
-- version: "1.0.3"
- changes:
- - description: Bump minimum version
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2063
-- version: "1.0.2"
- changes:
- - description: Update title and description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1997
-- version: "1.0.1"
- changes:
- - description: Fix invisible package icon
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1939
-- version: "1.0.0"
- changes:
- - description: Initial Release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1866
diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.3.2/data_stream/malware/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 457acc00d6..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malware/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-
-{{#if url}}
-request.url: {{url}}
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-request.transforms:
-- set:
- target: header.Content-Type
- value: application/json
-
-response.split:
- target: body.payloads
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.3.2/data_stream/malware/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index f0843a6497..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malware/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,156 +0,0 @@
----
-description: Pipeline for parsing Abuse.ch URL Threat Intel
-processors:
- ####################
- # Event ECS fields #
- ####################
- - set:
- field: ecs.version
- value: "8.2.0"
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: event.category
- value: threat
- - set:
- field: event.type
- value: indicator
-
- ######################
- # General ECS fields #
- ######################
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: abusech.malware
- - fingerprint:
- fields:
- - abusech.malware.md5_hash
- - abusech.malware.sha256_hash
- target_field: "_id"
-
- #####################
- # Threat ECS Fields #
- #####################
- - date:
- field: abusech.malware.firstseen
- target_field: threat.indicator.first_seen
- formats:
- - "yyyy-MM-dd HH:mm:ss z"
- - "yyyy-MM-dd HH:mm:ss Z"
- - "yyyy-MM-dd HH:mm:ss"
- if: "ctx.abusech?.malware?.firstseen != null"
- - set:
- field: threat.indicator.type
- value: file
- - rename:
- field: abusech.malware.file_size
- target_field: threat.indicator.file.size
- ignore_missing: true
- - rename:
- field: abusech.malware.file_type
- target_field: threat.indicator.file.type
- ignore_missing: true
- # This includes a direct link to malicious files, we do not want them to appear in Kibana
- # in case they are accidently clicked.
- - remove:
- field: abusech.malware.urlhaus_download
- ignore_missing: true
- - convert:
- field: threat.indicator.file.size
- type: long
- ignore_missing: true
- - convert:
- field: abusech.malware.virustotal.percent
- type: float
- ignore_missing: true
- - rename:
- field: abusech.malware.md5_hash
- target_field: threat.indicator.file.hash.md5
- ignore_missing: true
- - rename:
- field: abusech.malware.sha256_hash
- target_field: threat.indicator.file.hash.sha256
- ignore_missing: true
- - rename:
- field: abusech.malware.imphash
- target_field: threat.indicator.file.pe.imphash
- ignore_missing: true
- - rename:
- field: abusech.malware.ssdeep
- target_field: threat.indicator.file.hash.ssdeep
- ignore_missing: true
- - rename:
- field: abusech.malware.tlsh
- target_field: threat.indicator.file.hash.tlsh
- ignore_missing: true
- - append:
- field: related.hash
- value: "{{{threat.indicator.file.hash.md5}}}"
- if: ctx?.threat?.indicator?.file?.hash?.md5 != null
- - append:
- field: related.hash
- value: "{{{threat.indicator.file.hash.sha256}}}"
- if: ctx?.threat?.indicator?.file?.hash?.sha256 != null
- - append:
- field: related.hash
- value: "{{{threat.indicator.file.hash.ssdeep}}}"
- if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null
- - append:
- field: related.hash
- value: "{{{threat.indicator.file.pe.imphash}}}"
- if: ctx?.threat?.indicator?.file?.pe?.imphash != null
- - append:
- field: related.hash
- value: "{{{threat.indicator.file.hash.tlsh}}}"
- if: ctx?.threat?.indicator?.file?.hash?.tlsh != null
-
- ######################
- # Cleanup processors #
- ######################
- - set:
- field: threat.indicator.type
- value: unknown
- if: ctx?.threat?.indicator?.type == null
- - script:
- lang: painless
- if: ctx?.abusech != null
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- handleMap(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - abusech.malware.firstseen
- - message
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/fields/agent.yml b/packages/ti_abusech/1.3.2/data_stream/malware/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malware/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/fields/base-fields.yml b/packages/ti_abusech/1.3.2/data_stream/malware/fields/base-fields.yml
deleted file mode 100755
index 6803389c14..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malware/fields/base-fields.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_abusech
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_abusech.malware
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: AbuseCH Malware
-- name: threat.feed.dashboard_id
- type: constant_keyword
- description: Dashboard ID used for Kibana CTI UI
- value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/fields/beats.yml b/packages/ti_abusech/1.3.2/data_stream/malware/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malware/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/fields/ecs.yml b/packages/ti_abusech/1.3.2/data_stream/malware/fields/ecs.yml
deleted file mode 100755
index b819e36147..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malware/fields/ecs.yml
+++ /dev/null
@@ -1,111 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Error message. - name: error.message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: threat.indicator.file.size - type: long -- description: File type (file, dir, or symlink). - name: threat.indicator.file.type - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: threat.indicator.file.pe.imphash - type: keyword -- description: SSDEEP hash. - name: threat.indicator.file.hash.ssdeep - type: keyword -- description: The file's import tlsh, if available. 
- name: threat.indicator.file.hash.tlsh - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/fields/fields.yml b/packages/ti_abusech/1.3.2/data_stream/malware/fields/fields.yml deleted file mode 100755 index 970fa42a04..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/malware/fields/fields.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: abusech.malware - type: group - description: All fields related to AbuseCH URL indicators. - fields: - - name: signature - type: keyword - description: > - Malware familiy. - - - name: virustotal.result - type: keyword - description: > - AV detection ration. - - - name: virustotal.percent - type: float - description: > - AV detection in percent. - - - name: virustotal.link - type: keyword - description: > - Link to the Virustotal report. - diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/manifest.yml b/packages/ti_abusech/1.3.2/data_stream/malware/manifest.yml deleted file mode 100755 index 9b986685b1..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/malware/manifest.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -type: logs -title: AbuseCH Malware logs -streams: - - input: httpjson - vars: - - name: url - type: text - title: AbuseCH Malware API endpoint - multi: false - required: true - show_user: false - default: https://urlhaus-api.abuse.ch/v1/payloads/recent/ - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: false - default: 30s - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 10m - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - abusech-malware - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: AbuseCH Malware logs - description: Collect AbuseCH Malware logs diff --git a/packages/ti_abusech/1.3.2/data_stream/malware/sample_event.json b/packages/ti_abusech/1.3.2/data_stream/malware/sample_event.json deleted file mode 100755 index 7f6f1afed4..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/malware/sample_event.json +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - "@timestamp": "2022-04-11T08:43:51.252Z", - "abusech": { - "malware": {} - }, - "agent": { - "ephemeral_id": "3c096aaa-3fd9-4560-87fe-375b99890402", - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_abusech.malware", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:43:51.252Z", - "dataset": "ti_abusech.malware", - "ingested": "2022-04-11T08:43:52Z", - "kind": "enrichment", - "original": "{\"file_size\":\"1563\",\"file_type\":\"unknown\",\"firstseen\":\"2021-10-05 04:17:02\",\"imphash\":null,\"md5_hash\":\"9cd5a4f0231a47823c4adba7c8ef370f\",\"sha256_hash\":\"7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2\",\"signature\":null,\"ssdeep\":\"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n\",\"tlsh\":\"T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2/\",\"virustotal\":null}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "related": { - "hash": [ - "9cd5a4f0231a47823c4adba7c8ef370f", - "7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2", - "48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n", - "T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "abusech-malware" - ], - "threat": { - "indicator": { - "file": { - "hash": { - "md5": "9cd5a4f0231a47823c4adba7c8ef370f", - "sha256": "7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2", - "ssdeep": 
"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n", - "tlsh": "T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1" - }, - "pe": {}, - "size": 1563, - "type": "unknown" - }, - "first_seen": "2021-10-05T04:17:02.000Z", - "type": "file" - } - } -} \ No newline at end of file diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 1684323a35..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,44 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "POST" - -{{#if url}} -request.url: {{url}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: -- set: - target: header.Content-Type - value: application/x-www-form-urlencoded -- set: - target: url.params.query - value: get_recent -- set: - target: url.params.selector - value: time - -response.split: - target: body.data - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3b5f298c44..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,242 +0,0 @@ ---- -description: Pipeline for parsing Abuse.ch URL Threat Intel -processors: - #################### - # Event ECS fields # - #################### - - set: - field: ecs.version - value: "8.2.0" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - ###################### - # General ECS fields # - ###################### - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: abusech.malwarebazaar - - fingerprint: - fields: - - abusech.malwarebazaar.md5_hash - - abusech.malwarebazaar.sha256_hash - target_field: "_id" - - ##################### - # Threat ECS Fields # - ##################### - - date: - field: abusech.malwarebazaar.first_seen - target_field: threat.indicator.first_seen - formats: - - "yyyy-MM-dd HH:mm:ss z" - - "yyyy-MM-dd HH:mm:ss Z" - - "yyyy-MM-dd HH:mm:ss" - if: "ctx.abusech?.malwarebazaar?.first_seen != null" - - date: - field: abusech.malwarebazaar.last_seen - target_field: threat.indicator.last_seen - formats: - - "yyyy-MM-dd HH:mm:ss z" - - "yyyy-MM-dd HH:mm:ss Z" - - "yyyy-MM-dd HH:mm:ss" - if: "ctx.abusech?.malwarebazaar?.last_seen != null" - - set: - field: threat.indicator.type - value: file - - rename: - field: abusech.malwarebazaar.file_name - target_field: threat.indicator.file.name - ignore_missing: true - - rename: - field: abusech.malwarebazaar.file_type_mime - target_field: threat.indicator.file.mime_type - ignore_missing: true - - rename: - field: abusech.malwarebazaar.reporter - target_field: threat.indicator.provider - ignore_missing: true - - rename: - field: abusech.malwarebazaar.origin_country - target_field: threat.indicator.geo.country_iso_code - ignore_missing: true - - rename: - field: abusech.malwarebazaar.signature - target_field: threat.software.alias - ignore_missing: true - - foreach: - field: abusech.malwarebazaar.code_sign - 
ignore_missing: true - processor: - rename: - field: _ingest._value.subject_cn - target_field: threat.indicator.file.x509.subject.common_name - - foreach: - field: abusech.malwarebazaar.code_sign - ignore_missing: true - processor: - rename: - field: _ingest._value.issuer_cn - target_field: threat.indicator.file.x509.issuer.common_name - - foreach: - field: abusech.malwarebazaar.code_sign - ignore_missing: true - processor: - rename: - field: _ingest._value.algorithm - target_field: threat.indicator.file.x509.public_key_algorithm - - foreach: - field: abusech.malwarebazaar.code_sign - ignore_missing: true - processor: - rename: - field: _ingest._value.valid_from - target_field: threat.indicator.file.x509.not_before - - foreach: - field: abusech.malwarebazaar.code_sign - ignore_missing: true - processor: - rename: - field: _ingest._value.valid_to - target_field: threat.indicator.file.x509.not_after - - foreach: - field: abusech.malwarebazaar.code_sign - ignore_missing: true - processor: - rename: - field: _ingest._value.serial_number - target_field: threat.indicator.file.x509.serial_number - - rename: - field: abusech.malwarebazaar.file_size - target_field: threat.indicator.file.size - ignore_missing: true - - rename: - field: abusech.malwarebazaar.file_type - target_field: threat.indicator.file.extension - ignore_missing: true - - rename: - field: abusech.malwarebazaar.md5_hash - target_field: threat.indicator.file.hash.md5 - ignore_missing: true - - rename: - field: abusech.malwarebazaar.sha256_hash - target_field: threat.indicator.file.hash.sha256 - ignore_missing: true - - rename: - field: abusech.malwarebazaar.sha1_hash - target_field: threat.indicator.file.hash.sha1 - ignore_missing: true - - rename: - field: abusech.malwarebazaar.sha3_384_hash - target_field: threat.indicator.file.hash.sha384 - ignore_missing: true - - rename: - field: abusech.malwarebazaar.imphash - target_field: threat.indicator.file.pe.imphash - ignore_missing: true - - rename: - field: 
abusech.malwarebazaar.ssdeep - target_field: threat.indicator.file.hash.ssdeep - ignore_missing: true - - rename: - field: abusech.malwarebazaar.tlsh - target_field: threat.indicator.file.hash.tlsh - ignore_missing: true - - rename: - field: abusech.malwarebazaar.telfhash - target_field: threat.indicator.file.elf.telfhash - ignore_missing: true - - append: - field: related.hash - value: "{{ threat.indicator.file.hash.md5 }}" - if: ctx?.threat?.indicator?.file?.hash?.md5 != null - - append: - field: related.hash - value: "{{ threat.indicator.file.hash.sha256 }}" - if: ctx?.threat?.indicator?.file?.hash?.sha256 != null - - append: - field: related.hash - value: "{{ threat.indicator.file.hash.ssdeep }}" - if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null - - append: - field: related.hash - value: "{{ threat.indicator.file.pe.imphash }}" - if: ctx?.threat?.indicator?.file?.pe?.imphash != null - - append: - field: related.hash - value: "{{ threat.indicator.file.elf.telfhash }}" - if: ctx?.threat?.indicator?.file?.elf?.telfhash != null - - append: - field: related.hash - value: "{{ threat.indicator.file.hash.tlsh }}" - if: ctx?.threat?.indicator?.file?.hash?.tlsh != null - - convert: - field: threat.indicator.file.size - type: long - ignore_missing: true - - convert: - field: abusech.malwarebazaar.intelligence.downloads - type: long - ignore_missing: true - - convert: - field: abusech.malwarebazaar.intelligence.uploads - type: long - ignore_missing: true - - ###################### - # Cleanup processors # - ###################### - - set: - field: threat.indicator.type - value: unknown - if: ctx?.threat?.indicator?.type == null - - script: - lang: painless - if: ctx?.abusech != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x 
instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - abusech.malwarebazaar.first_seen - - abusech.malwarebazaar.last_seen - - message - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/agent.yml b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/base-fields.yml b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/base-fields.yml
deleted file mode 100755
index d71e6e59d4..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/base-fields.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_abusech
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_abusech.malwarebazaar
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: AbuseCH MalwareBazaar
-- name: threat.feed.dashboard_id
- type: constant_keyword
- description: Dashboard ID used for Kibana CTI UI
- value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/beats.yml b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/ecs.yml b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/ecs.yml
deleted file mode 100755
index 685f7565cb..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/ecs.yml
+++ /dev/null
@@ -1,160 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Error message. - name: error.message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. 
- Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: threat.indicator.file.size - type: long -- description: File type (file, dir, or symlink). - name: threat.indicator.file.type - type: keyword -- description: Name of the file including the extension, without the directory. - name: threat.indicator.file.name - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.file.extension - type: keyword -- description: SHA1 hash. 
- name: threat.indicator.file.hash.sha1 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: threat.indicator.file.mime_type - type: keyword -- description: |- - The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. - While not required, you can use a MITRE ATT&CK® associated software description. - name: threat.software.alias - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: SSDEEP hash. - name: threat.indicator.file.hash.ssdeep - type: keyword -- description: The file's sha384 hash, if available. - name: threat.indicator.file.hash.sha384 - type: keyword -- description: The file's import tlsh, if available. - name: threat.indicator.file.hash.tlsh - type: keyword -- description: |- - A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: threat.indicator.file.pe.imphash - type: keyword -- description: telfhash symbol hash for ELF file. - name: threat.indicator.file.elf.telfhash - type: keyword -- description: List of common names (CN) of subject. - name: threat.indicator.file.x509.subject.common_name - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: threat.indicator.file.x509.issuer.common_name - type: keyword -- description: Algorithm used to generate the public key. 
- name: threat.indicator.file.x509.public_key_algorithm - type: keyword -- description: Time at which the certificate is first considered valid. - name: threat.indicator.file.x509.not_before - type: date -- description: Time at which the certificate is no longer considered valid. - name: threat.indicator.file.x509.not_after - type: date -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: threat.indicator.file.x509.serial_number - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword -- description: Country ISO code. - name: threat.indicator.geo.country_iso_code - type: keyword diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/fields.yml b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/fields.yml deleted file mode 100755 index 8fab848b82..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/fields/fields.yml +++ /dev/null @@ -1,45 +0,0 @@ -- name: abusech.malwarebazaar - type: group - description: All fields related to AbuseCH URL indicators. - fields: - - name: tags - type: keyword - description: > - A list of tags associated with the queried malware sample. - - - name: intelligence - type: group - fields: - - name: downloads - type: long - description: > - Number of downloads from MalwareBazaar. - - - name: uploads - type: long - description: > - Number of uploads from MalwareBazaar. - - - name: mail - type: group - fields: - - name: Generic - type: keyword - description: > - Malware seen in generic spam traffic. - - - name: IT - type: keyword - description: > - Malware seen in IT spam traffic. - - - name: anonymous - type: long - description: > - Identifies if the sample was submitted anonymously. - - - name: code_sign - type: keyword - description: > - Code signing information for the sample. - 
diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/manifest.yml b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/manifest.yml
deleted file mode 100755
index 61b6d55edc..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/manifest.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-type: logs
-title: AbuseCH MalwareBazaar logs
-streams:
- - input: httpjson
- vars:
- - name: url
- type: text
- title: AbuseCH MalwareBazaar API endpoint
- multi: false
- required: true
- show_user: false
- default: https://mb-api.abuse.ch/api/v1/
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: false
- default: 30s
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 10m
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - abusech-malwarebazaar
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: httpjson.yml.hbs
- title: AbuseCH MalwareBazaar logs
- description: Collect AbuseCH MalwareBazaar logs
diff --git a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/sample_event.json b/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/sample_event.json
deleted file mode 100755
index b4249697f8..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/malwarebazaar/sample_event.json
+++ /dev/null
@@ -1,95 +0,0 @@
-{
- "@timestamp": "2022-04-11T08:44:21.828Z",
- "abusech": {
- "malwarebazaar": {
- "anonymous": 0,
- "code_sign": [],
- "intelligence": {
- "downloads": 11,
- "uploads": 1
- },
- "tags": [
- "exe",
- "RedLineStealer"
- ]
- }
- },
- "agent": {
- "ephemeral_id": "15657330-8e8b-49be-b82d-529320d9c53c",
- "id": "0cd371ed-8f03-437b-909d-8daccf9843fc",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "ti_abusech.malwarebazaar",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0cd371ed-8f03-437b-909d-8daccf9843fc",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "created": "2022-04-11T08:44:21.828Z",
- "dataset": "ti_abusech.malwarebazaar",
- "ingested": "2022-04-11T08:44:22Z",
- "kind": "enrichment",
- "original": "{\"anonymous\":0,\"code_sign\":[],\"dhash_icon\":null,\"file_name\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe\",\"file_size\":432640,\"file_type\":\"exe\",\"file_type_mime\":\"application/x-dosexec\",\"first_seen\":\"2021-10-05 14:02:45\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"intelligence\":{\"clamav\":null,\"downloads\":\"11\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"1fc1c2997c8f55ac10496b88e23f5320\",\"origin_country\":\"FR\",\"reporter\":\"abuse_ch\",\"sha1_hash\":\"42c7153680d7402e56fe022d1024aab49a9901a0\",\"sha256_hash\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28\",\"sha3_384_hash\":\"d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955\",\"signature\":\"RedLineStealer\",\"ssdeep\":\"12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL\",\"tags\":[\"exe\",\"RedLineStealer\"],\"telfhash\":null,\"tlsh\":\"T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479\"}",
- "type": "indicator"
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hash": [
- "1fc1c2997c8f55ac10496b88e23f5320",
- "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28",
- "12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL",
- "f34d5f2d4577ed6d9ceec516c1f5a744",
- "T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "abusech-malwarebazaar"
- ],
- "threat": {
- "indicator": {
- "file": {
- "elf": {},
- "extension": "exe",
- "hash": {
- "md5": "1fc1c2997c8f55ac10496b88e23f5320",
- "sha1": "42c7153680d7402e56fe022d1024aab49a9901a0",
- "sha256": "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28",
- "sha384": "d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955",
- "ssdeep": "12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL",
- "tlsh": "T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479"
- },
- "mime_type": "application/x-dosexec",
- "name": "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe",
- "pe": {
- "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744"
- },
- "size": 432640
- },
- "first_seen": "2021-10-05T14:02:45.000Z",
- "geo": {
- "country_iso_code": "FR"
- },
- "provider": "abuse_ch",
- "type": "file"
- },
- "software": {
- "alias": "RedLineStealer"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/ti_abusech/1.3.2/data_stream/url/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.3.2/data_stream/url/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 92be22f0b6..0000000000
--- a/packages/ti_abusech/1.3.2/data_stream/url/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,38 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -{{#if url}} -request.url: {{url}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: -- set: - target: header.Content-Type - value: application/json - -response.split: - target: body.urls - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/ti_abusech/1.3.2/data_stream/url/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.3.2/data_stream/url/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1765d7608a..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/url/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,123 +0,0 @@ ---- -description: Pipeline for parsing Abuse.ch URL Threat Intel -processors: - #################### - # Event ECS fields # - #################### - - set: - field: ecs.version - value: "8.0.0" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - ###################### - # General ECS fields # - ###################### - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: abusech.url - - fingerprint: - fields: - - abusech.url.id - target_field: "_id" - - ##################### - # Threat ECS Fields # - ##################### - - set: - field: threat.indicator.type - value: url - - date: - field: abusech.url.date_added - target_field: threat.indicator.first_seen - formats: - - "yyyy-MM-dd HH:mm:ss z" - - "yyyy-MM-dd HH:mm:ss Z" - if: "ctx.abusech?.url?.date_added != null" - - uri_parts: - field: abusech.url.url - target_field: threat.indicator.url - keep_original: true - remove_if_successful: true - - set: - field: threat.indicator.url.full - value: "{{{threat.indicator.url.original}}}" - ignore_empty_value: true - - rename: - field: abusech.url.urlhaus_reference - target_field: threat.indicator.reference - ignore_missing: true - - # Host can be both IP addresses and domain names - - grok: - field: abusech.url.host - patterns: - - "(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})" - ignore_failure: true - - rename: - field: abusech.url.reporter - target_field: threat.indicator.provider - ignore_missing: true - - ###################### - # Cleanup processors # - ###################### - - set: - field: threat.indicator.type - value: unknown - if: ctx?.threat?.indicator?.type == null - - convert: - field: abusech.url.larted - type: boolean - ignore_missing: true - - script: - lang: painless - if: ctx?.abusech != null - source: | - void handleMap(Map map) { 
- for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - abusech.url.date_added - - abusech.url.url - - abusech.url.host - - message - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_abusech/1.3.2/data_stream/url/fields/agent.yml b/packages/ti_abusech/1.3.2/data_stream/url/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/url/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/ti_abusech/1.3.2/data_stream/url/fields/base-fields.yml b/packages/ti_abusech/1.3.2/data_stream/url/fields/base-fields.yml deleted file mode 100755 index 516451aa4c..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/url/fields/base-fields.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: ti_abusech -- name: event.dataset - type: constant_keyword - description: Event dataset - value: ti_abusech.url -- name: threat.feed.name - type: constant_keyword - description: Display friendly feed name - value: AbuseCH URL -- name: threat.feed.dashboard_id - type: constant_keyword - description: Dashboard ID used for Kibana CTI UI - value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/ti_abusech/1.3.2/data_stream/url/fields/beats.yml b/packages/ti_abusech/1.3.2/data_stream/url/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/url/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_abusech/1.3.2/data_stream/url/fields/ecs.yml b/packages/ti_abusech/1.3.2/data_stream/url/fields/ecs.yml deleted file mode 100755 index 40047f4b1f..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/url/fields/ecs.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Error message. - name: error.message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
- name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Reference URL linking to additional information about this indicator. - name: threat.indicator.reference - type: keyword -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". 
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: threat.indicator.url.query - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword diff --git a/packages/ti_abusech/1.3.2/data_stream/url/fields/fields.yml b/packages/ti_abusech/1.3.2/data_stream/url/fields/fields.yml deleted file mode 100755 index 63f361d48e..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/url/fields/fields.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -- name: abusech.url - type: group - description: All fields related to AbuseCH URL indicators. - fields: - - name: id - type: keyword - description: > - The ID of the indicator. - - - name: urlhaus_reference - type: keyword - description: > - Link to URLhaus entry. - - - name: url_status - type: keyword - description: > - The current status of the URL. Possible values are: online, offline and unknown. - - - name: threat - type: keyword - description: > - The threat corresponding to this malware URL. - - - name: reporter - type: keyword - description: > - The Twitter handle of the reporter that has reported this malware URL (or anonymous). - - - name: larted - type: boolean - description: > - Indicates whether the malware URL has been reported to the hosting provider (true or false) - - - name: tags - type: keyword - description: > - A list of tags associated with the queried malware URL - - - name: blacklists.spamhaus_dbl - type: keyword - description: > - If the indicator is listed on the spamhaus blacklist. - - - name: blacklists.surbl - type: keyword - description: > - If the indicator is listed on the surbl blacklist. - diff --git a/packages/ti_abusech/1.3.2/data_stream/url/manifest.yml b/packages/ti_abusech/1.3.2/data_stream/url/manifest.yml deleted file mode 100755 index d138d7f3ac..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/url/manifest.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -type: logs -title: AbuseCH URL logs -streams: - - input: httpjson - vars: - - name: url - type: text - title: AbuseCH URL API endpoint - multi: false - required: true - show_user: false - default: https://urlhaus-api.abuse.ch/v1/urls/recent/ - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: false - default: 30s - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 10m - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - abusech-url - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: AbuseCH URL logs - description: Collect AbuseCH URL logs diff --git a/packages/ti_abusech/1.3.2/data_stream/url/sample_event.json b/packages/ti_abusech/1.3.2/data_stream/url/sample_event.json deleted file mode 100755 index 2ed40825e3..0000000000 --- a/packages/ti_abusech/1.3.2/data_stream/url/sample_event.json +++ /dev/null 
@@ -1,71 +0,0 @@ -{ - "@timestamp": "2022-04-11T08:44:51.227Z", - "abusech": { - "url": { - "blacklists": { - "spamhaus_dbl": "not listed", - "surbl": "not listed" - }, - "id": "1656008", - "larted": true, - "threat": "malware_download", - "url_status": "online" - } - }, - "agent": { - "ephemeral_id": "7dd3429b-dcc4-46c1-8b32-b3d1452126fd", - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_abusech.url", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:44:51.227Z", - "dataset": "ti_abusech.url", - "ingested": "2022-04-11T08:44:52Z", - "kind": "enrichment", - "original": "{\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"date_added\":\"2021-10-05 13:57:05 UTC\",\"host\":\"120.85.169.98\",\"id\":\"1656008\",\"larted\":\"true\",\"reporter\":\"tammeto\",\"tags\":null,\"threat\":\"malware_download\",\"url\":\"http://120.85.169.98:55871/mozi.m\",\"url_status\":\"online\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/1656008/\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "abusech-url" - ], - "threat": { - "indicator": { - "first_seen": "2021-10-05T13:57:05.000Z", - "ip": "120.85.169.98", - "provider": "tammeto", - "reference": "https://urlhaus.abuse.ch/url/1656008/", - "type": "url", - "url": { - "domain": "120.85.169.98", - "extension": "m", - "full": "http://120.85.169.98:55871/mozi.m", - "original": "http://120.85.169.98:55871/mozi.m", - "path": "/mozi.m", - "port": 55871, - "scheme": "http" - } - } - } -} \ No newline at end of file 
diff --git a/packages/ti_abusech/1.3.2/docs/README.md b/packages/ti_abusech/1.3.2/docs/README.md deleted file mode 100755 index 9f5d41ed7c..0000000000 --- a/packages/ti_abusech/1.3.2/docs/README.md +++ /dev/null 
@@ -1,262 +0,0 @@ -# AbuseCH integration - -This integration is for [AbuseCH](https://urlhaus-api.abuse.ch/) logs. It includes the following datasets for retrieving logs from the AbuseCH API: - -- `url` dataset: Supports URL based indicators from AbuseCH API. -- `malware` dataset: Supports Malware based indicators from AbuseCH API. -- `malwarebazaar` dataset: Supports indicators from the MalwareBazaar from AbuseCH. - -## Logs - -### URL - -The AbuseCH URL data_stream retrieves threat intelligence indicators from the URL API endpoint `https://urlhaus-api.abuse.ch/v1/urls/recent/`. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| abusech.url.blacklists.spamhaus_dbl | If the indicator is listed on the spamhaus blacklist. | keyword | -| abusech.url.blacklists.surbl | If the indicator is listed on the surbl blacklist. | keyword | -| abusech.url.id | The ID of the indicator. | keyword | -| abusech.url.larted | Indicates whether the malware URL has been reported to the hosting provider (true or false) | boolean | -| abusech.url.reporter | The Twitter handle of the reporter that has reported this malware URL (or anonymous). | keyword | -| abusech.url.tags | A list of tags associated with the queried malware URL | keyword | -| abusech.url.threat | The threat corresponding to this malware URL. | keyword | -| abusech.url.url_status | The current status of the URL. Possible values are: online, offline and unknown. | keyword | -| abusech.url.urlhaus_reference | Link to URLhaus entry. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. 
| keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | - - -The AbuseCH malware data_stream retrieves threat intelligence indicators from the payload API endpoint `https://urlhaus-api.abuse.ch/v1/payloads/recent/`. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| abusech.malware.signature | Malware familiy. | keyword | -| abusech.malware.virustotal.link | Link to the Virustotal report. | keyword | -| abusech.malware.virustotal.percent | AV detection in percent. | float | -| abusech.malware.virustotal.result | AV detection ration. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | -| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | - - -The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators from the MalwareBazaar API endpoint `https://mb-api.abuse.ch/api/v1/`. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| abusech.malwarebazaar.anonymous | Identifies if the sample was submitted anonymously. 
| long | -| abusech.malwarebazaar.code_sign | Code signing information for the sample. | keyword | -| abusech.malwarebazaar.intelligence.downloads | Number of downloads from MalwareBazaar. | long | -| abusech.malwarebazaar.intelligence.mail.Generic | Malware seen in generic spam traffic. | keyword | -| abusech.malwarebazaar.intelligence.mail.IT | Malware seen in IT spam traffic. | keyword | -| abusech.malwarebazaar.intelligence.uploads | Number of uploads from MalwareBazaar. | long | -| abusech.malwarebazaar.tags | A list of tags associated with the queried malware sample. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
-| threat.feed.name | Display friendly feed name | constant_keyword |
-| threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
-| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.hash.sha384 | The file's sha384 hash, if available. | keyword |
-| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword |
-| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword |
-| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
-| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
-| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
-| threat.indicator.file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| threat.indicator.file.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| threat.indicator.file.x509.not_before | Time at which the certificate is first considered valid. | date |
-| threat.indicator.file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| threat.indicator.file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| threat.indicator.file.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.geo.country_iso_code | Country ISO code. | keyword |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
-| threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword |
diff --git a/packages/ti_abusech/1.3.2/img/abusech2.svg b/packages/ti_abusech/1.3.2/img/abusech2.svg
deleted file mode 100755
index 6a0c76dd2c..0000000000
--- a/packages/ti_abusech/1.3.2/img/abusech2.svg +++ /dev/null @@ -1,76 +0,0 @@ - - - - diff --git a/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json b/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json deleted file mode 100755 index 59a4a7e24c..0000000000 --- a/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the AbuseCH integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[AbuseCH Overview](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6) \\n[AbuseCH Files](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6) \\n**[AbuseCH URLs (This Page)](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420)** \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different 
threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-72aa700a-49b6-4a2f-b380-24ebe7124ec1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"72aa700a-49b6-4a2f-b380-24ebe7124ec1\":{\"columnOrder\":[\"0389e125-4ae6-412a-a4af-2fa28f18c412\"],\"columns\":{\"0389e125-4ae6-412a-a4af-2fa28f18c412\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.blacklists.spamhaus_dbl: * and not abusech.url.blacklists.spamhaus_dbl:\\\"not listed\\\" \"},\"isBucketed\":false,\"label\":\"Indicators on Spamhaus 
DBL\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0389e125-4ae6-412a-a4af-2fa28f18c412\",\"layerId\":\"72aa700a-49b6-4a2f-b380-24ebe7124ec1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"8272f9f8-d835-4e4c-9e63-7cdbfb14d190\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"8272f9f8-d835-4e4c-9e63-7cdbfb14d190\",\"title\":\"Spamhaus Count [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4fe4b45f-8f52-4794-a386-8e3f6352aa25\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4fe4b45f-8f52-4794-a386-8e3f6352aa25\":{\"columnOrder\":[\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\"],\"columns\":{\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.blacklists.surbl: * and not abusech.url.blacklists.surbl:\\\"not listed\\\" \"},\"isBucketed\":false,\"label\":\"Indicators on 
SURBL\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\",\"layerId\":\"4fe4b45f-8f52-4794-a386-8e3f6352aa25\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6\",\"title\":\"Surbl Counter [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8f36a8c1-19df-4eba-8fa5-4f259d349375\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8f36a8c1-19df-4eba-8fa5-4f259d349375\":{\"columnOrder\":[\"efd6bc64-ffcd-42fe-8218-0795986addc4\"],\"columns\":{\"efd6bc64-ffcd-42fe-8218-0795986addc4\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.url_status: \\\"online\\\" \"},\"isBucketed\":false,\"label\":\"URL's Online\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"efd6bc64-ffcd-42fe-8218-0795986addc4\",\"layerId\":\"8f36a8c1-19df-4eba-8fa5-4f259d349375\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"a96389e6-d361-457e-afc1-0dbdb35ee7e0\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"a96389e6-d361-457e-afc1-0dbdb35ee7e0\",\"title\":\"URLs Online 
[Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471ad94f-c181-4ffb-a640-1666974adb33\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471ad94f-c181-4ffb-a640-1666974adb33\":{\"columnOrder\":[\"8cd8034f-16bf-4a7a-b816-950498dc1f90\"],\"columns\":{\"8cd8034f-16bf-4a7a-b816-950498dc1f90\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.url_status:\\\"offline\\\" \"},\"isBucketed\":false,\"label\":\"URL's Offline\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8cd8034f-16bf-4a7a-b816-950498dc1f90\",\"layerId\":\"471ad94f-c181-4ffb-a640-1666974adb33\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b2904153-3afd-41a7-8f5f-01b76b8346ec\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"b2904153-3afd-41a7-8f5f-01b76b8346ec\",\"title\":\"URLs Offline [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs AbuseCH] URLs", - "version": 1 
- }, - "coreMigrationVersion": "8.0.0", - "id": "ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8272f9f8-d835-4e4c-9e63-7cdbfb14d190:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8272f9f8-d835-4e4c-9e63-7cdbfb14d190:indexpattern-datasource-layer-72aa700a-49b6-4a2f-b380-24ebe7124ec1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6:indexpattern-datasource-layer-4fe4b45f-8f52-4794-a386-8e3f6352aa25", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "a96389e6-d361-457e-afc1-0dbdb35ee7e0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a96389e6-d361-457e-afc1-0dbdb35ee7e0:indexpattern-datasource-layer-8f36a8c1-19df-4eba-8fa5-4f259d349375", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b2904153-3afd-41a7-8f5f-01b76b8346ec:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b2904153-3afd-41a7-8f5f-01b76b8346ec:indexpattern-datasource-layer-471ad94f-c181-4ffb-a640-1666974adb33", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", - "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json deleted file mode 100755 index c27db69f53..0000000000 --- a/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the AbuseCH integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[AbuseCH Overview](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6) \\n**[AbuseCH Files (This 
Page)](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6)** \\n[AbuseCH URLs](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420) \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":46,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File 
types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"b8c9d8e0-3bb8-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"118b51de-bd55-4ed6-b916-c939ad73b2c3\":{\"columnOrder\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\",\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\"],\"columns\":{\"1ada77b6-5741-44ff-a00d-4653fca22f84\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top Countries\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Countries\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\"],\"layerId\":\"118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Top Countries [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"title\":\"Top Countries [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Based on count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Most seen indicator tags\",\"field\":\"abusech.malwarebazaar.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Most seen indicator tags [Logs 
AbuseCH]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":19,\"i\":\"d1788a2e-c400-4d7b-9251-a8e5a806b6ef\",\"w\":20,\"x\":7,\"y\":27},\"panelIndex\":\"d1788a2e-c400-4d7b-9251-a8e5a806b6ef\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs AbuseCH] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d1788a2e-c400-4d7b-9251-a8e5a806b6ef:kibanaSavedObjectMeta.searchSourceJSON.index", - 
"type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", - "type": "index-pattern" - }, - { - "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", - "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json deleted file mode 100755 index 103067d9d5..0000000000 --- a/packages/ti_abusech/1.3.2/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the AbuseCH integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[AbuseCH Overview (This Page)](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6)** \\n[AbuseCH Files](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6) \\n[AbuseCH URLs](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420) \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the AbuseCH 
integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from AbuseCH. \\n\\nIt shows how many parts has been enabled (URL, Malware and MalwareBazaar), the ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from AbuseCH.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs AbuseCH] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6", - 
"migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", - "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_abusech/1.3.2/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.3.2/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json deleted file mode 100755 index 7cf7c3514a..0000000000 --- a/packages/ti_abusech/1.3.2/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "", - "name": "AbuseCH" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_abusech/1.3.2/manifest.yml b/packages/ti_abusech/1.3.2/manifest.yml deleted file mode 100755 index 49eb53186d..0000000000 --- a/packages/ti_abusech/1.3.2/manifest.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -name: ti_abusech -title: AbuseCH -version: 1.3.2 -release: ga -description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -conditions: - kibana.version: ^8.0.0 -icons: - - src: /img/abusech2.svg - title: AbuseCH - size: 512x512 - type: image/svg+xml -policy_templates: - - name: ti_abusech - title: AbuseCH API - description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent. - inputs: - - type: httpjson - title: "Collect AbuseCH logs via API" - description: "Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent." -owner: - github: elastic/security-external-integrations diff --git a/packages/ti_anomali/1.3.3/changelog.yml b/packages/ti_anomali/1.3.3/changelog.yml deleted file mode 100755 index 4405fd27c6..0000000000 --- a/packages/ti_anomali/1.3.3/changelog.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -# newer versions go on top -- version: "1.3.3" - changes: - - description: added links to Anomoli documentation in readme - type: enhancement - link: https://github.com/elastic/integrations/pull/3167 -- version: "1.3.2" - changes: - - description: Fix threatstream - type: bugfix - link: https://github.com/elastic/integrations/pull/3437 -- version: "1.3.1" - changes: - - description: Update package descriptions - type: enhancement - link: https://github.com/elastic/integrations/pull/3398 -- version: "1.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2781 -- version: "1.2.3" - changes: - - description: Add mapping for event.created - type: enhancement - link: https://github.com/elastic/integrations/pull/3042 -- version: "1.2.2" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.2.1" - changes: - - description: Adding first interval to Anomali Limo policy UI - type: bugfix - link: https://github.com/elastic/integrations/pull/2677 -- version: "1.2.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2446 -- version: "1.1.3" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.1.2" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.1.1" - changes: - - description: Fixing typo in base-fields.yml - type: enhancement - link: https://github.com/elastic/integrations/pull/2330 -- version: "1.1.0" - changes: - - description: Adding dashboards and threat.feed ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2292 -- version: "1.0.2" - changes: - - description: 
Bump minimum version - type: enhancement - link: https://github.com/elastic/integrations/pull/2063 -- version: "1.0.1" - changes: - - description: Update title and description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 -- version: "1.0.0" - changes: - - description: Initial release - type: enhancement - link: https://github.com/elastic/integrations/pull/1911 diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/agent/stream/httpjson.yml.hbs b/packages/ti_anomali/1.3.3/data_stream/limo/agent/stream/httpjson.yml.hbs deleted file mode 100755 index eabe1ecfca..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/limo/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,60 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -auth.basic.user: guest -auth.basic.password: guest - -{{#if url}} -request.url: {{url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -request.redirect.forward_headers: true - -request.transforms: - - set: - target: header.Content-Type - value: application/vnd.oasis.taxii+json - - set: - target: header.Accept - value: application/vnd.oasis.taxii+json - - set: - target: header.Range - value: items 0-10000 - - set: - target: url.params.match[type] - value: indicator - - set: - target: url.params.added_after - value: '[[.cursor.timestamp]]' - default: '[[ formatDate (now (parseDuration "-{{first_interval}}")) "2006-01-02T15:04:05.000Z" ]]' - -response.split: - target: body.objects - -cursor: - timestamp: - value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]' - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} 
diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/elasticsearch/ingest_pipeline/default.yml b/packages/ti_anomali/1.3.3/data_stream/limo/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index fb63658f31..0000000000
--- a/packages/ti_anomali/1.3.3/data_stream/limo/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,177 +0,0 @@ ---- -description: Pipeline for parsing Anomali Limo indicators -processors: - #################### - # Event ECS fields # - #################### - - set: - field: ecs.version - value: "8.2.0" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - ###################### - # General ECS fields # - ###################### - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: anomali.limo - - fingerprint: - fields: - - anomali.limo.id - target_field: "_id" - ignore_missing: true - - ##################### - # Threat ECS Fields # - ##################### - ## File indicator operations - - date: - field: anomali.limo.created - formats: - - "yyyy-MM-dd'T'HH:mm:ssz" - - "yyyy-MM-dd'T'HH:mm:ssZ" - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx.anomali?.limo?.created != null" - - date: - field: anomali.limo.modified - target_field: anomali.limo.modified - formats: - - "yyyy-MM-dd'T'HH:mm:ssz" - - "yyyy-MM-dd'T'HH:mm:ssZ" - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx.anomali?.limo?.modified != null" - - date: - field: anomali.limo.valid_from - target_field: threat.indicator.first_seen - formats: - - "yyyy-MM-dd'T'HH:mm:ssz" - - "yyyy-MM-dd'T'HH:mm:ssZ" - - "yyyy-MM-dd'T'HH:mm:ss.Sz" - - "yyyy-MM-dd'T'HH:mm:ss.SZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSZ" - - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" - if: "ctx.anomali?.limo?.valid_from != null" - - grok: - field: anomali.limo.pattern - patterns: - - 
"^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" - if: ctx.anomali?.limo?.pattern != null - - rename: - field: _tmp.threattype - target_field: threat.indicator.type - ignore_missing: true - - rename: - field: _tmp.threatvalue - target_field: threat.indicator.ip - ignore_missing: true - if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - - uri_parts: - field: _tmp.threatvalue - target_field: threat.indicator.url - keep_original: true - remove_if_successful: true - if: ctx.threat?.indicator?.type == 'url' - - set: - field: threat.indicator.url.full - value: "{{{threat.indicator.url.original}}}" - ignore_empty_value: true - - rename: - field: _tmp.threatvalue - target_field: threat.indicator.email.address - ignore_missing: true - if: ctx.threat?.indicator?.type == 'email-addr' - - rename: - field: _tmp.threatvalue - target_field: threat.indicator.url.domain - ignore_missing: true - if: ctx.threat?.indicator?.type == 'domain-name' - - set: - field: threat.indicator.type - value: unknown - if: ctx.threat?.indicator?.type == null - - foreach: - field: anomali.limo.labels - ignore_missing: true - processor: - append: - field: tags - value: "{{_ingest._value}}" - allow_duplicates: false - - grok: - field: anomali.limo.description - patterns: - - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}" - ignore_missing: true - ignore_failure: true - ###################### - # Cleanup processors # - ###################### - - script: - lang: painless - if: ctx?.threatintel != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: event.original - if: 
"ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - anomali.limo.pattern - ignore_missing: true - if: ctx.threat?.indicator?.pattern != null && ctx.threat?.indicator?.pattern != 'unknown' - - remove: - field: - - anomali.limo.created - - anomali.limo.pattern - - message - - _tmp - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/fields/agent.yml b/packages/ti_anomali/1.3.3/data_stream/limo/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/limo/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/fields/base-fields.yml b/packages/ti_anomali/1.3.3/data_stream/limo/fields/base-fields.yml deleted file mode 100755 index 126260c5af..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/limo/fields/base-fields.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: ti_anomali -- name: event.dataset - type: constant_keyword - description: Event dataset - value: ti_anomali.limo -- name: threat.feed.name - type: constant_keyword - description: Display friendly feed name - value: Anomali Limo -- name: threat.feed.dashboard_id - type: constant_keyword - description: Dashboard ID used for Kibana CTI UI - value: ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/fields/beats.yml b/packages/ti_anomali/1.3.3/data_stream/limo/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/limo/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/fields/ecs.yml b/packages/ti_anomali/1.3.3/data_stream/limo/fields/ecs.yml deleted file mode 100755 index 339e97eba8..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/limo/fields/ecs.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". 
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: threat.indicator.url.query - type: keyword -- description: Identifies a threat indicator as an email address (irrespective of direction). - name: threat.indicator.email.address - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/fields/fields.yml b/packages/ti_anomali/1.3.3/data_stream/limo/fields/fields.yml deleted file mode 100755 index 1b2ca9057f..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/limo/fields/fields.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -- name: anomali.limo - type: group - description: > - Fields for Anomali Threat Intel - - fields: - - name: id - type: keyword - description: > - The ID of the indicator. - - - name: name - type: keyword - description: > - The name of the indicator. - - - name: pattern - type: keyword - description: > - The pattern ID of the indicator. - - - name: valid_from - type: date - description: > - When the indicator was first found or is considered valid. - - - name: modified - type: date - description: > - When the indicator was last modified - - - name: labels - type: keyword - description: > - The labels related to the indicator - - - name: indicator - type: keyword - description: > - The value of the indicator, for example if the type is domain, this would be the value. - - - name: description - type: keyword - description: > - A description of the indicator. - - - name: title - type: keyword - description: > - Title describing the indicator. - - - name: content - type: keyword - description: > - Extra text or descriptive content related to the indicator. - - - name: type - type: keyword - description: > - The indicator type, can for example be "domain, email, FileHash-SHA256". - - - name: object_marking_refs - type: keyword - description: >- - The STIX reference object. - - name: definition_type - type: keyword - description: >- - Indicator tlp/definition type - - name: definition.tlp - type: keyword - description: >- - Indicator tlp/definition value diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/manifest.yml b/packages/ti_anomali/1.3.3/data_stream/limo/manifest.yml deleted file mode 100755 index 278b84f0e7..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/limo/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -type: logs -title: Anomali Limo -streams: - - input: httpjson - vars: - - name: url - type: text - title: Anomali Limo API URL - multi: false - required: true - show_user: false - default: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: false - default: 30s - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 10m - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - default: 120h - description: How far back to look for indicators the first time the agent is started. - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - anomali-limo - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: Anomali Limo API - description: Collect indicators from the Anomali Limo API 
diff --git a/packages/ti_anomali/1.3.3/data_stream/limo/sample_event.json b/packages/ti_anomali/1.3.3/data_stream/limo/sample_event.json deleted file mode 100755 index 2043f8e5c8..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/limo/sample_event.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "@timestamp": "2017-01-20T00:00:00.000Z", - "agent": { - "ephemeral_id": "29217578-e780-4c3e-912d-0f35ce981fb4", - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "anomali": { - "limo": { - "definition": { - "tlp": "green" - }, - "definition_type": "tlp", - "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", - "type": "marking-definition" - } - }, - "data_stream": { - "dataset": "ti_anomali.limo", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:51:02.140Z", - "dataset": "ti_anomali.limo", - "ingested": "2022-04-11T08:51:03Z", - "kind": "enrichment", - "original": "{\"created\":\"2017-01-20T00:00:00.000Z\",\"definition\":{\"tlp\":\"green\"},\"definition_type\":\"tlp\",\"id\":\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\",\"type\":\"marking-definition\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "anomali-limo" - ], - "threat": { - "indicator": { - "type": "unknown" - } - } -} \ No newline at end of file diff --git a/packages/ti_anomali/1.3.3/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs b/packages/ti_anomali/1.3.3/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index a38e42a199..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs +++ /dev/null 
@@ -1,47 +0,0 @@ -type: http_endpoint -enabled: true - -{{#if listen_address}} -listen_address: {{listen_address}} -{{/if}} -{{#if listen_port}} -listen_port: {{listen_port}} -{{/if}} -{{#if url}} -url: {{url}} -{{/if}} -prefix: json -{{#if content_type}} -content_type: {{content_type}} -{{/if}} - -{{#if secret}} -hmac: - header: X-Filebeat-Signature - key: {{secret}} - type: sha256 - prefix: sha256= -{{/if}} - -{{#if ssl}} -ssl: {{ssl}} -{{/if}} - -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/ti_anomali/1.3.3/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml b/packages/ti_anomali/1.3.3/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3a65647332..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,428 +0,0 @@ ---- -description: Pipeline for parsing Anomali ThreatStream -processors: - # - # Set basic ECS fields. - # - - set: - field: ecs.version - value: "8.2.0" - - fingerprint: - fields: - - event.dataset - - json.id - target_field: "_id" - ignore_missing: true - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - # - # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). - # - - script: - lang: painless - if: "ctx.json.itype != null" - description: > - Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). - params: - actor_ip: ipv4-addr - adware_domain: domain-name - anon_proxy: ipv4-addr - anon_vpn: ipv4-addr - apt_domain: domain-name - apt_email: email-addr - apt_ip: ipv4-addr - apt_md5: file - apt_subject: email - apt_ua: url - apt_url: url - bot_ip: ipv4-addr - brute_ip: ipv4-addr - c2_domain: domain-name - c2_ip: ipv4-addr - c2_url: url - comm_proxy_domain: domain-name - comm_proxy_ip: ipv4-addr - compromised_domain: domain-name - compromised_ip: ipv4-addr - compromised_url: url - crypto_hash: file - crypto_ip: ipv4-addr - crypto_pool: domain - crypto_url: url - crypto_wallet: file - ddos_ip: ipv4-addr - disposable_email_domain: domain-name - dyn_dns: domain-name - exfil_domain: domain-name - exfil_ip: ipv4-addr - exfil_url: url - exploit_domain: domain-name - exploit_ip: ipv4-addr - exploit_url: url - free_email_domain: domain-name - geolocation_url: url - hack_tool: file - i2p_ip: ipv4-addr - ipcheck_url: url - mal_domain: domain-name - mal_email: email-addr - mal_ip: ipv4-addr - mal_md5: file - mal_sslcert_sh1: x509-certificate - mal_sslcert_sha1: x509-certificate - mal_ua: url - mal_url: url - p2pcnc: ipv4-addr - parked_domain: domain-name - parked_ip: ipv4-addr - parked_url: url - pastesite_url: url - phish_domain: domain-name - phish_email: email-addr - phish_ip: ipv4-addr - phish_url: url - 
proxy_ip: ipv4-addr - scan_ip: ipv4-addr - sinkhole_domain: domain-name - sinkhole_ip: ipv4-addr - spam_domain: domain-name - spam_email: email-addr - spam_ip: ipv4-addr - spam_url: url - speedtest_url: url - ssh_ip: ipv4-addr - suppress: suppress - suspicious_domain: domain-name - suspicious_email: email-addr - suspicious_ip: ipv4-addr - suspicious_reg_email: email-addr - suspicious_url: url - tor_ip: ipv4-addr - torrent_tracker_url: url - vpn_domain: domain-name - vps_ip: ipv4-addr - whois_bulk_reg_email: email-addr - whois_privacy_domain: domain-name - whois_privacy_email: email-addr - source: > - String mapping = params[ctx.json.itype]; - if (mapping != null) { - ctx["threatintel_indicator_type"] = mapping; - } - on_failure: - - append: - field: error.message - value: 'Unable to determine indicator type from "{{{ json.itype }}}": {{{ _ingest.on_failure_message }}}' - - - rename: - field: threatintel_indicator_type - target_field: threat.indicator.type - ignore_missing: true - - # - # Detect ipv6 for ipv4-addr types. - # - - set: - field: threat.indicator.type - value: ipv6-addr - if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json?.srcip != null && ctx.json.srcip.contains(":")' - - # - # Map first and last seen dates. - # - - date: - field: json.date_first - target_field: threat.indicator.first_seen - formats: - - ISO8601 - if: "ctx.json?.date_first != null" - on_failure: - - append: - field: error.message - value: 'Error parsing date_first field value "{{{ json.date_first }}}": {{{ _ingest.on_failure_message }}}' - - - date: - field: json.date_last - target_field: threat.indicator.last_seen - formats: - - ISO8601 - if: "ctx.json?.date_last != null" - on_failure: - - append: - field: error.message - value: 'Error parsing date_last field value "{{{ json.date_last }}}": {{{ _ingest.on_failure_message }}}' - - # - # Map IP geolocation fields. 
- # - - convert: - field: json.lat - target_field: threat.indicator.geo.location.lat - type: double - if: "ctx.json?.lat != null && ctx.json?.lon != null" - on_failure: - - append: - field: error.message - value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}' - - convert: - field: json.lon - target_field: threat.indicator.geo.location.lon - type: double - if: "ctx.json?.lat != null && ctx.json?.lon != null" - on_failure: - - append: - field: error.message - value: 'Cannot convert lon field "{{{ json.lon }}}" to double: {{{ _ingest.on_failure_message }}}' - - # - # Map classification field to Traffic Light Protocol (TLP). - # Currently: - # public => White ("Disclosure is not limited.") - # private => Amber ("Limited disclosure, restricted to participants’ organizations."). - # - - append: - field: threat.indicator.marking.tlp - value: Amber - if: 'ctx.json?.classification == "private"' - - append: - field: threat.indicator.marking.tlp - value: White - if: 'ctx.json?.classification == "public"' - - # - # Convert confidence field (-1..100) to ECS confidence (0..10). - # - - script: - lang: painless - if: ctx.json?.confidence != null - description: > - Normalize confidence level. 
- source: > - def value = ctx.json.confidence; - if (value <= 0.0 || value > 100.0) { - ctx["threatintel_indicator_confidence"] = "None"; - return; - } - if (value >= 1.0 && value <= 29.0) { - ctx["threatintel_indicator_confidence"] = "Low"; - return; - } - if (value >= 30.0 && value <= 69.0) { - ctx["threatintel_indicator_confidence"] = "Med"; - return; - } - if (value >= 70 && value <= 100) { - ctx["threatintel_indicator_confidence"] = "High"; - return; - } - on_failure: - - append: - field: error.message - value: "failed to normalize confidence value `{{{ json.confidence }}}`: {{{ _ingest.on_failure_message }}}" - - - rename: - field: threatintel_indicator_confidence - target_field: threat.indicator.confidence - ignore_missing: true - - # - # Convert asn field. - # - - convert: - field: json.asn - target_field: threat.indicator.as.number - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: "Cannot convert asn field `{{{ json.asn }}}` to long: {{{ _ingest.on_failure_message }}}" - - - rename: - field: json.org - target_field: threat.indicator.as.organization.name - ignore_missing: true - - - rename: - field: json.email - target_field: threat.indicator.email.address - ignore_missing: true - - - rename: - field: json.srcip - target_field: threat.indicator.ip - ignore_missing: true - - - uri_parts: - field: json.url - target_field: threat.indicator.url - keep_original: true - remove_if_successful: true - if: "ctx.json?.url != null" - on_failure: - - append: - field: error.message - value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}" - - set: - field: threat.indicator.url.full - value: "{{{threat.indicator.url.original}}}" - ignore_empty_value: true - - rename: - field: json.domain - target_field: threat.indicator.url.domain - ignore_missing: true - if: ctx.threat?.indicator?.url?.domain == null - - rename: - field: json.country - target_field: threat.indicator.geo.country_iso_code - 
ignore_missing: true - - # - # md5 field can actually contain different kinds of hash. - # Map to file.hash.* depending on hash length. - # - - rename: - field: json.md5 - target_field: threat.indicator.file.hash.md5 - if: "ctx.json?.md5 != null && ctx.json.md5.length() == 32" - - - rename: - field: json.md5 - target_field: threat.indicator.file.hash.sha1 - if: "ctx.json?.md5 != null && ctx.json.md5.length() == 40" - - - rename: - field: json.md5 - target_field: threat.indicator.file.hash.sha256 - if: "ctx.json?.md5 != null && ctx.json.md5.length() == 64" - - - rename: - field: json.md5 - target_field: threat.indicator.file.hash.sha512 - if: "ctx.json?.md5 != null && ctx.json.md5.length() == 128" - - - rename: - field: json.source - target_field: threat.indicator.provider - ignore_missing: true - - # - # Map field severity to event severity as follows: - # low => 3 - # medium => 5 - # high => 7 - # very-high => 9 - # - - set: - field: event.severity - value: 3 - if: 'ctx.json?.severity == "low"' - - - set: - field: event.severity - value: 5 - if: 'ctx.json?.severity == "medium"' - - - set: - field: event.severity - value: 7 - if: 'ctx.json?.severity == "high"' - - - set: - field: event.severity - value: 9 - if: 'ctx.json?.severity == "very-high"' - - # - # Field trusted_circles_ids is a comma-separated string - # that can contain leading and trailing separators (i.e. ",123,"). - # Need a script processor as split processor doesn't support - # removing non-trailing separators. - # - - script: - lang: painless - if: "ctx.json?.trusted_circle_ids != null && ctx.json?.trusted_circle_ids instanceof String" - description: > - Convert trusted_circles_ids from CSV to an array. 
- source: > - def lst = Stream.of(ctx.json.trusted_circle_ids.splitOnToken(',')).filter(s -> !s.isEmpty()).collect(Collectors.toList()); - if (lst.size() > 0) { - ctx.json.trusted_circle_ids = lst; - } else { - ctx.json.remove('trusted_circle_ids'); - } - # - # Split detail field and append each component to ECS tags field. - # - - split: - field: json.detail - separator: '(? - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/base-fields.yml b/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/base-fields.yml deleted file mode 100755 index 378e9e1a15..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/base-fields.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: ti_anomali -- name: event.dataset - type: constant_keyword - description: Event dataset - value: ti_anomali.threatstream -- name: threat.feed.name - type: constant_keyword - description: Display friendly feed name - value: Anomali ThreatStream -- name: threat.feed.dashboard_id - type: constant_keyword - description: Dashboard ID used for Kibana CTI UI - value: ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/beats.yml b/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 
--- a/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/ecs.yml b/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/ecs.yml deleted file mode 100755 index 58614d889b..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/ecs.yml +++ /dev/null 
@@ -1,188 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: threat.indicator.url.query - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: SHA512 hash. - name: threat.indicator.file.hash.sha512 - type: keyword -- description: Identifies a threat indicator as an email address (irrespective of direction). - name: threat.indicator.email.address - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword -- description: |- - Traffic Light Protocol sharing markings. - Recommended values are: - * WHITE - * GREEN - * AMBER - * RED - name: threat.indicator.marking.tlp - type: keyword -- description: |- - Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. - Expected values are: - * Not Specified - * None - * Low - * Medium - * High - name: threat.indicator.confidence - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: threat.indicator.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.as.organization.name - type: keyword -- description: Longitude and latitude. - name: threat.indicator.geo.location - type: geo_point -- description: Country ISO code. - name: threat.indicator.geo.country_iso_code - type: keyword 
diff --git a/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/fields.yml b/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/fields.yml deleted file mode 100755 index 5d8e4e57d9..0000000000 --- a/packages/ti_anomali/1.3.3/data_stream/threatstream/fields/fields.yml +++ /dev/null 
@@ -1,94 +0,0 @@
-- name: anomali.threatstream
- type: group
- description: >
- Fields for Anomali Threatstream
-
- fields:
- - name: classification
- type: keyword
- description: >
- Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public.
-
- example: private
- - name: confidence
- type: short
- description: >
- The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators.
-
- - name: detail2
- type: text
- description: >
- Detail text for indicator.
-
- example: Imported by user 42.
- - name: id
- type: keyword
- description: >
- The ID of the indicator.
-
- - name: import_session_id
- type: keyword
- description: >
- ID of the import session that created the indicator on ThreatStream.
-
- - name: itype
- type: keyword
- description: >
- Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url".
-
- - name: maltype
- type: wildcard
- description: >
- Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.
-
- - name: md5
- type: keyword
- description: >
- Hash for the indicator.
-
- - name: resource_uri
- type: keyword
- description: >
- Relative URI for the indicator details.
-
- - name: severity
- type: keyword
- description: >
- Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high.
-
- - name: source
- type: keyword
- description: >
- Source for the indicator.
-
- example: Analyst
- - name: source_feed_id
- type: keyword
- description: >
- ID for the integrator source.
-
- - name: state
- type: keyword
- description: >
- State for this indicator.
-
- example: active
- - name: trusted_circle_ids
- type: keyword
- description: >
- ID of the trusted circle that imported the indicator.
-
- - name: update_id
- type: keyword
- description: >
- Update ID.
-
- - name: url
- type: keyword
- description: >
- URL for the indicator.
-
- - name: value_type
- type: keyword
- description: >-
- Data type of the indicator. Possible values: ip, domain, url, email, md5.
diff --git a/packages/ti_anomali/1.3.3/data_stream/threatstream/manifest.yml b/packages/ti_anomali/1.3.3/data_stream/threatstream/manifest.yml
deleted file mode 100755
index 445a6b6e06..0000000000
--- a/packages/ti_anomali/1.3.3/data_stream/threatstream/manifest.yml
+++ /dev/null
@@ -1,83 +0,0 @@
-type: logs
-title: Anomali Threatstream
-streams:
- - input: http_endpoint
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- multi: false
- required: true
- show_user: true
- default: 8181
- - name: url
- type: text
- title: Webhook path
- description: URL path where the webhook will accept requests.
- multi: false
- required: true
- show_user: false
- default: /
- - name: content_type
- type: text
- title: Content Type
- description: Expected Content-Type in HTTP request.
- multi: false
- required: true
- show_user: false
- default: application/x-ndjson
- - name: secret
- type: text
- title: HMAC secret key
- description: Secret key to authenticate requests from the SDK.
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - anomali-threatstream
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: http_endpoint.yml.hbs
- title: Anomali Threatstream
- description: Receives indicators from Anomali Threatstream
diff --git a/packages/ti_anomali/1.3.3/data_stream/threatstream/sample_event.json b/packages/ti_anomali/1.3.3/data_stream/threatstream/sample_event.json
deleted file mode 100755
index 98ed754e7f..0000000000
--- a/packages/ti_anomali/1.3.3/data_stream/threatstream/sample_event.json
+++ /dev/null
@@ -1,77 +0,0 @@
-{
- "@timestamp": "2022-04-11T08:52:31.294Z",
- "agent": {
- "ephemeral_id": "b49fcac4-6f07-4c25-8505-3306c6f56ca0",
- "id": "6b916c32-9ec1-4b93-a910-81540b3df79b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "anomali": {
- "threatstream": {
- "classification": "public",
- "confidence": 56,
- "detail2": "imported by user 723",
- "id": "1785659799",
- "import_session_id": "244",
- "itype": "mal_md5",
- "md5": "6466e2",
- "resource_uri": "/api/v1/intelligence/P44706407813/",
- "severity": "very-high",
- "source_feed_id": "3759",
- "state": "active",
- "trusted_circle_ids": [
- "439",
- "942",
- "801"
- ],
- "update_id": "3898969521",
- "value_type": "md5"
- }
- },
- "data_stream": {
- "dataset": "ti_anomali.threatstream",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "6b916c32-9ec1-4b93-a910-81540b3df79b",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "dataset": "ti_anomali.threatstream",
- "ingested": "2022-04-11T08:52:32Z",
- "kind": "enrichment",
- "original": "{\"classification\":\"public\",\"confidence\":56,\"date_first\":\"2020-10-08T12:22:16\",\"date_last\":\"2020-10-08T12:24:42\",\"detail2\":\"imported by user 723\",\"id\":1785659799,\"import_session_id\":244,\"itype\":\"mal_md5\",\"md5\":\"6466e2\",\"resource_uri\":\"/api/v1/intelligence/P44706407813/\",\"severity\":\"very-high\",\"source\":\"Default Organization\",\"source_feed_id\":3759,\"state\":\"active\",\"trusted_circle_ids\":\"439,942,801\",\"update_id\":3898969521,\"value_type\":\"md5\"}",
- "severity": 9,
- "type": "indicator"
- },
- "input": {
- "type": "http_endpoint"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "anomali-threatstream"
- ],
- "threat": {
- "indicator": {
- "confidence": "Med",
- "first_seen": "2020-10-08T12:22:16.000Z",
- "last_seen": "2020-10-08T12:24:42.000Z",
- "marking": {
- "tlp": [
- "White"
- ]
- },
- "provider": "Default Organization",
- "type": "file"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.3.3/docs/README.md b/packages/ti_anomali/1.3.3/docs/README.md
deleted file mode 100755
index ebd87ebba4..0000000000
--- a/packages/ti_anomali/1.3.3/docs/README.md
+++ /dev/null
@@ -1,359 +0,0 @@ -# Anomali Integration - -The Anomali integration supports the following datasets. - -- `limo` dataset: Support for [Anomali Limo](https://www.anomali.com/resources/limo), a freely available Threat Intelligence service -- `threatstream` dataset: Support for [Anomali ThreatStream](https://www.anomali.com/products/threatstream), a commercial Threat Intelligence service. - -## Logs - -### Anomali Limo - -Anomali Limo offers multiple sources called collections. Each collection has a specific ID, which -then fits into the url used in this configuration. A list of different collections can be found using the default guest/guest credentials at [Limo Collections](https://limo.anomali.com/api/v1/taxii2/feeds/collections/). - -An example if you want to use the feed with ID 42, the URL to configure would end up like this: -`https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects` - -An example event for `limo` looks as following: - -```json -{ - "@timestamp": "2017-01-20T00:00:00.000Z", - "agent": { - "ephemeral_id": "29217578-e780-4c3e-912d-0f35ce981fb4", - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "anomali": { - "limo": { - "definition": { - "tlp": "green" - }, - "definition_type": "tlp", - "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", - "type": "marking-definition" - } - }, - "data_stream": { - "dataset": "ti_anomali.limo", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:51:02.140Z", - "dataset": "ti_anomali.limo", - "ingested": "2022-04-11T08:51:03Z", - "kind": "enrichment", - "original": 
"{\"created\":\"2017-01-20T00:00:00.000Z\",\"definition\":{\"tlp\":\"green\"},\"definition_type\":\"tlp\",\"id\":\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\",\"type\":\"marking-definition\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "anomali-limo" - ], - "threat": { - "indicator": { - "type": "unknown" - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| anomali.limo.content | Extra text or descriptive content related to the indicator. | keyword | -| anomali.limo.definition.tlp | Indicator tlp/definition value | keyword | -| anomali.limo.definition_type | Indicator tlp/definition type | keyword | -| anomali.limo.description | A description of the indicator. | keyword | -| anomali.limo.id | The ID of the indicator. | keyword | -| anomali.limo.indicator | The value of the indicator, for example if the type is domain, this would be the value. | keyword | -| anomali.limo.labels | The labels related to the indicator | keyword | -| anomali.limo.modified | When the indicator was last modified | date | -| anomali.limo.name | The name of the indicator. | keyword | -| anomali.limo.object_marking_refs | The STIX reference object. | keyword | -| anomali.limo.pattern | The pattern ID of the indicator. | keyword | -| anomali.limo.title | Title describing the indicator. | keyword | -| anomali.limo.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword | -| anomali.limo.valid_from | When the indicator was first found or is considered valid. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. 
| long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | - - -### Anomali Threatstream - -This integration requires additional software, the _Elastic_ _Extension,_ -to connect the Anomali ThreatStream with this integration. It's available -at the [ThreatStream download page.](https://ui.threatstream.com/downloads) - -Please refer to the documentation included with the Extension for a detailed -explanation on how to configure the Anomali ThreatStream to send indicator -to this integration. - -An example event for `threatstream` looks as following: - -```json -{ - "@timestamp": "2022-04-11T08:52:31.294Z", - "agent": { - "ephemeral_id": "b49fcac4-6f07-4c25-8505-3306c6f56ca0", - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "anomali": { - "threatstream": { - "classification": "public", - "confidence": 56, - "detail2": "imported by user 723", - "id": "1785659799", - "import_session_id": "244", - "itype": "mal_md5", - "md5": "6466e2", - "resource_uri": "/api/v1/intelligence/P44706407813/", - "severity": "very-high", - "source_feed_id": "3759", - "state": "active", - "trusted_circle_ids": [ - "439", - "942", - "801" - ], - "update_id": "3898969521", - "value_type": "md5" - } - }, - "data_stream": { - "dataset": "ti_anomali.threatstream", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - 
"agent_id_status": "verified", - "category": "threat", - "dataset": "ti_anomali.threatstream", - "ingested": "2022-04-11T08:52:32Z", - "kind": "enrichment", - "original": "{\"classification\":\"public\",\"confidence\":56,\"date_first\":\"2020-10-08T12:22:16\",\"date_last\":\"2020-10-08T12:24:42\",\"detail2\":\"imported by user 723\",\"id\":1785659799,\"import_session_id\":244,\"itype\":\"mal_md5\",\"md5\":\"6466e2\",\"resource_uri\":\"/api/v1/intelligence/P44706407813/\",\"severity\":\"very-high\",\"source\":\"Default Organization\",\"source_feed_id\":3759,\"state\":\"active\",\"trusted_circle_ids\":\"439,942,801\",\"update_id\":3898969521,\"value_type\":\"md5\"}", - "severity": 9, - "type": "indicator" - }, - "input": { - "type": "http_endpoint" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "anomali-threatstream" - ], - "threat": { - "indicator": { - "confidence": "Med", - "first_seen": "2020-10-08T12:22:16.000Z", - "last_seen": "2020-10-08T12:24:42.000Z", - "marking": { - "tlp": [ - "White" - ] - }, - "provider": "Default Organization", - "type": "file" - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| anomali.threatstream.classification | Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. | keyword | -| anomali.threatstream.confidence | The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. | short | -| anomali.threatstream.detail2 | Detail text for indicator. | text | -| anomali.threatstream.id | The ID of the indicator. | keyword | -| anomali.threatstream.import_session_id | ID of the import session that created the indicator on ThreatStream. | keyword | -| anomali.threatstream.itype | Indicator type. 
Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". | keyword | -| anomali.threatstream.maltype | Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. | wildcard | -| anomali.threatstream.md5 | Hash for the indicator. | keyword | -| anomali.threatstream.resource_uri | Relative URI for the indicator details. | keyword | -| anomali.threatstream.severity | Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. | keyword | -| anomali.threatstream.source | Source for the indicator. | keyword | -| anomali.threatstream.source_feed_id | ID for the integrator source. | keyword | -| anomali.threatstream.state | State for this indicator. | keyword | -| anomali.threatstream.trusted_circle_ids | ID of the trusted circle that imported the indicator. | keyword | -| anomali.threatstream.update_id | Update ID. | keyword | -| anomali.threatstream.url | URL for the indicator. | keyword | -| anomali.threatstream.value_type | Data type of the indicator. Possible values: ip, domain, url, email, md5. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. 
It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. 
Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.location | Longitude and latitude. | geo_point | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | - diff --git a/packages/ti_anomali/1.3.3/img/anomali.svg b/packages/ti_anomali/1.3.3/img/anomali.svg deleted file mode 100755 index e9cade7e61..0000000000 
--- a/packages/ti_anomali/1.3.3/img/anomali.svg +++ /dev/null 
@@ -1,4950 +0,0 @@ - - - - - - - - - - -]> - - - - - - - - - - - - - - - - - KLUv/QBYXLED3pfECAouwBJtEAMqCRKl1LDjOBKj/J0501ZeRf1779cPGkmZnTJLqVG5ZocJgiCA -AACcB9QLFAr5COXYIpM8JEXyOPDAKpiovaqiSorLItMAUX+ItI5IR02zrWKdYuKRic6n9jxkMhHp -7HQXjUh4Do2t9tgOmT3K3dTvmn40NN3CzV1COntvrrNlqHrIYOXdqkb0kyKdqf76oaHRZdMh3czs -mBk0LuVQ5EiSunrhuoLP55EkXIeHi1h8aNL3tApihxVHlhSihwcdVgWTS46SqGRLEyM2fCB6OhJJ -wqCj0JFIjMNADOMo0tCbUcywUYmCjKRIFEiBFEWRR4zcLJsoEmsUWyQoZNgoZYepW45TLAUWaBwW -SKKcUY5i3MSSYdkqSt0KZmrZokAQOo6jmJGtJBOJpJFGVhKCiGLR5ElB97P87s4JJG9oVpU4io8j -x0FHYiRY9tAthYGUpMolRnnC7ka5ccyiIAaSHBZIknB5liIxEgNJ+DKxxUEu03sxDkSThO202Epx -FEiiENNSJFcghmHsFlt0b6aytVj4Ov7OSlUlnEC25MsuyWEo0iUKkoiRRRabmplnRQliFIrHM6wE -crwcN554NyPFLR5eoUtYkkXNoEIpy6bBnQ+ZOmSeRlv0q7WSldpYimtaXzKj1X/IpL2W1Hbek5Dy -Dpk8vB0aUV1F69LCNdvbTbKtyy6zItWd6ZJZM/OUGtUX3qlMWJu2aYm+cQ8ZuzPMvENNPBrZMfGu -dslUKKB72M8qkUjcxepmIsEiAXIYheLZ6RoJJIstjORIjBRZLmGJ2sKQKkfJcsLEkyM/Fv8XOhar -LFpSWEG2CiaMUkdxFIpXLig5SrGrm4vfq3UCMVY1FW9L4q8kkGIUq1l+Vi6lILtAnJREJWqtQCyp -s+8VxThyRAkP0pJQWheIj6JHchBixJDLg56gE5W4xBNHhxRqYsTX2sSwaJGwhC9PjSOxvdjvx6vx -I/HkZGiIqbhHApPirKy8tExNzUUycanp9YqqhaGIJjRRWlqvyVRHOiGmbkkUl125z8cXXiK0Q+Z1 -yOx/LxHe+CJKLVveeU2t28lpzdw8trOwlGzq4y35W5hG/5lald2JNhWXaGtPmTtk0EfUtPV0hi4l -QzQ9Ujzb0TX0QsW1GZoOb6wrQjLb7ES7l56MRPE8vJ9dnYkS68IKLLQ4jOMoEpgBCiYWpZg8gSRI -ORADMRbRvCHmxJE4kgM5Ci1XhBjHGorGjRtnWJFxW9C4kX0VLqhIbFGJFkQPNbTQVb2eWmJkYr4S -mCCCh1Y5PVES5DAuQeSEEpQk5TgMo0AkNJOLiFynLOighBJkl813uqgLH05M5bJ64WE07LDE6Hym -V/j2O15fvBAW3iZI6cxNpLX0CjW8tl88NlkqqtjvFxc3C6Mgi2yyiaXCXqAWWxRHgZBhw0Y5XfJR -P/AMmdLABoK5wGFCw8PDA77OPJvGCPXYDJpf+Xjs7k7ebCUdNMYYY2xHh0pZpEPlNn1co57R9FDx -72SpdhEeHiqKrlxTNTRaPB9e+V5WMmNTGjhERDg8QIgAAaOBBw0SDBNxAQgLDAUHDDKwwGgplW91 -d14dT3Hr1NDMjLZKR4sOGVS8azex0ArJDFH3v2rSGuL5RrtaRIhJa9eDWL4fMqp7Sqi3aae609Mn -ahXuUv6W8qp2mEd1b3XIlCbdIbNV/no1lQ7Xzmpl+CyfHjJa5TK7tablIWOFrzxKf9WUd62RLv2y -6pCxXR0ymoRr2nuleQ8Z1LQj9cmIiA4Zs/7QV4g2PWReN1T785u0h8zNZNI1u13RoUKBoyDkMp/P 
-91GtXq8LFzZ8uBxGjDihonJVVVkdVm4VRyGVVKLIbLYys7MbWpraWmGGpR5FtzAOMmJDrKCBGAiS -UOLESV3yBJPcpEiM5EiQREIJJyphiVI2sZuaSLzEJSiRJEZS6BNL6kAKRJG8lZ+VJRKkjGIrS19W -qihheJ1XJieEEEIGFbSkpDfZyh2TlHQTlhhihxlWpKHdzszKio0sUUkhdZRRRW1pZWFhva6sqlxU -CSdGfNhw4bU6jb7vs7lskxOUEEIH0XprbW+/uLm6u8UaeyyyyZbEUuGiCiuueIFFFlpsURRGgRRJ -kSjIsFGGGWfcQCMNNdYoDMM4DMRIjIRBh4867LjjBx552BVM3cIoEhQqDgRBEogvwSSTTDApmWxi -JEiSJJSghBP2xBOYyMQmDCNJIAeSOBJGwkgcCS21kiYSySOL3NTEvLR0UpYEImhggYuJiIeGhcbE -kRsvrs//d3vdT1xyyBlXnF7e787OR5cYYoatqaWVMqsDSRQXCzTwQAQTTCCls9Ly8omZqblZpJFI -JplIUmup6ekVNVV1tVBDD0U00YTSIkkiIZcligTFAImkIlogxSZmHoZhFIYaaaBxhhllkJEokuIo -jKIotMgCiyusoCJZZI81dlcX93tr66VNKKKGrqainv6uyMjoqEhggFJYYaUwDkssYYXOV2d398PL -09srzrjjkEsucXS/fv/xef2+uPHjyJMnTmgsNDw8IiYqbrJJ2cI4kIQOOaRc2R2RRDTJpGDy5BJL -KqnECSUJJEEQ5EAMZBFFEkHkyCGFGCGEkORAjuMwjuLQIw88fthRhw86EkZiIMZhFAmKAQoSUkFK -QsKjO56KBDdkSgMOQEiQ4DABMwAHCA8NFBpwwUOCGKWCYciuYBiGhWKBwbBgiGzoBg2ZMsYYCgbD -grlyW3mobP1QuZXqKQ/TPh8qVKjkVZ7pdvevHSpVuUpU60PdPFQoUC4wTBkypYEHNGCBgfAQ4YKG -BAQmgogHhwgXNFA4wINhqBw4uOAhYbjDBiIooMIFDw4SDIMBC0wDBwwaMGCBueAhAwgMJkAcDhER -MrDAUHC44CHCBTAQ0UCBBCIcHhokUBDxEKFBARQaHhokUACBaYABhASHDTwkEyhAXMAB2UCEiAcO -GFSg4EABBKYBhIcIDxooOMBAYBpEPHDIgAUaYC5w+EAEChARDxwg8CACBjBooAAhggQJDYcDhQYJ -iQcTHCIqeMACBwkPIkRQaKBgQoUIEiAsMMEDFlSwQAQFYOBBRAMHLDAUICIiXJCYCApFAwwiNBwJ -EBAOiKBQQGAamAYSICAcYDBQIQMKhsFARAMFDw14oOAQEdFAAQQF4gIPE2CQAQSFAzxEgJCBBAoY -lAEFwkOEiIcIFCh4gGAAAwYZRDhYAAFCAgQFCh4iQHAwFhZKhYgHhwkTII4LHpKFhWLBAg7RAg6G -8oNDRESDhESd9cbcraVam/SoqbwgAoUDMGSdA2MtBxE8RIAQgUIDHCA0ULCwUJIDDhEg8OCAQQOc -Z1ZtfDVaZ6PmyhgdQADCAQ8OGDSgAgUHDzQoYEIGDNCIDCRAVHCoIMIBAoUGB9iQIdMgIRFBoWC4 -BIcLIBawExQLxSYCBwkNDyxwgEChQQEMVyaCChERHh5AwUFCBhUQ3VkQQaFweIBggImAAw4RNuBg -N2M2YzUHxrAcSIjgAAfm5w4RDRIwmODgAAYzdEN3YMhEUEEDFBomYABBoUEFHiAiRIDgUAEFIDBk -bnp1Wnd4l3XI/NLsRnh55zpkrqqeaPSs8yGXXe9IUQ81D5laM9o2b4u/Q4ZMBMYBKsB7CmBhoTQ4 -zInMJAxogAMYUFAAgYmgwgSIiAoZHGQiqADhIUJEhIMFDhAaJkzAkBMUC8VE4AChocIDbIJioeCe 
-iYCCgwUmZMCACyREyMBgKE9Q2EQ0TKAAkXCQECHB8AmKhRJBhQoVHB5AUKAg4sFhQgYPIJCFhVJX -iL9e635HHRjTO7oWfY9OnjE6u/M5fz8+BwaT/j3nHn1PBYcKIiBgYaGoA6Nn6hyYMhF0AMKA8BDh -gocMIIyFhWJqaBOBwwciVKjQsIGHhmNhoSyAAmMVwRkyAZIIQEVlInCIaEAeICI0iNBwyElUVAzG -ASpgoAAhAeJg0ACFhgVEkNAwAeKhYHiAeDABBCYCBwkRERywsFAaQGAaUHCQcMFDAwYO8wBRoSEB -EJgIKEAkFhaKT50rE8EDRIQKFBwgwKATFAsLhc6VaVABBBQgIhooRFTIQIKECYyJgAJERIMDhWNh -oRg65sDBAhAXFA4soAAACwGJaeyeqD6aeGhNUvm29Jx1nmisrLRyafMnyab0jmZ6zDt6PEVS514R -HtsGzUs+pTU6W8iwUCAgxngzLJQMAhABCZgGEBisCyRgzOAgwQMRO0HBUIAGEyhAXMABExQHBIZh -oXQgAoWIhgVIaHCogAAXOFxAAeKBQwUREAwggCGAYVxAL+25R6tHjdSYzuTNSjyamA4MSrQmHTtS -Y+RSTSW1g4jpQE1fxFSfc2C+ubUur7dO2QHDQnlgGFO1KnPasZ/K+PCVVYXnTlt79tu2DvllB6au -5tuIjivRHDAslAkSMGbpul1rzx2pOcq18Xt7CDEdmDzpYd36Dsyt3dEuoR7P2jzxjLi7lLYnHRj8 -+niZl1vHygHDQoFgGBv73cE6u0H9D2GtGTtQ+zJJa7+J6mO0IVOkPjrkwDS4WcBgWChHolkWbp7M -Uq/+Md2gC/Pu2NnUX5SpapsHzWqHesowzyT58nCr8mfN5pR+uUfzjC3aDe9s0pJMU3Gdx89KTL3l -ntQzesYXronq6NnoUmYtOU3Xd5VbpJp1eizP525TpnpWXTxTiZvG9W3OsFZTb7HO5hlNVxGuGu/k -bZxr0jylt3pFuHe3kyetTEzbMzFTtVzn9Mwl6n2dx6NpY7VPtd7He7unc9qapmqmHeuZK7u6r2b5 -+EfPc3vGSF/6tVudo00R4p9azp/aU8Tbr+l3CG0sFct0ds+kGiu/qOmzaKNXpZf688/3jN4t3TfR -eaw2pYZbqVSppyhtqw4+tSjpeM9g5vPK9VtLrdQ9umcU7XdfVZvDXKw9Rmf7xDyJNpaar1zLIsLV -29imXqXqn+foRu9ujfs6PHQbPKx16mnuQbqTDVfxCBH3MHeJZre46XOVdirV9yzd3BHVb9NqD7oM -knlR9UdHvWt0vEXDPHYZxdwz+9mft0ll0Iyr1ySyo7+pp3lvVc2OqUw9z2FZpdIXnXdubUr3h1cy -qqN4c8UjxXMqg5hfvFpZHcSbXKX9La19zmWSrqw3nmGhPDBlt7t4XGW0qsyo9O/Ru1E8vm7PbqlK -aaiZ9LOZ51sTolmZ2s3W9nQ+dGWMEuuouTd2P7cya7se9dZ0rHrUKtpDpKZ1a886WGXW1n5UNNYp -u7ntGfmYDBHV7PZk3Tzrim5T7wdLqxLVmD/PJS21vbOduzJmJkqsm9/m2trKNp+beMp83z79YytF -tSU8Lpu07NZeP1dl/h+VnaubyzOsWyKlk1Wm0rWoZJQnfXO2Nt9Sap2yMn7RKdU3nvJtXVv966iV -USMrpX1lWCgXYFgoEzCWP7MvkuI5tdEtq6MaBMyuE++LZHc2bXZP71Dvdk6f7Vuqdw== - - - rjalWJVHT39UbfZKVqhJp/O70bX9ft5QKY0O3c2/Z9dzmXaGhXIYKzyHNqildqi5pntm/ZfKey5t -XKQ/1OvpoN2kutS++s1TaoPeQ5Z2Um0ULStRD9fO6wwLpUECNjXj6Ra3zJxlpjOqQpPh2q0NYFgo 
-BWBYKAOogAHCQwQNPGgwGBgmKCAwEiAgDAIYMyyUCIwHKDQ8QESIeBABiaBQEIBhoTwwLBQFKEAB -hmGhTDAMC6UCCVxgqAIUMAswZMMBY5MBQyYBHpCAIVOhMMewUDJgWCgOBQckUBhiWCiGtne0Z6Sj -aQbzZ7pWro/tTaYetc0d5hbu8z94NqWBA4SGCBIgEhCYCB4iQHAwzORD+btatFvcOqEaHt1S1/Au -sZRSSqGGloIYxg1DiqLQKqhAkjYpqdfMJxbTxx1WDNvCrDAXSDHkSpVWQgUxFi2K6TAK46hQsbXS -YAAOEREwEAEfMvhFU6VeEnr3lya8KlW9pzfPGRoWKR3aETkPafGI1qn6fVJRUikFyok0QkhSl0bd -D022TE1zyw6VwTod543nzNj2MRo0x6NLx69cwpvKarVSbYpWq6drP2WLYhwIWepfjqSsbFLHbfKC -FHK5Y74U5ZBEwZJatjiQJJEYR+ohd0tKYhxGJUYhRqkkS5JIrrfY0e1xO4qiWG5VkqPISMTXLYGQ -UQVCqld1iO5sC19Wr1rmrmJarRLtIZ3m6n0vrWyXzlglkYmL0+UKLUZ8NZKSbCm7Y+oW5UCSRFHq -ytdAinEchOSRPnzkGSnylpQtmsVshXEnWEUeGVmSFFoSXY7VJ4qWe5rRsVTF1dtVCY+LRj/77g6Z -xKvLq5JpPZ11dofM7y+jNRfq+Zqp+L/oFUdS7rhjallki+K6o9hKHi5M3cJAkOSl3FGQJFHljqlb -lAM5KyrFXvIjpBhViUKQoihaeFWUQIqyLhJ/pTKBxSUIVpFnZDZKSlFGFZlOSuLDyHEYxZbUzCyL -t6USh5a1NX1BK4n7vjz4X9n2Tnmqv1Wr7qpdr1TzKlOrTmit1NfxuHRruukhc5f9IkXSq2nukdBV -h0zVmeKu6uvgT8mualllS3eXe0b0VDNSokCdC22WxMtZESLIQQkVSYEUmxSrbYLFyowiQdk79EQJ -alOr9FBSneoyC3HvPB8q1tLvQ0aPftxbuWiyRyYlDyPxWmikGEW5Op+PvMgW5JBcLnGpW5zKHWWN -K7YYW5T0ZatQLFVmH4q/oyQlbdFiVXW3ZTtWPoR1znKT6sq4ezLd9c8tFQy0pIOZeK+zUdc21fbI -UK+ofmRaShMllFQiQQ4DSZIkcUleqW63qqo1qkNmz3rfTdXUMjzTu1GtPOYfnrvUMvPmEV0R2vZO -n6p0okN90ZqP4nGJ4gcmlyhyHKUoB1LumKVYI1HOio+yiVdHURTFHkWxUiQomFicLgpaIsmrQ7G2 -HMhRtNTaWEXFcr1pJZhAygQiZY18PjHDCjvQTxhlqjuWBNlm04StYGFpogqk/LBADqkXiUOnZdk8 -MsnD9jaxVZBRmzBsHCWhKk+yoZaEbI0tZktEXa48ZEoPmcOnEhoZie7OdrrKu/OvZapmSkayk/dD -Jo/X9DCV1me0ls/WKrL7oUKBcqUgxGV3LLqFcSBJIZddYRTbHVO3QEqC5LI7FgkKKVK+IuEsiCXM -ZwcaiZTnM1OPRK4H2dpugRhbLDmynNDQgr8q3ga7Z/uQ+THJpfembzONdb9c9X1rxk1EXSUrWzvX -77mVLAnDhwtiCFLu/29V2LHFFZp6LaWkSR5ZJHhgcYkhd2BZS0NbAssqsiUTh5Y9ztiXo4oqyjDQ -OIojUYxUGTFzAinGceyhxY2ORDkvnouiFKKaec6YDZpSwUD/hXsvFxpW1moebTpkbhOzCLPW0DDx -9Bte2deFSimFStkVTF2j2K6kbmEk1iOBUFIvWXRLYSSObC9IoqQxy1Fw89BjF6k8MKFbiiqMglAp -O9OyxVjlDhuVRlF6kTiMiCJFInHCEkfKlZW5kBWZCmLB01mVlyuEkJJIkGKTvBkpkqNkkcWNNRJN 
-9ChoiUxkkofZMPJy/DCuSGxaSVRi7/KRTkuoVXFJkMPQxOLFOIq8Inqmw/1hHtutnMe9rDw3X56m -nW4ZKikulksPs2y07iOyM2PiUlFduRQPyVbK5+VmKb5sNG2Gp0po1pmoVjTmQcJFl80d7ZUtyam4 -VjaIP8zMpSxrnTDV9Mc6aljmk/Ye5+6xBw/o9qDhMTv+aN3PPLV3akqXemp3dE/JUk3XTlEdtZyK -9s/Sn6SLakQ791W9qXbWWLh1acS6W6rCQ6W1d5lUf/c0D7eSiPDW/CDP1PYU00XPNVHd6e1t7lKZ -fdLS9VYfgvDjItU5TYt7PzxVZuVc3NvqWVs0lViW1/yeVFKqLCXcPaZFJ9rSLNWDiUbRtZRrSD63 -zcuJ5ltalJtneNI2iLtn05ygdMQyvVs7hQ1MMWBcYAI261oaolLpN0+2aKW5tk0sVdz66a9LZ9NE -tF076UrpfAcXv2TyUUpbC48uvjSfPrTosiUtUtybku3MdI8bMLVd27Qi2+2rbumoTtlbtHr7xDpF -dS3CtZn/TJ/ZybWpS2ve3uEPUl3W2q2r7tS/RRvmLZW/ZPSxdVJembouZqIP76y9C5GWvnqzc+vE -6/c21XyTir43+eTaRzWrPNFzXaa3dvw5qjzh2TWW9fZUSXpVeWvyHqWbLupZMnh7rsI8vLWN5ZJ9 -T1Hh0iWdXV9rcW/Xu3aia29NhaevKuL52hwdWhcd1fd6elad3qX6rhrXdSyyb93tuXrt1bX6otYd -VZvu1hd/OqguvK8h4dn0nf8+jbdp+15t6vQyOlfn7V9MH+V576tpl5ZfM8ujmJlGuHinB++f6n71 -NhZunvX2q5p2KJfI9ODpq/JbLjuLxjJS/NLtHkqbpbONa7emj7i09lN2flbvoZvIuHe/Ul24t+LZ -s+H9jtZWpZOMWmKt1palou2WjHu3ruGeCXHtvXOmezTcq+uxs9GIe19Nn+mxtbF65t7eWY+uU1XR -jq7ra5d1cG32qudvrb337119ML2U52hj3J/t+X109kx+7ReP7BhtCvdbeS59TrLvEfNc/bv/e55W -Onr7ERpuOenc+W6XhXubd/JcxqX6HbtLV/VrU55CW21q4VrdHjwb/G0fMj2bFdd8Hyxj/hT3Squo -DpdOeXymPTrcs+3U2V/DLVw8dTZWikZcrdpjtmr0xMUbHq0rrURcQspjM+c6PFw13LPmRR/RD1aW -E9GWRE6yvdtLXC1TS4tO1dPhwTvzG9om/bpN1dt6LmnS6R5T7fSO6m2p3Xqte5aa+DxEN8ZXWW6h -7gvvKFXT9JSPuOpcyqtju4z26zrnTy7LxSpMNeue1cu12mektalW1JN5BokyLZdseoz0mPmT3eHV -wT26O1+D13WlmmnPjw6u+eZN1dZz7r16yjZJqIhaNjpZirveq+ULDdG+0u0XUqpu+ZR/u+PRdt2b -Kap5fVw/OS+vrrqUarZ4yLcvmrpeiOhFLaM96V8xF9V8NW9Sqn20ulNt+aP0smGlnqrP0c8oi07u -6VOvbsd7iuqtNPoZKmrdrrTMR+tHSXeodJcH7d+iJaT/q2WG6rvZCu/c/l0yVF3v8X3tqap5Vbyf -wh/1i5q7iVfLrzpTv/+uGRL6xzojvfG+zfz1cPVQHtN51+/SeV5x62ovOqUnJNQ8a4S5ebWpTuFx -DfXqy5/980eyGq9HsrP4P594vbU9iK9VNaqS8+Bd0+7ODuGv8GqIdBZ//5pX3MRT+LPRqEfWk3fv -M22ohXq/nrqbHq1QfaXn7gwLZQNLZiVUpNxD/6Ie7fNHpMsr/XcOb5Zm+/twsVB//9j9Xia0Q/Yz -ferP+oaopzrlOxVx6Szd0IeUeod0ys9cF6XaWR7z8Rb1rzzom+/k1NvukH9HVXpOP9HTeJL+qzor 
-Xa8O+rciMzpkr6t0oebqz++bmb6jn3pVMp/9yxS39uQdCZHsdycv6vlp9d2f1/89GSpp0qm7lhKh -llGP3errXf57iL7e1CdVt5Lqev0d0hWr6nh/w1OWkf2VdxUu3pg/2qw8pU61X713pxIPvXQ93Sv0 -NX12Uk9GV1P8qb3eL+taSHtKj3m692Rj1zrac/vXXe/cjBHe87RUT7+Hzqii7p4aS4/t0eARsU67 -vkNnXgf3NpNqtHdaeXvs3AgNIuahMq9DpvT+nO6dGc1h/eSNT2m1DhlNGtmhNLZ4uKfq9Pne1iCp -S4nQLKkdTYNYqKdKrrN7k75jd79jb1p9c9GurdLuDKKi2afMvI6eDp05k3nXV/UxM1bkVNM8vKP2 -81EzqGv3ZeEpM1dGRad4/ynbModqq+mR9NBpnR4to6jqMy1DS9WTZTCRkuxQotHfsTKmiqp3kur4 -7lSrnpfZRCUtveal1ZZq4Z4nJh41c2cpmSqisTKmk8i0Es2W66iZMkOsPGjGdle1NHXrSqfOIB7l -lpbZa+fJM2qz25SeehDttCfP7GnWUaL56BnDI91vHjpT+rOFuKTHN2unWqfm2+NCg4UHr3x6a3e0 -Xnb2zG3mrVkuHt84X5umRfnjQ3M8H73x/djd7xQa8/dppw7NfaduDDdRTfX6o4bGbvHUzRra1Vnh -GR2jse7RnZKWnXXP3WDmqU/1jg4WGiOts0c1nUVD2kNqzIpOTW+KZw2N0+TPNPOsmuP1zOfso5PG -tNpDibazRfu0MM1HH9ZtdVpfnys0us+DaNBsdadoNFalx9QUWVmektPOEZ7qXOdkU2v5n9podtNO -rfm50WRhHlSjia86zdedK6S1Y2rweVzTPOc5Q2OVdFTNvb5P8Wcnc02m9+yU0n7WuWqVSzaIPlRo -Es/OrSktutNjhQbXmKssD55Pj6IpqnXaHRrj5TE13kS80fFr9oWLv6N5LRcL6xjZmFVtb2hOV4+t -cT3pTK+sB/c8jX+qNzU6nj2kvbM39lKa6dHseo8d2jTLXG2PmjmttCxTVDtrXzTPvOMz5etLnWhn -FU268vxMUp1SRPwxmtKTicaOTqVZI/qWqmvPJZpL67EadO6WHk/Hcs1qRTLTRDSWdwfTJF7Zpq69 -o4jmrugYGt+laXbXPb7ZOrQeo9Fda5mWNY8RzS7i2cRSPLZmnZr6c0ezBv+v7YhGTXZOzZaiYZ0L -VWf7VTuEhaeuiGdbZzx6W1XfOaptS+Y7lfYstS2arVnLx7N9KR79JtquTX2dstlpc33ShuQyl23k -KiUrG5Iq0Qm9dtsps9pDddmRDqn2ZpWbriVz8AARIaIhAqKCCRk8eFAYBgQGwkMEChEWEMA0MHMA -QdVV/nw1F8tK9+zykGqa3Ui7q6XnvEfTeQ7ykH5j297nUjeNfD+bei4aFf7Gp72ZraZvU59n/7KT -+MO0s7MvS9Lb/ZVodLO83RZT9fxZmXW2ZOhDaKtodg4xL33D0/6Gty3NPHct07P8yw== - - - 1MyWivIYFm2pbdEw68zWsH4M636Oq3q2tWp325rpHsqbbWstj7NoTanItmiHZmhb9W01Nw9eD6+m -WdpaUh3TbEt0d+q8d3U+287a1qEP15ZeNcPLNDvjz5vndOGe8a6a/1E+rXj14X9JuL/3hN/KzHPo -s6K0r0nPaGe6k+bPq+gQy2zaRLTZ+XKPFhmi2e/ks2b776CV+Yj0eDuq2VpnpfV57bJDnw+RDBfP -LkPj+i5bjXdeme2++7bsUoswb7V1oY/H/Y1eLPQaTfTvl9A31xEevI+ZJp/Vx2vc3Dz+8+Arj2Il -w0KZsLeTeUprnp81S7Ps5FntXIXrsy9trXQPXq2tr3DViG7vt5MPfOu6OmRlt1d1Mrtbqtr73cWw 
-UCbwfa1tbR1t/WJYKBvQxaKro6pNWrSzV6g+VD3GujqrU1u/yldLV5Sv/VWecm3gWNIzLJQJTOAB -nR4fw0LZgH3uPnjYqVQ6O3bPqmMrH3vzJwnrrN3PJenJqJJs65XeudPVO8cr/ecSL/dk0jlU37l0 -ZuniQbRNz2HZHuPm/aQd+l2R76Czau9Yb+RDe1aztDSyd9U263zvRcc2Kff2V3Nx10YydB0q6+HZ -yemj0l1GRsUr4+apnZuSVxWtcJGUco/w5z7lzbC+Trvq7liKr0Uql6nycom8lLS4VYg2q1v0MSWa -+ugyLJQNHJqdI9t+WlGmr7y66cNzNNadY2JuHrM6e7RTeEl4FrH29uim2rQv01b5Ltdk0z36cW7a -nW+aqeokXZZiZu2p3d1tJe5W3el8ddqqStwyw0I5XJqKeyU9L+Pqf4d0ttWen3HRfElneOdF/KHh -LaZ+01q4d+flnvXsSKcyI8x7UxF1EdWaR/RRfwx9mnmFq+fVI+Neav6MW7eZstRrd6uF+XwhJpru -ZKS8s1T23V+vSX2fkf3qW+ftUuHq6ceq0Gd1rjTfWmXqMSvbqrKzVUh6tFurSizaur01HayykV7d -mveULH1kZa87WWUf2t1S1ZLzlgp/06V9S11PY1rS5XGpGp/0W2vqi75GdIR1diffe7zGeqaTVPF7 -qXgojVpHtvbWGdouFXPpFr+UfhHRfUtdevdVMyyUB96f/810FVL+LHrtJty8626vs1Q0ZqZP9err -sx2p1Z5p++0t1Vp1E/UYlW1d0rrqai+57k69zSU6RmWiKzx23bqWjPQqbavojl75WHnqqtYQC3Vd -VlpVtbTWn6vq6nnq+pq56GyVl46/u0iTKg817/YKf9SVVYZ039rqqm6VSvXGsFAmbFWtfU39rcVj -SnlIp2aXdra85sDgWqWRmrTI6Ivr0zyVnqvrVk/Tult3X/VS2ZbhK+215r+UdmX11R5+f1Wn0vZZ -mdreNpcZ1+4b2p7QinSaWGu9c7TWz7LojEupeereOxXZ3fXsGZ2ZaMzDxK/Taq7/a4p0MG2bR9cM -C2XCmkpvsUjPVrnqeYV7Z9f3Jfsdq4nO01iI+HX6a1Y/lt7cvWs6/c01UdlpzKRiWCgH+uyOtVh5 -q+m1Sn3eJpX3yoi2eheV0Vw3nn+LWki1erd3VYf53971Oq3dVhXeGiurrLQKb8taB6ly0VBvjape -tptZ6bfeyvvernXJtGcqW/qut5WLx6hsu8pbpcrU05+r7LtMy7R/zJu3O1XTO9LvVUZnzFqrC83f -VTta+7LMwj1WR5hWtnPVtAOjvmthLh3dq5vIMA9N1XrcOrZNB8Zod8VarURVQifdgUFVPN+XVbh3 -qbq5dawOrZu4hPYyw7LLZ0tYpmc9W9/o6Gvx1tD2VeX7bKkQD2HZvbTsWFl4KMvw67Mt1DuEtVfk -2+LLT0rbq7/udp22+P3RK339Sm3zymfqusvdujp3laY33Vql01avdjG9RlfWvVWl3en2Vrfa/dpl -dZNa3WoqHa3KYCkUDBc4RDQ4YOBQAUOFCb56pWPayj1DOkmmd6tnKdeKhrenbHh6zLt65yrhnfLR -53Ous8yidCbl3qZcdelp7s9aol037TCtfvrTtK+25LN6TKMmnp/qK5H+oF4J945qki2R/nQ1Et7S -qY6uaUtmerqIa9a925sTZWLZHu5pcTXvp8yITI/Q9lZ1UfdYWU9ztwwt0XrWkoxnpXp636TdiPb4 -dd0y4pf2Ze8ppZbhUiYZz7tFp+zUiKdJvmOj64p01Ttrmz9zOTVt577p/Qnt0Lb0nB0YE9Eq1vfO -Pplk+J+uEDdPlX8H5mn20jWtUeoh3DQ3pdVjtqj7OzCKtpuZpkg+Wg5M7TnF34Gx3e+i1WEsjexL 
-pGdhmilR+ZBoj319u1UmrVV6442i82oRzfRlmbaZeAevfPLapk/HdJbXQ9OtPXP1WVm++xbitWw/ -iTdFqrX256+2hVbHrsx6Le2Kdb8IferKGBKpb7dwbX+5d/o0I1I7q+Od5/M83flGvqXyHbMyZ3e0 -65XM7O6+PVxzrtPXRNyDutb1Watb9dYt/XtrLn31mXYqaTFvhLe+s9s81WNVJsmEeb0rHsMb9NaR -zVD1Jly16PqAAJSSEdnJyifvuodZpKfy6eCFh3bHzH5wLu1411znNo1kuUhEdmkyWf/ZTd3zxX3V -5RoWnSJzdJrdOen66ty0umObWVUunfcsmbWXVW7u/Sz9enTurfqUTdlYzmP+2ZJyba/n1meVc++r -x3xk/6lo9f+l2tZ5u27erpo/09+fN8qz6zGfWtfT2in9khbVlfDyXG960/opvb+49VK1df3q3PRR -9aTmb0WqX93UU3hFhos/0S0Ny6R6qoupiGmkq7c3tzQ8LppNqi1anl2lo5pNnxuoRDGNEmoWZhky -yBCVSZIEAzMSwDAoGA6IReOREXlqfhSABIJqQGpIMJEGJJGQeCQEGUOEAAIAAEAGAABkBiQUAAAU -zwSAMh82shkSoMqktk12QtGCafDa6sGEI0CvRTVwigB1seKv9dOjpicCdK8zc2OBaIgkGbPK/f+n -lqcIVvH/5zL9Q9v4f+69/2e/yJOL8v1zBYP1Rtw/D71iogusAaBdnJm9he6foKTobYfdPwEUgQm5 -fxZRlYhRrvO1ex+WjuuyUh8KLU84+ZwpcCl8M0QlYH8edw4D35tK50bGioz6lQegxZtm4TtI/d6b -2EwU76XjaQ4Te0k75jKwG+Vi069HIXfPk9Ovlu71JfYKY/otond5JaPwWop8pn6RpygE1dVZ/QrF -tdmr3+S8ZFS/BNd6hrQaQOJWk/rVYepT4OXXdaekFX4D3MG3jaKQDtW8Ffg19/umXIJcg9hRefx9 -ZbX+9u8r1QKofdvItuGcd7D/vqN6XDTI2P2+40bLKu4Lz1vbV/b7tjr5npgUwZ8Df98NMBUlre/L -fEe1v4CUYoIvt7WvwXiH2V/78g/AjrWv838dfrhkBYoihogbCSZpgthNPaiF9y3WrtOWSBq3r26H -GHnRCN4DuKGFz8qdlBqr7RdXKx4h4WusG75XrsOFqBuofGlW9IrowMfA8XAvcKif4Ug5tbkKgV5F -9SH01EG2zODC1dgKwdUbofSAm54Q6X+bMmAj+y2dqKr2PYlnY/K5MN52WJ1SB3OYc+ZAOC2qwCkO -F0XrQkWkyTnJL1XEoJcAm4oYf/gI7dr6jQRca0qhBZdAVG5PR6qbllD6hJ0NZ0AuQ+eDhNB2qcZb -BgdcioiP329aArxoSg71cKaINbT/qUYjZfGmazBFhJrEUHezYhWx34BjKCAuT0XEfJhbunBR9w+D -a/0EoMAZka2D0kJbNFuQj7OVTseMGB9khSAyB484/R2uzBizI4+4Gehxg+569Q2P6I4iSjD3RUGD -WNOXJGqNv2S5XxI9MyL0WhuyqMaPTBtAFp0bR6LCOxi034wWPqENPzgRtiNIoBolIfApELjj0MGH -Yif2as84e3zTEPNaO6j2yL+pviykZAGxml7wTuRNdXfj0gxqiaVCCjERSAQ25GH0qyagI8qtLSYu -1AcI6DtQrmNPrT5BRjY2T29XU3Y792IkfDlHjFbOboIId6bUhKhEXysq6WC/xHwA9aSXMWNGw1qU -gETKUiWJAJIVSjJyPcPkDsw8Nd/4CvD6xszuTUn2kAbqrtJmV/RIZiXi2JIWED9s6F3s1XQERGWR -u53BeqGN4rX3To7C0ZWcd/E+k7KEnwq+yqnVTL2iOsyZ8yAWrceuJ+VMb6B3mb31LoCMGqpo2atF 
-amII2UqHB3g4oE0h+iNFDlJxL9tSrd0XK4dfw9aiqPK0GCSfiZK7woEyE1VqOmQUOpxMwk4qyBPJ -VCaKr5npXJCJVstkpGMeTz9xruSl09GTJxYMJwrgD8WF2ExhudOpSO+gTrdVMtETqpkBLL+suIg4 -NrZltC12+v1Hyd9KYY95sRVM6QwAuvkSRQWammuuWkkpBKeoThlpqIDhdi1TYM659ZdcwQuitLij -WNAOQGYu5W4q9gm6EMdUY3xD3Koo7hc3i957AhItX4BXJYBUE54JSQEqMjhQjMZyw/3TsVCRW+qD -UecBugQnOc3qXw6LwR82rYqs5ai78BU2BjEXCUxrb4/GS/B8+AiYX/PzLd4bxXTYrCcF6gX4pHHO -0uZZpY2P1Mjjk8dw7dgYf4vlYKBAAzgNjZj0i7adKZggrYVllBWTGqqBUtOSXF65uCCx5ComXQJa -o5s3Tc/8rLRr4s2M6NQgjUthg3IXLAlP6lGINCoQZF6SIVVMkOw+PiEA00ldZncYwJnUVQ9PJCOY -swkTJGDHK4/NSSSLo5mJc6drekThVVJdiKSwSnrQiIv/M7RWDMhwd5aJEqmSRutOHQOwloTj9K+k -4LswEKj9Ps8b0Nn5bKS5EGkG5smI8tjzxdO/yWTSPaqoYnR11knvBNVELk/12ftpZoxsH9sSYkr7 -9yQEKy3EsPhVhaErHSsIlE9TyZ0wbgFI5oWI2w6/K6Xt/vSQgpiEPUPTW1rxKzoCT+3soE2EGefM -0p9gslhWLGOL3XLAXuW5W2kKZxRXCGTyIFQh3GpW0QsjNs0JY9hB2iCRICOudpJ+EhjN8aoXk822 -1w46ynQbQEg6jQxjy9J8/sU/aTjBS01UdiG44hbW7dA63y4OhAXltOim1aNcCTuVbVJl6NQGFAV1 -o/St6S5+Ct2k3n3Tl13ENDDhfBB/KN21j3hEshx3MqbRfnBQdyJxqTlNhsJdmKYl6JRZKHgfpEmh -Kj3HpxKZt+PcQ1JzzkY7oA6OQNL4vG3imkWH7u3ASFDKMojcBnoa5jsJMraLKxYkTS0DEwFYtSKr -9sNFyp+pw3OCCIrmsgCVNDI4SWoEw2E/Yfn2ngPlpTn6QIRfkHhDhbAVrjNgorVpX8TnlCbPzXXO -LFHowFKylEKkHWP4CBe6kPt/wNR838ChWXSMheH3sv1CCsVOlikhYGRXizMINaWmGnsEoGcqlgVy -TRxFuxsAJj2V5S+Cm2jVJ55ebrL9llGocD5GRaL6fUHWuP31DRT8iY7PDTpOviYYXA== - - - Pvg6+dlCt/DbRZ4dOMWD4/rLVUOcaW41xsrnMdrWvS5zK7Vp5EF1FufiTXWRZsKC3xOG34C0xdbu -Z7cLfbeoYCluMThbwR/D/cpIttT/q6O+0QrUJT0QH6XC9v/1hFoReBvq5NV3u2aKBc4TV9ojr79H -8g9rqRzVcwPy/dcUDyjCUjWsQ8fMQcTR6B+W5e4pOtK0Ldbl6n/gdP8u2987KViMFqjSaFPZMyYm -kd5YKos6C7etWMXVSZlJqhXs3LgTs+REmCUhzM0xdeS8qtlAh2LlTEwAcmUxMxAP6XnZfDjUpGWw -avYoKyE+Jn9SkuSluQQswEzp7gxBqS0jw5lkkQqJaF3E+7GbH/3cEZ05VL8xQzMIshlrt4LruxjR -I7ZyVc0eLAGKmMnQGCQyOKHAQNylA3p0CCoFks1w3AQMwMIy/2MSCRdNX4kcPJ+etgsuH76NQpCX -1q+MQNCWryrA58NZHfzr7EZS9FvEZPS+swHpnJ3vJMocfq/4DSM0iej1Zv1u7c7jWu2jyIMV7McD -7+CqXJW7cpEyDbvV6DTYp7ulktuem8yxVw2kSXFEHh4ST7+h5iSuzaub5EpDvTxMMVcr26hKFMe1 
-nVfgTW2VmR6cBq7IWx2hF332+CZnalsDL8x25KJiT/ZshpDIBAyCv8a2WYbcR+yZEaxH2IgT4gkw -phR4d74A9F7l8dphuXrpgiBbVoZr6WZ9swV+YZFJa/m4iqksGF2V3GBtwum5K+hQanBa7ZTok6uA -A1QCqjaxs16hAq4mx0yt90uqScFWpTcXtSElyQkFWZCsPXXZjVfwBH8X3cZp4xG71ATlGRJSTJt3 -kK+WIA6ojVWX4KK0SSCEixOrYiwv6aMn2/qojY4DemwXUZ+ovBOJVHeDH3rDKmVa6AQ2Vx5EYod+ -dyDxByf+56X4tfBzXxfbBQD0QtzRA/aJh+EB5MGbX2dHLh1fSEeS33gHU45kCUyiVe7kNa13UcoF -qWhlK/3QEkPdVmrQkVaAydDUFxCWaGaadq4RqhwZtJL8kFyRowqhLUzVjuHm565rxXFXb3fwiifK -qwe90uhZOXK519KNOsW9Yo/SgiEi7jrqDzqmyegQoQZwjOZeUL4pfh/AKppJlE2wOEG+xMkMLBKW -7r10XO7ATzjQvmFnAWL5/knsfk+f1WKXMhBC/v2kEz5HSr2+jsWJBiwS+V2FQvaGgCeYr9iXnD+q -/91GVu2JYg0uhBgDbp597HoL7SwX4Nhu2CuTcMHqPSP6x1DZDLslRKE78yT6TJJfJansyxcfi1T2 -+n7hVFH04evB1FTWsughy71eNWuJwbrpCxzHh4WNbnAUKhyNLEsD8Exlv3UL4/++koRpK4hsFMZI -tQuY+hD6txMtYdo6YqDAh3vx7QVlty4R7ArKVgUyWp/tZWg5dXrtFD4WhBzQlHtIHQPG1UL1JKG+ -GTSD4dYOZ/SgFrQa2INz+JidkrnUzxLOxjHbDbdg/pXb+QylopQFAdqgieCJZgNQYTxdMgDisYL9 -fSpd/PSzZ0vX4+LHtBHkuCW0gQrSmOYtncya5mqk+zKLWKtZe5pZEGQ4raTiaJmSWxXUnu1nmnoy -0Vxq10xrwMIutbDBcPUO0SCFfsoBEVwtkpzCyayV17e2g9/2oGL1q+ABKGUxyOf78oPUQtOrLwbk -wRkzcZK/HRbBmxko7w1nTL4TQqYegEpjt+Dirk+6n/oMUS43n/o6BLaTTrjeefl2zdSF/nmBLauW -wMKovEk30OYX+lciRsWCZwW7NoycgmSI3QK2wgHACRZgK0V35QJXhdoB2xADVzv7Uc72ln20PKhM -GuVhGXmdoSgWz7rg/9w2WAI3z9GuvWhH2OvV29VynFVmt7bWBkWOU6sm7z6eqIz5buix4qp6sLRa -4rgQhQVKoVu1Wnr9Jp1aq+2YuqFVUqFtYHVoqI1K/Z0slVYLFDACmmKr1abAvtnvl/bETNuRipQa -jz6uftucSLuccA4U1RbWsVZHtYn7HAo/dPrFC9NqO6vjPmPtPaqeJv63O9ZOp8dZ5cZaB9z4pXwr -tBvPloaihhprC2Br/bq+2u7jfFM0oQs0FDpba55RUW2ZzTNoZWJi8+ibzA4g9eUlVE6Jv+V+WojW -Fct0qL0gWbs61VgNr23sVmuOSenW70vaSVJAyoCvA5dcV3CmjQTfapfSnlFMaHnhVtulIzVdg0yW -4lJp6IBUmz1vSUm1QQeoqPHLieHPKdVqhEf9ajH6/izTRaqHxivSdFVy2lp9A6EMhV2iPCCItuzq -sTYc5AwgEMyLHSYKYC0nzP1jVwg5C+SwIQm/f9OaDgprYVx+0/xq9fPZ/r7a0XB6d/PI/S0QtXKR -War2k0YcsvKpDVUrUdJU7Y2sY0Kg26lajrr+q5g+1/epKphaAda2VbWNX//ONYPtcj3Sdp3ee7Uz -OGZ9bXm95x57QFISHx7OQQ2HXy2/jUOIJlEuX21nNtilXnB8KV+tRUudsnDaV4vAh710PYdXvqW+ 
-2itZrhJJ5ABXrZByXl3+LrZMXJmMNyXIhFMbqYG7gvOpdGqPEBpKyN26IikCtGrD+9ZqjZkUtZ0c -g7xUx1aVVp+da8f3RETU+dy2aiND0JUxk5aCVftfaEEkLfP81VYJ5OhfrSouYsl0JX61Mktcv+yL -DukcHNhBaD7pq+0T1y1AR7M/AavDXjhsPyBNMX/eo5o5TSzwxH2ipk3CdEpNDadLeO64gv+vK8aa -tHd0LKDTW7xZWTNmrQmyC3EXrmVzzV7u/aFHm9dUszUxcm6l72sejqSIyF+zcU5TFK859uIW6GvC -6Tcd7L6mSdSs1cZ19tdETGjOa1Z6IuMdEp8YCaPXPHRk0WGR1+zKLQRWrymVODSv11TbylUGbGqm -lZitVrEZbWspPjZpB9VqXVuhILRcbDLqUYzP3hCbJW0uQXpiQi4YSnQqNVVDXpIGhZ6a5ftid7Pu -jNONskUsIpefuGCF1Xrb/swE5/m2wVtmZiXKhZwviNJ8u4stMOZbphqTXjdG32rwfFH1LYuqHXsi -05RR33KVxBTSv60A95LO/REoPAU7EOmWkCe5yFx7B8uZgesbE0uVVsZk4AqFsk3x9TbmBm6R1atZ -DVxW25zZNT5UfAOXk0dADFzisGAmFUJxZuBKeLsdTgN3qADJxwK3cXvzYoHr0mfMfmtKEmlDwgvc -veHndHu6wFU0X6uxwAUKHnMqJ3B7QVpQP4FrShktFARu4JUAKPdbijKrPTRiApdJnNHG/bb2FM7y -t9/GXBbfTTD7AWOa5cYasF/tFQT1ARBdxKETfF0JVWBuIy/D4arASxj1vV7JX94Lh5pqb5YmHLIJ -c1Aq4azYjWOGt2OXBr0VQTic3sisc/AMCIelBJwQvbf+w+FYgb6Jn9+tVTdctHwCUShJNwyW143d -DQ+oqnNDLViwbNgeKMkSyolnQ5c6M3VVUpQNdWPTBSwbgjrO4t3QIx2rj7vh863HZ0MjPtz04w37 -qhuqPv9w+I6EFMscjmgOQ1QLeskcNkBuh/vNHCKG0B4sc6hQXhIMc5iDArQ3aGE+c6jNgFgHmcOs -hpaxp6QXZA5bB6SZModlnR0qEXI1OWWHVdChMsla/4DB+fPhjIAk91o55o5RcLBDBRo/LAvLYWsP -0cFonnFoJ7jwuN2D3NRMX9FXbP446P9RUgsl8or8934fa6BWy6WwsuS3FguF6lhHKBtskPSGSuJ4 -PL1ATZPc2jmMBYYXlU7zeMq0R6mVAU9oNmEzwE0XwC9iO8ZqOaQhG57laX6P/VaujcaArzn8CyuI -FKK6UImlKmVheQJ2IJvUYRoYmgzSpxMAFD3f968ABRfQdxrUUZIQ2qdwqkGJXwHLhQI2O0ZY6r4W -XLAtAa1zmdqWkBCVFDKpbkQokGg7vnwgeZ4BKC634PhGiRDSg7twI/baLgOKhI9AqW7bKiKlHvGp -whTeCLEsXF/0iEq6Trv71M4s0x/LAyqIYF3MtkdyeugkOxkNscIe8DxHXue3m/kccM4UsPZuUi94 -07io1PNcfCrr4toN+mOCQt8Yb9EnjnJCxTzjDqJcaVZ2HZd/I6KWcpvJTiIA5OsU1ylvjgOap6P3 -idMnxiEpMTHHW2ab8iSyYg3f5cYuyUKlbLZ+T7hlPG3hLP+Qxx9MnYrF3UlK1Ld17z2Q3Hvx5EmN -jfYvqVE/TO5svS+L9KRngn2ycG0pQ2qDzC3d1vnLZkgo0a4+ZYDkXXOg3SCcUMZkoifwe8V9baLr -ihNfz7/NGzFM7nS1TKF/LvzziCMsVEQcGc5oTRl72ZoslyJRwhwPKm6X1eSz6fVwKlue95dxQcAK -gEuyrrTrhNR+DqfFHgf+hY3id9A6gBc9cuGvhh3YJrzdSsBuh1cvARMV8E0z5H7ZCuTdeSVgA+iB 
-ksOJ33HrKJhFYr1YXHoPI0j+ww1akdZ5SAuSsKCFL9x8IBSsd320auRWMGzMhFSrvAyTCa15RuLP -kAkcYloYE8Uyw8cBGznreQjbrk31q7i/KH4rJMlC0kg12N/enSYc4xq+8fTMjl+AWiPJRZ6GuB0A -OECV+MJ5KVE8pfe2BKOzOhTlScikm2HpIJbmqFu96xpvafvLdyVcZhCEJkraVpmRzj1w+66cQb0J -FtRVMjGIWxTk/3PdM0T+4upOPtOj43Oo+IKnhFLQFFeBeMoiI/3FffQUpQfftjrh2GAAxrBuDCIu -q68eZHME8AEkeb5dK3SGHrqsmY+A6pb03yu1oKmftOhR7cLDzB8mu5GQXtqg6b/vg3vVn1u97/VW -18cCK90whqZruRdXIR7NaQ8TJMdj1G5KtkCfUEV8tTN2w3Vh6smJ3yQT5lHN8jIKpVb/B0FDeqx6 -WFbEPTwnNtyLxdi+xeIkv7XkzFXTMWL3kdnFv+GHC42OhfYIHzhe8UhLX/3DShXhW1wbAdqcKmpe -n4V1X5csSv6C39Xxf5G2SzAL9P1Ok70JlhnJj4fOVwam7MtnUST/Ifrm5JvEZPNskdGxAlEaAF+7 -9UQIzg9/f7DXGKBRSe5pqP5Wy8Z3ao1GaI/sz0742D/Kkc/yV6mGRuat/GAFPLXTmI7Kn/b9WZsB -vZHE4oODdMMHL6YqZ2Dt81rtZgq0wnJIT3j3q7Al9MiHXkzlmPNn0k0yg/1siBYfNXkAsGYIfXKw -VvvTA2k+/yMmBtQDrih0bX7/V+hwWv8BvW3XAzXKRepIrMgX+5D2tKy3TXBX9BguZzedQeIvhcUM -Z+zAil1eQSMBD1SP1LAqd5ryCr+0JkB1BdoSIaNMQKDWfbAFo/9HBswU1yo+vKWXXSxneLjyJFEv -FaG6cgXqzWpULpMGKfKFu7DcvXozBLyTEOtxiHZRtfH+9LB3FQFwYAjusq88Tb3qvsetIyHcwLCT -nStBiq9jlafqKO6YrfIkz7fL80Vj2ds2kS76U8iP1go0UA7Azp/xSNPsFe8r0wnN9A== - - - fzW8RMAWbP7vwgoL8PsNMqBHa6keJD8YlsVSVjz7IvPIxTRBjfQUiMho4RJElKYlnGVZOWAbSzCh -MYVrCQdX8fm4Vdu+SjBNdNQ4wKnWLipo8DH9cuAxOCoPKCnUgQBwzwsB3d/7Ql65R070buenSNPN -Lr/5+/xSkG0dRYUpz1TcXATx+YkfcU9yvJ2Q35I2GqlG9VYLa916yDUTn5nezbCrGwv0On8W7HBC -KYtNdUajwYvVnZskC1YjsvUZ6EjmaulV2xiXOBlQvotoO/lteg/YFsBeer/mKm39B3zilI9gfomL -0jWfpcaeEOap8TRa9szEX3E0lhAbUXEkecMNs7mxRSd8hIksFbQJhbMRuI1AvPanZ32/si9NkNdy -7t0hHRuaB05wnHx31djkiJ0jogUydAMnw6lyqomwNwwXrVwd8Xb7WHRiG8yQisTX7hNKzqi5Q1M0 -RdsgSVDWTJ+KzkFZ9hHqfca+6x5SKAy0cijA1yNqBEyXLRMm8mzNKQtalCV+KJ/tKiqStAdWJwmh -DlQIzkFgpP5lGOIHysEnApHT7EBAoUm1Z7jelqIPoX9Jeje9UUcQpQL/eK0VQdc+FRwyUe+EemFh -5z7fZfz2FOOad8CD1XM+MzrNLGaJOH/I97TSkqu1gCI4VreYJvijGSfGitekRS+4H3mZWhqWyMCt -3JKAbzGltHeJfQIruLqTSUL75NbZXUVS3hdPVOQ1AjSvLi0Ia5/06QNlSV23I+UD0os3TovDODRC -LyYRYRhiKGRlgUGQ907RLQ1ea+KiirhlEbWFENkeMPbfSTb0/jsXX0gN4Ch8AuJF+yMILe2XcTFI 
-4SuKR4AhoYZVoF97JLcAKdQHcP1sy4aBifMrZ61TtPfTJVisM1+xOr/47s2iQOb6uBZu9Zzpg0qU -fDDCRzN4NJnNNrd3q2STPTSIoVUd82WOIe3nSQT8vNV3vN0ANAuLYcLJdrtFOhYrqFV/uH4wyACM -IseYpzlTdb2M6vvzW+9SeEOsI3mT1G8D5IzKH7DtAWWGqqlGRKc6NfWyuZueuWusbCHPLlvWUNbf -7dTU6N3KXSZnXkscwZo01cfY/W0wXt7PvLhEfroQiHpqaafuaa0aCZMb84sHMjkvAwLrtoE0tQPn -k3A18jt5kUMQUJIVqlviXDJ4XNCMYJpxy01Ikm/lAFNqefG1HMJua2bSrRjA/CXkdDUKMWivxrcU -4Ndiwc//qqv5JRwWdqxpU4dJui35FgGfPvdhbcaEGRxTsOaQJtqwK0YRBbrMadPoPigOJufEu3pU -H27Ods69oXLW+Rc2JUTcmIT6MfnXRS4zI+uksfOC+KxiCxZgjVxp3KYmKKvCmXQ/JMkm5EVy5JOh -Dr+SC1gZLPyLylgwLtL4IIklr8l0dwCVoWAdFqzvV1yJA5e1FjgbGJjs2pNB+hr+Wa1J58o9wttr -jX/v2eydduauBbo+mVDu6+lOwP9cW5FX89W02QSyCA3Sv8nMkRFL2sHMDivFzAD4uexXJEHWk5jG -ynyiW8vYGMoFXjCov9NUalo9ObKcwqnk6GPFOzqwa4NU1wDuzafDYDvXmpsLK6oGsRkJDil6JPC7 -kQUi1zc5U3Ss/wObqr9UyWbpnHZCzLwvg0XoOJV0vZ9Rva1vmDY/j+L84aZlhiEF4AvpZvulIFHI -Mz3rDjlFY+FG8Y2KE/kSC7CkRtYgsniDC/ynMjIvqxKU+B3qOMvFAnwHVDRYNIrcWcKDMGlOu2xC -JJYy/QGjEGQSbVJVO5UIBj7yQ73GlF/UgFoTUklUGVw34RZVvryeOsVVJf+8CsxPfk+UU0j3ejr4 -GU+8OREu9fkt4ddOv09Q89MpF52FdQep9/CIMCn8PzO/mR5Aza/Mb0pVpkND0NWGIqN6CQl9fRAe -qnlv9PQazJFJ9L3o6J2LEZsnQPpy6oUdBe3WV8wRFw/YLwIcFMjPsnV/4ZPSy0BGXYmcsMreXgOh -mEglGeZbjdxsC+IHKNaOkUxCXHJ8SlIT7PV2ZmN18N2qdwdmEOQ2Bo0Zo288uSBulFCYcuDGu9v3 -AvFBDpRkhFwPxxI71hvOScKIId8mzynZC6GJQMxLZPFXW5jyH0tAKiFUTi7JaCGSR/oKgqxo2Ycy -6xhFoDFU2XgBfS2GpDXG3faUTqzm1Vnaglhas2FkqDDTXh/T94D5Sv3Fi2DBStWCCXDXTtWF+T76 -ev5Q2Kk+lvc3jzcCMfQHKcMvG3y9f4OdqjZWXs7Iuj4tl+Z3D5oKQIYCWjAJj5BTEuaYe4ZKixLR -bGwueAYm67+LV4lLXdkE0uagFykh089EIocOEI9kwyXu2AzIXWrfdndnMxsdZ90Sv6w0gc8kKewH -EwT06QjXrVitFfOq3BaIqpNbOfjRhrkowDaIGgc1lOskUGXZAkIz4sLldHYyvDfnQOCQADfc4HCZ -YkPjcBfMNpumUfFgDn3Aw+A5V7rXH3c6Vu1fxjvuT5StugfaSGfJ08KFRLENb8n01H9Y/c7OGxMm -+4AEJDro9EdhSrMrQqoDdZQ2PplIrekacB2F7B4WtC5F1PnfzGX2bgpKBYvPARr2B2o1gmgrBlOz -W/DYEhcEftUQS4SG69tLeAmVoVlRhiifeJTtRhIHGp1OrVcdkKRC/MOPGXMxtaDQ5PIW3aG9iM3T -zoNhyLw41hCQ0g9otYGuF5nkvkPeis+Yi4I5WvRN97uiaDO5rjgsdX+vvmOTYlPeI9QlFg2gXDHZ 
-apPYOezrplz9NOF+sE4CFO/ao5iZMBA9h+Xvxm0NAFGCIzZ9VV4USB+THtKrkK0JTUjrKCIv43sA -A4RmCg3MPTYlhQx0Jq4b2uNRwki1teq1eZnvFlJ0SlywsUThb2gAgQ79lQSbV2LonikbQSEX65v1 -rSPPLOKHud4Si7wmTVeFPSWOmDIZ1aH8QCEZw1e7hxUvKjeXleuJjQ2TDPm2n2ek4W0VJjoKwo3B -8vahSUHyDz/VRm/5P8BhAPTn8Pl1KlwJlm6BGT6sEz7ypHnql4mw3B4YIxXO/GcnGNDcikicCpnm -cQlKxQwIRoVoFryuyiu7weuQUwa1y2FEiY2D8P/4/0lC1+e+RaPx6cdf3ZPAzBgZxKWuzVRpPo43 -ao+XenyDXCY9RRHbyHd6MbBbU3Kjbe9ljIGU+tibRs6a3bk76P1XQiRoj7MKGauH3Mx3elybAJBL -7T+aSAo9cpvOuGhDR1Vu8uDw170ZLceYNy2oKjquGVL+E6yEjneViYCasK7/DmpT3ee3U45S4peJ -ptA2awLlwFbGvao9SE5BJOpWc1EVM/07v6KHe5xYRbP+wc/T5jCLm8Pt7TJlbjgEdmt1XxqEa6Rm -rIZgVN/UvaqxpdcVN7x309J4bsa5NwcfAgVJKGdtxG0jAjmsxU03CsdgsCm4dNI5JDQ/YB5wk4Z5 -JX303klWIE080viJYXs54OrsK26G+md0YEUAIQgBzfJD9NnOWP7BmfFHefCiXb2Mx7aVul5blHIK -B0a97GqBrdtRNPAfmac40X0OdECitPpRKbvLSgBTaUupICcu/MmuNe5s7GR7OWR4Mm5V0hn/OyPm -3uL4R29RSQPef1zZ/+u/wn+CoD6oVHHpgQIOrNjZSkPMr0E8kvRNhB5U1lynKxXv14TW+6O0syrb -bhiIZYXGPHrQbIs42sBcrOxHqPuKvHeT2EmcejW3JcIavBa3MRPmNBhQ25pX8jdkUK95EHf4tIk2 -pu3fB7ZBwYpN/EaWOf8AvstKifvVXSh6UC0eCZSYMoHnPkjaiGC9rnVroCDdnfxj3JAjXT13is6V -LDlT7jwAJWgwoO3D8tYuIUsz6rnRWW01cdA8xoRO6OpD2tZGF97hQfDRWzx2IBJd5FCujsV/tP4j -F/4NqMqL2SDf+zntlxOP053Dzh0dwt62JQowLKDB9bZdO8DM0ZWrXhq1ZcyJmOwrqMO3U//odxb4 -YYLoy+KjpPgquKzqFi0uzNUdLjO1vtqgC2zPz9Uy1fL0sTGVb+gx7LM+oStpqCyL+8FdHPTDVKMH -3IXlrbmL9hlKt2lMb9Nz2y4Ml0dKBTH2W5uaUZu2ey9Rzh2hjDU6ryOB3OS8xE0EuWyuUF6mRiL4 -/2G8HO/qN0uS9zOlz0Iz3ip4+9C8y6PlYKDFf2T65CXjDOe0IcHExUL1HAiLrwRmRVm7XJ56CwtB -WLKbglA0fF8fiBrKgrh54vgZ67aC7Jhf16RMxEAOYTH4X1bOivI9Qr5f48+Qud1QGZXf0C311tp8 -VvNcNhlEK95lHdWdBLzhlmr7DkQxKaP13PgCIRC7a3HP77vxFXs9dydG/ixIlnlbc6+7Ig/5juxi -8jXeof2j4dApZ0pvkrsCjV6vdUqobka3b/25RlYXMnbPgm0XmrEunHrnnrgulFcTmva3UhfEVsjS -Oe95Fr9Kn++lrQwJ6qJvng9A9XR+2OG95UssnetuDM8BK1eW5Yq2+vbeVttHa6T323TOpq6iH9/T -3Z7YEYG/2eS2M4GK3rqVzKvaRU4f7Dpu7zw6NSTSTXRX7IcNnqAmv4UKxBPu3jbHeG0d9h/f2yHH -Ns+fR5ESfDhz5Pd5ed6V6H5TWHK9JK2T36gqHi9FcPluWVH7Dp+B4rO+DZLshGCLF6NyLge0PIxo 
-YUA3Or/7UX6vPi877dnWF8L+1ZXcsDSfwH6F7CgIfBiWekHF26t8xshI4FfIfCKF/1XlZWr+GVjt -26iSnwZ3Xz96JnCM4zCwgpvEm9wSPMj0+UKVqeqp3F5+lYhVYnNzuzyHgSg9XTU84Mga/n+gOevE -HFvnLkxwSDTYImHXUPo65//fq1XhgxgA9WI4xLkQLLjrb5Xg5Wes0iduAguguCVCxPpXFctnJ0cY -Rn/EXNi3cBy+SeP/jHTTfn4AbGBv+dhxu6GfyyIBfEBkwlimOGdKubTqbKwtpOxed+H3gvR/Um6z -yV66D5vc9JfBEJlGpxVXm1PGTNggSBB0+TnzsZah42UigV6UbikowzccmPkNP0NR3pPEhe2LmfM1 -cRCQsVqYijZAA/UfRTXdFaMC8hZTBSgFSUeBODJHwPpN1kY8EZUYdg8gZPXVCQhQ7FWxoYNqrqSP -Sj0Q5VcBrUt9mFYotyxdPTLZlWrife0v9ZxVlAQkQu5QFJaBlqN7Y0uJ8vasFtZ0sTo65CrA25Bb -j/aBqN0suJyCMAow1e+o+quqZyiQ5siq08CZYFPtzFmdqbhfG4gBmjhMSiCJQF4A7ftSoT8X4ABD -5WWIxSSs2owVPhiq7jX77igZwRHhqzmq6EEm9UKdxTGirVKKeir4EEAEjpv408hEzmfXQ5/V99ht -OZTCY+WuqUBPl3zck+4GwTNIzjzHVkfYe9XT1K0X3ktS9mQC38TnGfX5ExxM0DG6WnS85ROQ2AkJ -0/F+5ESzEOqGEJVjfIlI7/KXTc3sSopbWUGVZOW55LYqi/Rxyf4tSTZdjOS+I5tcHQ== - - - lXwLgm0AMU0KThlpUDWmbG0ntMjHgrj48x07S7op3xgxjIP7umfzBLESOGJUysxjAB9Q3ZBcvSoB -PB2MozL3yyfN3O+E8/wH3TK4EGVwkrWJ7udwIi3R3iet6pma0Gq2epZV93ZDTXK1bLfvc5HKf/x/ -naQWdEh4aiWcSVaqagq1WmGpV9g7WxhH9p3Esws6YAyqcga9IEND+Eoka7mPKxA7SjmS0oW0QN9z -HKjAt1CCPuwKW7jlBNeNMKHnzYHVg+cKNkOOyO2NLUqlSAzxniulFz4FVFJ9+ye7UAqV+g3wQ0JO -fNdFZe2EyGYjK5Ayin2eI1yzdfTFJlIjfyh3JvaAbqdy9q3jrVc37ajOO/qca3447Cf6fl2+1KLt -u1Wl/f2Nrt+/mdUhXnpxp+A0QbAE8FhPo0Cf6kxzZqvlD3fJEsWajyjyZf2SAc+/TjDcyJY9sK3s -R9RyccB3mL9WLk3vUrPanz/nTlXnxlW9JXqReEVb1TE09jOj4FdfY1/kLuLlYHbKm45eP8QaKrqt -P4ii3fflAKFqO01roYz8jw4QFrhYPyqebLHHnDXA+KVUv7IxqtZ9TVxZ+RTKdqiFW5DS3slfs5h6 -yFMMQrw3JRp9zxaeA3v06dPjhKVLb/El5yHXvrjOjWD9WT4GFwbsCngAHgB/IOwwwECi1WDouEOW -asfHPoH//uT65kx24bogAyFTXIyGy1WWUuwucDyWOA0onH5VBs07iTwAydoaPF6Ys6A1Cz7flD3z -sHSPl6o049Qz/vJPyK5YoK4+WVkeuH1PEFaihDwWhUbAIMR6wi4QKxZqSEqv/6ch+Hd40xhM9vT9 -D9j7JVoSdOWaVQMU2u8jl4wvkHaHttEE7awI7fHmLTrR9dzxKZcznTzTZ6Zt22ZLJBZTBHUsWfGy -PjrS4g4TidH9OQq9798mD0iCx0Dmru8pXfV9mTYT8pCLFIP/XFw50FChxazDzueFNfcLWO/pGPSf -9zixDHoNUY8Mxw5G0Pveb0BJtNWpSGd25j8kFq/pPScbTKYHfS0kQs1um57S03l4THo7nZ7u6Uea 
-UEjAN/VIgjgQ48VBp0tGOXU2hWe3GY7tVtjQ5HmcKEmyjpk19PKHmTkUVUFS0N323NT2fEZAln06 -do75tlBysnZ3PIXRATXnS785wlpVVK2f5rcgcPNKdZw5zXbYcJ6Uc9Y8ScrcCinxqeObVleajTzH -+AudRo1x1CdgpxMmHpHM90i0JeOV557yUQHTDI3A4Z5pfPKKFkp/CpUcl5ekmeQNzpVCNEMAiCBc -Q50ygKmIkU3EVBjI82/In92ykfeQyF8q2pLnd2AadtgCgrZbLpmwnV+vGoyM7TIohg87q/L6JKIS -7SulqswIpWCxwSos9dJs1yCPBOJTvkJpo6XPAaEoUNTRThq0SxiyVxLoEMJ8SI07asEiBubFRHEt -wbHslYBiB5mos+t6ZD/+ewuQHZjttextb3gn70Yq+nqnPHez8f1vbMhtxnv25KXiGDV665Dz1rzY -nsEyaw4YOoTDdkT+p/gCVQRdMKjRhSunYPc7VpKCpk/ng6XpprB2w8uPcT5Du37M3BsqdUll4Zt1 -z9KO0K7oI6Cl/gteqW523hazd4KeZrN7n27vvQ1/NBICNq9Hwy+bGO1K6A/ArwgRdBSf4uNqqf9j -DU2Wq98yAnMUrWTbTmaBK9aRn2OBMV9OMAtWrehxosu5WQdgW07+aY8KHDTzIIpH1H11x0xIh8u+ -IxnEr9YF97iu9jgr0N0BnbYrqd4106BDeIWGjtc4AT2k63xAPnPWu1poaDkVT6BpRXV2eaeTSSQR -lUjyiCxgXVVSuBhEqgZYAVrqbsKrV5q5RkH/G1JfffRItzs5mEGRDJuHvhbmNtcq1uSNLvQMNdcT -ri61rdQwC4iJ3yHZqjLy2BKQ4ewHWmCPR91kBFrh6z13e5zRtoEbVPeg00vr9sHZzylUuXUqaOr6 -W8wRhJv9lPsXkd7mtG7mRiBnp1OBtg6QAybPTZlXdMe2kRuZyQmh64PjIP2XIAz5R7G98L4TNKK2 -4BK1YZUTYhD5Z9WCWk79hjS7hxwIgO3Ht+76Chbmg0jhDyB0URQ4Rtz9tMHBXXIufoZJHc3YgrBV -xLhASF1uRWAlhOzCKK1NOBVF0YZsEKLgvOYdzRoqbwmqk7lC8MG7UDTmIgnnQUjMwgZJ3RsZ3dP1 -ubeqNvcWYGP3JGWyxAzsKFSWnyjzEoQy2o+yRPcN5HKy6LYzWc7mBhYdA1KI1QItp59QlG8pp4+1 -KJ+OwA0BVCOl2gOoKRvhzSSzlvbk0oVbk4lmbdSTD2AFhXZcikC3A/PoIcF0uYBKDYR4t8DU5SE8 -JLZMPQCLJUx0AzChh4ZRiGjicK3pRwG5EwYBAIIRKhJqIop4anwqGLbESCaY2RmxLoPAkkEwJZdI -KD8OiBhPVHgD1GTEhJ0Fr/81EO3AFACwrDnlZ3PB8tHxoAnQ7BD2niaH4Pi5kmxydRrlVPKnnSAH -flBiHHebY2QMOO4+QFPImprB45amMpByVkWfq1HELcU0XGYy2Gjnykum/5vesWTu5P2bXRbHse8Q -XNdE2hnP1vyXQb2e/fSXiX7uqUpgJtJFYW2GqvUSG1BKv8RT65U2UbJlAF48ohSadI1CwO0q4NVh -7MOPl5GYkwfx6aeAcz7HaGh1ZS4rYBmJ5CIxLgcD4cfKvcac77q6IBytwcTR8CoKrwhK5itMJ5Zc -JLH0nV+LZ+3jabj81J+aKrDjGa/ozufn2QMXf2z9usMilgFe/BSSX3DaWBILBmLcVYRwa8E2TneV -lPspRBnD2gskbDl9oIyHrlC/ceuiDpD1ANZ7JVvQ+JeJnlEg4YG0xZqo0J+N8veu122KjzXirRZW -puB+YWWTz4GCL7PbCEZMQoLECMwnPx/EZ9YRiaL0gCNhjV3oL7hXIAXDwNEKeAmpZ6dL4ArqbjMQ 
-jjndZheRF9TDaJ4a6tx/pvlcLxOePCvxaWVbXWvqnZRR7Nz4Z71ldjINRWev+ej/QJF7zDB2EP1k -Htn4q6GhTI4PJ8ExjjLJpZ7HJRXqW05jrp/B0eUE5QeG424hGv4x5n/sqHHF21YK0r2l5BPOV/hx -r+D14y7A5LVEnhxEKU5xN9Dr3BjaBCt4fzi04BY51er9TDVxttR4FNNG6l+s2QujtcS6CcyqNtBZ -Navh2IWJnZkGRlhpFdLavrLW0kqjWrWuYjReFCe1ffiL1qo8A3lnHQlU7Kqz+PqzWG9/m1MkWnJR -NBerEknMMWc7sFQcJKHkMIormho/INg2CXa5KNjsJlICJGZYhArZC1iD5T/s2wPQYN9oRF4e4L4J -kD4Sob9Pgy/FQ9aJEB/iYQKtKA8iJJlZ1WvoJc3uxwwSZlWp3BAjNgsGSI4BoM261JLcraSzGckm -fl8gYaaREN4ht3LDM8jaiu2N3oOPhXyoBSZLArXm3hhZPjVDzIqv3bJjzGyU412Kublmu5y3Ax45 -SKAwvW9rd6EMsCsTrivD1SWTUcaN0ZJy42aLdUDFLe1WxSbu4o+bDbmtoS5ntmVJhAuEYxnKTWap -3Gus8wE1Q68ycnsYQPImyl9yYwiLK3E/l4SsmApPKVKetx0I6hyo55ZHAnY/4C1ybzrKQOcG8TZL -vNG/x8BavGQJ491/Gm/wgFmyrAyGskbDJelmzACi58FCkzxlZZDpmuFjWT52Fgzcd0GR05ZNeKKz -A1YmsX5A6TIJNRc/S2SqySxqSVARGDQRyxd52wJI6V4SC0qt8AAnksKGSb3Ltlr2F4mTFIdSQp96 -JrRSyKNmw1LOZlQ6GaDnqm2SFToL17Gcedgj+l3t5KO79nzC3Uq3Kg/lKl7f7ORg1aWXOUMGlJSk -FUdJshkfI+tmCzeVK1JxZ9jKx1s7WFcPeE0nXjIxhjE7tK+7pTPa9cKVFhtKz6oeAjWMDbUQgIKy -2lDfZ5qle/lVRA9+a9jn1Pk4AElgWibfug4ycDAYYTuyI2l6FRRTk42kSDbBEgCl35w97IEuofVq -fJis6z+CvaTcIlqj15m69lGLsedvHF1P21vRnNRhYm3+GupvwY8+evbNL9yfPRqRzftGazt+eaXA -v6x/phPx4T0GXx17SLncNBcwr4TaG1A+8YFWCyJtVKjA6WCaWhYZ9x2RKlEi7cDhYlHkMUR0NIBP -DDoniNLAINPy56+LQOqHLHQ8eLEpeeUVww4l5o2MmWH4NjGuhijFC350FhT6i/PvHxBErGxFo+9v -7S5z3U3dODkDhzEQd3/gbr63W+bGHDaeTNRY3Muu2fD5wzKWD2EtvffO+0J5f7nB4uF9991PRf3p -Or1C2n2NANka3Wmoqq/gxP2+gkC3uu5ap4ISjBmr+Hv6+LrZvEuVwSzFVU+oBq5a2QKi0LAs5csw -JTFHsFEEm2+/V8rEhwEFgntmfFDfGwcGxL0lN/URj/1eagU9FLrJL7B1gY1bB/rABfrzVoGehVTi -VSoE4UvFoHooFWU8tnd+glak3XYF6yqp8xMMNyC/jTXgTsWxLJgQaZY95uewcj4efAV0BUGrXrjz -dDQXRf6EpShyi0ANUaLa1bNoTIqy1aHrS9xuk9gTiwH5OMqgHYtxX7LcIUx31vCu0u4ux9iH7hyI -/e5veRcm0SZZfZ5xUDS8yLbyTigBD2IWlvJuUETXMHgcJC0sGpR95jZBb2iD3hyHxYXCxdMbuunR -0DDNmb9bcAucXwSfrNCR3kZ4v4s//sFgxuj24cPyyWqAFMRIPtCtpB/ZvdgpWylZX8QMEXyuXZKI -9tyQFTrsc3UGuMQD9CIgH6N+c841dGdA2ipSHynpNA4AfOtcO9dtaHMY37AhKgi2x79Z+LbuvlpQ 
-OCs2WHN9E6YdCWqZMCBTox2o70T0h0LddFl0WvXXfrEpuab/LUsfVFbZVj1zq4iCktadNaWBpvyZ -qcr4b+qeY8mlHrglxQINBa6tmk3+mUYpQUjU24hrLi31JFr0GirDuaFh+LpeioumtOVx4RaDKjfN -RrRGTwRV/K0ItawKIDiYUQAaJQSyIl8G/u2meLH62EalJ8inOz6qlu9i8AEupFlCnpUfTP0b2p2J -d18nSOrNV6MHHo7/wyRc5ACDXsLDPVyeX26NA2NDA1B9rgJsvoo+c4APIBzXkQl9xgRGlWD4JdAg -SmNeCwxrSKDR0LjWZxxbCCxuxkVzYrBOjEEBpifKPxAJnyhVZ+jlQ8DcBHCSvgYnEI/4hN5AeLyE -dAl3wI9Jb14w4o88KdX6oI22S+Heewrd0rKVkolWh6X5+bYYWDrnM6beBetF/OMBVCulWVRS3pfm -o8rfAB8boKoX1nOGHAdvG2Yp+tKOghYy1ikKByp6GeM8xRi/jrHPLFbZGMerHmrFntVnUjCN6U0N -DApOOERFpfavsDhr7NQ1LFecq16O5GpVIX54xc8qEakNMYW9jJ1WkDpM329cePPsSw== - - - QXsGwJ8i5DRPdp2aTtMYIhd0IQVCs1T+AZvyg1iv5nmiC6xbTyeqzQgELyF86yomTyYce2WeEl2a -NsE05uouKmLgZCP2HntWJBQEQDxqBZW0PU74DSx84HVmRwxguwehq/kecCZ53mFYxJVlAJS5K1ah -wQ3rJoXK2cghdb5+gJ30Lbf053b23jJipPzjwOaUXObrfPufI6onUL0c626HOASadR8vYAn2al3k -JupuWpFmza1/bbaH3i6vOxYcEtCT7qSzj4B0evvdDkZsEAaJhGl8u3oz37QHA0UPcc7tYaWHabh9 -qCjzbwfWZOOLyaOSXSjkNCM7gMQ8LxZixiFHHDt/eU68/lxHWlYw4lFar6V1zEDlOW1E06z/eDUS -xP8i/+MpUJv/A3AbAW4ReRvo6CRkdSAJk2aIZHovZlHOTkO/S4uG+iG5HZ+GYum41vMyRB+HsuEn -OfpWQ1ZLykORJ9qTBM8CRdJri0eCSdc88S7qq9aklZ+YrOyl9yi5zEAJertn8CiKtFY9rhZUcwmO -hYHcc8siRQHR13sgTi5e6RfgkGYo6SYk/cYmZyXmROwYXSeKvBZ5bmklrOiS5U8yHDqbyxQv7NNP -qaD5pI1lon9PnAY3yIJT0QygULYpx/d04d/+25Md59xEgzzcCR20T9ZLKFtRBcI4wwqYQfwKsMgH -EWfFiN2dF42oQh1LPw+wRykFjxaP98ZujblUJCzCIYr0CF081fdgObeotkyH7b8ePpeqkXskHCw3 -M7rtOTYKn92migCnZgkBki5Cx9JFUz+UkqN/zH8mEwPmDWQQ9mbGJKkylEyepiToiEjWEHUJxp9H -bZgf3dRwlDnsrAX1v4TMQv08KVzc5i0WXMlw2WvILTjq8uTWNOD8BbmTZyaGW4Pyer04CnaiChap -KdVofwEpUKobqX5EIfou9C7xtL51kF4QH9wZBfhZGcOTC1ixPwZVY6XWviwILfes6yvonhgdnIfe -b7qRXUFYgJYZum5H6WvsKo8hMcNRLs8UrZiB8p3SWfu4cvGWZ8CRHNgBaHgG7biwnZE6B19E9SBl -K4uXYsaiZbAwS5COMjGNiabFNIUAgQFKsfeCkrELmfT0kg3eDlkBItTYgKhiicX0W2PEQ4iIj1xS -jKFZfGzYkgzUEfhuHvcg/lijazWdOlpVvjPlBY/ag6NfPgbopq0ybcG0geUtrRRqr04LgjEyLd7S -HsSGcQ2P5N5Od3K1J65QbQ7WRq9jlpZRHIxZFxt+1CuOWShkpnaChu9mrJ83Dmz03bgj5epnaSOQ 
-0jY0e0OxAUgxB6ZTkrzDUApKdRNytWdgKAUShX4ZB9b73lPfPKIwG1XacDTZNoGEmxb5QSGK3JLw -yW2GGflvnMh7U34FwaRgoY8tYEFR+Ds/gA698wPdFWidSQWeAt3P3BoJvM8bxQiuhBHkMoLSCKoR -nDPnmQt6BFGxUfWh1Re2wR5408NqZWE/16tp5POXraq4VeL+8OcqSF3lv6toZfRY9VX8u161YUVA -CowaPl8wVt5XUfCFn4AFAMISkxg2I5SqN+X6PkDLyWpSc1vKSZoE/JDb8/EqyLws5tV6C95k6b4B -hTVpQO2ImbLiYxnN+gbgaxjHsaXRBoU5YPyhvdCyc+ZDcXiNeT5h/k7aiyXAphn5daf/Q5iYY9e0 -r/sGMRvd7D6SaeYFSzBiUbjQr5E+OrFNVHkEC7x282fBKzpzdYz0o+X9YQwj4FdAKemZIbBlSoAy -T9D/v24HLStFm4xrEy7gk8+Vm6ahREz1vYdzoQMqo5iowB3tErftybepmmwOSsYsJ458P0H1yR0+ -lbI53HVk6qtFl10ZtUeq0yuQ3V2VdZWsuT70VgPfEj/m/8u12BjWKMkK8dyMMXjIQ/h4yvwRYjFT -/WBiPMCLwXmfMbKapHyThHBS+MRO3T7J8DMzy8M5UTp0mNjcjBYLC57q6lQNIGP80wiEsxIu28Ko -iLhMWVFVCaXSQ0H0HRT5HI3CLpZ2JCz8yakeT7Q3suRtci+eSvEBZYXkKm8pMhlSLAhPfs6nS4oo -9oIok+a/XsX+xjXfPBZyXw3g1xH4oHxvhPqrTDwCJX6DPV2CBipxJRosEyHLyWPshA2crENSdoiY -ohFXCK9QYJXaLDgFcmWhdBSVK+mi3KWk7iQj0CCEpmmc6C9Q/w9cqago+E81zRC2FrvQcAGEg0uK -K0CWGiGusQwEcVYCcjIIAxm29T2UnI58Fe+576CDSLy+iQH88A8RkH5Ajtd7cDH8Rd80f/8HTdXC -a10n6Bh02af7ohxAE6L+2IZg/Z6ckRRXBtWGyILjgKE+X9bPvmG/g1keNZG7Q/ntHtHUDk7ZlgYz -2pHAv+HVERonCdARQ+WItHVABw8EAFHjnU8MntXOuuNzb0jCBR+a3yMjRjrXkiow74p7urNHstij -BjQUOHKEfUAb2bVKHRABbjuPtc9rXAyJ9wPQMGwTpSGd7pHlITdPTJfxQFSw/8HGI5oOPglDpDmH -4UOGaGxdLglASK+INwiBPBCZQ+KID8pF4byKm48wAhKylK33IAYhYT4NFEJSONCY3aewHxiEYYra -S9nxTfZbY9L243HKlrRs9Btmy5u8d5xZxnMQJ6C5TqB4mgUowPshxyAA5hOEGEPxcuARWH6U3o1L -MhztPhEWNNyAZjmdP636+8xX8bxdUAhJtqEapAHF53+LQNJe4JHxOEJwtxbyrhxGBvQtVMOt7J/H -fQmSWiX9FtzHV0oeRLJPy+wS9PChHQ5y+JDxgUI91Mf0rXRSIcNlLacKfHDNqBkaJg5Zd+8vRg/j -9MAQHwL48fZr+rz6G/jHRK3JBQj9ZvL54+2NH7VUoYLsE0beGx+sAGgV2HEFgFvUup0R7EtrAVup -6AVmA1AwtSRg5gSRpylYjZTX/Gkzj21uuHGrmwG8eanZ6tybYOKbgx286ehmnw4RGC9GIxwF1s/4 -uza/h5Yv030Jl2cD7sBYPsJYLh4kCiwS5EZIaI9yfijkT9Cnk6iVix6K0YOBLQAcv0lwAbduyGvg -IMRQyNmgk4t8OBwPi00m5EDk5JH9hSpP8SIQkcSCJDXaJSJdL1skhmmJXfABwNZvHexh9BES8Sg2 -ir+v+KzhoRX7foVlsIdhHm039k5JHFzacc+S2xkJKDjHULpl6i5yur3VYbNvmxFOnQm8pRAhxQJB 
-6jYMBsgzxwtd6qf73TczKQn+AQI4HiQDZGSv4cSnRuemEgZXVIGKXtQhaHhljVkqW468xGquvNKZ -PiW0xmr5Z3KDhnEtCp0uD6djq5YOFqEF0z2vZTHSCpPmVUsLDBqaJ0Vi/BsCsTA7Z6RhPWJBL3vo -butdWLH7QZ3gU+bWClQFX2Qav/0JA6izSbU1+UBNZ9Dk3UykZfKFTMs8i2FTBBZOr7y6YulLFHV4 -Wpa04gVqGerbVFTSlwJADMt0hnfZ5Pe+p4Kjju+ZpqQpARlNVREwmqdExn8ixJS9x5mdNiOM7Tya -2DZmxvgyMnUIyrFlubgYv/cU3DpWN7hCDBcbMacdZh/m+F4mfyRz1cf8xdIWNw4ChRhLBL01auGz -AnBi8PWNmqBcSvsIZ1HZGM0YbsEKmIFpGjHDdhgAulyIZUubLmz5DgWjJK9qrWUSqsjHjYyTtnd8 -N6s9Yjkk9SQrfrQt30NnX/KxP3xoVT6Srw+vvI/XqKhx+rGsAHL/kF6iMEm0e0TN7WaBaha8lFhk -lhmYRbB2J88+gbdPZu6DDHdfV5LaWpSHS/Ho+jwJpbzl20sxihkgO58Qyy4UM60Q7wwC1WGqnb+f -Zxd5sbrAcVlgBm1iRleGq8LofVC8WCMOFKNxLOpVBTFITWVYOcAsoXmH6wAtQ9ne7AIiwPfqrzMq -OzMNfHiA3ocGYMAANBXZ9RfLvn+/+E/S+vhYHHuEFpWO3Y3sU8mv1+aCt6L1DcagZm07e7cgI1YA -tx8iHrh7TDmtfzzs3RUCdx50WBCHNkmINsS9xYuOPxaTY4JCcCe2ECblNny4fOxk5lTTYV/Jq0U1 -qdRdNkr0ikKSJ9EX9ibg0L2t4nE4DrKdpTv0KahZbqlVxFxpzrecGxoJ4xElmIZd45yVAy3OhUmx -AMYPsILgACz1V8LY0hgDOCFnPi8T4n7/FyNapgLPQUSkKj9KMeC/E7USFNiCZPXTeCgI+yhEdf2x -O7dNPp0TUCilb+JlF4X9mw6aFPTbVTFx3rdEfI2EV31zyLe3ALOIIquSbyIS35/9kEeXrw1LJAqm -HuvI2AQVMcJEdwlaAUPpkIgT7+Wm8EJ3jAnQeUoxSocn90mCIS7uJMjZQuHZy+NVgCbWhaY8dPlY -Kb+vh8j8kpaW3lho1iP5MPmu9mFU0OFhO/ZjIvgPSHUFnHq+y1EF8H50oXbzw1HHlMARkA69Bj9t -LcEM81OGOvZkiCMSkEhmjXUHsJABDJn/qyMke6AwIyh6AiU5QHH9yZkNSH0S1/HBiYNwP3ew1GJT -RCJyUOyRimoXx8Bq6dWnbWd+LS2Sk5BeHlIwke4XwsKR9XE+mKuSNH5OgG6SxXjNqwyN/u0v5raY -l0atubsftdjgcZ0MszsiwP6VC4DBZV84sFplKakJgTZ/WfFmA1UUE4lNHUr9wRwIlHmv0G/eU0Wu -5q91RxYsk7mLFaUIgVzk4uVJkDxCOKj/CCYqoER26i6Olei7zDCRcGjAB9j6g8QWESTAoN8Bpx0o -HgRiGyRZtVYeBIK52dCuiVUvQO007eNnyoDsGYgZOIM2rwdZXrA98EUflv9hlJtJr2hGV3wbYhAQ -yxW2oreC5Q0v+O1ChOwyzrpoRF2kpQt26SA6F8VctL0cqWYOI83xmn3PlXVScj8nZKoU7LvCHxzT -SSbOx7EAQBoOfHCfDBL16RGBXwx8tzosYsFnz50j+PvWp+jACu7Vm1ibB7ciXMRab9M6NRQYnphf -5hIs2XSdPyrnbe8mJD/lQQaaasaMGlmdeMiHfx4rwm8fIPwowTeuCvv7ZLYz5vdjOn48+gHGhS2/ -EhxYmL6K0YNvElB/GD8vmAeByh89SfrwFn2+h0f5iahLN0l4NiaMyKaJG50cVO+BxYRUcPI7IFwF 
-Uyalvn2w88ycCCg4oCK/vA/+TdxEMdTjdT5GJGaTvuXcUbTbrKyOW851gstoulwEeBn70wPgXAtn -UOOMQcgZtJxRirdGPzn85IcFMOqeEGWpgT+Ifim1nYI4+KSCX7LVtAJwXgEOsaBm3FLk1ii3UHNL -fW41WenRnZnuk9Ut6WJjyj7F2WXYC3in1OsqFW+l+LAUTEv9uJaa0e8kbsuUhi8DBON4XzHSS2ym -7K1PvGjdvo2UfluCUn4FFc6vSFz6XcovaayH45db+L3+VNM1xaR9ID9BVKSFsnxFprOocOkpmMKW -QoFlTKIcIy8J4RNePMGUTthXhJBOOVGEWZUJsc9Iy+f6C65I3zU65zr8pTgnWZvvUQ== - - - tN4aDsexHYWPXiJosJV0Ldmmg15pLiw8aiHiWCilHqrNiISXKb9WdeC6cJiiGCZbCVz69nSh3NWF -TrWHY1RWxYQqA1JhOBH4mGw3lCb1bLEpZ4B5PNINVCkDmU9rKMx2mukUFPuwlfrA5OjDSgYS16Sd -c9+Mairnt5RYhxRuYBp90OrlvFUYdjupyPRgBuMOKWY9ArPbPBDw1Zv0Phb+oni5u96WTFlBASt3 -7eqY3fNqdlfOmCLORj2RyepcKVCIwv7Eq4Uc8IwT/vGGLmmqvcP87wyBX91GoDAZy3Ln1uUdah0w -ldpmpwc3MNV0CVHDtpdt90fE0nTYcchtPRvEMEXnQIJWawCoIFr9giVQG1xDDjiBzH6Okx59PfYl -uHo1PK+piJJzYNdEZvAWV30KAjO9GFvLwoIErRPrZ8g+0lj1YdUYi/TqEgjMWxU6p4AiOsQVGb8D -fAi2PnfOwKYsqqkE6cknego+T//O0715MjNP7S9PJfJUejyJ78aTQ3jya5IIk9SVJQkkSdCQJLaR -hEUS+8xrBpUUQjretXsg/++e4+pazecngsyU2oDpFjZt2SX0cGpNf0NDkIF5wcfiMRAyWBGDdMQW -JVVxPI4Ax8ul2rdaneIMd08wLqN5Hb9shmT1UTDIQyL3mUbCwjBVHsTERIopYkxOg6O8OFJEjvzM -kXzoaJeo3jVOniagooMUJdDkovBXBCoiCBJVENxmRg+wtIPLkjVswBk1UC0DdRhI8QWqVGAKKtb3 -BAfX5QjCFwEWBDBUNwCJmCsfy1EviHqNQRn7jWm7eR5VMJRuKLl/QRx45A3XXJi1Zg+P6vEbuEk9 -2O8DWuY0CIpiaCsOIUBIJZBWHJvRHxcntZxVIPwdH0a1vHi/J6o64PpmrBlIgIvzGHgDTi5A6gzI -8L0PGeecCDVVObzQdSQ0Sdx3qBcypdGYSQ4N0eDthWSGE44iGVJxjFZcNlZenVgYc/QYg6w1pzju -hLInWAXEhYcM345C6jFTA0cinlNAyu3PfRJiBRsSFyjRi1pWs1RPvBK8jbV5BbiY5SYwrUFzPtLD -68z4CbI+Xf8jKM6K4FVY7oigMGC4MXSoFTIFeSOZzndHwcIr8bMQPCzNdv3NeD/0nIJyWV03WE5o -YrKs1ucKshWHmaaTe1Ja0cxmDAfxk455z53EtwBJvmMalvJKZIRbj2xcTkcFb8pm7wBXSDu4Mqi5 -YEUJFp2nUX2PasZa0z6j8EPhjruCpUyCty3LSUQ4MtqOAeTMHy5duNEP2Z9O2gha1/oycB8nxNi5 -kLHMMrkuADZRmOiD/6xfoKSmVMYbV507kk0jNuN9J+N6vYlhCugT/6gSWUcjQSqe0no4La7XRSYn -F2Hy7bf0LN8ul0ZliVm5tBSjNARmTsnyHBgN/8VfZR9thfYA1Nqj2BgDXfr/vQ7oZIKpNIs6hHAx -CVNVYi6+N3KDnOSoiTOZr5obhG5v41LkkCB4TpCdfRP9paN7wxIzviDyBhl7EJt9Gsns/DfgvZJt 
-K0zfSViHHFVA8d5zV0aJWWXksctzz1BohD4ruQXp2SYZB7OL94CyClt75NR9z8qdedSEoOCNk3de -zDOY2bXGhBGwI8LH1/yqiQxEK3fitREBAoiz76yKNyVzROYY4vQKZMfjxiYC9YSth2ISsd2GoWVl -B15JHIwSKar4WDspVtJDLivhHWuVkoY7TMMyWdYFcf/lTIFL2jByWG798wrRj5BqzAQmYzGylqPW -8bopAYyu9uRckTqGL3V44yRIfBXFH58owH2KjKsv02sPGLs9V+xaSbOQaF/GQhBgbJVQlHO15eET -YE1Ku+UczJShso01mPQoC4Xz029M3dWVgpHOKjO81ixEcJUl//KQMSSZojeqkpXeGlKxkarD9Hij -5XfrnwV6hI1YajZdISI7Uy6yYqp0V0D1UpVd2tgi1nGGiRmYhyX+nQIsueCqPfm/f/EBTJa0lpAa -eT7OZbtA8MB+KyvK+oX2aZ2KeccKUf1Wa+nKoRTPFCOfGV8ZpO4ACKtd8teVcrBo6nILQSO0oMGO -mjIIRdw+YzHlqF/rKXEbv7NvUhdiRGyZEC09RwBurCsVekmjRS9OQqHXrIXeydOXXnRkBA6ehHMI -IRB3QeFGa9P7HaFtVLzsC67UpSlJmVKSSiQinQIAKgDAA0cIOgjWCA5BQ2+zF82j1RGiTGrCaTjs -Yt+cr/ESpsbz17RC0cgnPBb+Fi7u8cjnaVWlxv5QyNe1hoZK0sb5IaJW3Io5Yqq19I8kijW5cGKZ -HXhaHlJWm1RIyfqV8m1WtSpx1QzxM47E+KuOK+YyFxrrpTjHJEM3daQaR8jYdgSR0YpXKKyRNhNj -Gy4SbkXjOKQkTvBnhg2JHdR0P2g2Ximug15yGkdF0Q42F5oDcgXFfKsZTZL5sBJCJvNtooyoyHjB -GNPMYipiTlnOWIm85oTxGGkalLGoI/Mr5pMdvK2IEvWP+XjlmYpVzT+5UEWYGGXyl8RpOiFO5dWM -12xGVL/2neZVgaY6NFkn3H8pODg35QkTl0R1HBXIM/1GQtUtVF4He0xcRvVQUUXBwbnOEOXkmlpI -xUT4/3xERIIzY0ZML1MxorZ+RqrIPChJOEVVUfwVe2UPqzmo/WzHubBqDqi6qvLM+YSDVGZsVjPP -q1JhnoOhZVpufErCVTXzoKZscjlEWkOeg9JLcY6nonKFxMwQuZhMnbpGZU4xFUJoI0ken4OJhijO -wdgkUqpsF/Wx+bBmB4VfQhUmXxjzlrBCNeGqlJjsmRJehhdU4xHaVEU15RnapfAcsOGiTeXez0GR -XlvKF1+lWirIHKOgqPZ/jTC0d+DaTITS5fOF35DoDo4dUkES0Wemimi/V13w/fdUEXGTDX3EiY0w -r6JPnG6ccaqw/FNVEm4sPntq1fhU7anGVw6JScR3Lhj4kN/00nbP0IIAAOAD+9AOnXDFuBu7hZAt -NjV0IBWmuEjByCgnkTCezrjCInwgJpqHVxLqJbQ9iJODCZFczvCLJMSKJN8cnlKNRBmpSuYVUrnJ -kLKm06SBQcqFhnhvKrPO9GE6zV9JJYoecpqQHmRFGRNyBxx5xWt02orkIlZCPlMKnSlIxguLkNpX -EnKhKjlGSAInpCAnEt3BWhKijSLkY5+jUh+6iWO0GirLVnGh8Urc+LjTOItyx1jkpUY4R/NSVjVi -kqBIpUYSti4v2YSaO4JGVEQyLMt+JUyNQhqKUEiRbmqsVuFVxhJrsOaomkPvcI+oC/E+8XkVL0/Q -G6rPYnWnRtPi5JU7Y7ydKopESaBXHXwjCpFNbhly/CCvOvDnPpB8ZJ9O0cFH+AqZikMWTEQhinem -YiYhXnUw3MLkTw2FzKe1GamGUQ05oB+O8UQzoT1NIipkHWkznNA85PUbphMxN3txhLj6JsNJhXJV 
-wSqGbw3fhOQU1PdiWahslwlZY0ges1NOG0lMSc1oMSeZCZVVQhaTucjkETEkI2mSz0gdKd5m6Qgn -0p1UrnrfCNxGkUfnTYWsKwWNa+3xqVVwJ6SbaDlukQlCE6G74kUbxefV1aJ4/Qin0WmKr1Kj1dW4 -uK69pNV4iCOsqkYRZlp3SRsa9D3BCEqcvtBP6hMp3xGMeEwe+E1kYg1yoYnTSEM9iZc3mfDoUWIW -nyeriVe/vdFX4nsuphiiJeyCGlk6p0+YT3mm8XK5FQ4v/y+32GnYCz5MXcDWw8sJI9K8SOyYWjBx -fgnjtHXCLsTbMB6vCK+AEao2gTWywozPxTTEBzppHFW55gWaJA9bihyDENmSRqJNZYUSL6XLLEoQ -U8hRL3tKAhVrVRkiVh2mlPO3/ZFqZuamIS1CtrA2YxpWlsNtpIM8gdqxZeNAYmnX7EDliFRRGpvE -KeLOEpv4CCZWIpwY9oohdvnFCLGleGBTTcIQuaHtkrZ0FlyWuGUIYpjlQQVJySeHpEY4OdoQOZg8 -mKmsaFk7Stmc7CJnWnbJeQWPwYl7MwPH0zgNJFesKltGse+OtoP6IOTp8XaNr2+5bbknOPEgX0IO -hTdHDReSybeHUzWTm8wNhSEV5Hu1gcHw6A5hfNp7QilycPCA/sqnYqJc+viuecME6y6WabXcROfY -QpUwoQilvierIEGbjdhp8R1ehAUPOqQ9xLBGu1ZWKaRdJzG09EiQXSUTpJQg0dzdHTikZVIJFXY1 -wcFiq3bHsPKwkfqWTVLuirhjRkLHx2uaUDLie8FAwYPerVIYoal2kCHrFPRHsnC3NHHTavEn6FXR -lB8i6DuKI1T0LcGIfZ6RmY5EfB6R/N5X6sQ3p1BPIr7bEhPlbf4vXkvYZ1Bt4nQK01pDwaiKOxZD -infGEDUv2lpVfDKK02LBtA8/jpckwmgVEeEEdrQGTci3TWgXQVEjp9w7n6jw0NOWAl8ljNguY09O -vGvsbT2w5vMqf0z3VN7ZLGb5L7dIBZIVyedm+EymE2+KtVmo3cT4fq4VlWd2ODfN4Z+LkF4Ncv6Z -j8shmxO9QT4URKc5+drUWObFilCuKYxj775ANfP6NV9RhJqxVeerH/ZpcT5DDvWZn4pz13ChPsTp -PEQeem/OqAkSOyiR4sxZd6BYxWYqNrMM558FjTKP/iFk01PEobGQBsco8xI7hGy+PGQLJSuWKcis -Yh6ZNya9v2rI5fQVWVby4OqgvGItVynvJ8EbaRFzrlM2qiCSzyEhNkWhZuxLJbPLSRFhXMX3L5Am -UhYR6Q4mFDRyMR/KuZxcWg3DtS/qhOIOTOMHdZRTmHYKucwa1lF6iVI3KfFsaNrkFHsYrhjyyhfY -xcVkGNq6TmeVl5bQrV4sCpbRPtycDAmLcST4E6xy/hEhBidGX33mUvHAWCvEjDOSc8PWkyDcREa+ -36G4yktGoZtMmJl8MneUBJHJ/FG8OeRicpiOGM6Ja2YyrtQKt839wzmugmgN2SgedoWoPWSfog3N -56VECNe8r6nnx2keNQu3zBtBoY938yoxTIzm8pmvxGFcJsaEVjjVn4US335BSChElQJkCHVnx4wH -vV3Q5t40ikUkBm3zaWPjE0XVXjMJ52Ix7xL3GEOHKBkVEXHeKpMgxbZMQ4pibItUJktHCg7akc2l -pnNVuOgVLMrBHjNUofM6kMv7EkciJfM6oKiaQj2wlLwg9yk4eEhRhSc6QfEIlUwPSB40FpEMl47H -cVPByziCOKypjyjCxiPyIlMyIX7CS4kEEuKL0hNjYtvYEpTVUlL9lCe2Kp7kC3t/KNRSoWGwFwtr -+hJxjPtfpPig1PngBBlSDbXkdXBqueLMECGOH1rFqEKZPyLDT4ydh02hrBNq0VDCF3NXENYb99ce 
-Y/r4xQkay9VBFgfzK/9BDantP+Rs7Ufn8VKDRB6ndegu9yALlT6iqYqX4hUsUZxWEZr5tIo0IUpW -0yhPuPg9K00ZVfuqO4tYsj57adMQHm8X6lpiUBSdawVrWlvmT7SobWSiLGzHKdbQ5Q== - - - ZDGPSNI5eCMYl/nD691FyrDOqnSDKNyJNCV0Vw76X4S+ygXzqY+i4bxKUuQyglypYJf9NPsZaw3v -81OXqJJAns0M5yOKQJ9LcEBKm4q8WiOlL9hN8sWi8XgliVXlI5lwMTYjdFD8JkyJrNNegdg0PKh9 -hsYmGgUSu6HZQWYMW9csHjlVtlacA5HKy+MH1nDcHi9wwWs9maSzeKo85+qQMKsOy8IQhxwl+WJZ -khlesWJCTRpzbJa2VOPUOH2bBytG0EQ4EpLPU2wJzabfVGwirAeaVS5VCbTdUnLkXG/KqVaiJcxM -PJuY+lTFUFiJVE3ih82GFTqiWBRotsona7l0K+fm016FW4u1kUnx5o5Mxo1Zkei8WtkwGwXP6NvW -2mxf5pLODi6XbWJzTLishGZkT0xlDiGZTGWWeawqf4WMoexgaKQxlM0ptnjIAc0dI9KIc6Gas8ZA -HkrN67A/r/qJRXOSerhLpHPPMNA7/tBK4YaIHVyo5pmrtpewtcYCKzyez50XUYjpruqlP0TqPEtH -NiWXeawOaE7kgtxDdahYP5bNDmi1KPGsZhOX2qyxM4Kdl8RCf8B6/XnNKLhEJqU5i7HptpjKprGD -Fc1q7tiDRGEVsc+YTs+8IPmE+SaUGNXB9+7r2mK/ksWD1D8Z2RSdSjUT3Fr8m9CB7KfuvZj1TYh7 -ubcHZVrRXrQytXQ3U7URUdT3Bc0XMyKhNp9XDYOdae5xP4fgHHzaGrMloikG39HsIUSBaDZ2Di6z -kDHOGdmQfZfxnRB/uBl9RppUs/liUqGSNDaM0YQsTA81GOVgj/gUM46N0qqPhxGogZ/NVTSvZaaY -Gntq6pkixic8FRVWMzPN5zXlGR363MXYOeOYyWa+yoyc3AuZy+q0rKMjhoQxyksz4StxcGVpN/IM -kp55mWJsIiKNxqhFCksblUBbSa0VTkrvCP/Tl8njQmHcLN9QXtulShSKGso3mzNakWsul64fS5CZ -BQEAQAlaz5S8ppwnL06CcK5pVT6SzzyvpBE1t9CDPa4K9TRq7BnRPD7lzqfBsE95fiHPW+OhR15b -KdQTNPPpzD1SgWJ2+dRZlOSUKZLKu1XRX3LOWrd08ypeXtUKlpiUM3IYDVG8qCol8nM0QiGTQ6aN -efwNi9weCSfDccpEIFGQPO5S3LShKfqcpFbhoJaqPm6JUzlFSV0UEuPNyiKN6qPkoKZmVJIvgiQW -ojLTNyjim9Wnpi9zdsCTbm8oKIruKN2IpXTVGEbjjTu0LHF7PckkpMj3qfk5IcqlorwSVDZ9TqNU -T6T4aPcdkkNV+VjxloXoUX9w5V3S+utwlIRZttBYaNG4XaF86CXhQNTTbsniTJSuFt13vlLtKaOG -hlMmRquPmpuUIxyKFOS++rksEMn6aoyopyraq8gmnvxOQSUhwqAXrU5BVv75HbKDb2ZH7ga/3f0n -iEU4nY3eHUNTehOjZaOPvo/y0FI7YkqM+LaSKwdbSmOh4MvPECXmSVZ0zH8TTQJ9JXupCXYawSCp -IiOGvlsNLi71RU9EitiLXi0uNKYg57I+XmoeMd8BuW6myLcEeyFKrIJukgclIu514oo+r3QgD8eP -xS5jMYvdG0qVo1lBu4cVCgoh2hzz8fUXw5wqO+6LsfGAMgrzJW9ozNw0dFA5EpcoGhl5IOxwJcrE -45nDUixqiYgYs0i1tIns4LIs47yEvCVGeWSRmiTNdJExEmzZwUnptNlDfoQ9LTWulyS9PMhubndS 
-fExuGQ/KVHpCanaVXo6Mg+yNEzPfkRxSxJgR6bk6ghVD/fTSeoMbGGUTEUOPitBD3NAKWaR9KNyT -iOnyEfoqHcWMQimkd7IoGRpbFBO5WChYdM5cylR6lMR8NJRhqaZO6B+xWBrsxUKzdwm5PCW7pbwx -zKV1bX1ZuLJ/CanGM6q6DOB5jIs+LBZxEhEo7lFwMN68VRNkrgOhYFiqXJqHxqmLJRre0RRv1P4z -ztiKSJIVF9MC0STq+NBGoqWH08qKG4+Pw9TKQXHXGPOiBtNKhrPD0Dplxkhhx+duiCXkrrGbVjAq -aOQR8s4rKSV3z7DqZvD2S4pSDrzN+unluCRDrzeFn29IJDHyGOVDr457rNVKqEjkMcpQzRpqJGnU -TWOQFjKo9S2UYAzZUQ6ZitIV5a4EhQ+n0uClCxx+vIX7hq0ES6Ohh1okqnF8RtnGS+uoz06s2B8k -XhQsyH7FjFTPTcqjkWpJhZ4xByOJDxeyMKbL0s5pFBCtbL4yNIF2UXBAwRFFBAW2yFy/x4XMXSpz -6uOaepDbu2IYzfm/W+dDwu7DGc8U9/0zr2vnNFK0c6YhOq7Fay/nJVzXIenIPbyGdzg7zT+PB7Mh -k6WSOD3koWw0IrZ9mSr8jqdMTgVVXazDfHBF66oFOcgtUUscRKIjx2WmSnO4/CPoRSJLxFvnUHUq -XXFR5mfCSrqoYp4okXjWcxGPaqNqNeMqKgtF2S6qimEU1VCUR4RSUqYaVaaCE2TR8ETxmG/NSPmB -+GK2yIQDCA+I7YqXkUOQvGZ70GpJbXXKUXkQ24O5qMock8Pr5zOny1SjHDULIyH1FlWg7FIO9lH3 -dI5UqmI+wqQt+fVgFdoWRalahX0oC2+KclJpROMai32it7zOZWvnKo32csmvexvXTQe0Vm3VGRQU -XS3BmZEZizEapz1kPiNDD6YqCXp1LRWRBFVdpqhS+REMkaBWhTiCVe6rEfeMUAiJ4IFD4u8nqynO -f5pKcuYlYqsk5OSMVBexhSZMqkLv50GXqFYeQ1E5KEVCbtbMhqRKeFsoNTfHJDGJ9PJGdkpj1Z8k -alMnVKkSKqeqrXivEamCQkqTt3Bbdsm2iGURoW6Ka2sZskw8eSF7UimyLLxdI70LuWV0SW1VXW4X -q/KZEFLZJNdvYbcsIW7BIU5JjBsjzaUg1UShjkTUhinp+ljUqKLSeiEhS12qPZXqCNWeklt7SlLm -rfCR0tQdUjI1qtMHvV2f1+zVYmWZNfxEZUsdQlLDeJFQyBP+g9YMN3LH5dfkmS6o1cWlOaRWc5Gm -FYNotDiNLKm5TnbMoJqD+B/8U6I7z1iX8OmpCilWZUS70zVou1H1ZRVInDpLWBMiP5AJJ9LIcD54 -LXeYD42BEfXKxpHbX5AwuCOfwTUk9dFMZOQQJWmVReRzRtZY5PG06jOlevifbUT7blfQocbqzvoL -FgZ9BvlBwZJ0mcTtj6Z0yLg/0vnx8f6lg0UfiW+mdxSyyiOka8nJSU2dJhEc8vLBqIan0mF8wIm5 -JsSpu2UYwgdF/HnXEVwHDKKYhakOZGc4SB3MZvjVkS7h2xM5qKBodTvF7jkCueRTOqhQlNwelqN8 -iLhcZU6rfLIIpQOKmsr9EJNFVTRC8k8gHZg8DDqgGMdKkEUTZQdjZg7ljz2qmkB0MNF5O6hiiHlA -rJiwxWuwDypKXKagCWMe1MUQPuBIoguth9Oi+orWXEBbWKqiPhgRVZzDNcgcCHkVOSiK/VMkd/Lh -hFyoNEGcBJED131wUZD/Tedg6jNSl+0VRA65KBrIhhmyigLZmFdR4MgPIgcrTeRkk0OmTQdTIkJy -bA7oaitwBzM7qFfQyOcOXpcgF8uvOxDv7NcDm6ZG1Sl5pU2RverHXUU0OA1tQ9QBbUKo4hQpu0bC 
-owfkg1ckRNF6QDLNqi/yTHGIJM50gkaVEGHtASPISKmmj08omVA9ebSpsQvHJl8aqAcjeZn8d3yS -7CTJAq3cmkSnTNSD+axMvjy8JwqWkssQCnF9iMXgaHDRyhFezadOoCdB9rCGKHvIY6XkrWpyCbmR -JfEIiuuQH7BcopEaKsWQpOxonSqsoomfMBVtRI6Fe0KVTCMR1kYPhIrViCDChYaNH4pCSsoYHpDF -NOTRFYiGxj7I0VA7KHJFkE1pQ+zAxTYcog1DI+TFJXzRUCXkjhKKuHiMRzhbJng2/3GKhVwRLpeQ -2eCWkKc2odjgOeB8QzuY2A3tXIsbckA8oGLHJsp8i7pIgvScqFA0ZbHnICmxi3pQu/saFKH0sUc8 -DzwSZ1PJYXWGV72Z0ai2Iyj1pkSVCZ/xQD4Tcw8txHAcxilVIpjjGcki5q6pd8/UCN0UFhJTMB3U -TaRppjDU0BA9oIzrVVXCoaB5bgnLg3Ex04SOJ0J5MMVQHrQtW2EOaFHjO1g8mHMohMUTJEixUFgU -0UjVS+5JaeoJbE2EqH9g39Q7RC485xQTZPUt45oecDUUcSFa2HcQfuCNTMT7HTw4e8MOWjOukoPf -9LVhB/+FRA3jz00pnCrsYEqCv5QEmQM/wpZ5bwolQxI4jvpWPWGvSAqeFT0H4VXLwbAnwbCKevAw -7BU3B+TikHmSqXxxVgl0CY1oFi4n/KTRPfRyRC38tKJxWeI7Guosfq08p4afE6/8Ypk+GWKZ4lOX -I1YaugwZJ/Ss1tEt5GVpMaJKVWUmp7KvIFNNbKpcB7FjOysasVOuKZ0qs+4aOpFQxRktWTYrHDKx -qnaAAyEXZXSZSYQKlojvBd8Z6lZRnS1edRlXyLoQWtGHZoRYKzpLZi4nk/CXjRRXXP3bVGdFw3cz -oxPDH4gr09Ck3MjHiw6ZhCEfShWt9JJHqKrrDKkwXHx2PyRcdRKGE5FK9dHWPWfKX8srFXNLLXYj -nZIrTLA4i+MLMgSNRKruoJkF+d9MTcVM3LSq0HTiEVSs0KeyoJe0Yc249NGDGkMvryZDztoraowN -Uxz0ochEpNHqXkqN2lMpOJ66E6IhmWo8I1X/pKhfx7/L0IXtQoKCKAJJxTAJFzUVRTKX7wiSI8oy -VDejxsT43oupRLMhDSn3qqQWC+LCc5AxiGqOIcRoTyLOcc+E6Nsdl5WYSnK2f2lKuu9S2JB+iIGK -HHUHve4KvrGKVAyJ24RDmOXYDOpMvutQQk4T9Wqd5YD80AUAAxABCTTQAAZC8AENHqABECAAAQsw -gQYQ2KADHMgAgwVIhUADCWwAAg1EkAALQJCBBRtsAAMHjACDDEKgQQUWfCCDA4zAAxpUYEE7sIEG -MqiABRh4IAMJcE4SCfUxgQYiUIAGG5CgABSwIAQR0GADEhRgFhGIQQhOIAELQKBBBhtksAEGIcAA -Ahdo4AALThACDSqwAAMPZAADG2SgAQRsAAIGEOCAGDTAgg1AgMEFIsDgARZ8IIMDRGcmjjRVkU6M -M8kzj4qR9QvneJEOe4RQcGC5zJY6KFnXTVAxWrPGP1ET9F7RWc1XUAHFDLsgKqhrpIKTZWiRUTAT -ErPVQim+g/EEOiU8uTJB6/epkQ3DiXofa+8kraF3HjT610qpL1yudlo41EhEpCENoZPF8VFjdpHI -s3GMWBUl4lenMNFqdqLxkOOhoJHoHlRdjFamULweHVtVn2G1RsEQ38EWlHHqNQnLTkGJ+C5FlZNY -JKS0hnHWZGhmvA5ethPxGxVaXOGSThIpihNSZyauCpGCp1nl7IjcRJxKM7TFilNBQg== - - - RJ9TRixzZIhoERRDUna08fD81iaVkFZp6FR0KHK70PxE4dJuCis0DZIpKrHSNclBIRLYm+S5QoiT 
-czLuJKpRRehcK++JnnFIiDSVnarUFEMtTcgaLaJTWErTqndiH610aOLK9J9aq9E3ika0y7DIQ6Gu -jZq0X43MsdGedlKDWLvmUg291KgVP/siybSGW3LK+0XJ5VYsxLg3VVCM3RkXJJWomsrhJZBYpggJ -5E4tsWTqe9CSTNiem16gVGgPZMiLhZLWRkN7QKXvpvdJnAyf2tP5qkzSYvaQ4Z2yiW+oBFkqtcz3 -Xg4s5WuRCp8YIbIZZL/vEayYkCByiecDIeFaR8mqGooOpqYnUSF1MGU56nDUPaNlOh24M0f9ko46 -RniZMYukLk+raup5JeoaF3YK1EA7kInqvJeKcg9mDry3i3E6NMsqWcNSsVQNVWWLpopa1KqGkW0F -WzWdmpbAg4u4pi46YmF6QEOlw/WoKgiVB9UQazCKhMHTUlCqDuHByojXfk9v2wntQTWopGIrSKJN -idXSrIQ6RQckQ50p9yPPlGltbYbKwk25ggudUDqYTfVCo3N0gkKhj9BU6ANfRfmDAQscgAQkeQ4c -q//ui7PTg3JgoUuBHvcBkSlFoT9EJ2yWedeLnB4UX7QgAAC4QIgtvCoyxctBNTL6LJ8HJgqkg02r -N0s0ctdPRn3ompuCRe4FEXkC0Qw5KIZVqh9wVdUDonBkI2tRHVSXpoYo7rvd6LMIkRn9Ii2Sa6WY -+KNkszRdK6RuKOhCUhtylBW+zpu8ZEJiDZkWukhrrHRChNJKTVMZEuIMlXPx55bdoUoP2JfLEmsx -kek36K1MkVkyihdFDckTmRXzSGKl3hI50lalct0DllBpjZ++Ta7NZbnSj6VZpUSjWQVfhvrVlCp7 -SDFKGqtZfSRC9SK9QkJ+SMjFvlJyhRRqTA5ZySgsOe5HVYmL1JWnz94IeU6Z02VcoWIvrNdtD6iq -fhszlsTspTbYB0U1E7R2fPCLYz5g8EP0MWsnxytC+QdimWLFikIcHaGSiKGqjRXHYjQRL1bSYZFU -4rHabJ6QEYdHi7b9qYWmfFjPB6ayRLpEwmS/dVA5zokTy3TO1MshFTLZ2qPI9PKUnnq1ihIlZtGk -JlFi15DokWr5JR+/WhxPTXiIrmor/LLQ1eAYFR6RkSgL62WqkEYRUY0rqlzzUrcUVZmoosoVbyCT -pq2aI3LXK6gcllNYrAhuxhN26JZEE84lmoS92qtcWohknJZlnGFXUnGRmFUtl5UnYtgVZWWZi4dE -VhNxKbGrylIXcawmevC6mEbcOcnIgTDMiDpJ/4mlnyhUiaJIBG+fTpXO/akm7gdKD0rrhCqmHEIu -b+RgJedGp9LzKaGypYySsFn9CLlxaZfN5mpMmrmrOI3pY6pJxhTy+WYUfX6lTLP/ksH3QUQzVYUm -So45dIpnrkMuskNRGwVikYaKZq154Sm/DLFpPtJGEZGDNHERTflC68ggy3XTSDTbxDkyitSPPOZY -vKSGFUGWCk04agbDf0DiGDbkwCEin6mRomMUMVNRJMarJpsMTXfgIp/iLn6sCKogScUl2um2fbrW -5JyQ2sGEJB7U0B0UF4QHD6IwDz4cP/pPzVPmO+XVG1NjBFFcGMoDiqCFoipLycxNjgd3EproeJWE -46Sa1MlZ+WCDeeCdYtLGOr3qSrW4eIFFj9fEd/XgtxBDOaIzFx2Y7sFJNU4PhGSdd1jFk/CA4uCm -S7eYxmoVHexEq4lI/aBqju4w1d4TmlH0lZGzlAaig7J4kkA64E0/jA56C1leq+bvPhtyww5VhBH7 -MGFvygStp9SJvEVYoYSy6C4zDKcDqmNWdGALPT2oX+YM84F94JqqPucPXDojvpeEIwgbNBnZAfWN -qoN5QFO8RtI7SGGtMYnmYIRKOlTp93N57eBBYmE4nFs4v7+J5w0zFvt9huF+ezsPflcj3pogt2Nw 
-beGRalJfWDzxCUYQDx51MF4Tkm7ckE5TYbx2cGIEj3HS3sVfrMvinkWEbhEefNz0sSkhqZFN7thm -4T5yR5D0ERmJfVulRjhyxxhVrsuHviHd9Bk54Etiiv6RTieIdJtmSyc0f0xMKhaZaE3WG9JpZhET -CSOiK/TtEbWZVrVidoroiWB/hpFRsBdLjdhErbCTFnuSRckeC7PjOA6udsninmnWicDOVGHJovym -FRtetNs1tijF3fbHduqon1J1K+akhVJXNGJZFclWXyUS20GSSmK1ElLI+6pU7gzNmNbXp4yj54Xu -kiZICUVpauhbWhGmUSfLJwdrlojHPQoRm79E9AyK6P2YqHRCFyLiksxmpExaYxgqnldHaGjqDkdd -SiV1/BexxPfJ/cd/8aPkq6hHcRH/PwpFB1M8aKwVbpoqj6KmvN/UA0bZd0xHFt6DKdPp78QnRsM4 -tWQxOpB4J8rxHrAcWrDC0MHWB00YHB9BYUhskwltB6SVN3msCubBiIjMTM1BKBDAwUsi3CkkYrIO -v+/UuAphY8iHTeeXPmgj+hDDgUyObBTE4KOIWBUxRESeryZxfMQJkT81kYZMps1z8I2RkjeS0xFR -4soGyV7JlwzRlKSGSoqjuqFW9jYqOmSzna5+FIVSD9h6W9zMrt3ORUqQ0OMpSx4ULYmkDeKpPCQ9 -XyFPLMSvVMpKBFdcqchKT/UUkyp9VShk1hfMutILaVbnPD26dqkr1Jfn5UDCJsdEXe0BhySkSRKd -2txf8nlTqIColDBH1sIk6J0qmoEGEACTEQhAQBwOhkTjgdFgSvMDFIAFuIg4PhKEwYAwQGx8G3Ja -GQAAAAAAABAAAAAAQMNRdEvu5EYOuA5PRIHwPwHra3YDKoo8eoIKw8JAVdFz2aTsCmh3Jyfbiej6 -w12UFVJXZLOzlr1joJnS0Gm3HRspPAMYSIFTsJTjtEdFcEN8dV6/U/Jdk67Fc5NndFF1Yc7crocj -wDQNwfNOQJyNIeqBrZuZI0//fV7OeHFIxiqjtQB8Ypo7dL+wIhEEHmjTWJ61HDGwiIYMqj718Icl -JoO4wLpIsgKhl5+E7QLECOrflXtd+miV9lHIbpVO0+JSaZF2YaCqoF7mYJdCwd1uriT7sKWRYIr/ -0yHD4MiR6+OWPLeP+ElI9m21l2uqZddz8p1FFrerQ3uQG4aF8N540250Oe6nluNud4fJV2BDqNUM -C9rEshpywsosbM7FvaGuO113mwHsNo5ipcRbHURw8RSa8PiAPWM61zqlLPonIBJgpTbW6YTeHxUj -uNthOLkGqZvy21P/3gs++JXtgqtOqau3lbmCx2EvQxVnP0LeSdzIkuV5sxB+2PoilWQ16jP3hLB7 -miQJPlCsySoF4jtkVRjF5te0FYNsfegEEBQ8dpepqp5DOFZ4T/drKsCOCtP5WUbtHlXoiMCRtxLc -XxNsATDGhJXnQhCAjAvrpjyPxwDZm8BJ7rE8/OyqxXI0Gf/qG5AEwtSqgRV6RWyVDiDtY4ZNH5fT -mvCFKq/bX1VeEn8aZNDoRbK5138BCM4+Q0+7KY8uhnpAZe5GIR6m+zCZ4yU9S+gaI1f0JQejvsm0 -m+TRJBQLayA4VFwo9vAIqs1Cn9bmaA5XWRZQP3KJpiJXUK8mX9K2CQP9ab9VmKePq4i1Qvli2ml5 -H6lVFr/rO12uQUFKbsEQymkEqmiWp5n4pjvoM0L4kdvGUg8tuHjWp50pT3rp4FybNE08KY3XfwMb -rAakof3cLlxpQMecblb+liSMbg8qVtUPVv+XSoiBVqc0ayNdaJaCk2Bcery77Yn9DJ2g4B+7Xm6d -2zdvi2GZI2QeASBIl0Vg6gEmNG08wxInwlydBSaD4NEnUnC7Rd5HR344Eq50qyr8JFyY9ZATZIci 
-5Nzl1pCBUsCaMOU3X9rEdwbiSdt8mW8zOaS2CGhLDCu/mHwOQnXCtGAdKxJzDYHt+HrmrJ5vax4A -9ycNPFmQ9PmX5F0w1tcNpDrAixuRDhgCnlxLWw5uaglIJUFgTfkcnQpF0JiiwtTFzKquRr4g2M9z -F2zwmS6xjm6Q2JQR8vPlpbpP6lGIMHXJw62EujaELzmJmXue0DwGHv2NFST+JYQhf+FBsnjFAynD -Zwe7Y1pYkyYxpksKVfe8BFUlKWmwY51kQpC+7qKbb53sveTCayhfi5KwroZOKOUNlC1JdCr5OE3O -URBKbATrAsYBYAPNheN//ohepNVspsKqgja1/lcK58RZuoBAvAVsFOQeG2bd0W8fVbEgkKuep3oV -MJBsvCpi57FVKVH+a/URoFQ9CIY4cLHio6GAG2k/CJR7MYWYsVUSpz/lo+01OPvFEtmBOXInuHrS -vaItop+cxiSyP3CWYaYFlGupLAeztcdEAFw3+ADusvfbWJmhOMDxDhhyOe0Y4iLeXNb59WCnOVQ0 -tdsDbUJdpO9pM8P6SsEgHmwHEU4e5U8p/wrWQXRqHBvAAdG0yRziO+pp3c3XNQ6pL2JhpPIyR4h9 -NK2kX/6Y22p59iS97/UCascDecYxNgnGXJ+cpk3+NcPWJYkRL+D0L7isKIjPOHDOtgIxuXlP5wwB -B46IXe/BcpudWGBCuLN+hjTny2CvN8zoesVDENmNrp5H8hrxG9IsWlcMdW3jKD8cWgalKRTlSuLD -BGZLbGY+dEfJC9Ln1ZOnu0UUasiExs7LosrVdA3FMDTkbh7On2M4VpUenh2qPzaETEq5yulBahks -VHPXaKpIbsxmxycrn3Lu1Ov4HUQcWt6vexK4a120tl7UFbpIAl0JkR1Z3HPG6uWV8KiflslcK7Vi -22mHnkQ6NRtkQQerf5RhLLTb3BnyGbXRfSUYZgLyc7/QRKoke2UIdiAFqVJWuM86linJTs9fwM10 -rEW1LcQxEK7rQ1ONmkHoh+DwZwq/iyD3d0cRubZiyx3jXJaviFrVQgHT+82KJNllCX8enSb4dB7R -HhDCRtTQPaZ0eJ14iSgHxBxU2pDkv1HelwwYC0I83eTbGlbz1sxN2OTSK3MbnvaskxlMuZ18LnqK -laW8bgqChjUVdR6vORRjIwqBKx3nlOHrj+GdBV2vj4clvPHxG7zYO55In/MMgNEkp07uxvLR/NH6 -JLqU2HFgcT63nTgcz2NqV3TRn9sGI6TDA35BGhf3J1CdciAasCE5hcZZfyCCcxo4jXWKciJxgRjG -oGkIKh1yqhM5tmyjdj7uZxY1i04BXFy+ffn119W9ZAmoeAdnf1XOCjpSmdUwy9a0GGkPVbjrkqw4 -apZvVUlH82jJ+JED/wtg0VVx+6v5GB/nUKw6LAYm9fkMSvF62ByGkKoo3HaiLGZ6zvP4rerCGbWf -0/5Bg4UWFbkxEu/M7w3dmnDA0e/CviHzbwc1Ojdi1Dw98M/sNH1WTlv5IvC0s/qTNVLzX/a+WVK6 -6PjKNVcGEntt69TjXm05wjc/2eWBpzEiT/jEMXeJmMKUAunF6fnFVZpxaF/sPDZrsg== - - - NQoUocqffm03byM0tdICLImIZhlQJa0wMlud/qnY5r4ZYRJ8Rf+bgTAhxdWp+d0OU5oi5w+o+LRC -rVFgoDkeHu/5P5drux5F6y0i3MedsFJZUU1V0KU+e0PAbi49IpQOYLjFObzcD5YaYWQIDlWVsRqL -qkiq4/NDpubsSaf9fGC71NCMoWUY6AKnxigkoa44cEVGgeBg/bL8dKwTEf67pjmwWjIAOQ88oN2g -7t1wbMZByzW/sKnYJKI6EKXZ6CPkDyt3FPVrDcRaTVJtdxl0iDLe7Ark4iPK7rQdCZJLZxKJQi/+ 
-NmoZqs9pDA2eVTj/X7zVM+Ev+DesADS3EIjC53xULYLucE4u/wq8+5qe8KYi4Z6fJ3eFuOzk5GtA -2JcQpFm6CGEUyY6Uc4QKEURILJ7q1EMQd4gaNEzpxv4chI0yzxpfl+df3NzxtR2+1uMhN3eTVSOg -4Q3LWutXygJoiCQGIYhpHyQxaNiF5sXBSz1RCJLyc7JiuzE8QmzceYBVfcuIW5N+H+vnC0BPERX0 -F3u044o1OfkxDuIyuNJgMlScsKxu5++4Of//DGGhZB/9iHnfo8hoeMVkT/UsGTw8n9mqi50QP9ak -5ga6QUY6v8RNMWO2lEFmKvxqkz9jR2QCPTHQbQtdJpVzOAOAEvn3+W+D32mmlkwYWrmBawtaNDkG -goXTRrIxReRB2arK+s9ZLgmPS1WZMLcwCTMdPqsGKuGZkMuzEIU0eG6ZnI7VTZHHv8qcoORrx+GC -ZBHTmeXqPIXy8OcMoiM2r1PIUv4AsTkVJsIdHOyBItgTk+/b/n618lEREGtGx8PnIR5LvuPhFfm2 -3DlU3dnsQod2cHYPs/w+oMOehIaLWVSf6Vdq1xhtT644ReqvSPkZc94JNnxXEFFyTwgwChoo7ez3 -mWdCW8n9jo3TUlcMS8lFRZw8LcqtVm7UmlrZZDFFLYS+QtJpjN5sMwu5g/G5jNH4xdoNcRcc23lR -Gy2JQcCdhcArH5D3KtY2g0uCR3hiYl070Pc97YwQpiIlYD0TfNAA7LqUI6+8kGoI6XmN2ziNHhNG -P+q2CdZb08nSPeUM8RJ86//WM9JcXr7Fja2QVihSmNRDcgrLu8MTLSsS6jYMpZaEntcyCqFzb1iC -qsIzaJyGCPp1vSgFNgoh0P4jKa8hHxqaAuKyaCCYiSr4eHK/tpLcT5InUKbQYD3RvePTgHtXxd9F -wHpUd5hX5mSZA41i2DuPW+KWxZ6z4fGoe53B73CTKzbViXI4SyapIzLGJgXJuM4CQhar6yNalrxH -rfyf+2SumI42d+2iiseQj4g18cjyGzmhdJuFcoUhinh2DcDQ2VyoIkobhws5yNC1V3pjjBuyJ8Iy -I2WzeTYj23mCRpPF0Clo8NxDHVYEH1EkfdmKIzWGuBw0bMEHiJsm9VLHkpGVdpc675Yk2tCiQqOA -zExkSxKf84R6XPhUmPw6DvkdECLsNADM5GY8IcWncy8ucQynNmTdcDRBaI1rbErsTNDOMUPVIaHs -0LifsqLANkHVW6Ip/h6RrOBh5WBrPgHVhONj7CmakD2e17RmuVqLVnzROsN5OOMd4s2xk+GDFRzW -Hqi8Uh12GdEwWBb91ILr1VjcIw80qrSaOMcASRPWz5iyToFMw5F6ftwo6OSvS5lXQtxsil/LVRNY -g9xRJJlKawYU9OhS3YJDZJj411C07YNdHgfOsoDn8aFmwseEO/G3ytpYdqFEMKa16AMmiocVIeuq -gwque1FTykEB7+582EsO3ZKAAmurCB0cUu5deA10Qn0Lie4aVi7glUySWXPDElcxCzlUpL4Z2biv -Vt3xkziizvsrdETlpZep+gRAK9rKRfLhZZX5eSDd6bxOpCkklEHUV26CMTSRCHQTI5DEpAaKRegx -iRGwiSmZYsZ0WCWDc5QjxlxP+Qp4gm7s5dD1uxqYVrxPPT2OWou8kywCbiqwMtcORGjSxLEsG0Sk -kuuoF2o+LATqWA55vgoPVVr0jCL6w4XHbdwVxwigbR22uEnbK7ERNH1IzzvlQtPuaQs0HWS4ACf7 -T/PH5AmtrxXuNTKRJLqfi+NESixrZjMbHUa9kJDnrLXlo5psB+2UmhAkMmUr8YzGqvBoUqEH9wN/ -y3vdObplhz4VYflANzBSGGxadirmYtM5nGda2Ox24CIH2OYmSS0sE96cbOd4WM0TNH5JKl1mTJrs 
-NpVmxtppHAmrcBSEKWYw/fCt7djTkFi0k3QmoguSwFdAeQPyEk2R6rTDJ/4LYJkkiicIflYE8723 -KbVhq9K2/BuDHqc64Vqjlh2Rmy+FLR+doz6UBeLDUcbQ67vrSTLdM12EGlI4BV8pYze0aalEuTpi -Riqo2oDBHBRzJGu8FImJbUurnZux0/WHZ2rBb8Yf43vKWHFFXzenRNVuJpImf26+ZpIqUbh+4Q3c -uMZHNjzBB4ZW/gcRd8Qce+/O8ZxgWq0Vkhmj+OH4HKbxLlrxM8QwSTW5FYWR6gvVkBwkSi0dTSFN -+mHjSyhhfgVgEJerFToRRRgGFS7Q4FghNUy88Mps5iHF9BoZo8ZgGyQEiA+GR1YjqxjXTYFjM8Gv -rfb7qX6LGzxYVykl/M6b02lVoZtGgF9YXqLSQm1CvGgJZrYw5UJpXSOq2IR2uRKzVAtces3dVhxz -MnWBBTk4BTbBp/dkIbCCxTl1DL8eDTmXSHW0BDnOb1E+vH0Aky6jtNOF4Jk/EGwOvFJ37nmumqow -V9bkNLmmQ5Gt9CbpHzYF9SBSzR1kLZhy86vZEo8o1AM2wMJeFmaawezWscv1lQmx8T9XJNom56e8 -sImGGwvLnXglQ3EFGX2wRjbloOFR8Ovi8EhiVlALdUZlKsBeXEmrB4TzF8RuAkyFaoFcVWKGyxT5 -7kv6IrpE1ca8EQtaeEURwE4diRZgLF5CA5ZatFhiElWPJrmtxXMgcRlJSAu/a83i6VZ0MXlPP0nD -+KwE7paAgxQoDtzcfKG4X8iOnLyG+wkmLN/gfbO94U94xaSiN4mGdzxn84QUpOYwqLKgF6lOIm7+ -oG4LAoJnMX97gME98Rnt8VvuVG/+WqZ4ojABOFYiPQkOtjqaywaJNQFK1UfooQpBIgwiziIjnh4J -HgYv6/QvkHZDxoCCKOoqn/U95K0P+hHrvONCNW6g5j6RknKmc7sDCtXtm8N0FmQqsxpi3DwCKBz6 -Abkjsli2Z2lUJJzzqU8bweTiHlfK5JAkRbpqrKsEp/EPJ5Pm1O4OCEBQM8wd7sTxG5NwgKidTxJe -1Q4ZJklCp8vsoJusyoGpOGd1JA0ugFcDe55kkNHWr9L5EG6B8Jj9FnkeWnm+p00xhDyqj0kKR/TL -Op99I27FvlmRzC1/CixzS/55Y8T0z1VKnpqA5OqIg2uIY8X1NY1IlKXNA8thpQHxbSIIx6Qf1+B0 -V+iHwL+JbexyzdGHA8/b2u8UY47zqFpo9D/oIyQG1Pdo3RSNpAuC34jXIQKZjcrd2zVjDHgMiD3d -MxuwnBesNyv4ssenf/9w1RUY8ExVgkphYWfT3Q7BLh/uOcU162uMgiiyfbG3AjMZjQCEE9zPMV2E -bIJnLdATT71mdiiPw7VVNwVtaD6DnCCmhXIIGE2tj6fg3yieVhO0CeWev3CrIYkNIspUfH6spx2v -vTieKHVcF3Z2UXgTAUdyUBgOSKqETlL0eKmwZTrdPbww71FcXcRABc8spNxZgaevLo1YelB+zly6 -F8CkCLm1RjNhAozoEmJB3lwA4Imjs6Z1jBRTRC0UR8Fns5LzK02aopgLEYccNQ86ajjPUJGsav7R -4PgEJMxCAEM3bHkAizT6xr1AcAcNCpLfI6GT36P6+vGCg9B/eE05u9wW4TkbVZtFOWfrrgHQm36Q -28wsduQFu/1r7DI18vikXQDrChhq1yVqh35fXV2Si+grT/D/wqrOirDimK+mBzoCAxxCRQ0zfnrY -liGYprEJHSirAhnYTj5LDHMiY+29y/13khwDSXVoKJ1Wuz5gSIC7F0hgEPc49oEQP7RE6jGYKrnO -WFhEo3WDiQ3+ts9I2BQsJcXrAXAlyf4i5N+D/k5lUk+dfmWZ+9i0NIigKt7EfkLim8yCbZieurD/ 
-CBng+uSeSL0j1w06E5YdVRv2BI3yH854GHqj+6BjibZwVWaSAczhM2N27N8PAsicsMaAeEjMI8rE -eBw8dcith4upTSxBtoow8F/pbOSO5XSbV+Tgt0rdXlY0MiT/ZGK2DcEpSUKdvVIV9iClgHf8/HWV -r0kWbL6GR7DHJQAhbKiQ0+ctshPMMyJkvx+RM0DfoMxFy79YIaLgJC+4QGn1hHD3DipaP69GT59t -bdx56COULFJYphIzgleCrdBBNSoT3WXYxf/dZQOqVNdhb9HMNpW7C6EiGonAAOumtL2MXoR18Zpo -gKMgQ7F+DX1PckAUQp4vaZ25I9+lFHEuSCYiXpE1Jn8OmZUhtRN34wSFKMw+us4ZatlaAEr98xFA -TJvY7DZitzWavXnJHbreaVZsEB6G7J7eHWiHHrYyg4e2W3upZbnzSKuUEtSIcCzTQzZ+cAb/cehM -lMsilE3RE5mlUhjiLogGFgfERrOGesIG2JjBBuWJ4r2zRvkvXu/D3jW1Ri6QxlNeKKhC0JVVXH77 -xP1qRkwfnglCThhnLmpQ/+mtzuii/yDBf/imarmlJzVVEZVHwGAlxSB6beGerggs2L7XtqHOtrmh -ddyXrQBmhpsYdCppIvCjHqYG+/uTcNwJjC2IYIBn4FtBsE/HZ0apOidKs3AKUSwChHeAGiISoiBG -MlEBuYnuXDMGrRtXY1l1CWe+ekYFscDvMo/vS+fjAyvTIKLxgj2ICYW2ixBbDjGBmKkhucosKtIY -ApS7s97zdRYOfmaljxPhvC2YFkhvC6TkxRskZsozv/YcWMPl5zDvERZi1mP89uchhp/pyxckdHHT -UJQVAQa096xrlcU933qgp9P6CGlBplF0vxHRTG3ALRa2fFFeYjmQrft5MKWl2A9hvk36lmgLPg8y -ArgW49X1OKFxogu3ZhbYwlUpjkK6Oh5CRtuU0ZpYfR9G7qqXgF6O+EtDesQ/bhXk849tldfHPQBy -/XTZFCDFvcjQVL25xJgK6u2EP3VXO44bqEYnRGCFWHr0XMFHx7qM3NkH5f5BE63hqD3HXjL/eV/h -63xKyKbV7ZwYiISKA5/9TKEbWxJ5LBslmlFJECadoD2aw9zJ7Et+kGM/IC+HLClCBRJ6tPFEybBt -1XkjlYQ3R4n2kC5qgKdXre+o8dBltsDvvqNw5GZD3UTCWdn8WMz/iULiYXY9oGE1q0hTKDkLmc6I -ixRQy4OgkGok1jOqLPNLhJrjsZ/Eyxo1u2jbcNKsbAMDRju5yujLEKPn37U/WqJVeEwCyfSJuD0G -gg+MIAy2CIwO+bIQVACA0AxGhVC3zD7GXOZl66xh1rurHNLAdcwrZnYJlpCUHg4hFQ== - - - BltsIzTX1WERLG94HaNaQkaKtxl7FkDwPx1O+86Q6UgEWa1jeS9dKDMwGnNUF0DwjTjoF8hnYXKZ -X18B+A8WjwpqQK6GcUNSVq/1d4vt45odVs9CJdKUonuVd2y1GoBhwcxBzYahXUznGMO1L32C/hD6 -o6WYfeniFBXB3DKVgEcaCXYN69cC2qb4VhLEhrW+SsynyRmHF/dF/R5t/EuDMqIW6BpKIacVRaM3 -s25vXzkwqqujzpppsPjGhzCC+y4kmqk3HyRFCJzJGiskR4hGojSWUL/59+ImPwPLfRWdxBbh4eoI -BT9JSQH3QpH31q+3FZczHJL0DRJIbrPkawlWTUHHxt/SebJMQkDmsxHPwLP9fFhzexanq4xURyOp -UKcNaM6OsyZ1v5YS4huuRzMbAJFnNdn6JGzQeGGMD8ZCr/woVi0AexxBZRLZQfhqX4SqAUZnxYVL -It2lE4lQv27eyzaYGXbNb4Lg67zqyk/DhorPOeks1k1zMDLBUJcjTmu5YkRUKtsNGoiveqlZCV86 
-hefwz24jXWJk0YVNOlF6SGX2FXOGqtDwZVIIoYZAxublQF1ZeF+v2FNP6kKyhP9F6VZApBUc12TG -8lW0/jLeRMes9g/X2B106n4gjuVYOTkUs4+f4/8N2CCW3BaJ6lfQ+lUwJB9t+xHBlznLdRwZ6rg1 -EQlL3IloALyfU2QQ8tpiM54rzP34ol4HJhUjI3+DWOYFxHA1/U8TIH0EvdMEj6pNPvZZ4bA4l1Np -WlhjJNrF+p9stAJ0PY8dBEzyX06RN4nur2zRENGxdMWfoiideqgEN5lCBaFRCHk726qIeK4phl8G -mbYpQpN483jTkAE+v15NbH8cZaBsSAnTgemZYCynvNJsgi0vIoI/T3j4xCacUa0rCFDJywuhaJea -dJNPog3Va7LMzIRyl9wUszcwfS0rw8ZUnD5VYp0ZNJAOWg8A6ejz5QL7wKMICTJeqNvG5id0dhwe -pvld8s6K/5Rxnf5FmZ7bZ1HO5xopBTS+A7Zm8Tov46aSsfcPiNALEC/lCL8gW4NklnmyLkLqg275 -vPUL0rDRCQZ8n5vqOHJic2jy+bkCDs6gW5XCa6PtFdOeoEvyzJsj8y+Qu+tixMZh345NF9srTClZ -Zsifq+DfOenSbQrNR2ncjAhQdifvXEdhqKEwTQp2hqCzpGjXc50ZeF4rKFhc8lD0NCRJNXcKdkYe -tShx06SgXYVLVXcpYv1V3sOWCSzJbf3RqS2BXRM0Is6uYj/BOX9sW4zPN+EzBk+ZzVSX4MoOod+f -9q7IF+hLbZhPVrN3VnomM8Y7AFewPEXdyK0LxbAuF6WFWPgaPfGRURIiDqFuq3NKHTV7NjD8TlnP -l2QOysw06MVUYGSPphN3j0mTMnsqilja0o3PfnY+fioxzJBJLiPzIgaxrlz4C6YTJDLLSo601m+U -AXOudz5i2c07+fCQkIws3OZ3xdKlgBkMIG2ALj/jcKAYWvJ+G/1xljKhke2qg4XPvhW/UF6qSqtq -F9JSeLLkVlSf9HvDaB+biIEMkk//TruONfvB6q/zGq+MrkCh5HqLFGG5Qt2CjQnaCtcEQJ5AqyyI -GCYgVpHrac00/KZof8y/IiNpu1tss+sD090knuUIEw7z23bi4opoRQxsEQ2TSCKMmaeGwl4e2hFQ -Mtx1/0gaKU7p+YaawzEvNi6z67WIDJWC8O+qyMbFNeBqAI6TwvVTTFVAFJSx8VaFmsxTekUFQWMe -gefXrulewv6+hN1FBd2iZw9m01o9I/iCYi8aDtcqTSQEnaflbcDIB8CcPju2MO5PB3WPWI+DD+DE -wPdbYQGdPJrCSyPoIKSz7fGYFHaPqcyi29CuxSiBn+NJ1/+iVLmihYCBIFFdrEpcJwahGA2O+bzY -iOQHJuioO9u9u9RLejrr6TKTDlHpN1nUE3vXo0D7D8Ww2LQd9K/YZOIgNd61uKzegUPei0KP/+Dc -FWwwgmHAL41l8gIR8FnmILili0FaAMS3zQDMrax9rWBcGG4ENnKPdJZG5YqZlFcW6VoGaQ47H2gv -UYkimQ6lSH6HjR/z+zsw0zRkYHe0jQPLVZqWSlRjK9CwEUjMBMfTT6ciETuW5K+v6QpfDiAewTKB -5fW/CHE/NKwuPlhcAZT4bQjA4QJcS7M6MSBLJm37Q7TMXZtIAdqeeimIJGI+NXlkXnn4J6rH0uFr -vYADOYjE8Vuwg22Spc63iJc0jvJcCnu5Ft/ByXT/xofiPPCCPIgU+UXgWsadNGV0l+AJz1ErBy6c -vl0yL4LxJHGSW49r9iBodssbSCIFz/LheLvlx+Uu4SA499Z7Atuj6zg7fIuOLtWVeMMG9SMGWJab -zy1ns+EscyZ7PIOoX5U2A3vANSdBwnimcddW7LD27MnZ/RS8twW9xXEyClIO5y/19aGtRP60w2A5 
-Uw7Z30rz9lYYLxm7f4LMuQUKc3nVx4vfEw+Uy10mnj5IrZhYQKLOoLnEjVJNDzawC70+rpwynNsl -0TD881zPJBE/OT/Ej2WfM0pdUYR0cBfsXVd7T0+UhETtIJyfOgDgI0LZI43Gd1Oe+8FN+hOc4i5X -Szkt7V5DaGXgH7Moqn+KaA4D7nSzCt1+K+xMHTQqCg+Nhx6y7+LBPQTw5NWt04BfdAkbbmGgXADU -rUp+/oN4uUK7cXZBCc7QoT2Cmzlj0rgMltOize3+udPCV496yYo8+fUU4EpYEG4R8yPk184JMKvv -PYW9kTYIaxiCEfcWml+OMkq7DCL7yc8Kobjpxl8sMP4pt9T5PwXcGkivVMCucrJ0e77vAYlxRYfF -MWqAMcJpNr5FhTLuaEDZxJIQiNrr4bcwWbyLlrz/33eDwUngeRpPfn4pB9ZI0zbKSXVSRWU7EB+P -MT78wZzRQXtYsZDEZiLLMJJKwD6k84VHWpTyfZlzO/GPDFPRf/Mw38jnWKkbH9C2h/7XtvZZxjtC -YHyNNekPBBjAYlNvIPmkd+mNJHh5vWS2qunVi7UISGeJsAQiYl+/ytU6UQOZIvhLOEfyKZAaX694 -udWgnRc/pLbor1TsX0VnZdZW+Vh4XZ8LNnMd0dohROFoe0jHGSA5EEaQybaPh3NDDhCzp83DGUJv -OmjgDrSpyczVQAV6fCqT22E2vgKqWr2Nl37IEgApN4Fv86cVEIyXiSUCmp0JCrYWjC3cITJFCHQi -HAGY9FOce7wW99qXILArxBwQ/2C9RFks27Iffcw7RAprkPlOycyChmx6POd94egW9Rpc9KutKfLi -EpmvwsNrb1AUJC2bNJJAwAEM8YbYq5jjwiB+2YcJnj+Vk3CeOILQb5u9xlOP1DryGFFAWSC/NFfi -jR+Bf0uuxPrrXVNEzluCEvSCsQVSyui5kMNDM428Rc/oeHBan+ZF9dXQB5W7d0omAJ0qmO7OS2Bt -MLuZjsNMqJEi0IE3Gac9V+8SXt/CmD2C2SuveeLMdeWj+ODo8uev9Yw2z9X1u1FryXBfqHl2MU8y -3TvcYPi/xmijo81/IjwTThA5YBTY161jFQyupC7lAXLq2OetWxyJWGUKZkxF4P38SNdG7G6kCrZ+ -yKfIlzw5E100q6a4yHvAA2X7fV/PQyuLNckF/VjXsAXv8p36R1YYdtLgptNBdnFC4CZejf+RLT5I -lNQcRtBnJ8pMwFCw6pScogUZgvH3QWRgl55RLpA3OoDCDuUEnSIjcnyNcrud1AtBf8PcfpZJZPsX -YJOPE/0sTsCD2p2ghmwUkuTTOBQSMR7WAUbPo01sq1kAMSBSMPHHm/IJgUSdHketkwlWoW9LEmAR -Lwlq2HF809uh0YqnCbhxAbOka1BgyMM6BGVf+RwxLURTiv/hc91KgEHQ4cWsBRUY14F3GVwT9ziu -Vj9LjKurlWBbxWRrCUkavzd+9J69GVH8zIEQwQd8W3RdKWS65fFPtgWbm/+wRIUI7g+kgI30qGPN -U5V8T3CS0wi2+aF/x7hWWx9ETSwzkCjJqpR2m5olRELcUfCyguPoTdjprboZYgyJU3ppuM9ipVXF -t2UnCm4MRfCDdbiYXTaxUPAF44JQ9g1lMCrhVcLcMBpCxKHhcpUYlrWmQj6YritvNEz3j1lpUJNO -8dOTtCfe0hqCCa59yCPod8DoKP1zmF3pDxOZfMm5Uj+QFrM7nKKxC+JIxpGHYj1bE0lJEdJJ4lx3 -zDOQR8FhI5Y0okbJ74qyiuCW8b8TuAF/iovIacZUSNY0QNQHPIWE4Tp4ip9meRYG48wWT67qAa1J -g5a8H6fEU1/o+VLhIlkkFjvp4GcX7waGIp7z1lzjv+cgvAEb9bUdJmzzl5LWHJ6s3XuwdZlmIARS 
-webRyiGtX7a/KKS4wTuZi2y3it7jWXTJpKtb4sXMy6XCWjNjuRE6kNEXm9UX8WuxGB1Wr5cq8Cox -8vRmPHCOUAW5EChRDHZq8cLAIukI8cHdubvSiDPxqIX+S2ohmSGt4mbcB84C03vIy/0NnnyPJXlM -dPhAhvebmuW/od2g6qKO0diosjZZFI0YwgZmNW0jcn+FQdLNXmv6DO5utSI92aPvD3gpRNpjCeDx -zODWnt4MA29jOUnSGO7I7S88HxsJBe4mIZmL7Q2QAtuHBg+kGMeci8v6jNhiml4G5oIJpXB+yFsW -EFVfxVRSiRfaVMOjF22TFKYF793b7m1+yYbZL1Kzo3Bm2IIApWSUEXse/ajWryzcVcfR23qE6wvN -l+NGlAUCWWQHxgXaJa39mWZeFq5LSg+CgUvdmPTTv7rGWjxu/Pjpcj0LAF5JdQvG5kAcwa/Y7Aze -qKxISFCfHpbj9IKXqFFsEn3X9H1X2FvZBAYKF3TZpUPkkaIRdM92BLusuRBsx7Ex5v0MKVOZtxHl -qu1sLTtjEuQmUGC30vnAgs+LaofiNzeFNyt89YR5uWZiy8p5TSDtxD8FQWrIg/tCbALQY4imeOzC -yMXTvZwb4TNYd3oUEPqyA/gYsmwnzgjA73QVxTghXYfXQ0A4g8lh+Jd2r3qOr+NCVIJ+vJCgrvh1 -QxYprV3crQyshkTPq3AY3WAVTL/cQaaNhq6SlZnhlU2Xwt1Cs9knmsUkcSi/AjIX7912MK3LDIpS -lQOMQ3kq9MQiaCjbmNOnvcGZwzi6EiwDZkYUU2qBo0cP2qKvenbBabO2bhhmIQyD+4FYbf2L0I5a -zqoGvbSgQbF3X5Q9eVcAedK7GmCe/zPNDP5YpZ7CUuHYfu5RCzhGvK4DUqOKIijQIFoKq+bl4pmy -66Gg3hp3cgf/n/NVLuFYK8MM9zqpYmR0EcdGfTE4Ijh0+suNgQbbR++Gc2h/E6BaHoj3Xu7J+o48 -DYj9wDY/DQYd7QktzHhlfJ6aU+vvo65kewV5qdOwIeV81aaBL6Klq4Ab3n/3IapYqQh+wE9y/yxy -BlB9AlhtBk3t+Fp1wmCVpfmoptgnOFQEii/HQWeEHsgCecS2kDEKbRUabIHU6QPJcA== - - - TnaNDytOOdWbBLjRKH39pZtfGFjE76MvO80r0t7bTbk10O3A0k/4Lj4Yiu3OFh2jMy5hT0Sd0aO0 -FOmmkk8hCq1C/sEHkI0II2hQhyJfHtdvDHmJVXDFk1CjyDML3G+4WZMunL6t3GsXTvCHWOC+gWSV -QsSmC6ZuEhJRfwbziogmtnlbpYzIotth5nqcZFZ0yrb/P48gcXlJG8/n42/50B0zBYt9+bOssF/Q -ory2+z6iXQ+OoDwJENdyvplOBimPdpG/4isAuyBG2NBs/ncVrGbQtGg9G19JcJLn9MQMysaN398p -5xghSnc/bWkrATHw2lbC0U0fI5P5x+FAFHHMlOoG8WmK2E9Xjhxh/Ij/nYViZUJ90h1aE6jwQyqt -S9Zz5aikj4CpttolzQpmbrZhLMpRNKwbZtwk05JmJPHjW6KQDA+8Kxn5bgbe0pk2KqIXsTanFmEO -072Hop0m7ZVw507BvmXIHMQngKAJNsH61cBTnGdk0Aw4WmUuo2+85pMI7Eif/NA8XDhx1VbGKnY3 -6oZM5DWDcO9cl0hAHypphM6jMrBlD/IMskNNfubIYr6YTTwfdZiWtXJCh2C5pWG3lh9DXYNaUoUX -L/XLPwuJdTmeIWWKkidySX5w8ErH3bebPS2gysPgRQ+/a/hoQEe0hhT60TyWZeMLmH0c6w+yZFed -SXGrBNWW0TH9C+xutvKgxlzoo1bx3SClQ/QmtoqOcw3XMztdddgq8EwuXe0GSpSUiwVNibyxTFDJ 
-uC3vztiFIn64M36VT7FlhBY7FEnzZcFVV72KxCszQZYHfjs6iP1OIG/rM0dw1PAeV44KGl10Vbnh -mpVOri4Ccxaipqk0fAIBZFWH88m72Yp4iNgVt+2uKwwnU6sovpHs2o2g8MBpwJCi8K/xsoReodNU -JYwml40Zc6cg7khB7HYp1ujTmwxSFHeHWbMDy897z6Z/lx/C73jMTphtMQbIr/MSgVbU+g2qdVLl -TqmlU7A3TxjEoM1cbh1y4pBefgpRoEn4bPZIB6V5sOncY+nFkPzAeSF4Ah2PuWC+ZtNI8S7lD640 -RK135eDo6/m0yb2lQuNEjjxETkFtO6fVfhwGsoDZWYmYepDtmD+zCHfoZ7HKhmeStQmXhbgHd0Pg -fPgIdqFSP52SGSlqrv6M7q/taBezVcSfSsxIE8jBrWCfuiSXJFCxAcfQsZnAkKj7uR0mNMRaBucM -SFmeI6Eam+oaVA7MwcXm0zTiELIN/L8/lwHVxNNkMfVq4ZDR2+H2q2Toy6MKi4ZL7o2Uo4OcrEjG -BxFMQIYTEl1NPlj2/IDFRmvswyr1Lo/Hu9344VliWfRibilMuFOVVZysu74QTwJo6LkIMWtp8mhO -7GESbTn3mirnOnowTJKFRtZRswR3jC/dfJfoZ2zIDqq8NulCX+MeTIq53MEqpP4nXVK6+JTkz6qV -bFJE38ecC+U/IoKJ++N6iUriEsDkeDQOREmJBtgeWi3Oo7K8sfy6PROU58L7v76ehCfv6+H92475 -wz7w0parUxGefM717Oc2BpD9iddANJIicjGDNXgbbGmPmbHVjeWp2TfdSO8xTF0NDyI6INGp4Dgu -Rgj34ljwvTOTm4RJq6Mvsq7g57WVHe1hqHClNgMhliIhCAnbB5lpMUhGEejBPBBJwBRBoMHXeeWK -fskokEuLkxGE9CudBxAusfthfpCwJvAoeJ4lZ08JKjCMIFo/EFUPP7AOvDNPWNn0Kwh4K8HpBwxf -XyTrJ/2cpES/TBVBkPLHfWfAJfpVF72Rtwu3KuknvO19/3zJmTF6y1fLeYoA/ULhl2nhy0+47+kQ -IP0wIoKAYjDIAghVyx4F6gcs5vWQylv5wKzq8Z0eqPAUD15HP7ZmhyDR0IFT6McyUFcapHD0M+wV -BDUspngEIvZrXbvnV1FOTyrrU1Bt44XVl7wmCNokzYFRFzdVOiSp9ju/ik3sBJFx3jdjrL3eCU21 -/Yas0iud1/kwX8FRVbok582um3er0qhllSZxkubAaIIIQVZp3GsKhJZMMLsim3uPzeoRBYJQtStR -JzPJ023qJB3/L+5TW1fpDPZW2jVEEKf0KnkrfYwiCPaSByIMLE2uByIh6UJx4Md9wdI58EDwcaVh -c5FQWNr/iiBwy9LpPRAsZmmwEQRpWTqORBBw1NKQJghItTQlAFrH/HjX0vxPbOnm0kbwWlqfRq4d -WzoyKwhk/I9xDIIpt5+Bny0NyvrbB/wxgQvZJasYTk2APRKX4ZyAdJgMSEFMZvUaXy0mI4i+xsRn -c53Emax2VFotEI+NI9dkb77GfEbIqY3hsTEaE6hGaONiCso2Tob5SVmLY6zWZHSPGbCNxWPhDvtj -RqSSCzR+NRn/bMxfcUJN1txj42ChC20ctUyGDHrkqcn4jo0hmjVTODb9FfPdMODmttJqxCyAXimH -urkvCrhnfaXQqUJaCHUWsLhCGWxQrvqy1hjlck/jHo7Po1uEFpIb5Si9Sz1/Z1GDAWgcY+r+jnJC -QOOnUC65RQYnvNpMYcaBVydVOdR3+Rx/jXeUX3ZIunOKj9BCWFZ6fQU5Mv5vFSRGCBdOodLtIZiF -IDE5ziZLLnIGSs4jZgEhSg7wkgDLbFR0BOWecFgWJKFgmobgmenuMSk5eE9+aEsOEpoFpqkHjYPY 
-Dg+JX6TkevrLrzJKkisVDC4gOQs4SEDHSe+yQHrwvsd9kFzmVH0T4upq5yRgEIbzMZuZHpywlT4g -uErCgh8EmNDNUaH30OAk6pRXyZhJrg4Qcsu3KXcrufxenHLciJgB3HrAWGBvHpq0glfYRslUKJTa -gGgpkAttVBwKVIx4Qkr40QQIvZWgkcltgyTwEf0sGyGRlkSwyuTQTwgUgzVYIFzETK5jeZNrHbLA -gANZ8DIpDoJwcvSSt5cWF0kocrWXnK/DkdOKbP1AFm5jkn4pC9kJPhtXoMJEaKiCeczxY02hhhju -zkLtILRUTfCxVLDMb0CIIlqoGyjto29OMDoXeKyMfdJUr9bIR7+GXDZu/fGeIbUQlw8/ZStQygkm -dmw+ciKGjopZNCE12KDDeRNMFxJCRBhIjZyL408E4uTCxKr+hABLWKxT3XBGuLRaahvNv0fdeCtt -uHxLVH077IzBZEOMswClfb9Sg11I405BmwVRz8gxACxAgmwIUW0qNIbOCqGvS11TSr2DAvvUT0VO -QSUCHUJvwaT2Wsyg6kwuHxiMwQ2R63sXsNrjCBjZOE9onIsLoovkIEx4OI0IKpybFWPSyZPUheqX -IuLpICTkrWrLFBIJ/cETpBZH1V+qLiTLrDrUE2QJ2q9XzL5T8ZFB7BEQOUPuAugSRAQu5MzCC2Rk -fUvgIDf7aMlwccL0Al0njlg0P5yTewGghYtrU34Pbj+CfHGJfIYY4CaCIaeAXg7Z3kB6UsTlbYDS -u3nQGBN9sb0gU0CfQxgdPNUiQD69OS4+j53Zzk2y1GKws8MtyxDKyRRKabtxBMlBrmYRkOXz7Dgc -wY4smxhDJJg6Qw6pXAIEogazyI+hHFnlB4RFNuonBOGtU4IEmAAuKSV+YwbDx3Zfet9qDbzkFK9b -u1nYXpCxUkyCe1sW/uGUvgg5DTOpxLT2I8IgIec85fFbfc+A9rYVWz+YiPLxyxCSIPfhEJ4AckpI -gnwfAVh5luJoV5ricblRgJwG+C1B1164xChET9IgEFeTo97HbpJONBNk261QH1MznWetoXXIh/pe -WPB6NDrJUwZY8RMgl8eBzHfTW3mvVQMd42hjpkurnV8h2S6qvWVKkJNuKXkAcoV4dRJNoXQz0Lcw -AS/5ESjrhbEbQhgqJ/gBVBES6+jUwfF1G+CroE1GdzjcxAUYZMDWFD3Vz54SoHZ3xxAQKhwsO4gc -HSEZFBjeO4VyNEtgEAA5Ku+Oy0klBHfcrloY0RXQr948BBTBjWH+a8yr4vma/V64C2L1ywmo9B4n -3i4vBqkOFfg4cTooqmTnewSTNus8TvJw5eU6AqR0p9LOhxshj6uxE05CyHnjcS5z4Sf2OPXeLd/r -VAWhi7XNWihvCXCSL9tfocrlg9SL7sJ9fkpyC0Z40hFF5gpVzFPBTdNSiLPHYZxDgbGPo0lPSFCg -6GvCnCwvwes+DuVJSLGPYwUSmPo4broIMfo40BwCaX5BaNZHeKGaj2OmHgTTaPU4zPICi+P1uFC4 -ASkL5adeMGggjJ4zOFFKxfmC2BvtEzDA9ZBGNhcMEKjzWODqj/uZCuYzaCjIw5wJkPRxHE8ScNRR -xMBgu1Z6LAimAgqFe0Bjj+PP5wAdh1TCBoTnEe5l4EZtCEZfwHF7XLxY4GYqkhQFNEJim18M+GFA -uDQGDCYgyh1AKJ4yINKOKzEFcOIQBPD1+gLURceBKgEQE3reL4BVDvxH7z2SgcuOI3H682rHvTQZ -3p5eYfZXUgCE/t8oyT8MT8C/lszEPlnB/lqOJkMuHMmgJZIoelqy7Lg4CJ8NXDPufRuntlW5r2jH -jcX2I4THPsFXa/3f5Kgv7Zb0+ui4Twb9AXLcSHF+TI4zgQiERiSDroCqgApBPlD1emW8maTjsYjf 
-pGxhCA+uyUQS8Jj8TamWQTavzfgdsmTGe1xJtbTuJtIEhMt91x5V1wypIoSitm8RPG1LO6pyXOLK -fn9fKR32HqYu2bve20UmaB0ccZjd6gDI5dRhwHFD9OnTZZH/peufdwNIX8L+1yW6+iqDvpuQ9jwe -OI5yc35QT0zYXLedkfnZsC3vBMdBzBpU44XCmFzTFZ4SOW3+IsGGGm22y9hQEzJFuTh2xQrv2fBq -mRuoDQnLT49tyA158bWH8KVNFDyZOY5nbgjWpCxY8DEAhryhZRt7Z3xbyfukG+c1dx/84RA/duqO -TIbjoLkfxQ2HMjgEb9OnFofeaxznxoE4fusBIAe65lu0Q3tWasqB4RnH48kosXc7CkT5rZuZI8wZ -us2SgMCNcbrp2xDGwehOgMvy2Dm0/5CggA5Fim3kAaep1jb9svWyxclbWjSh7cTMhNhsJuWJBc6P -lK+VVJx03MIdsbkuZAcWOSE0FYH7WnWi6rxrF64mreGatU+Ks9aG2oh7sqatC+3oq8HeR7JYbaV3 -WkvVxBxOcaZ2BTQ2KGp2BdO8TxsCWlDCaYpIGWVMA/4SIQFgiI4c7jw6zMtotjhGhWm4MT0KnDKc -/D8MyT9D2AUNXLgRzUGJo5VwGqiAzk5JC34zyLVwozVrCHuCzczojqPBy1YoD2AThLQeXIOT02Bl -RiNEylIpMDg1BCaSPKykygMyz48HChwxhwtl/3LMrhahn8ZmtOC0MObVcyPmLzlvUSkntilWmDW3 -R8Bp1FgIIMAtpFbb/81K4jHKdRqmnkjBr7AlAJV88FF9OH99sJzCEIrBDinF2wkmm4Xo+L6VMUNZ -+6YdiQwEsKVSSJj+cpH/Iv9SfeMrcvvK3NJREN+Wn53i9yZZywbq3szJXQimXpbi2g== - - - Ds5Lps87tN5E9sdMaQD8UW9uimP/dSmvYe6SupKOwq/oWmgolpxLDs/YSrlMO4Sji8smItoNKzlV -wBv7liB+H1+3KjcMRbdV9z6jvbtlvveja9WbheN2q4xrGnPwLj7RbvWbN9SdVY9ZVft1q/OYxCqr -rg9B+b3yDz0+ZSwqy9EHy+H/Bw48K/G2Bv16NZG5j4kzlocWlBq5Q4/bqgHqAGJa5YPlwB25QRAO -tMjqhpiPW0vMBm7GLRyqgavihow/0EDcchYz4C7c4D4GxsGNsh2G7MANQf0C4d9Gty6wqW8L1BYg -623EIguo4m0UMLstid2UQq79wDUlxYMZpMxBP1CjozI5JiAko4inBBJrW9RCAqCjbbS9xqH6iD8Q -N6GYSQglDttwBBBCfm3A3QP22k80ED6f4vWHHohXTyF4A+jhiWE1oCw7FZEZQClSG9MQEYfBg8gp -xC7AAzhxgSzgWNoISQUpXxOyoADQaMMXmM8kIh+0QWk/QP5shPKBrp4NFzrAs7PhEwBdEpFmLZGn -iqWmQ4VZZTZN9AMQAeZKB7Q11icDHAqUIKyAnGsSv4gAsLMkMskDkgRFHITY/X5ovBQXALWIrS90 -oRwb7kKksRmI/nwwtg/gf+8Lrv+7YjPB+ScnNhy0iC1RhIdNRu8uov3gnH5wrLB9mfnvImw4Tb5m -nOhdin8GwTYllBFx3Q98IkQMvB+q7SHEqf3DOTTD2MuyhuiE1vMaQydFPZsWgnjSi0OF1iH0F7SE -Fsn5KYWQzzD/RwfhHFJeJhl0Usi/mIJWx/i7RpCFsG0gCLMTSJAYA/LD2wAKqnP/IHHz6XTb+sHN -dPwQ1Q9E4j4ccKM+zn0kioOEcWsQ4P0A9nGjVeodQf4ao6KuX+DYNCqc2CT3Nyq6gB6tpd3s1TBi -TRQtODwqUIrWaHdCrlbGepqa6X5U5EeWgHAv3bgFqUuUcLSWMwKjNXT+njVFFM2aM73oMcqsYTAJ 
-R2liCM1gfkJVEVKBoSFSIcasnRzrjwFljfOZr1CSIxWdmLWYYPwBzJpJgL2QM96oQABJuoJzsna7 -8JjQHf6d3Rb2SC9tjOzTaknSbldHmL8U1l1EbU/jeI/ykTJL3VjSd9JLIz0FZRdSkpD4+SKDEJ8F -COy2+oEX0V4PKEtoRnbNYEsZuCIHkCUfgxXVn+nk6Tzn5rDK6dJIa9YGhhKsD0FAHpBi+SvZG1wM -IctemVvXPkH20ltMXU1/dUScsPX4Ck5splZpWsmY23GYsN4oUZjVYLl0x8Ay2PBD4LDTZXHWyboX -SYGI6mlhlUvmIOX2kqkOgjkBw+D/r3nKIAPWie0WrD5LQvBDF2jG2T4k+mECoHXTdf/5Zxful5ro -web0q29GRzPC4vdyg1fJS/lKc3SRrht44LuH2O25fq1iFz2ixdViEh0UAo5jaMCoryXkCYEqCsWz -b15salmsBHsk54myW7K8OHor88iv9+eOaEGnk+9GkUvSWLHyc+qwFbdBODjCGEMv0qNJPbIeo0by -QT966XZ0gAXo9tpnkMkFzShfT0eG7iGtK5pmeF8yMQoVE85YjWoiXcTmEA/F6esXefbvAfi6etsN -uB+O58l+jq9dXcLzcqOZY8jlO+NH4u7iV618eS2LzkJFD2ygZbQAEAh1XIIed1YmtMyLafYinhUx -+5V2ZkHu+hk4k5BnLMBM1P9Oh/JXTP8s01sCqZbyOy8XbOe94ej/ktI4I1+9V2ZdkMYcIG6C6XZe -ax7uLNWy5s4jM6n9M3ZlRhnuBnc+bJbZYs4/gufzcUUzAM+b3jIV4FdHaZ43R6Rwgiy93Bu/i5yc -6C2+lJE3meW7IkkQjokaOfqh3shRDJ4ggUZ1XLqFA0Ej34jXWrfiVeFj9Nam10G4oML0nYkRbrTW -I00QfBA58sN9OUxHDr9ET0OW4L6jfUF7jH+tb3FHjjrbK0QTeXGHZLAKOZygBOQosr6QU9QdPn6z -1D4ZYIavZD7O3rpA3sx3KM+DNbxuDsmCj5ds2Dve4uKB4OM4jNfZ1b5J5E/CpBuUhRK8uscLP/6u -3LnKGpN8bByRsfoa8v9DfvMDil5+AGTOD/lIK+nOvSIfxsZuQ4x8ezaOp7Q/8stIfoIB10te9FdF -oVx65E8bXKv/Ivl/E4HLk3x/ceLZBgDPz5/HVKRhkp9lAVd+ifwNKSV/jWmG2yXfLZFVnGZaucIH -RYvbykUrkz8RWwPFJV+u8XcuyG9la7Bn8BCNJ8h/cgIg8MHxT6UTOQyOT2jJ/OLjwy1KFR7GlSa+ -6vtdu53VYOKz80nttrw9axNfEECU7sSHzoqYp/7vJ37/z2qZw5mbJz6KEBQD4ycPnN4Uznkw8ZXc -FuSt90/DTHz3/GSdXJdg4s9CJ58XCwcT33sdhsnNZlY7fJ7ALSEmPt+xAIli4pOpLKnKu0NlLvER -57WvlPisjLwGR3nPZIkfF8ifLfHTbs5dOhpISvzVJoM8TJpde5X4cVktB1/ixwcsANmKQ5sde/AI -uZGPl7Utkpe9tdZefnyyBZaXY4wvnMAfnYLnEu04ZPDyjaxD28x7Z7o9Cm3EXcYTv10if2gcdwI0 -FA0UtqGhnfhKlydlekU8BNmgrLprl69CNl4uTZOXqnJoDjw85qW1Q4uMnjta3Z+uvOzFjpAsB9BD -i4HSuYzIkD7wnHwF7WLZMdONN7RUQwYnSqt3DgzNUHz9Wwj/lUxrCEN0VGU/V9shaAttYTLcHBAo -CSVa7PsZrjLywZ6Emr6TlT8N7iOG+smO4D1yqNS71Acy5Scl/NJdUGlcyjNJDhtmwSdQnYQ3pR+D -z1/Y7Ty3hGO4CLoNlmdyHQYjwt1q2aAmbnVisETrLpjmyYZY/gPoqj3A4HfI21IkukDmXtyY+FpK 
-5b8ScuY8f45TDNErRIRBwV+usEuxCktnoJk4nNxPbM/rAMcBU/iLpXtyjmfNpeqVAfOEthXCY5ZM -K5+FahG1l7kSVoF9tmjy5+k0XLj27MDGGJjxhPOyky1JdC+QQZpz4cRYDwOVfX/As/8OjdlRhhPw -3VyVSllFsGI6ZStAgIZ8DeMW+EPBoX0UoEdbrE1BhDLCE6QJ2TRpExZphEgZOVTfwPaHLs7HrteO -S0uGhO+OvslzEOeUqDrrSoxm1WNcAwoI9VSwBwVur8Ms2+2XqrFZ+edjSozYu3nnh7L2qnDcFOk4 -xpkp2teiN/J5IrUqXl1RSA/d9NU3/JwlA0pdoYk4BjVBHVTWiXVLusUX94zkRXBGtUrgCq1BhVOO -DFHJK1PvIwisSBkxjAbQuE0tda8Sg6Xt/fBu0UTc/ybam4Pl4zSG5PkPK/Fd+d8atFEh9BZ4Tb2f -0m0rNJ3MYb9c1Mu1PYnEtxyMIMxODBKP83dFhfaxyBlKS2FvGPR+TPaJ/NlGYbsXdC+JrMzEHZov -luytzjKcPUPzCMO0kikGoMwyFEzrac5gyh2DLz8qCxXHI4PVGvAF+36oIZYgePiU6cEsNcVUHkAN -qMPzD5ahn0kb887K/tHc/Zipv+ldEkaF9xkDJJb9sBTu4vO+dHXltFudNl/MjYEDNJr+aLNLl8Fz -zXaiRaMJdYmHilGIb2AszzttCQeB2CmjB5RfIGvWIFXVIQ+rT80kbLI59F0sD+kWF0iEzLal3feV -HfGDVXPLxSA7MhGJWkxDY759ntoJy2jKxGnX1AKewObawL4cRh6N9tLiX+9WrrxtwuEwUwrKuR0q -WTCt/OYz7YZOhBQSgNwGRG/mjztVGzBiZeABp3JrDowOSI/dSZZDQ7VN+979vbhBPXuMl8o5dQH3 -7NXCpQkafaQUP1vYZItbGMsy3CyTmgDcEUNjpW9IGahsONSfGl3cFokEccm4xDyIW+ZIrJzhkEEJ -LoAGSukhBL7obhfS6licLBp2jb3anVkaIXeVzP7bTzh6ritVVcz7a3L58KCBOyeFEgVdVFBGSLpo -yHU3hVZAy1zVi1D8y49+Bsyd6xwCSICaJwINckEN/gf+Dry973/vBb1fVU3pMO4g80C81Tm9O4kd -m6y+DlUyMi++4TGIh5AY59mN9dTHhJMtTzSn7KlXrpaWcuDdB42G/BnUgJm7c0Hi6ORTjut5XNP+ -MePhA/7BfGIZgL9fHL8oQbB7l9wuC2hdWlqekMjMZctNa935VOLPtbIE2UssxsKFqotU5be6VOG1 -53lkzs0qVBcP3tOcFOmvRmKahL3lDMoTtAtYPiaC3LBaVPOTNqxaaSVL0GuTrYbfU8HCIHoR4RrX -OjW9OvvjKNxUza/NQT6t9mh/sRTCkkVpo2ESmK4XOvFcFPlT31nm2lmkvOphN4E+Kuwyw9ukE3Y5 -o5JITaW8JnI+k0US6GVEwjXlyUIe4xhHIWecQhoasKIYgPFCxPrB8gdpiLIJZ5klhynYlIbgKGD2 -O2SinzSYwWvy7c0Kd6pX1CNeiQdAa8gpu5Aj6LSgGzbSnKnlyDH0grdAcGnDp5JupSH++OWjgB74 -UFYdNKC0pg+znmDzv8eASEymYX2G95ikMM3aL0FS5aqtIg59vCyAjEnhXPXkxzOqAtAhj0z10/yO -HQoo60jVqRNtZzOxgwznKgM4S3ri4kdJpQ8kvqkqcNTElNIw0QwMtXmh9rmTcoHGKFPDPu1QSbPz -zBOR1ut0JCPR4swXoidt+oURMk6aoQOUmUyj4TsIBqW9b4DL3MzxeEUPvoOeUgy6svsTwHv6fgkc -jrD5Ecnli74hGqoN3kf5eFFoBwDm5Nc24OQBORkSrgSMC/2Px4xUlBCCiEsAHgBnhoCc8DU6tMBg 
-pJNh7UhboAI8ADiPEJrDhSgwWFGnow+APXi5agAEzafccL1W1XZ/+BwDP/ffkRhaeRxgPPPtD/np -9GBTnUPdaSB4ywOB2T9HDIZhwWKJM7LObt/buHQ/FvGf39QdZtqngamw0cI7+jM85StBnRbpSAbn -82NreyL9JmIo48sLzTs2VHPtcwW7lKT15nTGn7TRvA/2CTzrLvsabt8qJmJ1lX2h3cTVDedFWE9f -j6yaBwpk1Yn8I+/0w8JdPJVUrRxFtcSl0P4MjSKZ37Ac8OHEPllnrrj0K7oX0fW/R+jyKtFnMzjq -TcJEbmyZYoZKx8pKy+h19Esq1FSrtoCErN9CgyS2Rt1lWxz4n8CRZmtiYj4MBDXak4ZHvBvH/Uu+ -w6WEzlvKqgT3I9ZNIR2twAZoImaZV9ANnlG5tx8hzQuVwdgR+IqKgSJ7VdYozfe31mxqmV701xqz -evtBg6Csl3ORUmCRAppyqmpSm+i/dPwlCWGTwf+0OudE/dr2JaV//j3hHALZqWcGQ8VAfFkHOQ9E -cg8pqkrSGA9pzJfVhhAPBEYRAf6kx0o1WXXRFTdVz4+iYu9J8O76I5MfiCCBFhtyORzYsin9AOje -861saNvQN7eIggASyjTfJZRqEoEWj+32faVpzoG3PMmgGrlOqZi0TicRwwdUdpxJag== - - - CL6AH0CpkD3xe8ghh/WKhtH8yUUpT90MxcCCia/E6q47pruxKODvk8P35+YJ7I5H4Ytinq+hsB1A -rjayPizrrMn9TWjFHiXiKE27RfeDEzVkoZWSyCsrVT1GUrwv7keRUPfJ4i44fzmPlfIREMUoqegF -Mjy3N9mUxJVqpaxrhQqYZPyHHy754lzENBXyVqxg5/XVVyqeduCZcGHJUIHiKMXo4DBMLUc1xuWA -VScdiP8UZeAzqPIuJp9B9ugOEygMyx3NYmAaDcIgBGGYDkgQYRVmCkYJeFhTur6nJtQ/d8vLusGt -anZf8CI/t7qKtK1cmXvpGwt2XEOdoSpu3CFiOvJQ6bKkuG+hSJLXhvJjiunqqeC37lDLrNejEIO/ -gNkA0D3Ct+mXAXo3tNnUeh4G5eCmAhWyg5XAxoZJksGeGUHEQBZBkNxg+YogrQfYAVeNPIBhhQN5 -ngoamTIFIDq9WdOajrJYgalTrYNooiJg8IvaSAGgxh3XsI3ns7jAiWg1CTtADXjIfR3dDuf9TdTf -z6i6CXETMAd/gMCOMRmQiQBBHW2/g2zQdAyBoLfSz2MQYlv+dA4cOyOsvNwh8g82NgIro6740Kvr -YOLfwv6tEN+q+xgRIZoR5Zzh0kY7siD09ejq/uzHr9vjbbnNgOWyFYbSsy6HImNhmKI1is77jH9a -ql3OD/FcXSL7RJE/iPqkusNWDQxWL23/oS+DwBm45lH+8rTZ/vj/UlQWd5T0A00o+BX7bH2WrThw -orYdSGhFYbV1uYknkLGhkROELz4ZaZ679UcQ0dcTFgjF87Mbg6u0Z0tKg08m0qDSidZZchq++RBm -uTt5A/PDDD+MKv15dBICOQ94j1pUMvuvOKtQxiTQsFkw6h43FCUoOA2SaCt2a6TVfRo4J2z6vIzv -mtAFqntwoEibLObgMmFEJ90gTJwsgJuflhorV5frm9k/Ffo5j+3Gw4BkknZZu+61Wc47DEMiVcFU -weIra4wrURE17MLSlqWJSEu/z4LuJkm3RcueJ5IaTS1K8ojsAYFViQlxIteM3wlrY4e8kW+ABH9a -3855cM2Yw5RfHsgL7nJBADSqok1uJecVE4siBYum+ZK0DbloFZjZ8Dipjy54iAZkuvjJA225QhyQ -xCry4bI1AgGai+yQpeF3xapjEn4oHKOKGDMMIrUDVRI6M+DPDRWAFjoLES+DgEzOQG55jJakOX13 
-YcotQaGsI+xY4adCmHsG1yUk3YQOjZGLtv+4/HpOetatjbPXvaZ/qI3xrpxzoIZ1P8kQIBkZ0PGZ -/sMhfKswcX6cxvmRAHW2YrAxsCGSPiijb3CfJpJBebZK3RLaVawjA4kL1mnZq9K6tRHt04NRteAp -sA3ZJDqrXeU53i+Lpz7NUDDBvSCeozj6zlJ/5i9/piEHFAFL5J91wZGjDaHO8uLnHQoMSqfFxJc+ -UieWQFc7hosFCEZ37JsiiFOZA1/oe8PYMNUj7YspERtYN01SPT04bgEVisnqLy6rGAN2NMHl2IBd -naQR9oi8laQLCy8mNiks4CCAatR+Ecd2nlNg8DIEwEfxKaAV1pheJIJ7S1/pzySHkhzqkKlGRraR -w8EtPlDnxDdMgtcFm4GaXASaeJlDMe4SQc2f8xltTFdKcVXnOu20hOUNQfPAE1MU5zIDFYeD2X+t -S2tMM06HSLgtyzdEgRMNhyHInmsAvD5PULXX9NiPrK7tzQRjWrZJsaPsA6b78Dxx1b+qNJxWNmvw -WkDn+ntXdP/GiRpqAiKckuhKjkiZzhJAts9vJaORo4dDtsyEZmJiFGSdlvm/e2u3PBnGXktDivJJ -cKXBxU8cq1HdTfN1asoA1j17EUEeUxbHBrNNJYLwFUG99YHGEzZj4qjnlns5zREclsfmxFwhrR8s -b4wcWJ0q+3RqPHQTWApSVisAjpww3o3XTCUnZrPWXrUuP+cH6RzXbcgFu9fxFgiw8TqPNi2LMT9y -tuo9LwLWBmsbQtISHNm4PHDXx3pgSUyyPZijhHtwYzluUfzF/r5zWKmSU3rpmpMlKjfKk3YE9b9b -U6Xxm9Hm9WY9iLmQ2cN4YrAoPeDDCjyb3jnrfh5kNo3yPJ8tpI7RpcjKHI+lHvXL9unD0J5WrMV5 -Aal4wQS4em16SngySdATprihtQWuY+5p+5Q0y8pLbVihGYghRJr+ZzGfl0CEoXSYG0e2XGLdL04X -2w0iHuR9E4mjK2SjOEjkhBw3UvfKypM1927sVCXE4VK2GgfrVrq2F7lw8EPYy8Ntcml5F2Zdsy9R -kZwVMGXLrmn+QOrSDKBqUyBW1NpXVxhaTsQNf8flYVz6ZIJyN2jgmKT7M/aVmluGdr1FoCX3clY2 -DrWTG/8+xpMkzYlY+imQLfCFk2nkDfONjrFeIwf+3QTyYaAFTeJ8MMdVtQ4vLCdsXMRuKnlflp3J -MER2OkwO4J6J0ADyJo5JSwZUe2CzgriBGVR9sV4uI3GexX6ApGja/A8q+HwnxAHtwtwC4PCFgbL9 -0COtzyBEW1HQrcj65pMikr8m5SdxFD5lKLoG7fMLJD08MCxPMEFS3VfMDMMjfGuyDJrOdv84G5Qz -tS7AQBgtgSlA9k8hNshpQfdUJZzWGfG/pWxk46u7BVCevQMvUe8dphXJVQ8dbaU6E9Ewn9glVLTE -QvAw0/p39EzGTszcODJXauHtGUbSZ/6gCuWygXy4t19jszd5S/MshMyj0kZ4uMYc5Xd9DipWrDnV -U6CLYVaBjiZWleUEonfYVPILL7/IY1tfn2UCDZjq/u9XFT6BwvBhECD3ApFZ5nTiuILig8B/BFry -GLBdfD1LLE/Vd/joU0VY0OpefzaGTugRMztnlGJ5NL8sC3lKk19BWr/P9oBZTIOEtIk8vJw2P8sl -vsySEWsZHu+OaH4j1OFDZJbv8AB8CW2lL7Y6qIlOYMRKji5WZq5TDi2WR2liOSg9rrB4G/kMgeO9 -qpMIcQdvlYIXeV9M1mI/PXeBGPq2KewACuPpryd+4QKPPPnq3pgyx7DhaLXUF0Ze4ruyTQxaLRrl -x+JqSp9Hp1jMJdQKkDtgM1+0fK9ovVf+lmdPAQJuY2tZKv3KoGeS1ePry6Ele1SmzqB72x3k6Sth 
-isOQRXIyNtDeVNy7pWoEc1kxJTvxHRq7ppCmtVbBl9RQUJvKRTpjGGRaM2h2nh/dnsqlP79Hltz4 -/Px+qRY6PNX+z08TUVGDfrpf66wkno4/K54ct9r5odRFlH5vP1gMqvR7ovTgwC+h9zxZ4CfjhGaB -X7i/l5dlAwMZe4QX/GTHvIt/wA6YnyjMwg/wy16Imnu0geTpAT+mArDMNwBMpjYCfuM4MVVOBBf8 -pDSJIIJFMMj12f++AspZ0fqSm/6r9fmJAVsIdL/K+obCEHkGPqwvkCiNbzBwWp81LZPvItcBhOtg -Ok3uSJNaVN/gzSjh3pdaVbV1fhsen8oT83/oF09c0xYOLOr3TEq2VPwRLPULciL+2rJFIP22HAwI -0cUUodAf6ScgptQqnX5SCbHL6bek4CtZsrOfB9DPgpTWZcf3cvH1qBZsfq1YFricyDxdON2A2/VC -kLUdwHVD783TT8V882hrTMWtYa+TiJFXgg43gFuwMM3Yu2Hb2+UPDJFKeS7UF422vzI7we4ndja7 -4HpvEx9i1/t5pQVgsGiw+16SJ8q/QbbY/bM/puhld0kLK0SDLD/ZnU2hXBlz2Gcmu59NkaBnnIwv -INn9jAVM+oCYPsfun7t9s1jVxibbdceRjjQoi+4c666y7l6X606ggJJadyOiu8SG66hdFgBf9ztN -YGNPrrtXlAuv++2bpQjPyvRuSVC/0jsnnLGz32nZv4k/ggL1yrff9dhx4cKs1u/iGLNE7Xdp57UI -ryMFkFOMXEBo1vLEO4VycUGuykPHFPpcUogbyrOnUBzcOAyFhhspdGFiTKJbIsoUMgbqPTik8IFG -Q2I4hdTzrZO8GaMohbwRHYMUMiCprklvIjGF/Bo7Eikkp/V7h2AYU1K4FJjF4SosN81KxhxC2U9M -pS4+X1/JcfIYrFyPkFwthhghwzD2WBaSm9NDzpegqlppFubArTvVgiQ9JfQHMZIrAcgYMCgQpjMk -AjIQgndVraXE22aWxsyCeLKCsFG7uKqAsHD8sZtL9A+EhppJIUFYL4Q25EfYBQj/hHBqD31jVQQQ -4Yj1Zvv1744IzSt5tJb/dotQLRel1RVh/DD/QwRxAIkQptfB8RMcz8WHpX6E9sTxokQVCZ0gUE9u -NArtDSaPe9ACji5tg+F542KpkLGcG1EgKGToi+KHs5f20aXC1FEskXp9QnOg1iTmhYeYDSd7YTVG -KlP4kqcBYqd19uAifpTC1l7ZrY/CLfpQYQA9yTNgdhNWq0FWhCa08+oWtgkTzVrEmxDqPGNjNFBU -A1khhi11bU+tonoTJvfmE8eEpdjVSRD5aEJLDVVICWSU9id02g3QKDmh8xZEVQ+Cuu1AN31Fjz0P -BqiL37fLBIVGsw9y7+z/g9a7Dtz/4ODoD7yJZF75QVqncHZz7zTtZEjotnmPc4RlQ4YtB7td7QIy -zPJhKykyxNp6BoQjbvtl2GNEwKo/XWP4ZxmMbg51aumBudwTSfv5IOq4cjVPUqxitMu32cS2Egd6 -rxVxiKro9/S5llZ8hDAocJFdgGnzh8oUrEbqQd92WRaChLR6W3cawrGGZfIipgIJTbzxZV/5h+fP -65CscF9fUAZYxckzm0eC7qfZN1jlKnbbZYnRwNQIig+yKDFrNDuOJWw3SR+LjtdwN+agQYImPNKK -DRTsTI0L10z1zywOxzQKRDCaFVuv5l3QMxzPDJkoGtTYuXPuVg1KKUxo9/m5/xP02QZpNj4818er -NgmcFi/0qXuWburSx+bK3dq63a4bkwV+VBPVB3I+X4I6KcwuTjeENY2EdqfqqPQ9e7NRJunhkGj6 -zojY2GjyI2rXQRnanq4w8/s50GijxHmFJdSjeLrIBlZ5ID+iBXvhCT8ErxQVEempnJag/BStzQbL 
-h7RlBfObg0grvRnbJXDvxQguRURNQOCvalM3CJzj1g/M7RMuBiK8+hazRTB3aeOXbi7YwaUWoOP6 -AdhK/e62/e+7+/katmeSP6Bt0qSRBq5phak9toXLFDLWvbMap8TJXnhErStog7vkMUwuNriLX7b4 -aeQLAvUJcPdMXm8oOYIexTa+Osao7iT2+7EX3+4dCd32/kJk9Qu3z++2oD5ZtEs1PvCwQDgN0s/O -nHeKahdeePd4a0wqQ7Rpcnfyb+ynK39aRwcv7kQGa0V/CXmobFTN7YIakDpF6rOMAmpibUueZ+G5 -ks2Q6P8iUC9gwgynbswNuDdUhNPworOEI/8xz7u36QZoFyL/NF9v5uE6tcH8q7W+nypbMfdzLtId -S1uenKMp+z4E2MYgd8PwBvUQ0TOc1H1+cEsexvvpD0ux3+qk15n3hjUrl0IXbuQH6Q== - - - sh/EGTWvtKFoYzAwbbwjFTRd6c7oXB14LCxjgWdvDjJxnrWhtuaBvM9lT7ysUDsk4JducqEvqADS -V+YvhRWIEg1agHkZ6hvWlB0M1AYh+Mjbmm+4tdDGxAAqaanHA+WnZ+3riTbYcL1i+03AayQ4BVkS -/3uFK9/vuJLA6lU09uzC3v/vRmzgfpp8efGTb3YkTiyxcj1gY+P7PrM+1+NB0AtdFumX19tyBV/O -2bjmavxZy1tz1RTGAoiEpRRKYMkW7AKzXN4R/UI/2SHBwbqmHsxC8Ga7XN1KnL0l/WB5x9xBDVbm -XcEEUnJhsG3/doQEd1YGFp4PYEQVYBmzP/irGuc0HWBvkh5wIA9PHlhXx+9dI8AaAb/vBT7lgB3u -5KXot9JELIn7t9pkEUDiyqWDhMOBOQmutu9/kCR5c24x1gwnSlccdKkhiXbcVVruyRXedtV2vOM2 -dgyv5XvBq3kxZqRjorBln4jOiffg7GJTyJfW4CXKplfB0hQiLW1uC90FdcbjHkFjKPS1IPX7qv8d -vMQ/3vI5mJqb2w/uNnLfukCN2DxpEFZxZ//rHIH7ZBFLetHiyihfAZXt2LuBXfT0iMZosTE+plgF -zDmafs5WPIiwwiYfUoMbD6rGmnsX/6AuO0X9/R2sWK1DE7QXJwNYsa4waTX+H1detsos500iLcuX -dr5OHSW8NlSP2745g6pXN84FfoZHWerwKwGRsqwZTcdTQO06HQ9n0kT0Q0vH2VJW+tOlQba/Mds/ -Q4GyYGMF/l+7sGR8DorUsMwguPoSci3EkWkmuyB5QNeFljDYhwlQdc05BhN37i4FkGvmxeQEfCPj -HE43tVJ+FsYqqOdxSYOGTTqBI+8dwdByw4pmmuJ6/vBj8W9QfaHGDg5KfwR6nPp5cAO+mYBM3eGg -6B3VLFhvaDkcW4ROle1jfoOil2DsoAUcIqgutKjuvmTH+Eunzv1OGn11sPYqZayC1tOaETiCVe6w -cDcQStqPBMTb3PKZ8wXbhw5EvZ4iE0CsAIQyxqPCroq5lRi15h3VNRcGZjEN/eo7A2uAQKhB5PRG -VTBjIPROxh0eFF00PjeoDtjIQWwtUCTHDWrvBtbLtiyvOyjCJezNDUr/HilPJxo9LLicFsfsPTLo -UE9LoLoZcYQXNJvkNFG6/gvo3NIdExiHiaZ+D8groqUPmgFqlxFZnjlIZqF52o6IrySmSt3q09j9 -mQKmYOd7Zpq3k77LZ5uFjlSD/rOv3Fm23lU4D/ukwqM6MAe1I25dJSwJA+agswGeKZOoednQOIrS -wB8Y1+tHSyjtAbDArR4G/lcNsJx/poMEXxdd3O0eJOFZDQaqA3fRF6zkJggJWf3v6YlgID5IZrHv -/AJC4v1BQlkvn7xDDhAS8gbgrxL9DiGJ8nylYZAtPwrvGxOWR0h+G0m1te0VzT1tCyEhyd+dTC0k 
-E6d/5KUFhxaScS94uGFlYzxjWAEkaOV+YdqQDM6elG9IrKfUY00Tgb8h2Z2rnW5I4Cu68S29Nxlc -SObGIWFIFMCMQ4IAw+xBJPFqNP3AciGSlGE2JzWXXEEkh+Kl8axEMpm5cOUukeBzCs4mEqe6ZCcy -WFWpicTN4wpmE4n7tEZ4dSLhAHedhmGwiYTY4wOjfoRUTSRBwss3TiQyaxP2ECFboxOJGcHAbziR -fBg6guqJhOyEJ4EAW/IF0RNrrIQFVPEKM6E1OQsomwecnZ4ub0V2TRbcpgqcB7M+LeYYPgGUJKo5 -5X9sVK6Ynhw0RKGNSgcoABdxGLWsGFjfaBodVlnJtODTGECR1NMicwwXGIlMwpkETzWgw0sY6uzl -pcg4iSyQznVuxg7UvxKjdcc9iz+3FVFoCBCOeoA5gh09ImHmxcQ8nEjjz95cqapxQR29Y0MAivab -9JNa5Clb6ec5ZxLA2EFFu0ov/VydDm4oizSTLd0UpVMd+veI+9kVIxkMb/1tJC/JmCankSv3M+GP -/Uny9DN3WZSfK6YgtHvAD36C/3EXJ96K4nLaCQhU2/KT5iRiSTnJMIvL4LSZaJvcRAohhGBT7z7q -ULN9wCOEZuQDXYCZXcuRF8hE8I8GxbQGwRNx2IAJKNtLcCYxq0usRZ1DPd20gHoUEWa5+Q1BM3ji -bz8bKwZZunNKtFXSNBEyyp9q1iYqZT1Io3y6Up4IXDh+6ktcpeVPTJG/IIJHKIDg/zR/Omx33seg -1vwZvrdfsi23xiIXVD5UDSl20fMV/nnnY9IV/wzDnOG9O4l9/FMtbqxgkZe1jqKlzejP9exP4/dT -+6cQK6dT+i+ULnZiWZCk3lqKvW0kItpVcOWJyKPeA+/v0yj4RQVAS222JXYm9fIfRHoJwl5GVa9n -xWAN/2DjTlikfzKyg/T5adNMVJPGISMvnTZ5E+FUcfNpsu8BaSwXIjkbBy94dV3b36d+1pntMx+M -RU2V8kAv3fE1yTJLTNo+X50R49PeiDRJCtmiMlyPyL2Vf7QYHFUuDWDit6DOPVAv7cZQtz6nPYSU -paU+nOeFwmvzPj/JJHrBKGCe6dlTyl0XJngPgLUHMtWYsKlL46Z9Lm4mZP1pJ61ffYL/TUarzy5T -dDBe5clCoTA0dikFXn26J9g+LUOcSxv6Loo+8/yeigd3tM/lYmR6nzAl0sOa8dOhvcZPPSvzep8q -NzLA2FPYAwWGolNmEZwvxb8EBub7NvYJMHSOA0Bovg8jGCyg1dMH4MSZhQ1oVQVK9wdreQfre6mR -Pd6O43HzU/uSX6P3Qp+9SS5vS6oAX2E+N3L7UF/XXB6fcWza7tqJx+fql8+KsawkOZPV+BPgjJhw -o8pN18JXWNgUormhPs3D1Vr2mQ9ALINIspaFDBVE82l3d5B9H/16wnjuU9Lbm9LN58Z+eem7sE3K -agBm91E+G150kT6ddKjwh8G6XNSvt/k8Wz02Jdx1SJ8XUI5Fps7BzfY6rei0L/IZycq6YbTPB0Ng -oea+a7r51IbRuud8wrlVq/RZqCkRp6msnZibT6pMqZh8xrCRtdISgpi7B2bPnPVvoqYqKTEFyecv -tHAmn2RJlBiXkixcDaQimG8UKD7PdsHM+EYy4U29ktnDufEVcv4S3tKNce+6PxF8WhI9bwvzGruv -UxEpAbeqEHDT5U1UDgs+F8gwBtNIo1uxEpVY5vEqw6jvQ/1zp+iWppo5SgWfFK0whEmJYV9jYd2F -UHxK5QZRmRRVxl8CcU2BT8CaMin/kgLvSdiFQoaQ2HNq+6d9MWm3Z4w1pZN32h+S/oEadW0YkX57 -Si4ClJUA1nBPK+gOniK34uxpcDNcVpHj3YARRenUkdfzaUxt17PllnhwRGbgS8E9e922o/6axy9u 
-fb896SuYeleiBnfaYcA9Y3WKRj0YvLgnHgfxJXSv3j7ReIj2RFNS9lpAYkCN2fOfLm7ZUxsgt4tN -gkUaAAjKavCjBJidtsqe3QuotDKKab49EeHRhoMVrCIdnMT/W366PVkQNFl/3j40fJzpfYOSxmo6 -ayHEt9V2Rk1FttXPcVVw6Zm9sCuGStj2RPR2Yd49dZdws7dn6xbfyNVAgvfE6HhuiO94v3vK0i8Y -bfckr0YB9jQ+bSxD1D0dYbLAQvdkYoOdFioSqeLb2mooOeieDFjxv0eHd5mlmmPWnsxqBuvz7NSO -I7AlUBn4Qjm0Pa8f3fZWlq8fylxeMxEfULiuUkj/lJHGQJdQWbyHr/89qyummd9zs0UBqtk0Ow4Z -t4f14aKLuaAEzX7dE9E5TLcDvu5JRoHNsqkt79R4ZeJVXDg6vYGlPBiMDJeWKKMzX5XQ7Suxtbft -WXO3tmMpIUXERn+isqr2cOdtxkZYUkYaybtX4izZE462Z1STPV8DeHNYOcfp6yCH2R01kJm4+6Q+ -Q0q82HruZX7VNNelpZ6FFy3JMKgxeQK11GrLoVpR6gm1jxoYr3btaz1Z4BsvRbWezgbJmyTsiFBo -g1S7wg0PY8WAK956+rPKnThvPZ8Ox8VySFLRg4xtZ85TsQBb44cPam/okK1YAmN4tZ7dlwh8s4Go -Z4miJ6Q0Ie3nIweEIT/7P/uySVU7JhJu0pcpo/XclIiYNrEEGzkPMK5PUVFnnbnbgjwstp5EvvLL -SeLPrh1ysDEr4Sqx2rWNM/ZDsVxTIc2K3fcDvHmKj7QyGuLGz4LmwwQ4e+gTx9UUjFim5IGRVPZr -GYCNCOzDVG0dOa6g9KQtg1Lka7nSftNXcUrq+AD6hwlwrLBiFXwZBP+MW91tCoCe7YwCWRXRQWT4 -vZyDHuG0e7QOpuypQc+JzNJTKPSctSp1bZ4BB07i+CMPOY5CT2f7LKTbhZ6qP9ZKtQIbNoRmCuep -atBTPViH5h+ubQ0NejYwN3ZasFJLR09XyeI8W+BlyWIfoHs/ZoanEGoHMgf0CsKa42VLgF3EBz2v -QjwygZhkyt96SOESeioGKuGH0NNWRooj9OSp77iU4NX4ff1bVgSPHk61WDqA3Aw9a1pac6LdJiav -KNDh1qnp1/EnerI3i69URfSsWkJtrTuyp4znBJUbOsDR1avroZmY+gBJh2x6Msz52/L0oe2Pg8Gd -J7SD87SdZ3w08eG/88xb+aCGPGf3JUB2nA7EOGcs9kXk1ZsfXHmAwjwX9IJsOxBMEObZEX6pn5tP -wzy7MSKBfPIU4y83pi0xTwmYrUaLB14eXSaZFD1NoKiP58vgNMZXvh5MKmElJVHGBc8ghXRVUlVn -RE0gImBAed2E3sTkkw7IYyhJX/oSd2cA5vmHkbhAXX8PWUo48bQzh7Hd9I+Jh2h1xUfXlAmDnXIQ -lts5/hZd/nnjqWTRaI2UqwojZ4w6ogxrjKBkKk06Sx1JrriYPRZ9IRYjEdSS6PQ0jwbQKXvhhGqJ -h57xsSNeBYYtD5EyYqn1wwh9YvYA/ToConKeJB/2leFFNZjjQoK4yPlIiYEcp1A4hDGEj5KDOpiY -WLCMwc8DcBVOUssPrHdo42vE1t0nkK3Gd2XAFld7od7suvQqvNnNlCdILV0wjJWp4TZ6IjZs3NyH -UgHfppCBgnN8iX851ffAJI/ya08DD/3Npj78eZFs6oOdlNjUhDbnv6YekHlVPH3h8tua+jslSe80 -WSVNcae1QaZUU0NyPISdPgMj+GlqQqGY0rNp1viD0tK0xBbU+pyZG2gbTXNUwJyWs+X4ECK57TkX -/DOBxJp0VBzOZByXhusZ7YkQXPdGnW0m2IokFWRgIs3UuBy/ZCYGHAuxtjVWo+6+PNrAAsmWbLbV 
-BX3Atpsc3iYT8Auk7moI+jyXyNST0DZ5Go2vAFca+S8GnNEsZRszY6ILit7F1DHn/ZQ5G3dEeGtm -PflhLmZRtqoFW9a5mMyGiQyPAiYZLbESKJo6QryxT4ppebHh+7iWShoQBNgAoh5/KfNqkkljVVSo -uo6Xfad43Zo+BoyGq+T+JaE5eqldSy1Gl3RifMEpwlPR9nmnl6nEi01eXKJxbnPnrg== - - - swmHxjNcL3x1+TK/VENDl+DfMKfPMJdg/7eoxG75COIyf6s++4KadRlv+FtqL6ekt1tCU5iA/LAt -z9W0cE8raxRJHelc9HOitdwyhHUmpNLe3Obk3Iy01KHwfJXRbXXCz7L9jBLKyGaJMl9Et67z07JU -zXY1popUUzHLhguVvrEkz87SCBVoi26+DeMeYZlVumN+qX+lTzfsldt2pT7SoeeaTq5s5qAL28rc -A4RbkiI4qBih35YEUG07KSXc6p5Gu5OObmtXC0nWfRfnROmPboP1zGkjVb635ySptKmcrqSygnp3 -BkBUKhceV70KJ1Jq8UtfLsLADFvSH8bSHNuUoCICPzBTVmNFr7iUo71rH87uu3ZKuXce8X9J+etV -EyektH5SS+rtzEYspFxZI5jNL0RfN+LElNnRuEqRuFBWup8oj8WBGHCLJAjcsFBWrC3pyh6XzhqU -vZhvIo0tUS2btRdmD+UQjQRsGLqHB/UECjWZTOsqPBklrFZUCEpO3RDYyedTpXgeAyoDQBdS39Ho -9yaJI95gz7gPXZJVl0/PiKQpHm9OrEmJ5mPbxdFkFw2WwjxrJsnu1tRdZDIbMTlITZDNhHZuYZI9 -PEu4GS72aQ+/pLCiSw7vVJWEtpY81nZ4xZKuR3HOSlbyW85YHkAl/9E2DilZbSqZjSTSyODwSaYJ -md/Jatz3wmT0NU3VxkC/KSNJt+YzfKOFJbbfSEp/Mrthy7yBzfXnPX465q0sg7RrIfmCDEnvKZx/ -GkbCAsjLLp51EoLxAuR4kkdKoSSt3GUo45k80v86+RSWW9heDEbkz2QqMnLluTGjYG3j2/5Ud6xJ -YWn27U9PoEzZ2vUln9rbn13B0tDQldT2J7co4GrQ2p92qdN0f2L5xrHvnzfnxOgFIYjXAKuG+6dU -5r9A7k+tGYi7fwYfBEWNu3D/BCS9rWcqQ8QBBTrfk2wbgCuowAEEw+Xl7Ntke+m5JKWUKSUJcDgi -N24EygauBuIGVZ9I5SoR467SrOq9NOP2Sfe6FFJhjbiLO0G66UTcxZ0o7uLWxV3cmnCDpkMxpTpU -DWr8804WEp0Jmhj56ZVNTGnqTaNacef9bVD3zbiPS5a7YVkk1WimfLTniSi9CCN8GcAFAPS+yvH7 -l0Xk31NJ4bt08EOPK++/5A+/HJkbzZ1DizP+cEvXjDFHfA71Y1LP4tSl3AfdoSz6IY50WnyLcr6I -LyI9MRKWl7P4VoMcsz6IQbqIjKrzRAyaj+jwPNl4VU2RN2udiJciEbeVvwQRW/RfRtosRJRijl6o -WJ4Xq4Kuek/he0ovG86Vikpx+J0dXXSJRG49iXWJKzOieExDim9RimfxRRajr5JkPQU5arVbT+LW -k0iyrCdxPYkcYl/DIKfvkN9QwjNaTF8hw0LSl9GpmSixI6bKlT9l/ONYdWTVC39KyqOoH1MohNKP -kGrqq/2GZC/klZkS0q5hDn+JWYK6eTGo/USjzJ6mDxiDcyJyyjMqlrJ8sOKSmIclyEvUUsXu4cZ2 -SkNcrU/IROk41RV3r6vVxsfRUMTG8VnZxktCqFNU4jhRyY/2IhS3TmGhaMznuq9J7UzVFJ+pHy8p -bb9LspVSspYcCRuLkUuISL09pNNvKioe2ucit0+6faKL7ZRWT499qCXKY187QolYJxHdNm10t1uy 
-ei9NKegpxRCnJhViiZa6zz1/8k7t7ZBvr0ucx0nKeKtmfKqfImo8qhJRdhWnUncnjbdKf6quRuMj -FTfOKs07f7mKtiI89RuPKs34VKtiW3wvuT15M/VyKmLlTTEf0ahLK/owH9HNvLQTfs6OMsKPUPjT -nhCraD6h9hy6pyEJxevj84Uc0wqRJ2rBJifGns+vcfoNJUylhO+hTCflVuLwpfSIpJDhd/ZKjxfz -5YTvckUPSZ8o1jbK0syPMkoJM7+xlX5LRkOmn1DOF9HmLZTokBcq+YlONIJan+iwXLun3Ykl2+5s -I2gxO9vurInttJ3w0D7s0GqabWP/+rX2ifT6u6mW1l52qL6+YRLHsqY8w1P6Qmop9//NVyM6ZWry -jWVRE4uc1prHMRSqiXC1V8xJxbV5wi+EPktIxSaPT/pJv34PTmRcP1KIfPyqNlxFapMa5ROjzYR8 -ZOIHyVWQQQvH0vKGhIsTyw6y7CBHnx/L1J/5cEsHDVc9mUTSB7H3sH0Vg76jvQwp2nt4mjPZh/k+ -zJcLcIACGBCAAyggAQgwAAEMNEAAE0FIF0NhkaHOJ9p4tTJSjzBfJSFe0zXemomxHhgeBez4ftkm -CuQlLIMHh3uFv5q96pqM7auDmWiwBFRFIcslwV4JOWh1EeJdskAHjXkjwzqgakemVnaEvATb4S3k -POJQQTqt16HKmD0UmU3DYKZFr4dUU3/YsdQV+b5xOUJhr6emURJkoTGlJMxBM7SDtjY0ppw+AFQo -I8FWi09NThviSlnRjFbEYrChBc1KqMYXFwmNViR0D0nofpjsQ1MeXYg6yxl0SDZOEgZiUkNWFUSz -JyJLbREqClHRItTlSYU65BKWEG2IXFUPGKW9UL1Jr9iqSsL0IC9q6kFRLVPVmRRISclpPnIJlaQr -Cn9QIT+damhBTnbIacg3AxFV+MtERUWxolVVt6oxSzSaIGNNRXdA9N0OE3OU/LJhEU1UrSGqoqIQ -1ZGggGgiQTUWkVPVWw0V1TyEfNJEiNHARLcsRvpiZqrHBGV0plQ6UpZKUarigikgfeoUcPYoJOxB -vSoiBWf0memHJtOIYE35pDCGcTM144YLuWiIMxnXLBqeaE5+xZKJhiZTfolGpg0hYikkoVlMhkgY -2nlUDuEM0UYxo4qKmVBBMUQjZRniY4hIaMZC3VDdRtGMJtQ4qRoyp9DDqc7sQquqMceascMP0mj0 -z2vF09WxjC3v4wsqiutirCgTnYrIM50qfyKmvGRV1IlJZtSSRU5BK1n+oQtpaS2nCJJOfDeWx6Ii -qjqxRJEsXm3lFioJBlXlNT5FnJ9gLxMiuuYncYmnKmVyyPJT1F1vJ+VZPfTT2wqTffq51YNmakSE -Ni9O5Zd6fKZT0xQfVGNWPhVV/lykND+JUenIPObyNj7VZ8M3vKTWkem8Ptlx0XMNb3YmcF80Y2aq -uhpUrypcnddhv/PaPm2q87p+kv0XXwr02C5lNbuv8TWtiNKcUcue/Jz2bMmlchFT4xSk16gR9ytT -MXm5Y8d6xmba79mLw8l4Qp0jloXk4+uvjKcyUeYrxl3lnN5ZI5RXZHOKRPSVzU2iO++FVt5YHqSS -ICcxnkS878SIjAzKxGyNtyQMEmFUSXxWfP1qeYlK6GlQEI3se0MOHJKGmqBCzf2hUOOZUCNjoKFN -eOkhc6IVBRoqRYTNudD5Qyd4FjydMNNgEdLoNB+2TdjFToJkpPXgyhPekeqKcHjXMWoik4WYVb3K -JGJzZlA8lzYyWyVYMbx8OFqDUrIIlMXULMqXm95K0vBhHViBNcM3hkaojN4D64GbEIyIYCyUgQIE -DgxrWJUwrMMwDBmGXRiG4cIwFIXBQYJ0KE+gNlAlUCdQAxnI80AHEUbCDDGMaj4QBSo/0HtHqIc6 
-xw0ichhKJPIEWWSMclE7c0k56susjOt2z4oRF1VsH6dFP8Sa0yNGUH4xRTRhV5luxqK4pyvySzE1 -XSdaDNrER6XLzEgrZuKfjgyJKeYgiXNOMuIoYUeIj8uQtMizkW7fhjNdeqGRWad2s4H0khNOzXpe -a29bDfHMe8SIyEwZK03fTgtaS6J1p/Xr5ozNSu9uzFssrvRVRqVo/TI+1pV7dHZXWGbG13Qs6hr8 -rH/31mIx6QOyhkY05J3a4XBuRWIdie/BUjS+B8v5X3uwpH2qwih6VlM32pOrOGpnX0sri2nFzlUy -sZV9bm0V0u/vLaWUU5npTCk+05fiM52HpqHHa+1Od2i6z6W2ugcRyVMN16/qAziLujVPMY0cdohT -JO1pOFrUXNid+GWyDrJrlGLldH9ayKGa5HxVkxQLac5ErBnl0Pwo5Y3VJSIzP0bG8aq3Waz1JCwu -ih+tj7l4Tk5PoYumPryZ+MJRuVWZVygz/YQkksx45uGpsL+wfEZpfRAnItIHuRL5x56T+jLJW9yK -Gfqc8kb61Zx6MYu8oD+TRBViGmmaamiie445z0h2jRT6wZLU5khd0hPTWG8cP8iWb1SisZFKpTyj -xTO6T2r8o7US1dl5L7Yks0v0Q6Q9TtOReKkT73SMjkMmnDE5oulMR2hCaFwKEVY/j5P0k1a8ph1u -l9GHHqmXOofK12Um/okRTdfwyjvKKfN00ifT55S7gtEPcf1qhqwtWSPiKclWl0w2L7i+qtGbeJ6I -4a9ljYaK0iBSRd1VFT9mUFjxToNV0xMpSmLuxa+iKzjeqnSJ5hI0UawyE+lVU1vCr8/dZvqE59Wx -g2O/VM89j5nD6jzm6dzS+WteYc5jlofIbH8UNRsoQOBAPf7Py4j7Df7Cv6LD//UW+S2+l4hYi1c1 -4n3jUQ2yOURxmT7qtN3isO21Sg5xzMQ9kcLeq51fLZnErTEtatHIkKVfpOn1ZcEyOt14YWfjuUpH -OH7rJrgTW+fIS9yd7ojaksi2fdKOxGEzStV4VCueTDyoNHU/QQ1xTUglXvXbwvpQWbN4UUfoZHm1 -MxSXaTHqvUjLFK+UZIjijE5s009aMf1cr5R8SslwVMeLKlRTOwuhrmqZKTFhy8Q/lbhQF1VZVUbL -zLipp5WrhCPbQzq3O+3cMkeh3M6GLuXbIadmQ5dFOZ2svezsZ0dKpi5LGa1DXsTXSDbuK8pXVKKu -9OMfrZWU0r9K43F2ojyt933SISYRt6Z9WNnbjuIVjrS1uOylpbK705UqGndyZdzJ3aedBLkWktge -HTc72xZP0UCojM48KUTM00kuKp5jbMiT3NBmNjxPiaItOx9FjpSU3hesozohzd9iiXTiafi2RsIk -yZ1Exa9I4kP6EZa7CUkv+JnJH8cYnFYp3h4VqV2krVUcHFWjyjxFWYKx8iVYliBrs7IEGVEOVrBc -FJEa+XhDFOFGQTvI2SzPHjmcffFsyqQ9imcMkmi/f+m+hiW6r+H0I7eEErS/+RErjd+/yzfM6TBK -/KF+hBNSLyOxv11V6sukCZk0b0NDXJFQP/MIZEeRTGb6EFLFR9qG9CQkEZHUNFE/ZjtylkiQqXUN -PSRJWkjmYkP8FGsc/yLN06nq2YNI4SXKFXY510uy53J8kxNyw9OI2JzxlIvHKU49ksaxP2OJY44O -tmOHyxglPD7Hucqi9CN03+EseBq375C00tSVmfsR1l1ETHsOZ5O277BRlsZ9CTsJkfYdVj/DGp2o -xBNxiop4KXIkq+hLDGFpqFyhaWj6WX20SIZb9EIs4n6eiBTyohRpkBdTzCErrExoLB+TkSXoN2Sh -yKoKURBlalJb9jmTZ5xZWriRc2B5ltznUqWkKmgqr2VHrbxTS3LvhuV0sqpTpYmTSw== - - - 
I0qwKP5Mlbippt6rO6Jutk/3Hi3tTv9aVFWc06J1JqfS6HTrtBSfKdGc+KjxU4UdL8SfpqU6/2As -vneqfKuNr9qPqStVUE181VUZr2olXFw83ldJkTI+1RqHG2dVaDYkLlShKOMOlW1cVVaTamTR6iWb -DZlT/DYl96wzkYqhkAyJVMxizUqCLpXWIsyNW3ut/n3ijc4ZijFtRhJraURb+JC87viOhpt120fO -MEQhiH4gBhLTq0JJRWh8STBhIgeZ6YTOO65Aq/qIW5FIMTSCX0MhHqRedgNvoACBA1yr5Qotqarg -ep2vQJqY4j9EU4FMrQROWC7hIuGyCpcLTRSRERIqKQm2JzLTkYzMZoVHRjzPHZ1ieJyVkDYlFFmF -RpXTdMKPTC25iPxNkFHhjFkT/oURnrhf39SOLr6GfLx61B85Sckci1BXXfSzmtWmKMFipYJkj/E+ -l06C5sGZTEEjElb84ZxHQgyTYjM0ecERUkSUT/GV2IWqZXbnaUgVm1XQQ9Og0e416KxoPfHDmz2T -Ul4xaeox/KLpQyguzhKlFNE8TCSk9DGKhNQkrmd7CkcLwxThVGn2EnSQa3YWR8hE1EdJe5A0Ng2x -Ti+WeFVeiBfkiSyqtUkZ+YogY+MXcUwM+deZBLKvw1gnb1DJwrWDNmyMy+AazRES4ZC5VDxhE2qI -qvaij7bhuGznwbF9Z3cuHnkv0sYzIqfQRFi2G67RwyIxl4Ujl3bN9zgdGXzNIPeK7RKvzKL5Eg+S -3weDfAlSgjjjl1gfNtj6vln6mblUQuWXwd/BFrkWqxFNJtS3ikV5Fxm/Gy+PISeeWyLGj47Dk4L+ -WR+DpfJr9kemoYLS8YuoL2NQSZ6N8cQ4hCqXWk2XsXykwbSoiwTTIiYiRl6S0Kqkq5nJQex42UxV -38Yx38jiEjizo1h9zZ7EnNJRlTjqhJ5584LVcR2PzCyEcfZj2keKnAllzo3o+0TEns9sJVnhsriU -hNSsZiZ5a0ZSMwqtlppC1ChquWv2SqyHqJk2Wslmb5yULZ7PbogizayTiG6CGqKrOYVba27huCql -NQ/holif0zyPbqPTx5az5xUSNaPNSo+JEcWYHrPLjp8vh5ov9Z/QVpXDWBVmJIoI5XlTQrVKEXw1 -xhWmq0uSAzEobCHoCpWpPFQsMgwWBotUbCmFqdV8saLbFFyMc9hLCSzaRgwkYjGUwpCsxapaYEVJ -+eFUmhBFoUX1ogZCDSuqcBo7MkFBhFSBakZaq3BocxrRWRRyNF50QmTqKxULpE8WaGYmeMamBI+D -hxJIXj3CmB4P4mIQi78g7kNdXbgrHoaqKszlEua/hPn5Mbz2CvKbiiTh9fkf1NVI03bxiVgtojQx -0uyj5pGDhB/TI2Lk347p4jlE7DNduFImKD7NhmKkC+cQm7SkTbZ5cr4UoaZhEzYznmogKodVKCIF -GQcZTlE5yEyQCTIjl2KFoclrGgV1qkQNbg+SS5C8to3I0CxFi8bH12W+mn9e1snxQBEkOe+PLFFw -TUiiOGFXOKf64TV5fWMz5KYJB0l4KGqi11OJkJPjQb4ir8QhL9q/od4PLnpGyVNHduqUo43MRNMo -9seYsYasoaznTPCyjjx6rI5UmnWn/Bh2NeqjFor4MmqQcVVBCmpHlKgI8U1Rt1+hsCVj56aR8yIV -+VJsmOD8RbFy5VKzRIScFgxi3A5F85wYivYLQ0LkLJqIdCNfaUUconBEuiLpRkaj5NfMZkguV+0x -+0K+g0KtEFpFRy60aY3M8vmk/TR7fqwOKZkLZ0E6V80MwCM6GShA4ADNhA5NUJjxBIWZCTMOMwuc -Sgw1KGrBFeJvSY9NvZ9zHEWCtm4rGj1c05qIbNsWZh3HOG6gT+jpWxvMTUXE/FFbR/Zyl9rGEvLp 
-s0bILLSjal3oULEgmk1eqWQ1dxdTs4maT4XDcI+abzgGy6uZiNrLdE0w92CQdjXD1j1HoI2lTy0i -/CWfxEok3aimjFGthKJSMumt2DDc0mmCRLg0unSlR82lU2IufRJrTd9ik4eIBb0+Q9OET02RpKPw -mdM+wZ/fa5CHdEHuDj2ng9wVZYjYHjMDBQg8IDgk90SrDdIpLROm6zDm+zyZV0cPx3nJh/tFGymN -tNSiX6XWhrxElKl5iJMQvzQK0bgSRRTCouuecUJCjD/NEIn/BBnFVUYEr2pCjC6HBu0OzaUTpF+X -8hssR/kVrCg/JDjdhrPgZnYvJ/lmJiciTxBpnauTLIgiL+1mSSiieOpT+bQ+11gLUvtX+aRG7iIi -YiJfK3fNBNdjZKbISZPwSCBZHjX/XyufIGMcU74iuw9e5DTlYBqN6hNMs4SVnKYU4iO/SCpMcIo0 -9vcxNhISETTTiiN8xoRIFULsSxRfPBNonER1xK/XgoxCEYnaRcS5ISg/H2bdGaVWmtqnKsNH1p+J -g8mu9AlDysjMhGh1j3amtSvOPNpRMMrFiJOGbHSJBXln9CTwdkjoQyJejbSzaO01XC35IkmTwwmT -NPdv881ao0mNMQ46yijPpsjChsegqlpQ1boFO1G6u4+LwXl0NpKP4GItduQN+mOkm04raNKKVgSn -fcOzGm8yHrUrmTyP2l7orLGCVa6oxqt+SbNCMmR8o8m+TVGmilJTJTVFqZDi1MhUESsa9CFrnS9o -nmv5iDhFVGszU4u4F1K/LAeljUnjFVovwZIoRskSs8oV2+2RDYv4nSnTQ8jBCm2EZNGpjIJDcgXF -M5IUl1Tz4nK1uaFwT93I5YR3rR96NaGSyT7arMhQJIRoPmHN22VjF2DckhXEcjj1xaKI+g9Zn1Iw -+FZHSBTsOqkfwfMb61FdIyul2r4yar6Pv+erdbSa2aU6+1wjGyQ50kROtEbYs/LiiiWitR66H0pl -GMQ1iLSew7U1axCDVnaG31aTyLkYRMrZsZ0RSocVlYpSK1rRaUhFS6wohfq1C39G8axhKleM6C2s -IrmzJUEiRZ5GykRfneKC7Cdk5z2p7YlSpLkQEjHau0j35itjhBIsG40hZRR0soITHZ1FdJGs4hTx -Q5JRztdJ1BmeMSx/GcZZLsqV1lq5td48Xsej1ru0HHnnSivrBmUdixwckoNeg1g1r6IcPN+OlSDS -/DlVSoNCIomLziJajUdNvTsXa4hDIlIiFR75RaQ44431jCNl10i7tIShVsUjIlRZ66vMeIqn3cjF -SPZ7kp7MqVKiwncpsrosX25OE9wtnmeizBBRvGj+EB3ioVvNUbJc8+LGcJiyVaUZQjgNFE53y1iC -Io1gkNElUtrisJRUxODJMWRk6VER3KLkOE7WehBNM0GUTjAcxaCpGZrxOJvN47NO7agiWJZgf8fY -b+YrutiRfZ544niie9IiwZmkKH20/mGpkY2i0IYdt4/i8Vqh2sr9Vq47wgnFwxHHiXDy4uyOLF5l -/EwyyzptsPM6FZtORU2pYtNvKhEckiVSkYZF70RFak/FxYrhc0gjcTxVIWv14TjUiKLNq4X0XCR9 -/lcj05E4TU1qjnLCroa82mg9tcGhvaakMTGdCGrJQY4XKzMOIemScRC1KmpaEvSJmvZlTJVKfdCt -aMzSXaRSMUpplU6kJaW4qX2MEPUR1UdJY7EHTcWmno6CpjPxKQ2FTEkeJD1Vbbh953Q4cYmzVzlX -Mra01nWWcBhBQp8TNNJq1UoaSbs9o0kt2HGZpkVa3kKfcxRXfIlDGR+1pbXaTDFTqdS0csFGkCM1 -smu9Wp122mmcsEUTlmgnJaLMaHcGOdGP1o1lNP7Ryi/6qFyC+whtMm3AhdtJJ5tubleXZzJt2HN2 
-pUE7TbnSRlK4LE/3dMmolFKWc0dPtkxYCha/MjFiZWmHsnqdkvLaastryMrWcJyJ3kTiWDy5ftyP -OLTEBE1Q25jriEUWhXJGK5QzKhzKyTq4CuVkRE3kDDnRcqlcVCZI4TCGGBWacWu2ucmKriSietMe -OkrimEjmICq6r1PJeTqznFnWrefHkFQQzfgsTQ/zRenjLbMLT6scHBk3KqVqLXu85b+lqBSsyJBS -NRJi0TMhUm2q1KJMcS7KlBSnw+m44LTCIzrHoF8MCglnCyEJJGvMoMmy7HGiSlLMg0maTV2TFSmZ -S0r9IYdTjtJBDkKiENOieJP+1vwjJsvKT+6HTqWJQR2WRFxa44u7zstvjX1ROZOoipBvG701yAm5 -fJMoWlCcEcHlZI1byaRY9Dhk0TGXqgkiTV32R6Exvpl2pvE3itBRFKLDZ1XRGOLP1C9pLXwS+txU -oykpQ5wYk2Z6lESgR8Ciim/kq6ER1Qy9QZsXZTOdotb8mtpLFimRiwy/0YR8gkivYzf2GCvpvutW -mldf/G/Wl7O1C3Plxi037sZlTEutYo3IoKxU+sRIeEHOKTVVwzmFFJasy0ZppaOP4mRmZzdtO9PZ -SiKplUSOb9Tvo+z7GjGdiGsvl+L4aPXa6RBN2BKtNI32n3YpWbHm8ZVSdGK2c1RNFl1lueiil5lZ -9GVE36oLA0dytmZitIc3oG/HbaAAgQOhxlJhtc8vVBSBThbaDGnqEn8iOEeuW87VvghGpXV/hiTU -4wuSIa11UVUT2PlJNUQamjVKT+6JcJOTn7wzGQptIyufWtWYOnSqOUHebRZjLqamWermIzGPeoYq -u4eCEJF6/rJP59RPqDf/6/g2LyEKIeuEmAyF81BXn4aQHrGNPm/lVAXPccUsaDM6UW3cf0TWbMJC -qypZdVSninaOhbzHkme1qRFjE/Umsn2qMtV5nJR1bWRzBrWhqFTyCMWTGDoCAADDEtDAIAwGA4Ih -IcHoaH0UgA7rciiaieFwUAZmoiSEigkAEhKAHAAACGxS1qMXfPAMALfnWVojcQZASXVZPILW7UTo -n29Jmu71Ib6ABkBou4+oHjYONACEmi/HvkIUUb1sW7GTRcigJBhLNRsozfWtOAMw90Qxk8CHjfhh -ogPxXtEAUCEJvGyjBBoAFaIH7VYDkHlff8I5CPwws8WegQ3x8dMA3OT3aVwff4FlGDvaAkbgop3Q -RXQh8jzSAFBtxW8rkPUkYBVXKcFw1w+scQMlYtYEGEoDsJpdVoRw/3GvGgA6DXEvXex1cwNO1JX3 -4xKvQIzRVAVeYtBXHHcRmJEmCTZqANy6LQDUJ/KBmDvDpHGOQrC6P7CxG5e5EjidtkndEOjHGs+S -fd6Aww/333QiATDWWjTjCnhHVtXv44fZ4UsDPI72N+vy0NQAIJysqRziy4+9QRBHf2oAMMwZse9t -XXtkmapzVhoAw7psCc40ABLkZgayBdPGWSTaSAPwp0q+uAVQWSIoYQPQraHoJS0cunGqsCedMpkB -AiFqCTehZPVcik2lAaDl76cEpQHAtYOuVf9NN+Xm+pA8myvaGzB9OMHeZddHAKiMdfgynGbq1gAE -UHcBSWHb1b30GgAXymi4+roNc64Pi9EDTNtNHamQswFAQ3zCVVePkCcbgLFGIfhtQA== - - - CUvtQuOm/O1JtoaWHbaDUhMbgDN+kerkClxosgHwSABk4IrQZuVTCX5SlDHdACCPb9vsSTEdcAOA -bNSaP1MqXUnjMRY7KeyPJY82AL8krgzGP7lMK9Ot7Ys2k7gK3zYAot4MWyUxoTMGcrIicmMSbwNw -pnUKWQGYNVz3QjsQmZ34m/4+x+mclQFQROSEllG0dsEF4NxbAGZorv6kU6IUSLc0KQVAiWpu5dYR 
-GuY5CYAqsUMCIGoueuQ5EbC7LFGAXPwBcFAM2aCZyUBm2ACQGxal9bbq1gLAYUKPfpO6Qwz4mNZJ -JQHgRxogwKsRfDi4AeBZWtcqbVErdV0CgES8vbaV9/CglADg5KbHF0yEQ9ECAMDChQ8B73Op+/+p -yV8fRutdhLv/D/7/eoXVzbzyf67lKt3bmrWDvXqHxaCC33D7H4CzSQ0WX3il/+HNYbL131GT/4uH -pR54ZqkG/P8Qhsd6wwjwUt7+E03fss9UM0RJXP8rMQkaaLnWN07R0v+gvkl5/pUJTjKoU4CoyCkR -Sv+ROorkvpaiUpnfkMaoyScXXfmkZXgq/X8/PEo/5Wrp1s/5XwRwM/m/irJQ8f8bEkMeJLY8H4zA -fxCQv6gqRY42vH9X50jGtEsysyDZcMplzdSKfM3+TaDS2vAtZEcnR9c/orUFOrAwuP5HMCh267+Q -vX+Ub2H6Sv1LuHegrKkfnfpP+s/9oO59l6idctr41oL+f01mQSKg/+/Btf/8M92Isa7+bCpBQGKl -V/4jjDcO7IUyd/+SAJ7GS67Af2m2YqpI/K/ie7iy0Cb8V3UH6tqLuwBA5yAc/ibFc01v5cW/958R -G4Pe/jOKBt9wu38adu/kijN0Wdbk/idxenNyKi7bbf81BNanG/+48FrS/ug3SegNjUIn+6dEISna -gf1v3D9F2+jnVM1b/0PPdd3HLoWnkrX1RyHLlrwL91gltPoDA1Ow+iuRC171/4lIQkzV/9oJ5hoT -AfhsJzRKjdwJ2Bgipr/vVO4KI+5H/1Mg8ob+LyuJff7TwhqfbZT57Zno/PGjps4a3TVd15p/B/IY -/HuwKqw8AJ/5F7A21CrK8q+L3wbhjAWeMZR/gpeJEvWxEu/ylEX4e44n8KyykBN8/JdpTI//B1CL -CdMg3MlDHZBE46+XjOi6KcKv+K+tLxwqbSvRJOLfqagj/H6I+YGbrwx/XxEy162aCeG/YqrmCSZr -rAN/ZfAgt+hdedCsBP/9VdwUJ9I4Gez7i1jfH4JvN3CdXPlw9v7HX9bCLqgc7x+i6ZUwqEYKYsra -/fQv61dXvZAC00f3t01sCbV1bz2ARO4HoNu7fm+rjy4Jv/1PbWx90e7o6dn2U2sCe1FipshgsrXf -fjCQw85n3fPv8H1xSGHPjnw10trD+wghpP1bvasPG5xXIzhpvwWA1dH4nqH8yYGmKj3L3mb/HIrs -SLJ/gdfrUdL5AWxif06FUMN4G1AEsL+ZzTJSQCYg7/p/zjsrAitJt/4prMTeJ1hZM9ZbdrL+gNvk -Jx4RbZU92upfwoL9MJ+MFh2b6lc1BxIxNQN3LQV2XkDjSWklab4ViEHKQNtyKoOnnH5/KEMcUCiN -j7gd0//hpESCtnXK7o7SD6JAlijNhxJtuhVUmh/9Zy2o4F/9uJoW/Z0ApUWlor/Y3Ikihn7ybRB6 -4wpG/gBxBvoLEWgD1OwpA67V538MOK+TQKWleH7I2a1jedQWRYLOzzcCyIFnHeabHzfiSuOcRsCa -n7/uAxDJB3AJr4cH9GPNT/DZBqwncN3DB+oFPHcCYm0gyZqfy5MncNCARLHmh2O0kkWGsA+Olvya -f99wsbKnGREeYeFuxYYJy6d8zX+pW044WnOOy7gu626G2TMisIijQjIDMTb/VRS7iSx72T0fTBNH -q1B11gTScLpcXdfWFLdrJSksYdf8fHBpJ9jdSoc5U8jCV3xnZH3X/MK/PU9RBVQhTEeOdohxmmv+ -H3/VUKBenTU/6+9QCG+hCAiL3fx873bC1vxXdjh2OTeGWFYWVcpY8w8LOcOYBjbBK7sl/CQQ1fwP -PlzQCcQEV+hfNNUZlwL2rdb8B1AU3wyEFk3rFbDm39SOBRyPIaoLZ9EoArTutRy35hfzjK6hhG7Z 
-he6ZqqMwGKeJ1vyuGUwkEabyhDYngjW/lJmxnJCfujXzM6u7KNJ4Q3+I+XlRgBXFVGJ2+UOqd98E -jDR+CeKKFz93+ese1T7Wxo+wUXnbELPE0i6/hdkhNbxE3JYGu/E6qYiialwX1vHy80lgHXHl8ZRZ -/pj5ThG2bJxhLH+4a5H7LtEjC4ddLP82mZk7UiLlzroeZflDHteCJ3l6n9L0/gD1OPJT1rJCe9SL -ka1n3k3FCFl+EfVedhBGRPdZ/hlpbtqBOlORVf5X5w+c125nWaYof9P6xk8Emw44i45Imsmfd+Pf -lmcvOWQSkh//0T11fRVpwDTNAsTZiBYMHjMyINbj3ZdFNyGzKFXS+yH/L3a1WRbwrXCKl+NxJi9B -Uho41GXILymxG2DiKy+YzLBjyB8nvscyH599/MCzqmEzJSyRZmBmulclR0Qyg4aX2PgliFBA8PzI -5hzjHyDd8VT0fjabFv+3ZpHOSShGRVcUf2T8xZ7tWUAj8fPK/sqLgCgOCP7wI2t+y/fLzT78BYMH -cu+qw8H0+fDv45GJ8or68Jve2Wdj5D/8kkg1mSbl8l7nDO3Dr5M60Qlw0eeHv6blCAKf+s5m3efz -E0QGlfL1h/9cAd/0UwU0P/xcN+fxUT/8bE+MrKYHWX1av+yHP5zt73grB2kQfy390i4oh9AcC+6z -RRC/2ZMyRZIXQiF+z6Jsu5vCrkfBqhC/yQP4pSVBxEIdstCF+G3W0w8muV9TKcTvE5vYDfxCs1QM -8RPSFvRawGAiOvyIU2OxBs080okf6nZOYgx/6r+ZcjgDBTNHLoY/67UFb+/dIGaP4a8c4waVhjlQ -hSM/3cA+V+BkGrXH8EO0T7oeD16DKLkgbl9xU3LWmB/DfyfQ0T4M/6v2lnow/LOBMLQqTB4w/E2I -ToyubOllg2BlozWG33nB7R41hplJK4vht7mUEMtSdIkUw+9rc8euhU6OjuCbXiG0Y/iXl0iNALzF -ne8NbhA9xum6wZHnRZEQSzRWJ6G5GP5IcE8o5U+lUDwy/Dz7+JqEdqk8yfB7FbueRsghIpddfCBt -fVP2JCPJvfu1t3NJwx+N3CAOE2wZ3/fTe3EcmoafhX8xWLaNY8sa/ol60BWl4n5rPoGlF/putjNI -SK7h5+t4DmXgcZaVBEWboeF/LTxRoiBM4jT8WWvkVqIQpLh3iYYfFsa0d3Bozhr+l/zAI1rW8IOu -Vl07kHbaN6iLMWWzWcPvExFVKhWbqMeQEzGvDb+SASiwCy+xSMx9Mxt+L5v3o6c/3eQ2V0pt+OdY -6mwkirf4X3kwZ+frg3o8vjLJCbzioZ1LNfxAgJL+Te4Rpsduwz/HdxtEwRlz3oY/XIIvdQ2SxgkG -P6F3Nsp5RG2Y7d60MBt+8nuQCIoQM9bwmyH3oLMwsvsu68jCT24juG1OMMLSut0ZszXYcj9gtuHL -teZKLCqSpJYRwgi/favCpvIcDmnwJ5h4NUyVygj+WnnRXnZKg4eCwK95aVitPUZdQiX/+6PbbAR7 -17fk3O+3pCjeit8jDHLCfT/SgNTrzwShNrrL92kVCR5n0kmPgrj3ERXFCJnb+1UanzW1MXxJ7/Pw -HGax7yTvv6ugMRcKUTdswPsnQQHKOYBBbIT4mUlImvJ2H50pWJgkohHuuv8MLbMgSbDCtNYMZF7C -OJfQuUuL7RLruT+BaPb+jJxWud9BeI0S/n/BuD/hGs1G87o2K2RdDO675STZCDBWmHWl3n6vlS10 -6eEct5/xV8mfH+NCPdr+DWw9U8tmwAoU8WtfcYVLsWDa4yLBaj++41jtGamaHcV5TfuBP54R0/4H -riXR7dgzwmQSRX6Ag6Vl6+yrFoTgAL9pCGUfs/8tCSG6Fo+yYQTKfgK42+8JCz2ndn/sc9i5dFb6 
-nwCL/TtzTcEN+86EgpjJ4YxfWNSr3ThgtuIlozsj9vVXZAWTYq9wI5ik5PVvun/KHUKw4vUv000G -JlnElskn6PosnT0TuAeH/Le+axJbjC2wqqxFZ3eGMGpuNT1EKrDWrP8EYTY0OuzICrgl6cGrbNng -s6svVfWyHfN6EjWy+nJ7o0ri+V3iLFWf6Z+/QdsWXxCjoPo1O7swsUhg5rYv9f2meA1uuaQAXUd9 -vleAw91eOzLab9Q/jIeJ6pYTvEZYCfVzj5VtvjTTQyz8nr7ekXunnJcoUUA5fTJdS+WEPo9UbJq+ -8cgYCwUuz7mAhl2blUpzDsU/xPWv9N34gWKl73LvC4m/9tWEsyZ9ngXOKqNyComvbyL92TOABhan -qUDALjL6rRWqDupLxafjXor+fmCruWfkmgiiz2XkwNDfMVK2M9Pi0JAXQh/UeGgRwqA/REpwoI90 -ca/APrP+OeGff3Lg1sy1Rd8+H5336bF+AOX2fDhwsp89nxJbAwqwo6D4dzw/G4DnhbeBa+f/oK97 -LnBb/uh8exH2QjyuwXLk/EB3Mfg4X+qPwi6CkiXS65tfu4/A8lxG9DDp1+ZXWk+ENp+kNR4xSCM6 -KH+r1XwQuhGY7fC6Q+VPR2wkmu8PkXuhh9XMJ3MBwMx84pSVckOakPnnoFNjD/P7T2MmY9+KBIr5 -l3+8su+bX/6RKlGcj43AunyjLDQxfcCDA03a8imNpxkOVal6mXScCA9ZfuZNo6aKIF8I+HQrHxnl -LwjRCVL5sTwHZoTiTAEyKf8mgJYHlP8KKc5iFBqN5BEn/6NHBOcUm5f8H27IYuUGlzEm+b9pScYc -KzawYQJuR35bE7hj0B7qEsSCG3QKinxGyxlN5DceJji2+JOzLQr55EsPBbxnVPSOExSQ/w2QX6hp -GNo7DZRPcrgTuMfn3j4twjyuCu7442hPBFiS1kNcjj9MtmVJa01IlxChiXn2CGJpJ/jWmotM439D -ONy+dYqf5P2r5tTBFLH8V75s0nm2YHxuVbvkGrrdUoUG6wwXH8Y1XKDD4psvHqvnKX6Z6AvHcf2u -CGJxb3aOPV8jOU988HyTViddfU3+Pe5jGjvxXStURxoaJXh7mGbTOZp2o3d14svqUdzDSnm668RH -OF2ptun8TPTED8AgzDuAoQzj/InPxfCiBR9I7xOfr8RFJIoKOZz8E1+GIVNm5r+YuMjQR7hvge/k -2Y6STJ/4MqKQt4eAVEmWHYxPfKPbeflKe277w574IyNpFIW72X7id3x3rxJHtjqA7P8k5TXLyl+E -T/wH2xAh5be83t/idIw+8b2fpHPQNincPvHRJ7gRxJnJ/RumBPqHMqOAmGUIYnPT2ImY96D4mcxb -LVd64r+FXCFWF/z6ib/Z5eRTGV8VeKvnvP1kkVZdXkcgwW5gUQbJ6y6IT/yrnOnQVA== - - - pH4QV/ITvzb/3JFJw/m03ePgd3HlBeVlD4Lp2WFWJoyoU6j65ImJUDByfo2P5U7dmpeg+BHDqojh -i84tLugR4REgPqRhAih+02q3nyXLHEa7DBlCH+Ei1P8Uin+/zMFPBBIkqVB8KckMH0ALWvkBxb8q -RSXkYU0BApN7pjEkaPrE93FDm1hZ6mQXYqtY8RM/oscjBU4nEEWw4b0nTCrMtCTsE5+gcBDsJ9mI -v/zPEx+gJnUL7yqhw0nk8Z8Rxm1H/BPfz34yPSAGVU5kJcgWF3+h3uMTPzqqvNZlRaZ0UfiJ32Lx -TsoYpXWFT/xnRB5xQJZM9zMtMxThiZ86DL1jU36XL+wLoYjOWXX8/hNpbdffMRrIbcHdNCN+aBzM -N5ogyQfIDeITJbiFLH2g/xIM1sPv4Rc/MqxmK8ThB+zFEU4oCfmGo+FfrxbGtfA6TUPut/3CR0UJ 
-wrQf2iFYbIVvfDfxsFl6oesm/M9sKyIRPh3PmP/IOV3brR38OAkPkj5Kv2XwCTIk5IjJQgqAfgo+ -C+5koPRQMB0I/hJ7BrMxDM102gU+FbQQFlSUbCf1gAps3+nnjQG+05YI61/mmSYS9t9LwjDdaGcn -nJiqoaG/hyj8laTKL9j1e17TzY9MCID4PR+6lLrN7DA7LfyrEFj2yhj7nmDT9fL6PoXSP0gN9lZo -s6vvf8jH6Qg1xXVD9Q0Oipvv90PWKaPkWvO997MV5P5RWTTfwzAulba8rrNLvFYFczo2nzJZNt+3 -Xl2XXI8333MiCedI1eq+8z2R4ZohIcQQrxbTiHM8p9q0ANRbB+/ne4e5aIi5mlme7xNVztOiMcAp -IiImaJCwRTrfFy/6uHxanUWK5Xu3R6o5MmrlIv+c1qIoY19fexbQRRro7W35nocOXOWi8r2zANvy -C92y6ynfq/t8Rjz18TdGqXxPyT4aimHhHLKOUcNO69DYMAfyhv0L5ftdwYXRGkfd1/XEbxrR8r0/ -TmyF5fL9FGC6jgjme5X8IkF7/LCJ+V6RCJprvSDM910R7bvKazj7YekCkWXDTr3HCslEDWvx8Q0S -Yb73nl/2FKs/Yvs4udaZONiufXjc9e5xtrvJe4n8w4l6d9Wc7yVstb+B2xY5ZFMn9OqrmoMiQYpT -VcD38xjOS7iO53vibseCt/yFLYBu8X2+/1nuee72/Qu4Vxaa791AE/gc1Sn4Nd/flxcsRchlHN6X -4UgiCtEwnoro3rf5XrvFvdMvR/XBs1SIx6MH6qtUUxQOCmvfkO/lwdOfEvCd7zdMdP0R7vpLz/f/ -dTEYnfB8H1xx7QwCbbAHJBUOIOcNM5wxSHx4P98PmlMYnFxSyvP9DN/j2oVf9p7v9RPT+BQQ7Cie -71mwIq1tRvO9kFgfENROgJLayKODLNK+DfkDlHub7yM19EERKvjj63yva1LiJlYw5oiwqQnJBGHv -+d6HooRHNBDR53vp7JdtstDmJtj5Hm0UdE/9eRWsQbpzgakzgdPuScV7zzWYSj2bQ3uPGraJIakN -a0CqILd6D0BT8xWq95quXNRTKr67apaPDL2v3PvVmNf7oEAqdo89+RH0/qMttleGSy2RmDzv5eP6 -Dx8q4sq9lEwPxZq2x9Dq37+L9+I979Oqli4VuZF5l77WeX8Q0leWZrTvZwzi8UA4xOeF+p339n8x -w0mpuPlm77xH/jVhyqWfuMcD4Zy8an6V2zByii9wKRUsCtiepQXxUJ73BjJUJHRWT1DihXKd4jeD -8c97mVj66DTK9GTaFO777gk5Cns4OOtiTZmxINU59XnvuM8VS08yuZJlMet0bJyf/nXZG6NxGJpm -DLEpp9eK4gGad0zq6CFK9cQtDVSAb9R7knu0uy3IGMJi+7yH37qBmLvMRdn4vB8gID+KV/8bTdZA -A56QdKgqSqlaUQug99z5aYLP/BPi0aSuTmCmzKXTYQx69yVToqXne+Vm3Z9qkClMy0zvzIkYjd6/ -qvWOkxoMGShyHkO3FNL7YlcVWOCwFX55PVV6L4s0hcrPiV9tqO649N4lqS3p/So/s9cC/+j9i/Zu -pvYjem+p3BghavPCXa6fQlHMczMmPW0GxPfqCYl5GEHVAw9aaN0bBXIC0kTvpWblYgY3xnel+evo -IVMhjOzjGvQkHwvJFNHK33y65NtYjThB9B7LXRErWJHti95XUe7FxP5tTfmBYqYWZYjejxeJMnq/ -XFQwS4xC0ntDK6X3xYGBI/I2OEEXwo3WyIG46LHuCa0tC0zpPd+j/NIS2MTaYB5NKyPjxjZLTkiU -3rvbC+FMe4EE3EFe6X2VXidV8NErrwbvq0xYKRfGAnh/z1Y6TO/HRBdVcY14mt5Lt0T8LLb8pPPi 
-waBsMJBYCvl52QuSfP7TdFZQ3iww288vOwsMmDS9h8UuxxwLec4hqD4jhpWz0icOlNc9sYh0Yrlk -Oe/r5ZSa9czcgICWZ/LeMxdL6Pw5IH1jJzYpQUbKMpu8Vx6aXLHuu2yCTKHJe6eBDOHnAgmWaKwY -yIVpwMiSVMGJ/fmPn4TMdF84gVQEgLzUfOkIs7z7C/mwPmKm+gh3Xz/H1a+5Hm8F6Oxe0/Jsm7qR -8FHYriuJzdphPEK3xDJJ9V1NNGYypIw9mnTU0PEwu29S50sNkCvs39XzhX12wNl3fzVCtPtm1kP7 -7D6AKgBQ0e63OkRMohLoKqJ4zyLRYRW3xxOkYy2fTruvLEVGBZS0e4uYtN10sUopcuufrlKe8u/D -Z2+W7w62bd9IX3PvrMDK5ICga6Yw7OjQYDLa2p2+k7LMDZj2UMixdUXSTMkVcxUHUkmeexUIfK7q -imo65JJAAGuUnH3FVlsLCz7luX+29yfzQ4MvPfdTAAZg1j33TaKz4AF0mCrSol7UACV6NbyO/J57 -m6mBmdu8ovPYjvPcq6ypagYAI472bh7zUEpBee53mViYdZSEPqA25Okijp6Wn7wjMX7d57kXC3Ga -esbOSXr5ez7UYlrxnXvbmqSr65oRlF+xSPGz+6Bgr2ld6OvcG//CXZ/ERBVRIGSPPAiFTILFCBwN -M3jRiPu+kA+MsNkJct88bS9MAm1SgnHfBuz5zJ+5801H3sO9kvQ9N59cgRwG91WuUcML6xFnTOq3 -R+PgdUqEkd5e51/jC91uX5QK3p4nw8btqjPk9lr56Q0bIYiEbftNqzxjsxYNm+yGb7TZnepjO0vV -DsEPBlHZPu6yrc3IigFzkcH2uvLVES+uvaQaxHBrT9JBYLb26mQByz05qS5pq31tiDwXSgGXXJDa -Y94Wyjjv7PJu2hvgXsgQt00RKmmvfWysPHtsBKPAWLYmaWJyPADtF5QTACrAAc2d/buBBHJ1KNnZ -9xEhsedlMbHNPj9gmM1+0QITZ7vX7L+iQ6u/yAMrIx+52osGiNmvE4YMZe5nlv0Vg0cxh28FhoWl -UIWyj87GQeDIf8wJ/SN7xQg4+Ywha797zcf+OHZ9syXysqLi+rE8hc+xouiZyEFwr/diYrNh/5bS -LGE/20yyeEWHONkS7MG4y6qEL0EA7FU0vpssqbTz3NcH6Xcj2r2e1jhtBde/1xsrG+Drv7ZoU2Zs -Lr7eKndCClJDn7GssOV4weRUWhxR2Oy7vpqv3WVdbzN3kg1YhyDN9fIPWFtnP8pAUX/BDXH9snhd -2C+nc7c+97CyHIqjmWz9y8o6p6IwTalQP/kTy/HX14haD+jZ8Wmpxftn/bgKfi5/+4GzrAetsDTV -VVXTsf65tE9dsK4qWVqpPl6HrOKerx5brEq0atXHKlXV6ocyexSwsHrWLCUQFTJqXIdVz0QbVUB/ -Ad/EO3481dNlXhQIa0mP7ecWvyRik0UalGGgqH46qrGrGGJ7UOhTXzc2aVi+7qEce25grqm/EKhF -9+0OS/1W2bBb+fcAajxSz06kvldYsALYyjipMbWM+gMn1BD1by1NB/UL8aLOwIqr/vQRtAwJEPPB -5xelHkfo7XERI/8U90WoVEEgVFz6J9ErcfpKG6vCxGz6f3M6NcfRQ9PDPdJU6UHl4pqx5daZqvTb -/bt7vvTVaqjZFRwbpD96ZQ0OrvQDHYRTerq9jInzKuRA6Uulywyw7bVylafNqCqBV6plx1yizLEd -Q4vuw/yQXsaBkyMboXvtDjLkjt4AACdRuACwvNFbYk5BjlPwNKMH7auyw+BQigp5SNlFPxTQeDEt -00uJUr5R0XcqNkDqXTLoXKLfRwvHv5j2HQC5kRC9EzDAS+6EHHoKTewiv8iMEobenfoxrciDPFFg 
-0Ak9xc/rBjf5ne/M7OOXB33Uk/UZUajTGyvjxqjSPgP9jiARGX8wHaC38IFAqag2pMzKCKscU0Od -dL9mxZH6w/vsPCmkGz6/ZKrHEZo9f9tqdNFljEn0fFlK6eULL9xBnqcMMN6da2p/7tinICbZxeby -sMNOKAZupbawnZ/XndtP23kuq7RXaWwe1pKt8w2lFEhlUtZTcmhJ560/ljLLiLL8e2lkmqwXZQbp -vA09sUUXdyVHOv+7Ks4k1AxH8qXn+91GlpfhUpEmUkwXhYwxafXma/mtpAcATsBOcZ7FvGg3+rAk -cR6QHvT6igc4j/yLqXG4OHfzN9ouKhp41I+cZE4kM6YWJaNV6MJ2HwD3bH7/auW5EcZe85P/dLJx -IkHFlaya760WLDDNL3B4ftNCgjtpQ/PrdnKW6BqWVQHPOvPU7ZPsNsfMfzR6BL2wQplfuyAxP3F7 -zusf80PlsM4PsxVMi/koo+T9HXvp8tVJniUdwkHnFa/CCObv77Hswy50Ef8W7/vyC0DKiGEwPXkQ -+iQvX5LrVbY1Z9VXD+ryCuWGNAFjIC4uXJ5lKToXCD2vsBqCLf+ucVFjYblg1dPPU0Os/0HpiQKK -RN4QlGtZ2175pZwZFPd4n/1KrfwOir8Gbtm9/8Yqj5q2RbazKh8kglH5Kh2d4CsqNOWPGM26cJG+ -yZhI+VHMT9QdpphGlBe8V/kYPnitP3l1Z9kd22KnPANkdvKYLa6hj5u8ZTqveP7Y8FUmf55vsjwr -Lv92jEt+yM6xIm6itQU3TMljbELT7E/vhJJ8M78VFs+KHDq+uI4geSDcwiWO/JxA9jq1IDHTQah6 -kXfREt7KMOTPNpEvn5kZO+TPmbhwBz9gf2hc4ZJEcriYk2KE4bog71iX4gZ8c7w+CUI/fmLQmEr8 -+PjRYAV9CEB61RpCWkOPl3fCDzGHYA1St1qa+A/NNPEQFPT3Hk+ceKqUaEcu45cttQFGYYXGd+L4 -rSqhE93RIuzGH+QkB0GjOCAbr33sW2brJaXGqxCNHTwCS6hWBo0/Qft3opXgaEDjl/FBs8A1Opmg -4jG+mbFrvFziWwAt51UZxqOxYV88z93ZWvfFQ38MeiW++PCEdDWZA6sRXkDiJ/6V6Twt/sDpLrSC -ABbPXzwk1NDMvj5YX8WTZcQ+2YZ2BrS1U/wpMPiFKIOvsuwy0OxG3jYG8V8LWCgnxA== - - - ZuLzH3OzeLG8TPwaufo3qYJvfoxdTokfRhbIs/2E7ssekPjj3+1XXRJixI9HSkdX3pK/D/GHq7ck -N9WSNoiPyVpz9TXx/vDoAEhetIc/mrdvSRwSE9wOD38WW6LJ4SOnftvwO5JyPRVgafj1NXs6ekw0 -jP1UuN3NI3BASeP9Ahgeq1XDRTjU/YS5iUBFrBEsMydWygSmK/z4X+s/13aVwj/fv6q0X9wittgG -qtlnkKiZXDkp4eG5sxAlYXKVuAi/GqyWu4MX+EtLQXhighftVmU8cHwyk8kBTXor4vElEJ6HYiNt -9pWG9TcPKzuHpS4vPpJmv/b+BeE9OgnnluTu7yY/CL8YZOf4fC95OCF8Vp/K1zcnPc5+hPCVjWyq -DPBfHiVCePG/vucnLt8iTritBEUI/3Gtg1AMappsr3FfvTzh7GOLgBB+g880foUlHvrtYgeaHdMK -ZJgNwm+nunJ2FPHVILzt3KrptQ273Jor2M7fsn5m0bgH4UNEbre76l/tmud4nnIuqPdlgbYevNfL -vSai4+AX9VQrcjws0eC3OtYkMa/jTSRQKsaBzWr41NPMVBRZv+BnYBvlHei5+4IHgASVG6luX/Co -qn/Bo4wtH3zBa28Q15L2gt/Sjp45c7m3k1s86Iqo03mawxCKXXm763h4wWen7Ie2yLwnRo3qSFeI 
-xgBx6jGxbgeowh1MY3cSTw3tglfnRdR9SS54h4LC68s0Qr6LwitqAp8wMocL/kvypQu+3rEDbkpe -8BJFvyQls9lTz3/HiZmyOLYdg3oi2rDTKfayFzyg9JTQPdAgZHzBv/fVh1+7Cwy+lBXFubUJkofB -d3Iq+oHP4y14/4J/tM0MZEoN7SlLfMGrFm/G/K1APEB9v+BtAY7v5EDksw0GViU8k+YF/yGXX8U9 -L/jAf7wSHWVcUo5fIg/z5E11oy6gveYrbvGqO291fF1aZemCX33IN2h+60tgn7l0dFsXPJBDhSYm -ueDlWmcCESNVuQs+FNWVIRUGuDsfu+DdagtCQeKCl50prXZCsgVPg/89PMPg64YucgFKCz7nm1i2 -4N1CONsnMNlrCx5VeGOjO5j0QnrU8nonwSRrNdyCr9uPliuSvyfO9LECb8GHVzPs3YIHhc6qNVMK -MtvdqEkB5ZhJnIq0prnbgrckT9DKL7fgl+8i6LoF3xp7zlLyGC54L7OpAXZyr5NQOuTaHBpZdcGz -OzwNSl/GBQ+a5MGSMcT6MJiCj5CYlOBJ6LDGZpXsziB4ZnUFLrLxZeSr+kZefnLR5h/YDcMpf/4t -pv+6kU4VjsmLBi6H4DFTdQGshPf6lrUXIYQbfg+IQGvLP2bUMHP3y+jOja57E6VFhceEUXjwxZAO -o8t4/h4ToyqF1OH3xeihAge6UxFQSxnsFTgZvIBHOnCfQMFZa2zmwOuaO4Fb4sbIuCuLK3CwV+8S -KqRA3631juwJjrHV6lcUTuTgb/sTnLfPiSSjLxtDyuhJ+OIqGXBbRhdAqG0mBkcJp0lFcASwC9KW -cMzdWfoZ+5oIjBJOWxUZVe/X0hlukOYlq/RoReCNKVxrHEa75e41DM5kCSeVICoJx1jcYYSDvStN -WhzHOP23Mn81uSg3ELx507wQuYsI4aStP+IBScdSPTXn/CaEYwSsuLm+u2eFwGeQcpqXB/gdVAiH -CK4bssAj121qCEdoMBMDSVU4gDUbCoGClJlKhTMkgE3hgCUnUDjo44RO9rsrjJNaRibHeJjY30p3 -zjzhjErMr4vC0Sv6ldyqUnvqztn0rk6pNe0l+g94pyfQ168PTqfCSHW/Dw4Rgrr/2TLiICBkYzlo -fRiGykgwlcfyjuI1Ryvx1wScxFHE28rL2sG3IXCQ18taQ/bH1ACJgrI7Fc67itVKS/lTGt8/gDsz -fUaBqEMVDqkWuSR0rDHyVDiOM42IZWXM0ulQ4cR7N74HZh4zsoBKztsBPXngmJGS28NmdHEJiZti -6K+mMSPMZBUsF1SOIZzEriCYzbTwgReCl7YWXY0TcKRthUMVTBHOILkdmoqbIgDIK4QDZ6tFlYLs -srx5WXP5PXj47hRG1d7DDehjZLpcXHxkrW+4T0yvareb7RWEA4DRT+Fg1ujwEWpzZOYyKy8fV3le -Z5QgtStFHWaDv3Y4CVRA1hp1Rq/T/oz/BGyHuxl1Lxml9reG08G6ZYsRohuFuBWtyg82m5gz4ibc -jACY+TkBsbHf+Gk48fH3JodvRuKowME1HLALmE4ZMxqqmwZSb0aUa3QjZVhVl+3+5R+v4bS54bf4 -vfpiKjyj0QD/Bc4osTUcVZng9fwtLGCOJkd8MKP/Mk8NxxW0ymsGOmTgil0YwmJweisOu16JKCAq -+2Z06weV3Q7Xm5EG511dBW04nNM5ytTr3UMxznW3yCqvx6mr9Td4Ds7Iw+3dH04yf132CTtYO/KM -QLb3k25Z9Y/WcH68SPVAIXEgQORFKuHmDZ7/VFc4NvThbnprYn9o4VUZDU85vQplm6W4hHwYTNQJ -DpRV8ynwhdG+TK/G36ioemBm+ot8IqMdf3JIoFEAZJz47uiM5VUMO0xkZAzHGzwff004Ib8Rhklp 
-/+UTJjg+UkJJH1GxAJPR2yHm1w5CeXGymIwAJ1jsP2DpmIzOb6W5e+FXT6C7ZHQGiKiM3sUHldbj -kTJS1NwuZih5Gt7g4KBUjbYcCkt93CllFDd14HbSElqSMvqkqAm2Fsfy2eBcUwtENFWjDc6KJxir -O7PBAau1VxCsyFBG7AHBRQkOjqfB+U7BqGub40mgR+NC9rkAjdeubb+kBgfM1az7F1sOgVBG+Ald -mceWREMbCtSoQ8v4GuEEAxrxk9p7hBMHEdE2rEssI3iqJ6w7FRYjHAw1WmQypLRjGe0LSsaXgDU4 -Z3kMxzLiQa7XJaZoqvsV4WwhrzJhRvoGpWmWl8pZODuNANTMlN48ACutLRzILqWdkF6fw4xAJPsE -OID6pX0so8nbqmSEbTwzg0k4BFfIuko2MUfCgTxjQshxDyF2kXBOb8mBzvE57kEkHH1u5dV7iAPp -IuFgTk48ceEQ4llKnHpSoJ+GXDhxdONywwkAmtS8Ib9rRgb11rtj8z9SQDBiRqwHFk0SAjGw1GZY -TL9wypQRtBe4ijW1BwoCyowZ7WBhuqLGHuGYkedy5JzTEUGnFLBBsyPdF5azXgnHV4J2IDFaHMHY -Q1hEXThO0CKVZbIPhQvn2L3r4HCgMWdRXeVwnq1WYMeM292MKJdMDw5EQRSUMsK5sMhw4OBVqZxB -82Q4o5S034JU4MlwRpuEZHQ4vsca0AZgoJXDgarAwUMcG/NRmTjKJ6Y4dDoUbwnuK3wLck0p2iWD -j1scIwBxMg54cKRtHCxYjU07TohHGac1ApzDA827XqMBkHMQ22QtNjIRwKcm58QrR2iOcggW7Qjf -RsVa3sJXE7JyOtujNH7b0I1G1Vz15cT6Sx5zgHQWGzQHBiXSEgAdM0rEOWCe7sQRHK2N/EQrEGTR -cyZ9PzITgejn/Jrrb27QEVgux37oFFzsiK4N/ElHLmt81APGV+V5vNTR/A2OJ5s6VTpfySgxc3MG -bJWq6MXRetrTz2HvHQAsMJVwwYk6H0JAYGeWP1WGOsYHQ1EHd8dzBPBA1xFOSG9TUxybOcNbKnDp -TNZIk1qdJHwyZB3sr6ZbBzaTcIUcYioeLw0ofUThZAIT6kwrC/5rsnNHAGbPAu5xYVnaAaH7KGKu -QFlAeuXMSPY5aDKBO44lSq/LrW9ZTP9CB0t38qV3WG938PGICnnHhI76/ds7Gld6rZgg5d9LpSZI -dCThDYAHoXEYZAXP9cAJRgJ0KCIpL7YlSAQ9gUUGpI+lndqlDE1IalGjC2nVcVJGwOcOQsCKJ8yX -BCc9hMaDLmFz64iOHs/JMNqBkceYVh0oD5Y9aHmALN9e544JfwZg8xi2G8MYkWpZ0VtfkZ7ct6TB -I1mYgJ7vYOjJKSRfY9Sz91mfJ8fb6FnRk0gbiS27qPjnAvbMem6Lk/J6GICrynqkFE7bDbwz8Qnl -C/VIg+5yKH+kICB0SmwPaY25zT9PiKQbxMsmYBlJTYokmeoqxfJ70CTBM6SdT4IPiaAosSeJORzR -YzUALD5D0sHoU1IPM48EcJH01XXZV0m7vEApwJI02ZG2pbQkeulFiqGPwKvzYvpkBQCVM5gUOaBs -Xh9bLhxQmdQ8wHfEfbB/vseSHPRPYqb3sYnRbadwrqMm4ew4B5OxFIz7TJV/b4VyC690afpMGsvd -vj0ojWXSBANNMceA0dcn/1q5bocsgV+fsg+iTjXMv1JpYxLkK6wxK+pFmDT05sq1H5jQ9O8lUZiN -l0JEBgSh6TMtfupyY0Hppk/uTexIsFjZXpKLmBspULgLnYrok2oN7SVZFk+d+EYhkYSb4SwUx07b -9HFN/sU4Ru646fO/VSN+JXh/PPSS0EEKlssSdGhGRhNO0mIN0YdZc7KbW0Dlm2kBKfdhmDCKUDyi 
-jzc7jPyCiqD6PVIqtVS6FCRoNqDgLOk+Mp8YWpKYaVJuIHtDUYVylvQykBt3IYckXtz5JO3XQoe0 -2huXK0tHaucM9rmPws4HXJH3pfiPF86SMMjrVgWtZXvn87UkDVqtlpjtfExstabfa5Uilj9Lws+I -7Z4cVl8SnM4HT0CJoQ8mY2umDxCMjZ7a57wDDwkHGIJJ3/jNARe66lMTV6oAgTzrqlh9lCIo/PUx -LTepTPofJ0JN4j4P9NM3vHcjcZ9sd9Iam6gy75mkQfCDUX4e0QMpaNIU95FZt1CCJs09Mn8UO9Ck -NQuspbSr0s19hMyoaCVhAbaAc59o+FMFo2dMmfssj5+YGWf8+5k0zQDK0bnPhBVzH1iKEWpln0l7 -sin0WpCkJ+QSwxLiP+sIT25F0wcCaO8/R15yUJ+d/AiSdFgppdzn5t04Vgnb+EwiOI8uA/PRyT6T -jAoFHv090j7Rl1Qb+HKTNV0mqiyTvq+/7FqOJxZtQMsk4byyN1bvrGZBkfbJndI+SWg80z6qvH69 -E79KcvNQ09cln/aBMJbRu8OetECxTCogLLKrBuhG2kdg+oiTxAo3ifaZeW+l7MLfYXpCTUIcYzEL -fAK1LQVD7U7Ab+Am1hUTtZ3OdJ0ZyDD40ULruAU/EA5+xH6gC+jBz1GYArrmsSq1gd4Gfiz2Lgcf -LacM/Ay2Vq4CP28cPnsB8VAGfsYdtgwXEndNIfCT6M55jQJHgAJ+Eg1dFFnrn7Dg50d/1p6/kH4U -LfXRzWoO6zQqhQ75oyyNk+w0rCZfEAE1seZjEzE2ibkglH85XTtGTcAPmTiQym4gAcCPNnak2bs+ -GcPp6/t5wA+MGjygxj/23+cp1O2jOLX0EZt0+cNJ19n09+VlJLX6+8iF4yZyfbKM1COJUKkmyOq4 -GJINNNFhIEtXuj66LNg4p/G3iEFbtjCHe/eBBNd0pCbFVMi682v8UZP6ngsUzJbR6Q== - - - luq7j3dW19jWz7PNaSOJ+ZRp0B47sfwAZ1GTTpe7ZniyAkRQk77mnDBo99lBulZmfr5tEVCT/Jnp -CEEGgB6D8L/UJLXIqPRzJ0rSrjs1lN9GRvaR5rRvFO4+mBeFGBVACPCD6M1YMuJaONPlGtvzFATw -46ExmPipLwq3qoCWRQn54QuLOGlmdIPOzMxnRpxU4hX3uNFvq+IAYTp18+Ic4sGM/DjzLmHwAclN -nJR7WtpG6mP38o1WF2YU1E5J+fi5r1IhtBZgFeHxI+FUsVwjxBrykyMg4vGDZeyDfwAsYXZf+jXa -QFFkjfUNTvpr+nRIdldihu+4+uTHFR77r4LYXZJMwxIRg5STCoHPLNs4iAgQToLOz3TFgQ5hO8cP -biXJNpgCQDZ+HNNKlmdriPzbUSSeaRhflq43FFtyyOUTsg85MH6SWI2s86WNQ6SXOCnl2GCFaT8D -seyakY3SbDoJP+lnY0BXxl86h+EmV3vUOefMeGqzr8tmksrqCj+t8XPte4jiJI1T30ZmRg5Ajemf -UY3jRyjVtm8jDHn8BEjDz0t9/DC0lCCtqsLt+I8fJLe6vloBOuny5IoO8oOki+24z2DIz6rXKI52 -WpoJESE/tjk7k0Eq9VjbBYgs+B5+Vt8+Xo7fuS45aRtNejdLZ1kbOvwYsg9HHVggnTE9CPv4v6zg -CduBNA4/Sf4sf1IBn1vIT9jBr9hOav7ZrCBPok/Zg7R+zL5a9NkPIrTmDe9HRheXiaBUnJ8yEx7i -zzFxjbgC6VkhEaz+JeWxBApK12qoi7JOm0X3/fBFZqFD6Su7isf3I9liuqDVTV8ElNSCLRsjWSbn -+/n52eNPNB+WwCgoXRT2Krws0tQpe0f2T3zSCSsoCVvZ5QbaVlBaBrtWZBWUPGw7rKMGLiNHyJ+k 
-cHsxH0imhAvv0x5R8vqHXQGlRL+B18lPivSt68WPtv5V8EmgxiPGo+krg09qFL7yGLYXGhW4J21D -k5mepayqe5Jx4Oc+Kjq9gKYyP+pSRPek4bMBxdMxbJk8Rj+qMkFmdt73Sam8sJcw/w1nzH3SOIN0 -x/Ga5y/sin7EyhB2AqvVQdHck3gTwpxpU5YZc+aHF80CxyXBMj9qtq2n3i8N5UlMWYUzQYwqd1Jb -y0OngawefizA8QNuoMHf007UVyzkTbeksoCMgBt9+EkvxCxBemzzww8zrUB+Tn/bAJh2LMeC/Eim -YO/AnkQN+TmFDMlgk5B4xM6dpBgEfKRk3DIgPxDK6YSmsr8s5KfWYfl9ph0SuiV30p2Rtp/56WVR -2/jvwuNBpZkfQxtgPDIAGoTMKE9KACD7EEOEvHERsJ9k3aEQ8rP9sBceuRFFcaQqmTvJ3RP03sad -NLZ9mgNo2YQrID8b/Siw0fFG5wAeWB3o1ODt6RiOiYP8VDOVFUswUoT8lL8a1rrVUXPeTIL8DF5j -mTYYvT9+xP21wMhYPYvHD69hp+0O+W1yq8HD8hnk539AFtpSsRU+3UlsboLkXUMO+cGh6IMMW+uK -3eNns4SNlxkZOeD++JFXtplMotxJ+1qSQTi3PX7aO7Dus/D4Ab4ChYEHu8adhOtowz48q09A7n38 -kC40/yXdSQfhZVsYes4gPzqEp9wQq8v8a7qT2HuawvnSKh4/ITGBWKbPdz1+8ND26bHF1p10/8Vu -VU2Ed36D7iQw4otoFgAMUIBvd9I/nbHSHz/aeu18fndSYqXUX0sRwPpCjjqJylnINupcfl3gFn6u -ulqvIDbxkJg66U2vyDunjcxyEvqAbt9HTRKEk0p54GFEw2VyNTfJCkZWLMwxqPZxvQDhpP0gR+T7 -pDco/PSiu0itc/LshZ+TRILHRUxS+HEOSivJ8INNqgM/TZPvOfz8rcAAtTd6+PBzw6tGNBmSJeKt -k6AdalVuNLh3fQ8/SQ6Wx5aYxmXg8BOcvoGabnJdDocfgNA0NQmSU9M66elTJ3eAxE82sZt/0WJR -10msUKjWyYEtzHWSABoPOMyx9ToJMnC5taj+JhE/V07d9ft4plLix8Ruia6TOCp24Enrq5LiafZs -wsgPzNz7R7cU108F30mlBJUBkA2886X4TjprsjO9ihxTv5OQNERZGyZ+ZnzOncXET4LXwQ1tz55V -tTDipwJGjVHVcl8hfr4M08eKikURP1NJa7tCQvyoZafZiB8nj/TgLHeYoIv4Ia+D4FAPZ2g+FPFD -GM1R5LBWrh7xk6UtzVF5QJ1QJ4EabXR/IDmpk1CMm7Kjw5KtAcQPpP+Fr4OmaDppd6TzdhOzn04y -EBxDpv1oQdgSP/YM1NFUMKtHdOIHxNsiPz/8a37Km7588LKpPTFAVpE6GvM8ySwK2nLiOGDzE+Dh -yJeOxnFnzo9wvsMj+h4/zpOaZItfO6r1KGr979djHAHsedLpvd8mgsM676RpZ/KV5ptgeJ7N7cnq -JL2gvt2j3wKgEAh+wFWeF78YhmrVSXKZTiaxCg6CnyKshHnqJOR5RB74OhnEkiAFP29T0elq6KaT -KP5FhqxH+ROmkygcFqh0t7PppJVe2a86XOHRW5EJcUsuqJv5iimp0GRIPHzfkQE/2doF16GwiZdM -m8nnFC2RSsOlAT8/0hy8dviHbWS0CiqBAuCn77EVpSJ04qfg7UjuevEdKLjT39xXwfjRpvTfJViW -QHX+ToJCrLYtgbukufxfYMZP56JpWcRlqxqQd9JBGuoaHzLZ7eLn1h7YhJZ3kswU8YYuf6J3ElPz -yMQ7dnq64sd59vxDFlf84HidYAsBJuzED8gQanKSd8VPBQ7YVbSejq/4cZNT7Cz5PvlJnoM63cU9 
-pjoFb4J6mTL5CcS8yXotbjRa23nSa390KtiS04ee5MAuKfGITxgpxicVPyz0ukZcpvzAu68tBTSd -zwIcPYki+AZ/XAvUlDPKz2aZtYi0ol5PP/Skq7cPao+WBB/oSbzIZm9PHT8T2nfSSisnHuXH6Eav -dn5CGRJxph/qc/SYUjW/fh6SDO7C/RjsSsWFP/4sff/h8gdsUX9Mcn/0xKjvhQstzAoU3z9up4I3 -mpR6gqN+Mt+S7Fqi/aUUCf2hT4Dop1N1gABNQJo1aVwYkFqTqEVzQD71Kn8p7L/QsPxU6iO6DHC9 -9nSury4Qnhp2oxkIbQXQ+BsIHDukr8HvLpvgDASxidSBGAxlsjAwV2IDh1jn/OuiPRzhlaIgBRF6 -eJcBS5MkknzpMSzLtL9C3cRSVB0AxLHkuEAMt9WHDPIRVAL/1H/+aEe6LAGenOoHOlMcJGC6FhQH -CYSMdXUQe270uvMg08AjriBqSbemU4ZyLOWWUlo6JENHG7Q096tINP3WkejjoHtMSkuwTC1J3Q2M -9oMa8nnoDIPQwnpbqsRbCsaYfSNwieMyDmsl5AGc9uQSXns0Q3ZCqfR1aksUitYl0JHB+267bJea -mDzxu/Svy+XfweN8oSqhhWhJG0DGhTjTYLhTL8ScT1kGQ94IMxbGEHWtU4l+6QUt+cz+pcukploG -TIK2XmTbT1DJDWUKSmeJcOhTZOIth6RcpiXqkLwQxmOHqUoNePEOUrKK4rMQrbTsMFWMcq3CWjrC -wMCrO3+OZ4c6TAVUJUk/wIqILVY/vJZWw9C6IWoME7wCYvKaNZIQw2QMTIPOPWyQZm45NK1Itv9d -pTbxLDSdjUDyNwWPU71/HFBRr2aMcOiOEFvx98E0ZM7IQdkvKcFhHvIFDA4FycBiZcohWbzsO8b0 -cTCbO2QJGBK/rYeYMlThXrC1yD2EV0cUuw8B/ZriAKDeqzLECCJlJpNrEcdUBh6m0lYxgN9Lmv1/ -Php+MPFSS6IBpUrDUL9oRNx0j2gNRiLdu97GJ5F6Q8n1XCYBJ81HmImE4eBvNVE8C6J4TkTOsaVP -PpFEDUVp+Ub/o2hae7H5BC6RMGeFrZsbI0AimpmIg6rI9qYnHEUTuFKCntHIzCuiEjgoFmFseY9V -L03F7652aaJNPbChtYhywzb9FsUjLh7QRcejRlRSXqRjXyTzKGdRfieCkWoT7+8NIz9KGaJbjJyd -VBuwie35BcrT0QrGU5UAtVGxkk2fa8gdImfEG/ItpE0tNM+NS6WLtWna6+Dw2qblXEmW6aaCaJtq -tOgH/J+3Olg7GKmHAe28RiH8nuh/Y28Tj4kFCZiCA68e623C+5khzOeA04nLidfI1IiB53qiRK9R -Or+O5lM1chnxvdUlqct5E2mHEWQwzIzz0jYZ23d7JtX5hLbpbIi17r9Wisdqk0BgHnGOK40q2m93 -353rrjZNBvaeu/zwEm1at6ctwma3lGhTzcyZJuVQQxw0uuKM0prC7QrjQSMHb/NUHqKPg5CCRisg -TIjWsQtZwLErFkkLok20C1Ss9XXIok10CAsk40x5grtuQaMOD2gW0ZGIQKMGeYFeVJvOzVRmqi78 -ZpsY4bCf3snZpleguGWN0mKiqi1uioEO4Tk3mQDAO2pu+k8cU6EbaUYPMYE3aQTJIz5C6U10csmM -fvXKN5WYZ8LVhHQyZX2hI8dBrl2DU1aB2F52lF0hid0d0WQJGE48irbPiGCcQvbMgViPfvJ4lZOQ -0/UsOYW0ngd+FKNyyhjm49Qf7eYW6/43mzycTVfvzMQbZJybdkFQPpvyY2ZO5V/xb444lhgg2VHV -Qk+ob0H0Zk6WuVCpOuXh71LmJPwhS/jva3/UU+vXEDIz/pG1dSvEJui3+UfE+tCGD9gGIpUGW0Pk 
-vaLs5eYfqSmm7XXKJFYB/SMUGTVpf85k/KN+56Yea5GCyj9Sj65104B/9PVAiD8inRIde50Dsas7 -ID/7mfKjHMoxHFHuj4CAkm7YXnbFBCToMZTRosPu8YKWP+uaV2bmlKcfYYRRRAO7Yn+U7KIIaU4V -zP5oQKh3mGp/ZA9AGULDiBumPzHRdzlhd5DAs4Fko/0R3HJUJSDl027+0VgNpAjdo498EwOxgVSS -RwwHUYn6BtKdYR2nL6Q0AuaDm1+DKSV5/RgBybIsqw0kUHZ1Ii3M/kRAaj0ll2xOz2Dfr3xTKvQC -knTZ0GolsVKO9qPO5rTAZJMVV2+IUoxdcwoI7a9aEPS05kQZOIhv/zP7WHPS4PNmk/YJIAFJwmlC -q1IbBSSEh8hINg3cL54C0jQFSedk5M6SBJ1TZNPo7vrGwQ8iHEA6J3GNDp6j4v2ezony6BfvAyVd -MpD2ZUXIqiBxLqStrAMUFSTvJ7rgZYCi+pwucpn1ZQRoyzAUJL5KzU6/PjG8lwAyQbLrSUKyF2KC -JIHCMD655QsyfE5g8SMSJl0NcM9puV6hgFDVcZB2Z7+EdIwMilg6UV61sIRYOvnLvytf0m6qpVMC -5AvvMwj5cSHRIDikjpJYQtLQ6VjBTjAyGtnSKYMjVXw6AeT8rYp6JeMLqZoloixmEhGzgToxzkzb -oHmEPajTV0TvJCP3pYqwjCEAdfIUJNLl/fRH86BOBzkGArKETKc2l05za39qBuiTXg== - - - OkWQGIqkQG5CqvQzyqhEP7yw5KXTDBlDjXJbEUxIMHhpkQaOjKjMNa9f6RQNCVJJKUs8grQmpKpS -bqZm+4C+WiYk6PITlVk8iVY6qea3SjX+Uy8HCa923xheStel3waJ8YaVThIaLvUqQG+Tcac8dxNA -KJLDSkKy5SS0vRLoPgktnY5hq74VHWMhIRUEivOrT0XycSMh2aQpk6lkSUeY7cRDZrk1oK/dBimt -ySEgtHQCEmst/YCvBNAsnZIcB2u1geP0QFQlMgcJcd0zIgY5hoMEiIlKciOOWtDifcwgrxyk0H/p -kewzjiqrIVKQ0FzavdLpx70Q3KUUisVBOi86hXsVQOT4StwNEhqCNsTB0JTJ0fG4yLfwruW2nQwJ -B9zsnscWFp0IujGzJJIxdfVnF50wMJCswTWCLDo5Ao/nvpD5mQgSN3VQxEUnsOhlZdThNEEaPWDp -NCARJeiDG6IFsUHSSevvKo7rdbJwgyTbWbh4hy5Uj9OszsvUbZBsMEEV3Mnri/SBC1Rso4NLtxjr -tKGmR0LdGzcSUl4A8RaS93OJNiSInwJL1+kynh5W0tYeFMjkiTeLIr2Wmu7UIiEg9gC4Tur6MmdL -KXgk+3Ukg6SjeMVgJMGQvz88KUSKFXuSYi4m0EKvCXkCYo+V9T/KSkJ6ymotyRBHIUi+JFuDpsSY -hIm1B/FMogp/eCJXTzUgFbsmnDRfJ80AnKQnQSI+oJ/0hZTCOHAdKUcZjk8UxwIRRml1lFhDdO8d -9KlZkEID6o4CKf33+Ar1iTj+AzP2qZPODg53SnvYlxCikhEDLMq6KWoamauf4qKUxPuJdMmTkZpp -h80UAj5KfjH8fN5Pws3JDVnemHU/4SqASZ4uIB7vJwGCdkD6I0JXyS6fYV2mg5P/XaVWvZWlPNSy -RV0lMMgGTrPwdpVU/H2NeiDRVaKQKHWrl6Vrr1L1VBVjysHaOUJdV8BgsUhE81b+3Lon/SAlqOqO -nq1SrwRXeD9YOhcysFPCOznKp8U8XJmN7z4a0k0lm9AE4RVP75eg3awQM5YAA4pY4CWF45CMpYwb -1W2zlJmel1mA8kb0hW9I3f5eLCVTVqDnh7UcuFhS2jj6LHYBSqXBMOMXPxeghuGnRC6ZFIC+qy2W 
-DBfUAGN3AckRFkuhxchcQy7qRLFULeepuAB8KZaMRVQWS2C5LQ1QK8lRUu69kR2gLgAzzYVr9w++ -YqE9igLLTP5NG40GS6EvBEveNzgrUAvTgUYQ+YyoN1I4Ms89yhriwEp/2ajE7ppKQqUdfckypADq -QX6PD1B0vJfwnS5WQgmjPeTLqcqPGwMlSadfp8Wv5K/ELJrOTgIoJ3XNic9CIYx/JWDFkxK4a5WF -v9JBL79lMOn4r+RVD0n0fqW2L3oQwDgAZb/mk5CDDJcJQC2kYmSDrdJjGzFYjzHWSXJThmyaI5vp -Y7KKpl8JacPblnmippm0BEgIpS2JcPN0VwLNEv/diKxcJS5C9NgCCIeluySK+kq+5GbZT/ju1YlK -5mQ0DpQy7cv64jR5vAxcCUiQzMy3T8+DlmrIR9NvYFBvszI7YfF33lclDjtXR3m1Kl3ScZBixiCX -EX5aQbTHt588Izkopi3e6dyqhAkBNfShXUWr0rTjpI5GEMa3zvZTYnHXnxaGES2STSWhUUQft2cX -eP90ptc2lfpG6yB1K0uoqZQA4SduEjxcCEnGwJnO0SHMEtwTynFVqTyC/kZIMV9Vil846NwgkLb9 -ZOKig3CTt+MGU0x/QgK5KOqpUgmYpIMcQ/AwVap/pVqSP1FMq2VZyfCV0q0E17x17hkJXvQvBGDJ -mPVxsYol1gHPAgNq6yFU5SzxgH1DLC0t5JjkupZURJ3igcLxcW8QabEHKCK8JBePXDK+glq2BTWA -iFIFCnxsdNolUHv5O4yX4NNVU/ZSYLhbqL7EvnQp6i9pduKyDUz9YNI7rgJtJHC4k8rLL0NMm8/n -UlVMP+IR9zLq4+UxPeOkel/qE2oAkz125BZp9IcqPDC2sOcKFUck2FVyhSCSIgsVObjGFrAMNRAd -qWeOlsdrQynHKUSLTI1QTPmQokrsHVRkipPgsErNyPSWMq9iMi7Yqxf2MzJB9lh2q+0u/DAyDaYB -TO1lChgIJhoLNQ6nPBZFpgpvMCp0dHdERSZfHw0MiYPoPgwDQTOJefkZpnvu6NEIOTMyWcdl1LsR -+fFEtJHtLoRAomzngSVgY+Qjk4mSZSRhQpXb4wGUYUNTYoZqc4LpEASgBup3ZGK3d+kiRDkyxQv2 -DHDGDLULOKOi9LouoscUWaT0Sohz4d1NN/6m5ssw1OTaBUrYunEIQTlVKLSrQP0pLPMf7OwhtqIx -kccni9FAbYKH/y44vJKem0yBA5MKwA6bmTwCmaEqqNf27Z9B7IbnWGY1bo8p23IhhGyl7DHVLYQ5 -6NtVtiAHujH2jc8wSQl9QyqlDrKSKD985EaEJvU87TFdkjU1jUyy1bB1lC6hMVPghHupgIUairNj -MyBPx+PCyPS2cY2ZtGMAq49MFmcSzVKhmf2rvKoBNuSaUbIcR+nBecdnb+o9EWRSutOiZYpEg4AH -KdnnDXXPXCxwLbPCgUeZ7mil8TRi93VDWZhVt7kW7OzvCVEmNquD3en5ADtnSx/MxkzwytMB6jAi -lWPgHJZOBj2EpWYCZE+PAmU5Jp3EnTcUFvVTR4sIJ/+kTB1q46LFS1QNWAGPZbNYO8y3BbkWMMix -hd5Qf800C/Jt5bVNCFP/ucEtJtK2H4x2GqlaOgC2b6jFxVcalryenrpSpjzpOEIfs8oiHtkAaK81 -JiltTDUdJk5fEp+Fv7GOc4C7yWc4a6jBMlefVCzP5hMAJ0L2GU8CR5X+mDdO0ImCrh4YU/5REn2B -EOCxJf+VZPo2gfqcPLyRJM8xbP2y/PI6LNB2Q6RBTjzA5M64VdqZXaphNUky0cWnoUh4NR9WQDAN -JdbOcedC+R5ipcYdiNpgMRmaiZhQCiZbXgoePnV82gHmMyfI97uh6tqQPM8Kg0p1Q71Y5qU/V36w 
-gMZMWcLEmFcn+x4wHGqovy5PoyXOJBOGhadMgMdts931fOINtUzGXPUHnEZe+j0LmEfUA1SCOmXy -Peab802x5w01FColhkwmBi2BdjLOXl9DCT2wa361k2dhFXCE6ohPTWMKR/5DCtQajDbfa6Ds/h8y -2TsiC6JF0FmyE5dpSi8iBTbKtIdMihpdPGTiuodM3LaFnteQiU/mj9oLLxNLKZ4MVZDZqqHmo637 -P2TCHEfUCRGZ+m3W7ogXSjp4TRig+a3GfE0mxzo/zUwQQw0bbdwCq6F3PYCZhnqUnajuNu0HYsJ+ -Q8nru1oqjm0zkHwT1cmIP6ljM8ikIVIEl4JMG45b/MeZVAaZtqbl9akkMkHujtBPYyBAEplcLHwE -WEzRNM1vRKbwhRyhsWVHKsxQJniV6lHZZTG6ejrpDQWfLRTnULDjzZPp4sG8TC1mpgHO2psJ4EcY -4ZkAcbp0GeA3aeYI027QTJqyPJkYTtNLnNlSEwBH5Gqi8RTK/tb0ELuqSlEzYRAEWRqYkpqYU0q9 -n1yX20RG+SK43NSBioizdFGR1omDvigsFzCTWsOoHJ1v9JuIwIQWnIB9vMkI2G5exv89o3rH1aYY -xQiAgLXxJt/n4eHGCUd1zsms6SF26Qa2Wi+dIrQ4iiiqU9uu0/DBcFVodoqht9NwDY14pwwBVcE0 -RYKleXiw/mdEanFCKshTl3JIfS9n+CTNE9EsJKMnAaVSlJAJk+CXJfNgx6SC1FYfpY/nfn2c9dRi -CyApocq9xCtQ3ka9ejLxVwZ1uv+Qa6ReGyWVQ7bWSIXWeHoRE+gr0RPn4hlVW5pvwSJlFl93qjuL -VFk4J0Qkdy/Gs7tkMwgI3aMnE5beSIm8P7RPrW2S68k+n5z6ZT3VrRbpE1pP7EWn5+20qJOaVuuJ -hOCfo2WcjtSnKAqG8gqQIU+QkRqWpl3X6fQE/V6OVNnOo9sYvOdIkf9JS2OwtISkjmeES61K2RD3 -dAFaI67lRwD3RDemW9rbr2TuKU3fsVIuVAuKe1rc+JIesnGAe4LGkCg7gavhnq5UgBfFlVW9DPcE -nvDjwEFcYIWkHmblnKIGu1UhKQlkrcEn08ODaEmF/urdUPAJgdmI6v0jT2W0B5/0Zn7xESd0DFhA -fGD1dcFKCgig/NLvHqpPWVh2vfeJbrk4zU+Soo59NGDeavlIpYg1zsZD8FMxghRgAfXaL6URg6dU -ObX0OlAB8H5kRmFsgor6nEinF5Q/RlNbWIql5aHjlmXkNMDBQa1vLRWVlQjxUwm2lgp3TuIL31Js -lhF5qVBwewzFWg6lo/xYFGWlMxmKHt8jS4YpWfxpPjvRw4mq4fr8MTV8PLCOiwmLMplIojNTl1Wu -i3mmMH9u3v9NlTGjyiflk9o0JV9JVV9N8ZEnIIBNBUA5u/a0KejEsEl3+QskoTn6KDEb7w5AatLG -WTznSGEXSVEGUiCN+8CQ0to7XJECDiz5OfWGxjRspaSglBnOQShSeP5RnuEUXTZoPzwF+PZpT98i -dGXyqVJZzARLnMvZlXpJCMV8s5Q5emZM1m86+S2lrEbB508ZTKVa8u1qAlOeupFUTIngZyKmoMLy -GLCyd4xb1sDSVFrinOm/piTWkMLpcGrjUWxqosLb9GVZOWYcHyuqWZ5C+256Uu/O7p26tUq9wpLz -lCx8anfJoTDkpyLwNVkWpAohqMsBqo2yq8UFGVNBVQGFmxMqLbYBFvHOPxK/fVwRgupb9Dv+f+Gc -CtODNp0Fw3BR+fSvrMqYRPlFJfik+EHpsunuQLiw8ShLh4Fv4DIEYFSShxYRQAdf+GG9YVRcqYju -PLmgJQ1GVR1gwUeV1jkxKtxo3XGr1WJUKsrghGl1FTDlHhUjRqWmD5cXggfk/K+TH0i2OoBjVE7D 
-ZG7G3HxjVFXZ5zxSAKq/e0Egb7ICCFYYlbMXTVgFSCrdYEdxE4yKob/jT6zSeVY0tow5K94QkoPN -1bFHE4DZJ8/AqA7JXmvfeQnkcPfy9jsGo2okH96xsedX8wSxJckkGMKonCI39GJwqzyUTiWEK5dA -nxzQTyEBGYkjmeKBUR38xYpRQbU/GdVRwn+R22RaOOPNqBZNaVQvIzV/NRJVAYvhVdVFDG4B2NOo -kCL59dDnxgcXGtXdNqM6AoVkFKS8E8/NqBJWNfNiMyE8gjUAn6SnubujqD3PqMD3ndCoMHGlRoVz -LBUh/gDPeaAN4hdQgmSjYsBbq4QlHpYnAFTySNNN4EihYydP/6BWeMkflZqs328wLiqil/iaB5bf -pIsxP6oCd2DAAGGb1o/quXRE4FRIS7maZVi/TDxViAwRlagumW5VnvTXPyqMP01eO/RC2HpUuRZN -6euBAX/BbKlHZWIkdGD4oHKP6vp+E2lKOtVNAg7cGhVJPSr88HDQso/Wrt3lQLc9Kg== - - - 8iILPx2iPKqA9czQuZVNUjHpSIH7OSg4EpHDXYChRNwhj2pjsD+MjNx2shy88mVgkGxT8P1QWeKC -LB4oaGKnEZW635fK+AjV4CXLA1d6aK30qCA5NPgVaFGtlR/w1mEBeskhThkrMTK98tVfDgrlRGDJ -vdIeFdCwalGBJJTCrTTYGXw9KgimOQMp8XTSo/prUJXuB4KTV/ao6rwOXRoNxUmPitfh46B2r6B7 -VOjjklXxqPzlmkZZelRd/HILvUGK0CL5UBLRFnCGgPiFyR6V10+QDw+iYCEwN8+D4/LLFitV8NdL -elThefRFKksjmHlXj0pjAbuyYNxW9Kiq6slRRkF1GL/drEdVupQ21fWEFBoxJAGk5QpJjwqB4Wcd -/ubWw0GoCVimR+VNg7D9U0olSo2c76ZHAPJWZT0qBFGJpdzco2J5pKixBNGIrUcFsy7MHICwSyQT -9Vr5yrdgReGDncl7VGBPDFANJNw4AH6K+EN7jYNo2MfTOi7iELdePapndE4OoYqukU6lQa7XC+Bd -UfjvUeExWDJgZL9LOv0QY1z/EcWMKkTlTBJCGqEQEp2gUiHXSPSupT5L4VElIXdLWo4zV+aQkTuI -iUfVPEFXym4mfPEYj8o5b4PYUekQVX9BjOYSY0dViT7hf8BtRwUyMna0clRjhcwPMh1KIQelz4VK -gkpeqEB1dFRNWjUSbTLnOSoSZODU0eXfX48QRxUrR2oO51ZFDkxWACTRU9JpHJWdrYbG56gI7iOD -ggTGvolOA7Y5qkOLcrYCoZOKiBE7JL5XjkRllLOb7cHyP+t8jsqOunCPclR1FAVIGeOoepNMASEs -IHFUCCDTwY6wlwiOaiHmwrLLpENrn6Pa6fENmhzVja+KINMNgHrTLZCjOkJ2XmmO6n261ht9Neao -WrtU4qhgrYZOOSBrt5O95vaSr00Aq/D0RvUJ6Uxlr7tRaU29cr70zX7p5Djwhx1qNTJZLLLedaN6 -52NVMoZmEVe8Ubltp3Fd00mRH+7Dlmoxk4CVEzeqY0w22JgsZfAbFTRPp2jeIc9vVBVX25JmW8P7 -RnWn5CNtFN3iqDoajOSlrCQFIRYq0diJJhZP3+Oo2jFG4R318DgqhPxem2IZiOCodqeutSAOvRVH -Fbpos8xi+TQVA1XgqPxLaW5UMJdjG5Ur/rqfXXZGssA+VeM1gZOcqvyhnkmTVFwUnec3s1Hl2CHV -vFcWFIQ34PXvZLZRkUxfYf2y4YmUjUqYn/zmmCiivDB26ctiEt0rUN1I9bRZXE+uAaKkwFFp6n8c -U4qtjTLhmH5MHNWLS8QRVFkJR+WdlrcbFabt5KLp/EZ1TBGJNkFK8UZlc0QEWPaqyx3YqGBtBkoA 
-1PGpCJhFPgFUlIo1pdBG5Q7smO7Iy+EACZdqytRG9TbLeJ+HqVH1Q+ayltYyh51GNWGEQtjoS6MC -wgiNsaD7utj61PpNoyopwMFQTdZ41Y1oVGEGxBrVdECYrRDYtYRGlfEBRKNa/7SB41cEIMPONF+6 -9zRnEMacUUH46Urd4GRNuX7WUxF5ioZs4/7RqKxQr0EYHYP0nrXFXY2qFVUTGMac5sjDlmrW8lRv -WR+8aquEJxUb4/eXs963Q3dQozpLukijAq3Qz6hMSgjdCVVn+BVLkPNc8Hi8zVddS9HZ8u6oDO4o -pp5CNvn3+2c6KXiEe4J/fQVfRoUVn9EcyJwho3r8Opfw2JG8V5cQyo1xUMuQURl1Ao50ux0Z1SRq -nDed0W5uV0YVXpZdBOaKzyb8a/obzzIqo4oJu4xch2BVGRU+ToN+8qJNFg5BiZFRQUz3xyT+l1DL -qJC61IZ2cZtlcDKqDwXNajfjAplg4qfXp24hWYVGZNyvyqiuUy25+BHIqLg8FGZUTpBJGtW5O2y6 -XqNqsZUol/MlolG5MzLT6l/wSBoVzgHqOcsxo0oLWFEfVd2PEcgqp2ZUIGMf8W5CqvZy+2dU9DWc -q4rzp3pLqnK831AN3jW5T40KzsMls8jiwJ641VKjwohTny3ZQ4/TCUpl5i+1NKo/RErtlnBG1blS -nDGjSl9gigFbQT+qAaI8uB25xW56fJU9owKC0RCeBaSMygecZOiAdElGddoPrIvBcs4NHAYnf7EI -sTbS94Cst4wqw6JM9q+aBpFpy6gI+gRAuVS22YXgGRXIgJ8UepYE7cHqGZV/2dkSSU6z4HZGRV4D -F7xJ45och4plnmmid4RkupFEp36dlpVRwepdx8ALBELzk7cXRn2+d5dRrWn7GwFv6SuLUf0Bms5X -oLl5JxR9RSNGhfcGry1TjOp+OYqtHog7rfT0LVLuLZzMvbL1YlQuAyKawCp+33BjcKaLx4NG0kpS -I/djVH/bIzLo3Hwu4LemdjzwoDVGxRIEue0vnAaPS+spa/fHVYxK2wyz6GNU3VYfEsLkmQ8Lw9Xf -bGItqy0RowIRw+4zSH5mwaj4ayzbe6V+b24PVGKa1XMsw6hAe2u202ISss/gdW7POqe2Z41gmJSw -nhZ8sXyqxv2il1Yqwbl+gXs0c7GzhFGFoNomv/K0FxXg9wDyg7PLMr+opBY9lK1dE8v7RFDUupFy -QEWkiiLgi8oN67qxjjGFNi8qxdKXl2cvKiBM7ws4RKJsLyqTgQpWmsuBUTHZnTKdiBNwL+aUiYFR -Ac4V52vu0t1sni+af/OsC7dSBVfxtB4+IgEai5TKxVQdWduoLIwdeiqQBW67kMTIvEtOIsRUsuAZ -wy/AYVRt+vWDDp8Al8KozrDOKDoYVZOW8x9raBeMapgcp8FuKruzwqgw1ndy5rogEEaFW2RepWBU -gZuCUg7b576o+jUYMFU+vaJfL6rF0tVc9OWroohMcQlS5RcVFNpIN+yF44L+ouLi5GF/GCAxJc53 -YEyH1O5wgVHpH49r0nnvQE9tnepn1yDG5JuK4WrudUHAXg7VoP8MRmWsiJhD0j2MUkIYFdimAsIQ -Au0bVYsqTGBUdS6jdEkZLfFXs/ulXWBUabZe5Dge42o/gaGPjh5G5V/+gqbrXvRcHIXOtiMTRtVK -HMbXbUiM6qNQo3iljHiDKoKhHm7gRuJlt8WoaPwSymaM6vCfFKnK8NwBxqjAvtsw+BajchT/dhFk -FiuDyxiVjrCGxajs+ivQ3BJDktxtRtVMJ/y9zrBFrJtRdRcTLTanZcafZlRIQKaiZg5smvb2CBit -yasUBWU0qpjtHYXzdmNqn0yjGpbPYxHusRhcVeIajQr9CoRyeQcdlbQr8mzYGOvi1uekUcHYz7ih 
-ua1eAjSqOD4WT7WXChrV+mQCMAQ7kE1NH+HkNKoo+OEvukZ1JdxHTA6TjtaoLpbqx0TN25CZ8hqV -lPS9qnWtUWHxqYdCVPpSXBzcIon/0XOoVqcwwX3ANaojmawjNSrSGvOfr5Q1KrI3SH4UMYHqEKJR -mVn5EGhUUASU3nwVdhqVlpg/Huo0gcsJySkBhmlUnGp/wwH+pkjZsjUq122Y13Mu0mFSeRJgIPjR -S/arUaF1PiQpBpWZEjika6OScZXVW2Fip43qs4lWa8EDVXBoqUC+ocE4aKOStbrUG6CN2m1UHe7h -lhYB6RqVr3hnH2tUysM9qsfm6undCuMjwEf4gxo7uxewUeHdlIbSc3FvVEqVoqbVkpge8LlQHFUJ -kJAfgcoMBSqrI4gusUnogxXU/jiO6iyFVItwVOWMl2kH9vEO/OnYjwny/m9dk47u4Pyr2aWQATUU -R4Ug1OJX6trD/XWvytG5BNq3LbSu+ovzEjOCKFU/RyUf1QKAvSqRjspxz5c/QWYrtng+RFOEwHtA -ooZUACnrHisL1kMqeIxIVVoZIRYmFxU0tr6tuMTanEhFj+ovRcC2ZomeVKrbqidpfStc6snFdqLy -9516o1q8k13pHnZh7TD2smyAe465jkj1M5mF3mUilZXSg2X4HUSq0NipyUwEaOWGWPwQJ+aoeeNR -MGnBdgJ03qTiD9VqP0MYIBGqQaQK+dNeSH1EsbyRSibi9jpIUy0lUiXJbeFvQKRaI2Eu5rQnIlJd -qdeKUc3MhWspfhVzpChpNVI1BLTK3+BQwJfRSMWGxLkuWXfGzB+pXrWCukc0mZwBxH4LeVDZqRuH -xzzI/mxQtueR6mAbqls6q7mIQkZFIfX5jlQ+2zieEAL7F2A0Ur1Dw5SpTCNVxdYnGzMQhjlSw2Qj -VY8XrjT/yHfb20h1NvF/2wW4XXCRjFSMFCO2dr4xQmF2Yw//l2U8IeNIdRH/3qFU1JHqaALkWcKM -ckjJF4t4SzlKnVSC7HiyIUE/deSkch311CfvnJR1oR9+nVSU5lQhOlpNf8F9/Ul1dmQYXAJayWBe -7ifVDZ2GSPqZAHxShXQpou7gkCh55tPsSXWpZPNix/mDiC21KVPzoiOfJxUBUGXwmil6wsAnFeVL -/FpbZdLKPv+kcuwVgM7HpmSfVJZZRdSi4Teq7p9UNmRDlrc/qdqIMlgd4/eTaleuqkq0oRqwnqhA -PakKYBCuWZJnwWw/qayPp81Z655U1Hp9zgMQKU8qoLbuc5YJmnAjEP6kksdq6EydtXYI/UnF5vFV -si/dLWcQn1QzKh/v+6RqI2pjjTPglnruSfXUJOUp0G/xPakqwb7bsnS4/KS6vE8igez3pAqnFTjd -80nVXOzrSyNFTWoflEpPfGoX0+KVKECpTNKSPU55bq9BqerGDDVr+tYRStVIYPEYFCbWsFCqypFL -5lc1y1AqbJLztCuL8RplR6nUWU45VdVso3SPUtkCEAHXN2kdSjWhCiM77ZEp0IBSHeN0PZYdB3fT -oVTSp/BVrRVSwdZLtmmoyVvHp6BUzRi3qyeUBkGpvvMo3FEq1Ue1YxLxkjBqUSrrZWnBnhBXg2uI -UhX+Q8SF5Ird5/WZHqJUebXbOhktlh0nSuVSZKbWej2Bo1TwaCUklMF3oFRKFWdIT2UWNjmZu5b/ -t3d3msywUqpeE4UWDGd9uyMFo/pm8Y99gqMqZXsbvMmwHC0hpQr69voppXqh3OPNCOlVKdXxlA+W -PPYrpcKYAQ6lVOfd52ANXQytO+jsM1XZn7tHKZUVrPbwEFa6RSSlkoCZc/hDGRRLk1Jl97mNfz2H -WdspkIiUascZVvq4q0ap4PDvU18oNg3tolQZotqE6EEbR6nSD9BKAcfUolR0JHeY2OjKRqmW/FXy 
-AP6jN6NUZUq3uc62lKqP2zDdM0i4SalAng3XGSlRqqLfTMwXYSdKBfv4c7xYShVvwO2cFqXCWoTH -dCtB6WvW/pOvWJTqJlMxjk0nfZQqaXeT6W7uLKXSjMdL6ZNS4d5W3vqpNV+9o1R1Get9iVKVUUN5 -agTMlJ9UFEtcoswn1T2HVgJb9Uz0e1JFihCLpSK1KOOTKgCU2qPc+ps9qbAm8K9ilIwAGOpcGTth -LPdAonszq3tIpKbeBflguu+kuhuSkIRsnVQQqcbYyeTb0MRJ5anR45YnFfMlkAl8ag== - - - WTypWHfn2rfu1hORT6rR/XKRi26bqjg+qfhybzh2t5U9qS4uQ08+oAkX60mVtwNUN5o6qa4e4Q71 -MWOb3cToN/JMk6ofO2Rpxkpl/OfqbgRFGFB5Wqm0eJqcsVI1nrjcmYCqSuUzjcZYpFLtoWNH0qX3 -8tngGu81qVSQLFhC/yL4pmkVVKoogZeUijrWCQI7ygxLtSMYaNOw/3LrEYHTMF/AcSxtlswRCQ9+ -3//Hz2ml6u+fCEOALCtVtM+bcKEplpUqnwEMJgCN6eCWcLiVysdMioFVxfAc0p+j0twx8IE/YW5V -f3ZQPNLD0WwXKSsVBX3ismoNqYiVyirIMI2uUiHX7g32MESaFK1UIRFkkVfQ7YfJyi5j3Uplm1H6 -f3IoG6CHvVIx8mEN9s/dKxUJpNiNbBpyrpWKJXVLh2KJqns1k8srVeF5ApszqGU3ljYC90i2dtj0 -7SuVyRXhStK+XKn0FjCIN/X0lSqAdhxosUIsZJRXKl7Wi2ZmeKWqNPHRIYTrABZXKgewEiM3UGiL -75Uq0L6TM3MGosjtlYpxNdOgTxdrBwO8/o5rf+4Sr/pXKi3hbhKfK9VeqeYebOohUjLelSpQz6zk -7TOqfeRKpWYzHFV9peL7+lFPaM2MB99XquahUWMJcJ0S3uJKFaePXYGQcgSwVBi1pYH47KKxVDEO -Acbm01rmYKnY5kerIRlgqYI0FZflhyMRS/XwdMN2bUwKg6XCKsOBbYItwysVvNnP6JXq5eFRpAkN -u5c0xQh/JMi8LYMrFUVcfF9cqRzf5ywA81+ppLBNzhVvgEg3St347Uq1QcEPqhB0vBm84Avo2/i+ -UjFLWb01QwRXqtzzM7Zx1r5zpaqCkKqAPOr6SpXa45GqhpTNgz2D35WK+jdCTDJsIkJKHms+qVgq -8rKFaUXOlepnoOzKv2/IrF2pbONHGMP5XqkAQKlSH+iJbX5hzf447wtdqWCsyPgUS9VtpxqflyvV -xQYXmKrWcJgq9N020cm+MD4hTEWzb8Vjdkc3iViZMNXBksb0OmGqsrUiWpEYd2ikQCNhqih8vsVc -XKWYSllB/wapLqbKZAE2dBE7dzHVykUh9CqWtoupyKcG5BBoYirYUzQPFVP5PUG9usepAotMNePe -rAoqMcl2sx+5NvW4k6JJbEIDJaYCqEMexFT3DZcwuR6Qvi4nEljCqQ/0rgtoUZ3rj6kIlen2aNBM -ZWU7gDJkvUYqrI8ofsdUfdJS6s8qpqq47jcTT4mpxh9Q/BXia4uphqQrVLbOYarqHoDnZyC2OozD -VP2KjM8afDNMNc40An1zEpPYaMlV/v81s7swVa/me6Ri74YzpEtIlJKyAAmYCtzqZfqg6WVLhLpR -hh9MJSG5XEw/zsSNUDBVpgOJKg1aDDIMpprUQNSiKPYC/lV1QMFUO8NR7zmlHpiKTuwaaawcpkpu -qGcwKu51xgIjTDUaxk0/TKWCS5D+IxN7dIsqwT7nmoEuwnOYCrjWx/3CVGxGGhyeV2KvYao/n/XB -RhKGQhXFVDue6tSjRd1cxXTrf9TKlAKE1gSENItV2UD335xtMVH6mbmQKJlK7ep0+AGSqYZtWOyQ 
-qWaxdzMEcI4dXj0ylcbUphvT5KrRVraJlSJTgfJuoQruEjOZKq3R8ZpkKt1gwUC0Ll8p9EeXIbgk -U51x9YvCI1srlOTfKeQazUiCsSyTqcoAbMNkKoRarXU+mQycvzMlj/5qICNTuXR0rBWdV4vqC/RE -8UgdMlVk7jfWg0wVN8mBQFjh+4CTkRR2h2Sq5ememHYJzSNl6gB6FdlM9MhUDkLBW5q+cYyaTDXH -7hB2iEbXPYE5WQSNH5lqV9xLM2T0/slUHUjKh9M/uItvDt/gD3J9C7EIYUpMprINCNw697qWmltl -+uuFJjpGZaqnYuRpq12XAFemcm1CyAFA9i9TeVzoK98nmaoDjCtbR6YCYY8Gdi/baPCSqa76EXHT -Lx6OTQBjKh94/2D6RzOmUklk0RzAoRDQhXkVi4SKqY4uPnMQ3N7YsFHM1O8XN0fFVOwDyO6Uz3t4 -QWhBQWiQYipy2jNiCaeRbSPlQ8zaixbjw2xiqnx9CqLJVFlTTij54ARpej5bkKmSjnzrw3uQZCrD -Rhr1H7A5MlVDbohnW4fjRscUmnMU5mSqlgHWdFXRCyGB0pJ5c2SqVhvHE8hU2tanqIhMhRU68owZ -xitT0duc4R4yFT6sRjGZFWZWqbN9mao9nOgHpS0sM1WMnuqjGvnOO6UQQmLNVHzEmdUeiKaZiqNL -3FmmYts1BEGZChVBw9z4QNZMVQNyy5CUS7lkMXJXgc1UH1F5lTPSqJqyIVJ8TgkzlRcIZQ+URL5d -hMxUO05kohI9ZyrSRFrEjvVSzlQbGkRRID4tctSZys1bjVI2U3MzVef8Eb1xFQJmKj99wbF3iM2J -ezMV/N7PEhDI95qparUjYh6lwkwVpXadhmaqpCzPQSzp8EIY6eeiZ6byM9rUWi9XFuVnpmLQC3YW -y1SXm5rMBglXZao0n8zeq8DJadiSypGpuKp1CXtiTabiXqZKggLk6f+cGLEql2x75ehuVHx8BsdU -GqtnrfOuLuJ8ZYEnPL5kqrmjhkiig1RjMhWaqps0DjKdZKp8mmheEUr+UaZa3tAF92Go2JepkDCp -ZLZlgV2ZqnRaKeY1D7ikZSqIrwxcnBqzwZtnmepQjhEgk2X3mESZinBVdZfZeZnqAoqyhcf0kjhY -pgItUa/jekDYm2pWKVsElKlEswXlUaaCHF9I0vox05iKwLLclS91zTHVBnlWwDWDSZjKALQBTLSh -epiKTZoM5TH6UUOGoDUZphoNUip9voWpMO131FKipnLLtcJFUJAMZABZ/yg11RFzlgV85yn3d62m -kgzaoUo1VaEuMvPWNFUEdid8BpYaws5QU8kScxly4SyUUFMZSwrH1DiylF56mgok+Ti0D/kV0ByS -MY9k0GG6JpZGPCfZkHTDhvDo75g/u+ASOwuvqdpdeNnBL5trqlZKG6htBZ1fUWwqjfa3Ry5/baqX -CDCgVDgWGzYV3t6UKs2+BGwqWHFyS0VCzqa6hn6U7iBi9k2wCBxfPsOa6uySK8Rw1NdUz7jpKT4C -l8G77HqN65NrqrtSmKlA2vv+0qZavaZ6oQ7y+jHeV+hUj/xWLi7hTN46MwlCp8L+qL6RUt5Lp0oq -C8vCmGk0qRIxrP/ddKouD8yVQ33Fuf1kCJ0K4M9bKVxSJrAWneodhRg3IXwCXa4b4GfwM/RqODPe -rjKkUz0SLUbZAUQZ53KqwMYb9S05ld5HmxsY8p1bTU6FGoU1LFjyM1xf5VT0wW9YPIsEif3NyuZU -Qz4upqUfnar7nmPndbtvGRvvMCs6VXlb2NnClzrVEFEw56zyR6c1fiHsdj9U3ZTyJlenKhxY3Om4 -n8peNnAm9/Wpvk/Zq4o+1Q5ViN8zwPL2butT0c+qjg3sU82bj+qV/D4VrlHK5K9Q4eIDAIDHr0+V 
-6vaCwKl4oyug6v15odenQrcZg/pb5VN1jlrJjyXFpxKc8gTMAJ9qtdglID7+S3yfSkUu4wo0TF5R -lSCmg3ZSNz19qn8MUikpR1wzfapryStFsja7JL7lq6VP9a9C2ti0vBWbJdWG+30qyN7judNPRdqV -3xApqn6qeiwZzOIHmauIUWPlp9ou3JLU+p0KpRZ4lhb9VEbP0lbQZX9PgSXNa1/WjrhbFOM3vER5 -Nx+W8o6HgvdTwanK4sxDOYsUP1W0nfiUDKPpkZbAUZKScdLtk7EL8FYGM8Lyrg+A36CFXnnhkfKt -7VNValslixfuNi8pg4k9XCa9T2UEOeZk9wn6VGtqRFfV5UigqsKxfySsiD0CVTeKjFnNlwUMdXgH -qoDcGLMTDkZ+okBVM9YD5b6gCvAfKEBJtlpN4SqoyvKG6dpoKvF2CaraA+HKKo2+B/mIoIqKzHS0 -aOk1I4oVEFSlqKOwfU+iZcOk7FU3hBYSMC7TrBZDlHkiraMSIJJnG+bXh/AiJajqqehawc5WxsBq -pYKqH96wIrz/OWhZypuZoKquig/oKkcpVcIQeFl9DzTniHWXKm7dUiOs3ajTthZUFURsB1VgI7KE -Knz0DNRlSBWFqi/oTK3s54hNfF8Rqt7eDH1WOe1B1Qdxl21dTDI2qMoLp8IP2IYxqMIlv64u07q8 -BlX2Eua8J+kgSOoLqlgaTRYBSGILqvT8izov/lFLwMUuDQ8zi3rulUOiBFUVy0TcvbryvuQzFiyD -Pw+ml3BBlWF7QZescxspAu+npX7egvDLuDCzdid0L1+KFvOCuEsHzs4KqnLRXhunQRVwvPU74xYx -qMrlbfl8FK5BlTsBchy3zBa8DaqeMIxjpCnMQRXainl2rUm6RRrsZXyB9R9UVb9ukJHq0+DUfYaO -jPYlYjXMksLCCz8jQtXncM/9O5TkCFVXD2HW4g4uQoIsVFVhrieABG7CsxGNE63MepF7ps8wFegO -w9Ads64fFfkmXgQMVRBCbx6qrGXJKogqy3M0rZwno3CIW74ekxfjU7JFDkCuTDZJv/uOfhBVdcy1 -/JHhvxFVwwccUkGWhAxR5XY3f0M9KLsRVWCfOqCKuJQDUdVpGkI/vmseZYkqbp2/gkdE1Q+LVJFV -iKXsPVSBtuM6RYV+HaqwoCJuKCFe5S/WJh9pFZuHqo7kDC5YejTLGeUQZx4t72130NmKOlSBLyfo -6BDeFS4S7G+Cq7SF6RdnBZ3A9oeqKhtTWTMTD7kp6I03TAJO1M4/VJ0fQXGKEVVF+rWtDJ1/uhyk -Zwscoiqnp2ylP7mMAYV7jYtgpAnJHMdEVC3KdZJ8i2G08i6iiqyocoZKUgwjqhbOJ4Xg+DSIKnc7 -ZqMqdvi/DsT1sS5Fosq/nx73HEnerbMTFSlRdTkux4KLKrsEM0//oU/JdTGe2+xFVUVR6jlaHtEw -Z4sqEVWM+trQW1RpMx+kbb0UCllUQQM8KqoQ4f6UqML6hqxSnFLL5KyXM0FUWc8PZYqo4q3dRQvm -S7iIqqX6A0yhiCqMQS04EFVzikIayUMgqv6F+puNiCq7Ubt8WY4nAWxVYacR0J5IVhzqa3Hi0dU4 -UXWvc6jy/y5+yTih98ooBvUMXkRVMD895gOias/+iDZXszNymD9TYJHnWyuVlWW9IIXve4ouR2rb -FbYsEFXv4K46Po4z1V8Zogon5hYA8itEFSG7btBB8XSyAeuJ43awa2gJspq5VxVgYuxJ68SpmKyp -X8nEf19MROOJqrrqcDloI/gjEFVDPuFm6VD1DbmD+e4EtCTKklmPluZfH6rKSy6PGhF6SDdLSFhP -CwPCbL0pouq+Rq14gMQIiKplr4urDhIr+1AjqraRH4eYwBWaywjXbQ0wDdLHK0SkqakOTH+WC4Tx 
-UVoEFLbFJ6iNQ0yFqDLKji/tx0FElS2biwoA/z4hqqzZlVF+l8N1/2f4lXqwEVXpAA== - - - 0mvHWO43UfUkv19tLnggmo6xn5KWqHo6usSalkQVOOJS+ueogkQVydTyFBPIiFteklR9gnsoNlqB -47MuNqgI1S6BJ1JSxaVnrCKZBkqq0hhljLMlVVW98nCE9qyOJFUex2y2kMTxLKma2b+B9FJSha/H -+aFQWZIq9W4jlFFny0aq2uHb3ISRqgQTCd/LJSYZ76EjzsrPTmNJMJEq2VIJgI1/8QgY0kHD54Al -IJ8EkSqjfwRbGnRUy5bTpr0Hf/Q244iY0AmP9mEEqVKiWvbDvwBeUXK/kCrIH9/zI5I81QBT2CA+ -10cVcDYf0m6z/9L6Znv5ZBhOVr1m2QYsyYaV9lEFl0LjkS1jj6rR+/z/ngr6qx6dslMZ3YkXmzej -chf1VfyouhIoiIreIQcA28pHODyqvoNMaaEfVWwCfSOPqonL2ACpghyL0BkHLIJU2fps6xw/+bAP -kCrCzHtO4A1Rg+ACnALgmbVWHwDCAcAetXVP/1X8JDALloyAVCnauhvEibmQ2WhKn+xNbQ2pMucX -eM5q/mConZZqgbL1zyDBkp6zqY8qqD9w7XVWtrSEYvukPiNf9tJUGzjNHcJ4TT1SLdpywm7iqJqv -kqlyG1WN023dYZLC1aonfwioOkg4Ca9Gm6lGVd03dLE0sEiB+WfCg8vASR9DlR1fWaOqoqyAa+TS -bVR5xXxfjpCOi/QPtFGF2ybE8Aw8NnRUwReln4zWK/O44l1V5fbxvAGOi5+jKrSIrUu1ekuSG21U -IaEVF+bnRpXdKxdOvBEG0vK36D2Nql6JdzPeIdeJpXzhQNwJ3Y4iaSyAdTOqYEVI4RoDWNUCdydP -3w3WnVH1kd+BQKppuw+J1t1bJjKqSt7oQvGp16UlqnqTAnK+QpvimHdQ8tIvqy8eIUXD0xtiThg6 -bsh4a4/1v6JI/Ao5zMSi+eYq2StRBeF2arb8RJX+y5qaRFFVvwHG+QyVpxuGPJw6YWVGFT76o9VG -E7I+dBYaRINRdU69psuoImk4hymzTUZUBQVRTrGB3KuDmFWLKhy5q38dSFtUZcCzKdcfcUx6PqMK -MolQn2nKwcCo+t8Rsc7/PJIUgU+p4P7TqMKBwfPq8GACKSpY55hHMPMEpGvKr1TG/9/siQnCwCfP -NKpe+WLfUQgeNqoiULMT9ZHURlWAXwFkHAbaFIZqVNmIHtUKM3sRWApKwX0aVYP3ZritJ2h5VftA -sKhSyj0XVV+0e3iWLOOHid0U7R2QoWD5aZDYJoxRBWH0MN7ASxPw/0v/zL6v52hCLWci65wqVII8 -/VUuskyC2kDLwPMTXFEXQBdnVAEWBjiAPkS+EOmIMaLC0lWVUXV7YHOySKjOM8syKziA/YpR9THU -hcWsNKq6PM2gG1X8G8Sc3qlwDLOjymooQoKoxbqdylG17a9RdfagAwEO/ZSSDSHx7vrwwnXGJb9m -BmWOqk3qGAX0yrdBjio4McgNnVGajyZ4d40bVYf/b6fSaIQMPtyoAnGE1YB0VF01ibYvCXiXFvBA -ibL8jipgmLsUBo2DcFSZTEA1XHdUEUhj5w5I1bkTEyGFVAGjv5RvNjvvWYko16sKrI8qpEBkHcWi -PjmscwcilGfXgnQhRlW9h2wRG7PhVmaNqsPU1nIoyKQbVUf6iC0KRhUEpB3K6vdCFMcEe4yqegNh -sFtu5TKqenO0YaWltw4FjSq+acEcacSz2qi63Z6MkzOealQREpWEw5YoYqVGBUOjyhT15OwONUWb -RhUaxs9a2ZaX3LhRBYcU9JIOX53KRpU5xvqRlkiTA7ZRBbJsNvF+flZ7pabkN6rAbV1RcX/0Ufhx 
-Y0KX/GDYqMKCRVNODTiqVN3Tw4lNmaQmaDqeRYovgvGZFbEwhkqRKrO6ohT5B75VbWKjqlwkQNNF -UE2jSpE6xsJEfWLYMgZco6q18Wgl9K24G1X4bSPOog75/QOjiy1V94dIoqP36vAdQn6zbqlKhnV9 -XKrSjC4cVYAsUIUqMzJhezDqAGihmnzuAqC5zy5YKexx7PjSpBPKsNLRjlO+fq97shlbJBhszoFE -zJpP5VUckvGphBYKQs63lvfxIjEpaNlT9c7nMsRvMIej6EsWZQXsqWzk3AP37am69BPnG5+Mu/WK -UOX+msrPqQslMRDBI0chkFrYI1SheskWvA+E/dZrEBgQVB1tIFBwBr10ixCUihA0/UdCWWQJVVD2 -+DAeEqpQ8F9/hDgQqnymMJV2gb7BwvzEEsKEKmT/qlga5kKMUPVjIcuogTtPPsxjDUKV7diXorHk -FaGqu0LHNGB9/11oPiNU9RK0DQLFwGmJzEsCCVXlPLFExsyvjFDV+RO5oX9Hn1AlPKML6lhIQKgy -c5CYfEUQiwT7z27/hKr+fPOpnV1hA4RXQhXAtLeagNFfiAhVQg/AuFC6hCro7jMUHQ2q2kJ5sip0 -RHjICFVrMOPdmppoQlXlamgTDdvyFCBUWadK0qDW5kvLQbaYTagqJwENtKBva+jwxaf3hLW+TtXT -qz2/QS97fx8fjd8zZ2GvtmaG4rIXzlISC7Oj4RHgMOooMEVmJusygzi1w38Pv+8wWKyAllowCIyU -XKK89c60xp3su3rroi+NH8y4r8VxTXXYV4xPbYa6ohKflUW/p5ewYNf6HyHKcvanRmnBh/mQFysr -jzopIL2MfjyFF22N4ICImgqGgW7Ul6tgwnf1pbzlYJomkfVDi9V9bG/b+ApqUImY+YPQ829KojB4 -U9wRV0mY6EO+xMe5YJnu4A5h/FQJtleNdpvZvlhJOtMRmA18/uaSv8hVRk3qNoKBNJJUwfdPrH2Q -MgnUMY6Orq4WCLg9go6aV1mL2ItTgRhONC3kjL/LSicXxvPON5GKLZJVddR2iDhIq4ht8BD8MyQl -sUuw7EAfcX7n3ylxUZX0UGQfxZwvOnIdrcWyaB4G476Go29+P3KKafrLxEslhT9eOGgT+P9W93y7 -yEYspfNsdeWk7BSd7yUSArmclcRvfmpNfHRyTRKYZYrAPQDQx6rMQe6u1gGptxqKDrsdzoS4KH+I -/P1FPay/issilVXTgEQaJWkOZx+zC54fo+CMR6tAN3vH8ih6md1WVZprSe26uzwWb5HnqS2wSKme -2R4NAMuIvXSLQkIYgNY3QKeRhjhGaK8HZ5QHcOdSs8CU2A0apIQexBAkymIC83rQRSumqQy8hH06 -YCxDevgoHZHOOikvuEkI5q0PYTrzv8AmcrQwMBN1xJPLnj71POi6mRMHJ58ZwD39/9YKQeUTZ9TJ -wjTGK7LujhU2WI/Q0VuIm6Yugo+ROQLl5/+Od4FPoBlGRxFSCYSMAz4vNfacbRW3s489JXM3OVIX -kllLKMvJ7xGtULlg+Fyo6TkISiT0NzSOF8n4BKYCQBlYirYxObsbqkwOxLTNekWEmq389sdywhAN -feAkxECotoq/sPNi1n7JuZjUtMH7EzVbCaIHyAdydWbd/nWv+SVfgNiiCV9T7fmSwmGA7lFyjew/ -sgfmShTp4DLsxdzPcZgDl2xQBpi9vKpjYIphGKGrMos0EVWD2yuTaQtTiNpF6Q3Fv1IBLn54Szdt -+89McVCpOluY7+PVfdnQQUbrZgm5jVHIA4eXbGYuEjpbfe31ESMy7RGaLo6iHjDTeAPiVEcrC0al -s1Yu0T0Oe9VDf/G2dBs95FhXLCR1XRv8LNsqJV0diXnCncCjxC+gRkxpY5AftuJ+wLjw8rXqPzwV 
-bOd3aODq+zPDxYleA5gNe14ZRNgxBxhTrpKVsFAUXZwXDriUsz3I13EfGDGeZpNiDBRcju5RcTk3 -3Qk+60FVHQ8xFABgE+DwLgWTXqC/Ovo3m47dq6ggJZGkhWIx6BY9LDnHlChQBU0kxs1qF1g5fMt0 -AlqZu+8XvctQMi90ZLoekWyi9JgJaebsC1YRTJ+v0INUE/6F+wj/GtSptU50prDwaq9Ik6xzsrVn -aLkMdxvsClme51Jl36m6DTluGoXwy8D02ne1OK8VnIPoEH3ObWkYRsvBVk0RdF1h/E5/eMLx9Lht -d8z0f23CA9oz6QdJAs/Dz1r/BEUR8NNZRwMnjmMT4mFZsgv1tX3vte//46m3noFkIqPG2GOMCxar -RS2onMDes4vcV+q450iZNS5D4FtJqrnSZWvd6wf/FLKSwZq7GwacRsiJDnRVQP40WTskP6qDodbW -SyQzlWcu6ho/ZkYeBEehgCPfEyLLJoUzagR2XXIHsu41h8CAZ38mkkeHxUugjGfZzRAGxlsOdcdn -eGL90gPDCVbU0IJ9wdR8ZHBaNJP42JbiV3s6UAi1HRFOpvYaXL5wQ3xz/s5xdAHAcawQAuhsneEb -vzaFSYlTHvbc2sC9y9OJs5fDp80QEMwFf0lJeM48ebI8DfvVLabUM1w+NZXeb0RSSgmeeyxQayF2 -BXr2Aa5+onSF4YXaIpwy3B+Aarxfo29+xaDZda4WVJcKg7s/PX0jwUCdMHvftOzyvSoxouCiP1u/ -PsNGqtYHhDmvyW9DokzOkTcvMrxw4Ed+fug/hcC+iZdB0nr+VoaBwcnnxgTAVy+wH3pgvUlc6ZbW -Z20yRZCK44nOfgxXiZFwLz6nzJo0AyAsIBq7AwK5/ShYnlETFT+/3ruCmjyeAuKIyBITOPsIxfqy -xfXvzluW4fRCqAX6Evd0W/aQXwwAp7RHVMnwWyG7OJRywTTsilTwzrSVWlV+dic43cNl4RiSPcNy -UbkN6olBQC9HxHpYRhFHU2JMsxmIfi8ZUciuepReW7qLdxIIqpKB74Uj76sJMoMCoJvooI4siMUG -W4lwkbRt5FhU5IUNqnsnQjUKiglyl1SoLltZUFZnHykCxGKELlJeS0wp5sHUApig9aqLcLoSAndh -CJcGDi6Ya9Jt2Lr8pimoHeKcge2mC81Yhux2DhX6oXzMAonB2agga+w+EStCvO8n8I56Al4tvTPE -LChkGiP6p7dYBTkv235cN6rgwuhFjQtAukzdhB+M6WnAn2N0i6DskAggMkLMEMFd+QiNWutImNXH -/8H9wdVCu+42E5s3d99h9WPn3g2JCdXUCD0T6nE9pZYxLQFeNs1RTYpSMhYY7PHfaAzA6JEFARWw -9ut53r+cMVS8EgYuBoEDtP/F8sApoIhcMIAq8RWZbtmSPtMzFWwWrD+hW4715iRJ+vELKJmHag1Y -v7DRqkU0STbU1QlV5zwvrZq0CkufuQgRgIPYQYpaguaULLpJibo0Q5QskGKpnQJBdhjGgSw8+8Eq -qVzSWGvvaxOEUtZCrjNpYx8cwaGXHm6uu5OJTKU0myG+yz2U5BfQDFtGJqkw01NPvI/hsTtClxdm -nrFX/6PcPOPtzwP/1hwRITx6RgUhbG8mGpc/EUt/fXHr2HbJbQp0YBC/QaZLxvUJZ40pe/2K48I2 -NBcPnzsz4zwZLihw1HSa+zSK5bLJVPyN6sCU69kkFI6QBGwTLUnvKSUxmFbWhV7Wgw== - - - RExgcdWnNN+nsbCG28LHlErDxGalynJOca1Flwnhr8foWtdppi+5x9u13riUCFt/QorDcSWyRM7x -2+WofzxYhnn580yiQvRFiHge8rhYq7wxymNBfMjhHJPBzV1Dv5KTJOFQN22gRXHqJ4ykEawCmdNh 
-2jgQOwcSK+WOwuP7FC4QfV21WsK5FfZNtUZ57byL8CgDoLn9T3ZZZjy/wotUs8WRSQzP9rL1YY0y -OgQbJMOYMSSbXe+W6OHgWS/rGag9H5AtnBp2qYCPqnZ1sowBOC34z8ItC9pfA4IB1htCTWOnxfO8 -v9CEYxjb40E7I31DNwjUMBKQsZUeVtA8bRNyFZz6pJ3MxDpLdp3qIX/fknFKaVDVvCEIAkSCi0Lh -OLl8DnFcYnykCV5TPSYe2rkfYYaTQzktRUYp9/8iLXNAzy/aAngXHPqHl+sIH3LKMNeeGHdh3XLE -Ut5InlL6s0tAgxEn/8kfDeteo5SaobHHOOBf8BCqDmtNoDTFLJ4yAbd4VgYgbTT4Z0JAYdu4rERv -aR/TVUCVSg6eDLh6Gtx7c+pUwg+smGWCNautqI0vOkYeg3gBdAQBnjfjQJG69llN0A/eeJ4wHmIS -SGTmAhy0WQexU2x7Z4QXzE2X+znrgeUZ7ifD3Qz1Ugo40g6qNKTChQRwy9X37pHfG/5A8NGrPzdu -lzws1DERb0awUOjF6xYzGRsAU/9rebEPIHPcAFbQVqEgZ4xfaD5WPyUTIe2yJ9MDo8v1W+9Rgtgw -BVStzcJF5NZ2Rcj/yM9jgs3RMd2MhVVdHmsZwpU4LOokFnzSuQRBkGOE4pg1zb/saKtfxRcVpIOT -9JJfpK1HN3ZbbP9JDZzJ3rhg6s3KfbHJTAAZFx2ZtK004jbQ+9BAhjuGGEm/sksbL/Vr3KQwYoDW -ceFLXEw3PlSMv42CAykfeK87K5IG3Lf5vyNGqhfbCoIdkHPGCsAhMubwVXlH9cdF9AmLd7TzlAEw -cRwOn2caAZ9+++nGSUtWPyqumo2R7XtTl857vIACmt5YGA6wAQz/K/TELCKFVNtqQYMBgwF7ATMe -bWY8g7qL29aJDhfq+KwKg8hRbMGwOjQTeG5nu9BpheE9BPmsIRjUxjZeJ43YHHgJjszQl5fa5YW2 -XyMWooaw624kZrNxcGopRwJHnV6TOfYREc+hbGYabEe+pIPxoAkJRwiHAkM4OE+2MIqHPyrdjwc+ -xm5mouewY807Qfx8Dg+2R3HwtGQUmRpDmZkhJzIfst4nYSHFwolaI1RmQSQEekIIDqnDufNFg7Z6 -a5iHBTMhVMkk6+6FsG1fQboIWUV988n3b4InU4nXsIaRD+Ym9mKWKSyCQy9w8ydmKOVkQkVbJ1Fh -+zYVbiIzvAWpMgeGpKIi8JTZjYiRKWwGa/FyQli0DHsRi3URumCELiKqqDnGHzRxlhKTCNJUFx7K -WEPEb0xBcTafhBfMTeA38paghUOTh6DtYRwXoIEiAHaXWLDEFJSYxBSMiXVi0wdv3rYQmoOWAKzD -CIm+M5sY3kJwWqUfx8KohRgXVjLEIuIh08zwEg6SEw6TDXkrjfJu3JMbDSZDWVFYFDQ5FwUlLpL1 -I7rwMqKwRxQkCOKgkISzKu93wtVAak4JFE0SCifvBykCJ0KS9JnAUIhjiFJwgxYPS9w+xOwhQrhZ -L2TCPOpSpMDXUwkMQ4lOsaOQkDNcr4tiZb7qKyphImo8ODAohSDDKbJNRbIocCNyTCic1OpKVMO2 -N4bn7WqG1U4JTi0pzLiHEEjQJw3lEFWsmt8jUYWhZSo2hlpDKELosgmWgialEcORZlPxhyMNBdkQ -RLt6XZJyJS9e831TOy98pmEu3Ix+ys/j2s06rs4fyggiqeYMh+9Nc4YZZpiy7Kn6fFMJMss+d6Pt -F6kfoQnDL5PcmJHQj5SKxH5NtxCCTHjmTym05+ENwZdQb/gIfuVREzOXd5voyCqbRY7nocs8XpmH -13O3E0vEwx4JLdSzEMR883yhftziwpxuFR58tSILsV+kIWsltl7q8EvjH2kluBP1IsJswi4THjoz 
-pGWuqf+O5PV5mKBkwcxGMZGQiCBjYUFJCiYQ62U2BW/Y2uyRh7Dlmx8iHj+oEg/vJ3oWMwI5oV+R -f54/VEItd7zz12lTrZovvPDC2+aWLXsbDechNKYS9o5mRppP5qAC+YfLP6QPc08lSM0gypLnDQ2d -z2VYHlI7pUkCg2r520/kH9Lf7kzQI3XdVTaeCO9mTlIRSZhBPmGac8mNRzvxeWerlHl4x45QXbhH -aLi8yV+oPVvmYc6H+afUz+lHvWrL/O/MvG9FlWkZOjc7YcT/FRwY85B5rQlJHfPLbrwxv+xO18rU -ZDSP8G/a/Uinz/eGuad7+37E+GM6dqLaEGb/1444+mjlmZD84dYKJxtuOKeSVxTkYbEg2+OiP7P/ -4xNamfnVCWd04bEKHy7vWJxVpfKH9m74wUmD/6SLCEGTjv+k64L/pBupu6nEt+Yc/6UqgyKkO8za -cPuxLliiZTTIqIUzoWLVq1WRCPEgE4ZrCQ/qhFcdLjwEyjUPgdKFb/qgSrQyHsPXN9rAaUo+FI0w -XswYWgNlNh7TigaVw+aVJ79WTBQRLBYb85h99nijqsTnCw3ziVr/pgtRieIObFCH3xpYWhwj/9t9 -wZdyY8wQ/kDFQ7gEKtyMMKqI5mFQCEJKFkRS1EkPOYog0erDrgrDKgw9IajwYpTmQcUiSHHm4SHw -6oNJr+GxvhPy8FBjLnIUOKKylviEfwzJRAnhEyiRoCCjmBAugW0bIjycqkUixEO06qidFSRaKIqh -SDH08Kkh7qPpw8ucSRGdcDJQQRFYybAWi0OFZXeuggJPxzDESUciHIf7l34l1nH8qky6nytLeeZ9 -habMw6vSc4YG0bzjoO/M+KF0JTRneBye8CfUExNrVFPJ/JzhqebTiHAlLofEJY8pzxUObkX+uRN5 -mBtE/jksIq6tSkILkyCeNPzXZahC4dPSiuUxXrBk5mD53/rhk1YWAy1JDJRkzcsFWqRXhGKF8FMS -Xn8Cw7rQ+bAiZUIjBG5ueSSWSz1R+dCevLVadzNd2ATxrXnFp66rST7x0BiLO3LQIWSYuASlaahE -e3uu0QYAgxZwwBAAAALAYGAweBr5AxSACF8mFmYMBggSCgQYQmChI3EHAMgByAIAANCyUaEw/Lo2 -emKVHKlLzWIjTQg+uWtsVChwuglowdiCHAoWAhfTTojEJnChBTB+MgDHtwKflo+NCnkqIdt/jwSP -0bBRIe1h1HLaRgVjnSf58/qNJlICF3wDWKEBVMiUmMAFKybWzY9wNtyocHMpkPgsfRkbriFwoUze -8ryXF3TBxIVokFyptE4aykaFum631+fGSJvARZewU10+FK3eAOszVQjhjQp/8pTnPhG4gJxHIV7y -ongCPoGLq3M3GFblxDXDRaEznZUJakqO5GsCF+beOx5aZWfZjQpF0zMxT68teaq8B7jJHgpczPxQ -ozlJDlOAEhW6vT0keEvUM68+KTEcs4f8SlQo1u5dFyJXCgpcYEnHoUkrVzQqcPETEx8CqXtSFrj4 -nFaoC5VnUV9QwX3D9fQGBkBhDFzgZuZkInaRYSJGOgpcMGRQrwK1ftqU8xQKtfGT+KrQzENQPoRk -/XRZjXowc02T3SIXuODEwimJNnAx8UbKOs8e7KgDAxfflktaPn5DNgVd3iIzqFhX0ik0cMF1fVFw -2Cl1fU29c7UvcNExO4wGLVmJp2MKXU+wKFHLvRujW6vAxVix6ZDHyKFlAbpe0c+tNFGfybG4t32B -C0fQH+K9g0gLt5h8rBQO9EgPKTBAAlL2OI9VBi7KfJGHrZIO07K2k/wmBqWoR+mI4SvstUDePcXJ -f4J1bIf6wMU4H2RUeGPrHjVSiIqbOej+Y2Tp9EeA0/BMyNzqEvEHLpAlL/VOWt8jWmwdCR+4mHKJ 
-0f1s4P1Ilxy44Lo3Y6QgAmh93jlwMfR04U8TSHYJ+721UXA8vGrcgw9cdC227xdEA39U4W/Ysvav -UQY7cJEZ5kzUnwcuIJj0vM8GZAcuhIMiW+evnQh+By4EqNZJUgcuFCVFMvUQc38BxBHvu0IEF4qx -8FywMGaNl5QEFwr5uZxKg5E3wYW4YX8eq7KD/hRVVHCBnZ3LdITz6ALcM+NQ0FUHRnBEGEclOsUr -u+CivAX7hRgh+fBmbfbD4HMkpQsuiobEtWPXHpDrAQsu0BG3thsIDGALLmbt9hAvRQ5fjb5et+Di -TQcFuqAgFfo1Qpp2fh+DgkBwMCHOWUGjpQsu2MRYTgUXfT6Z4KKW1RMhUYILXR1aT/VNdQ+BOhgB -ChbCyGl0g+jpCC4EYCXEkpmtaJFZ7e2AhSmCi2+fjVlnHwT3L9TVqsMOwUWJ+Qm8lAguZlxuq+hx -kLbPDiS4gBeK3ENS20jOD8OSSHABWfvKm/4xcFNwUXibl08TG5O9/CxGbU/+FxONwO+UOpmBrIIL -Pfja/mUdHQ4/MYi4Kq2xKsHFZ9cFjahFXOvLFMOy8QRl4/rQllJQXhu+SoZvgsw9jKOfQHDxhb1K -QB642LqWmymzHHz5sRBt52M+nTHAI0CCAxclCVWwB9uBC8lkOyO7AVKlpOJ0AkEVFyhVQrULwUVd -+SPm+Gn8wIU4Vmti5tVLB6NXMyesmZY2AZp1ypAHLhbk5hKIdgwWI/9HLiekEGgkRQcuMH4pu+Di -BCcKfJ7V0lR+WZ48eBQxOgzOxquBk/YDHrj4IR6PRaWt0+pvNHkTKHY93gQXhUhiSRhpwgQXa62A -HFssR53gIqOShMbFCNUEF8zeJ6cggKO1Ct5LcAEjaHuSnK73xTYwlq8J916bQEtSvL9ppHw9VYTn -rniA4KLysDaMJJF7Ro/gCMQ6FjYEFz4QBu29CTiWF/ZJjppgmUTvPQIJP288jJrwMBPkvFoct6zY -/OMDY/znJHopoyboNkkv601mtHE9PQkuSmqBfA5O9gq2IQDBxUrMs+w5VJa4g8WTGjUhRCNQuE6p -7NYHTEbNACli1ATbwzduYQApjwMXVtc3t5Yt39/kuzpwcfNcQiGodUsfUKsu9uaBC+XNF5wzaTRU -Q5SkHHlSIRk6Z9DxecRHmgMXWncLWWUITgG0I0wNXEhFIiYYvPL7wIVJhpX/8giP5f+EYoefxAe9 -HLsWHcRyxiZOq4c3liBA88EDF9AiuzeCLx02iB41ITfi7LJa1hWsWItLmAbbR+OK3KvcVVoKamXU -hFZ3boBa41gU5p6Bi3YlN0l4YY3RCW8ocFFHpsPDbGqjyPrBoiY41RSaRKmxaARwCgMXLaWkJaTM -I45dckVNiMuQd0zLyQKYqAnCUy55RzdwIcSxaoiU22aBi44AKeJNoKxLClx09FmLLHCxZV7sVVb8 -E95nSNQE16u3AsQxERnT7n7njQKfStQEL/AzA4IKXGQj+buhec6W8t117biPWSmiRA== - - - 1IQipvSjNqT3m6QCQ80p0G/754vYgoia4HyDfBL/tRBXyP/54vyswMUF5JK49cyg7IXrfrpb63n0 -4czDNSQww8pHh04GqCVqwqLkbVdRTxs3asK/UzaG7WPEYk0wtgCHj5ogqlpohxnnCEmSHP8W1ekM -aN0vIpv/FjcdgieUeCJKSgAmeiOZ3YOq8G+xcQ9GgKdRlBF+rhRNE3wj9LOM8m+xpdd2NgynXFXT -hKVjR/xIPqCIrX/WvwVHNC+8NE24uDLgT1vi9Rk4tcPxfc+wv2n9b5EK5NPXjv+IAfb1M9QuO1cG -wIXX+7+jOES7O7IboAnlBwH0qy+aaFaVNXzqzoT4xbSfIjwSjLG4ABdm2ZV/pAxaA0R9oAxJiLPF 
-ovWr/aVhBFyk9KMGNx56jQ9XjoCLEQXcV13Jqsy9ZR0T0BPe9COzxT1pior1BVzYo+/AG+1aEPtJ -wEU+nLLJOMEsiQBJRsNn27RZwMUGgfd/vi5zgItBL9idQQBCfxJEc9/NCnAxDZnbVbHuouKACyAf -rIPXHoRDp/HygItPWrdZYN+S2AEX4UKHLgYoZHgCF0IW9emAYL8qE04LmAQu+H5UmTxvTkh+ejgy -iCMFLuIyf0mefgIuJaQCF4zT+9qlIIwAm1ALXNjySWw5VXuBcFQ/l0DptFB+Q80/C1yYQxyUGubx -71jPJcQc9aPVDwLemy5eCjrwz+WwLx4DLrTQGKMkpnzRAy4CnM4W43MF4ZT5XAJtuoObrut/rvx/ -LuFuGwvXxD7L7OYSXADCP/Bg6Eig4AacAhfjbSdSUIGLVWaN/4Xug9tcy9YO3yVvEwduLsHE2j8G -SSDiKMG6PP11PKYtcCFTNnU/cDEen+P8p6+NPXBxtXw31eiL7B+4CAM328WBCzH0cBiCrCEcpm9p -QXDBPcQed0Vw8SK20d4nzyXUVV/AtUOMjeQDF0ej5lrQuO1/DmTBcwneEBPASAMX72G6vKRxu7uK -5xKWWVl0fhr+uYF/G7joD8IzX7wbkf1cgktnB5iQ7DYqAIsMIOXXSBLuuQT6QeHJP5egyVEbSjbX -rwlctCpKD04Y+0649w9ZAhfA3xbKgaKTdUhsmb8Iiio6AhdQBr1B/AwwlgXwewMuKnt4+e3GI6bx -asAF0RVC69r7Sgt7LkFQMPy6LneqZMFLFFb4XALW5E14gKu6bcBFiyotMmTwTS4hzyV0GndbdVMW -G3BxVFlMw9Y8LBD7eE2HkcUCTA/mUc0lFNcLwXKqWhIkNanybhRam0tg/FWq6gS2qVri64N9+tvm -Euh1raxjEgekAi6qCbnWXxuneWOxaFjHVR+lVmdOxJcIL4wLuMjAg2ptzRHrXIKNjVPYyiTmKhoc -I+CiUAqYD5FMEnAx8ROWU26xnnMJKF89m3OJhx0BF0F/SBa8JFDpNOBCAjM4blk8oNz83iilMiFw -IWzEdvcF/wg3zKDOJTj9ljr0MwUXcDGMzh6W0fHAZlQhYGpLwYUCLjAyo1JNtUS6N/lr180lFFeD -dB1ABBl2KZweB1ysXOFYjbeTAdzmOT3girLx3iHgQiWFUr51BVKrWfwLMq1ckxN9og1ArdsCbFQL -uGCt8u4BF9KlBC7cl6jcZrx3gQudt0GWbA+gJcR3vswcZ4GWsMDRgTJ9CtrXekUiuIhqx1VLoiXo -AVFA6tE/UL/dWnv27iG4+NhxYhq0Bu+B4OKgo66MoxWWglPRk+rARXFMGAqRkhmXbLyi+t25/+TP -OI/Gx0ERKFrCJZgF8kxxIwoc6aVXprpAM3ChWYZ8JdJUQ0U/L1pCz85PgO+8SUgdbEqxP4Eu+NGF -az9DtIQhT1sy/+ct+bXkM3BRiP9UAOwraRnREuipZu2BgYtQzN4W1aYspYGLUzl7WDQro23gYmpE -b7V8FBYp81cMxVMIvyxKkH8poSNZBDbXg08ULYHmGlOgKQYscOFwnRliI6xV6fRf0YSqqpFD7+VK -8VbgWT4mEtfb4iAFAy5qUQEXB+q55GqCAS6OlLSz7CbgYpepDptaQ8Tl0zeKkwtwFIohzwb4IcBF -zplHR3uuxPlu8G7YABd0yICAiwNvx0/EB1wgovCGWBpyDaWFHaMlsL6K/nSBxd0J+INqiuXcPeUC -vCU8u6PK4hIQUY/ftOWN8goPxZCKt3he7lC+iMMcBC42R227onOD82gJP9Yf0J+BTentrMLLPU9J -atqkyCLefRSRyjT1N1oC18+9b7kcQ527S0YKbzh1AheTl8I+B3vJec5GS/BVf3lXGrlWlyYAKVZH 
-S0Bn2IPzlG7XhBMf4EJBw+UYrIjFNVQEnXpW+9SSisvSA1wsv0jXXBVSGhXg4twHUVwhqGtrvZNN -IX79KpqY/CgnOePC4C7rxi/b9B7UaAk9Uf5LqDNNTfPREvJLJiPI2IjgpcqN4I2W4KEtWIljzI8d -LaEcWMLjrUay/f2o56Ml5N4VYNHKz6KaGy3h7SMFjJbQPk0j3+OUd7kHg4Ip4Xj5TA9V1/KtR0v4 -eBhKsMctMW9CRQBcvNf8YohJKMAALuhUjWljWWUoSkGiwyUJsgTMDuAJ4J+YJgPgQu7jNDGFbV/4 -KfMQRPth25PqTKXS/xa1XFNIYvW6EhDrVrU4MB+IaEep7WwlXIAGkbOA41gJ/i7IlCqEXt/RM8b8 -t8CkBAIlz9Lrx0qoFYDEwIEj/8ZKcLnR72d02ftYCbfc+tkkKxERy7mRKMZKKKf+y83E0Tr+LU5D -5aT1pkpIfeqO+2CxfwsPJ4UM1/Wbs6L1t3htAd7jwwCFEzpKGCv2iZXAl27pt7POJlb+FjJH2q87 -k3Gf8POg4fkPGzVr0acFNvQ+ceoD7EP8XBZXcRY+7gp+2qzSf4tzT+nMKPBgWQuVQDgZeTV/5kRO -6ALr4uSl7BplfT3+TOSUsExGwTsaGUNgb7l8/O6sPwAuJgg3GsTFLPw+yCnBW4HQtsZ/i6SR8DAt -0EC+ubgO9jK/vjGnhCS0enmih6/O4VRPnRJ044YaCpNRjFxGhc5xpJdPVQJcVInSj9iOOLZQpXPL -C3DBru4U3l9V5JZZgAsB43U5X1woYks0wMWMSSPDL0jP/qVD5pSA/m8M9NlFfeqq8HJKSDLjxC0D -K7yBnBIiz5cn0uTE33TklJAr19+LJ8AFX4K49+TZwznbbcA5QudsY5PRzROFUsIn/qNDCbiQD1VZ -UfmyVFcX4MLkmTsB990twEX2ISaLxFxSAS5Qo/NkznKyFzrRABcyOU3kIQsCXAxf3x7B/1vE7xYG -zWiOkPpcgrDOmhwo+H+LGvyx9jtB4N+Cm6Iayd4MmeysrU+VQfeZ8W8xN1rYW3S08HOc+bcIvwRN -LAnhsn7/gvO0LKCSkE1lBBFOkF34twjaJwkUAc1FsvkS8G8Bg1SlNjFkuuDfIlTpSm/R/WSIyh/w -wv23qE0ouletfQyEli839PrfAiTQQFzD3AJjVd31YP1vsVxc0BkJqCyoQsxIMKHndc7YN5tXkGF5 -Fwnm8uRDKxH0Cu3sN/xb6EhpY901oP4tAC6RsNh/IWp5JDP5dYZ/Zk2IBA79ngnv6UmDZf8W8uFU -Zp+dTSc+i8/CnST3PyHBn6F1PpzCv8bYthBHhn+LYyT136LP1TdJ82oVhAsYkBAt2Q6VRKSwDYWq -z1l9ZuqFAHDx7RA8HgU5NS2YOmQ7++7oFgZwQSU9PCp0Fd7vGZvLzJRR1ogL094crX/CRXFPna7b -4mhPpt3Zs0S8Gc0hAReSTAhZJlg0Gh4h62iH3hv/kCpAJt0RRKkVCtqMRm+xIxzNL+pIYr+v6+El -azh/0Xh3UxXB8NBFARdfofsbJvIHXOgF4eS7FTlKvZugBFwYmvQUCo+Ai9OPHOrtrz8OpwDSkJRx -CQRcsHowfGPD0H/+b39ra51rFH3bhFv4IuAiIBJ8YNMPR1LMRCP4orHRhmhZR2SYM5kmBgDgApGJ -3wuktcbwI2WEftVrBOVnKKcZZIRgkQXAKD5GcBEJTjommxlFyeJlo7K2mW3eJ8MM4EKlrnwcIT8b -bAAXS/LhnfS8tdRQDKNsqNAKwAWjuRWUnhV1QbMIA4/haSR9ZX0iJHWwvY0G6H/TwQLARSGrpYcS -s/mD2wIgQf8WhxLgb1HuNVxjVtUIZum3mK3aTds/+S2ifrQxtehBxgKdw8VvEci3d6Xi/BbZGUxc 
-tazKqfsW4u/nlMgE5N/pWhNWJNu3aD5jqES0mgKf9i2AhOX5y4xYJ2L7FoeoniLphHXfosYL2mXB -rQeWACXTpa1oRVbR2lTvW5ilbup3aj7Jckgn4eN9C0gfgnZqRCDP7ynOfYsKwPkUvQFE6KmEBSAk -EJZuEt7oNbhPum+h/iz4b5WaRpAyeimdIKd1VES3oHTG0Npuio/2LY5U1bfwSPzSt6jlOU+lqnjb -ByRNKjgEW30CMmTcbHQPDslsWpuRezUgrnIIxzsIOoKDml/Gdr4oaiuqedQQIv7Tw2mIGkIUv7gk -f7cwQe+SoJGwtnVN6luwCO/z6EuKHKxv8YbI/pWsYoj3vE0x5V3RliHkV7sFXk5g3q+mYX2L9iue -DrrVYqEkEPP5FvYHcjCgNJa6lMhPBExqKJ+0LRpbT5dkxtKZyAhvvsVWSvwaIaqJ5oUg3twg7PSu -4edblGs+t2Nm1IRxvkUEGE9iY8i8BCLfgnKtlPWoiKkqBLQeWGgz/SM0TzoTt5QUmRZro83EId8C -Mo1Ap29Rm+9fhB2GoLjCWe5bfvyCK/QtmhX7Z7UaKSKCvkWPXBJ/+mjfVsfYZ43jpG+RlUkQsInI -P0nfQvUaVUoHNG9iLcVLsn8pHY+7v41Nx3JM32LZBYM5NKnoW1ScqBJRUH/jYzvaINSPqND6wfHg -s4z5Fmg7lq/vbrD6ZBCaU6dDbUPzxVZxEwMG7s/WlfBLFmk2pMwT687vFJuP1XkFIVqtsB4x0tBa -piBwsIbgyZgYu3X+HUrf4u7FMSzd+udaj77FXjZIFEHm6VsoEZGFQ49v/nNVxwBXp9RWrPoWhz5F -AKp0IScOBPQfP/2D4Qsuw8tSNBBCryNexmDNseQnKwPEm67HbQ9AhJmawTCekL5FC424DB7xgGDR -NHC7otWZWJYPYhxaPOxbANPVEP8LDiamHd8JUzRxKHdBunyjSMu+RSeBH7LufVZyuAAMu8tTkV2S -MKnsddm3QN8wO8JEI6X1LVgJAw6sCJX5Li7rW5T71r21DWq3pXCaoERYzhVu34rbHgj8ZgPiiJXS -4H9MpURgnHihZMxjN7A2Y0v4fO8snVQp+xa42lmTIo8rwPmBy5qQq1kZxhtQR6nqjtu3CFrxA63S -cb49VENJxxT4gW+A0SqzxSSrKX4LdZngUdb5LT7IV5dUs5MInP/jz97Az3QnPHYLV4iVfgt+YdIS -Mq0O1gc0j9Mv8bdAJ18oX348VCO1fBK7wR0/rPP6HnXcKtzHrKQDxXhzkPAiKznViw== - - - Fn3TvACNYS8bgvVvEYglOK6u5v23KIoYfugegBjpTnyQESsDXL1cBDEmSPobJJEKH/BgFYpJ5Opc -YhRhdxCa3Fl+HlwhIOvfwstgPqJb9vhI90OpSWbQrVQNSaCCuafQJGHlDPtb5EMKaweWKUQheBOw -RwNsu7/FRhTCXVpVJ3voR8ytkq11Os5AY7Oyido6+lt4myXwNb0AvExqRSscFVTNt1Fio5VZekDA -pE588H80zCkIFXbAH73wt1i2AgAUlKvROokiVyZBSa7jp+RrSYkIGol9DfB5EDUxyKkQhtM8rw99 -Pg9i8m2fm+LIW47lwefB/mkOCajzK1rg86Do/3z9o0oihf4Wft2zXvMpN56/RT2TzmSCog7TeH0o -Yw9BSzPDST+pzrXG8d9vMTtGzM83YtZz0841vb31R+O7PQWuzMFcZZ8Hto6TYPGELBz/gyfHZZOM -OdFGGH8L8VMHw3LOgZM+D9gozt02JcvH34JRY1Xqk+1EWUDxIZFRqECfB+WvsenCAMCbrraxv8n7 -ba+qv8V6nbe/gwDVvsn+O+3zYJmx695WYKgBcH+L80exc1tFTJoyKTwnor9gMABgAZ+mfpPo3yLT 
-NBOoVvJjeR5C/VtU6qQ6lx3b42gVMqQ1XLMvuVC5UcuDnJy7WrlkRN8dcS0PuL3+LVwPz7I9H8zC -vwUwpqjPthq4pM+1PEDUk0amOFoeqLeMGWqi4qYocKT/FuOb5yZwvf8WYt9Euon0BhT9t3idv/0J -Z3mgD/VsGC7vKHVXof236OWwQi/x8d/iBRzxcHUYiANwcf3jWKZg/wqju4HF2mWxjKammywPchvI -K//fIumQWbOcSmIZ6YYsDxpDnukbgl0WczYpqn+LP+05vNvsIepuZsYTS42JdbM8YL+P5AMTO/u3 -mAuEZaNkswocszwQhYID6uGNNHP+FqV2Bmhp+y06vz/pn3RlWx7Lg03EzyjEog1yR2YEy4PzS2su -4x+A5xcDf5u/hb63/57TM3/Q39+CxS3jjbH2R3Hwe/4Z5ttvagrLA2GVfhYFL9Q9cQw40wn5YKgo -DqP+TOl3fydbazv6r5tmI+W63d1pjGdBM2XA8oAOodW9idJ+uwDuAx2ovHMhbc/YAY5Qv7Q5NkpW -rp/3Z+bWEeZLXlae9ir2b02u/7dA5gR8759YeeCaJcuYcbAOXf7S/i2ArCQA6Cj0ls8HrTxY94ir -X3NBcKytPIjye9iNLDdckeff4lifdTsH7lGmAYgr5G/8W2ykxbBjy4X+Lfi7mFQFg1RRSbDygLgg -iHfyrRICtRNQ3vxbhCzdBq9iBBIELWIrD1LDz+dT+7fgZCQpPZiw9WB/i0kcVjlr97foP1HoOVoY -WOq7P3+LeM08TIp2WZUHgrASagpmJlnLTUnP32JhXxO295QxUV6RabBg1nNQdQGLEQ+7GyZQYDDA -wFz8LcAOYKnzyygHxudbEHkk1FuwZBLegglgptgtZiuYfG4h8oLpjFvkaDDd2wIp0NujbQG9Hmy0 -tnBJW/gBZwtwsoUyWUJB1mIzCPvFa8H6GizdUSVdC8u6FgpGmJIAZSWsFIyeMNamBTmFKVEtHJBa -xP3TQmDTotDSQpmkxWOjxUBP2E3TQ50w3C6RExZlFn0T5nsWozOID9KE5XMWwSjMvFlgVbM4ZWYR -DrNQaMJsXRZCLIumozAUTQhFYSGXEAprMBZLIwsXKKwlZIFnwbrHYlCPhQpxLFI0FqBfLGpMGJkV -i4uEoSYWFu4tDBya0XSwtsPiMKx6IwQtTlJhsRcwDwKLEz5YALZgodfAQidg0Xx/BRmFcfkVJisM -6Ss6o7CBrxg0YX29AkhqzisO7Sn0yVW8IkzBxLviwyQYQe5rwo5uRd3UDegK1pJ1ucInBcM6rvCZ -MDBfVURhx5DLq7BvWCs66K3wHreChLYif3xLfK1wb4XBViuKV61YV9hnWkEztMK1wnI6K8iYFS+g -gQPKCsUV9pMVo+n0WJEV70eEyRUrYCXfRrHihJ/AD1eYRoCHld8EVhxXWJWvIvIK8wavAhFXv+Lb -I2U3zEXhwuqt4njFN6xbBRC3Cvrkm0+rOJQkvunOHs9xhSlZBezvbQFYRcwV7aGk+fam1lMxl6rI -PXsLThXupAp53MQ73frCQRik3fXWBargj3rhzQjjxlMBFSJHhZ2ZChxdKmRUKpoRhi6p+CSkwpSj -olbCBkYF74kKoIcKtkKFsBhUKAMqkhIm9VPkXoQ5+RS21VOMhqeowE4hHmpv8suxDC7I4LrJX7U3 -w4LKjgIbQG8KhDYFAaN6nDCq7WMTprKkMCYthQUz1JYp7K7NfjUFJqmmMLsTBn8lp7C9mkJFg4Vt -fgpzDDepaoqKgAr7IFEkVmeVcArbmViYL8plYegCX1Zh1ycFh8dng8327I8XpoVimEwJ047k7zU1 -DIN3w1ibw9K8wwoZPuxZQMxxhRhtT8R25ojREX5JDI5LjE5NAecmFg0QBopZlxRzDnCBmpisZLEr 
-EjXFoi1mnqYAu9jMf7GTQIzJGRmTvZ80Y9I0BRiN1RLwWvH8drHL3lh8vLFM6RvbSKnYZ9w44WDu -dCxI6o7pjfOYrwMoZNj2bmyWpjBnkJFsvMqqh+zhJzLrGEt7IXsJIRlfLskwQhK3dZfMe81kUKYp -ej3gZAY1xeTyZOEYlCUfnO5nnVayPzWFC8TkcxeHs1QWJ5VZ01YZdlvZSk3h/MqQzoqpZNmxXOdK -Grd9KYCUwOot0YEcLlN8Uxm46N94YY4pvH8ZK0xhoxU+x9GtiZOLmB0ymGIYhr0wMvuCKaQsM8Fu -Yc3sUfg3mALKZyYOpFlyRs1S0ZqVNDbzVraZrXWzT/tmkDDFl+GsCaaojzPjwJx5pit0ttuqM1nM -zsbEO9NTPJPjzjMo17NrwWeRwBRDPHw1xwjCFNQtIkHzswmmqOHUZxqYQhM+k9pdMEUX7BkSpvCe -Z5zcXITxDNE7W4LDwGAKlZTxLPERt3cmfIJDUuZOCGFFeZh1CFPcpDzt7EjPzl4K7wwHxTMWB7E5 -5fbBFIGeZ1oDBIM96/EKKXzmWeaFKQ7UZ1WVe/JgAFOWhimW2WckUytyiClOznJ9dpah0hym2CYy -ELVEU30dZ3YpZOtSLIvPji0FFw2fSQNqs+qzIJaiNT+zWSlCUCneoxSj8Ekx1qTAsaRYGUkxoZFi -iEiBE0ZIUX5ZbvePwvP2RzGWqEdRyJ9xY0fxV1pmHAV3VBsFEo3CARnF3UVHgPxZhCa/KB5/lmuL -AmH3lhO3oggjRfHeRLHfZ68kivlIRMHwswdEwWVhOWLAHYoV4C87FC51KO7YUCyModDAz7yFwgC1 -UDTvMyILhdVscltY7Ago8BQ+TRwsKBJ+pkdQSBEoPfeI4fkzPhAoiBzOzJ+VAxQnOAVo/a+btf6E -bIFW9hP44yda2ife0Se2KNAO+sSYQOvxCRigbXzi0BD/4iw+8UnPmMQn7gk09BOACLTQKvGAlrkT -feqBnvDkAhKFyxN835lyPKEXnkg40Kx8J9SA5sydSAc0VTuhMuzEG9DGY50Y2XEfA9pdnagLaCCn -E+WiEyGeE9hmTtxVTkz/7A85MYb/LDJOoP7ZNsQJ8J8ZPZzAHdBEgxPRfhNvehM31k0sAu0obkLN -NoEJtAn62IRKoJkUgNatAFrJCdzXRO2ueZfog8rTEJd783OduPaRsNbETKA5spqQCZocNZHMQVPR -NAFiQms80sQXC406ogl/DQ37mSjzoR3rTIzUQ0vbTJiuzET4oVlcJoBTJiJcMqFIyER1QztzTFBh -TDi/mAA2MSHWYUKmMBEHRLMWTNwCJuglc8L5JU7JH4wbGhoXGquEZigOmpEbYa7hS9CWoOGePgfN -C+JLbEhCg8LboL14+0vQFJxAs3wJ7qt4qQOgOZyj4ksExH74OIFG4Ussl7F/OXkvcfrPeTsGESd8 -iasEWs9LeN4l4mUE2o3a0atLABNoEa9ZlzhrLiEQWC6BZAi0THY0gcaHuQRQmksMW1yi4C0h9GyJ -Q7XE44lAy+cuBz20RNR/5qZ+pmafPXvQEmN85i9LDI19pmb0ffUza1hC21dioStR9p/B1kq8/xko -VkKSVUJ1/sAJVokLsko0AFrlBNBGrBI2738vQAMSQGOySrB0Mp4EaJIXaLtVwkYDJRr6eQUaynoB -2okBtBeuEur8/yZdJQZUJRTMS4UmkEIAza/gxHY5+lIJNgjQMKYCzSqVAE3QPhSnUdB+NK2g7Qm3 -BW398OWOCGh0qYRbiakE3+9lZJFIQMZX7s9Y6s/UxqkEUeEs9OfP5KcSWIAWiUsFcVdOJW4KaG9T -LgFNnkrYfhIHaGQBWunwBmgaqgTxIHgqYe1LwJxXDTQ/WNC0BVWC+lSi36gEsNNAm0JAc3YDDbsF 
-7fSU8PigQZoSFoXGWynRzjOZ8zV4G41La9uh9Rkl6ohoKqLEbqIZhBLiVTTRhPeb/qIV5e5K0WhI -PQleHM2zk1B6NHOcRHwP0vQRNHW7jLSSix/Ji3MPmQT0J22PjppvSKUhXBKOLI29kqi7tAFTEsPn -zhU9Xk6Y3CLxZtpOSYJZ05RFEvs3TRQkIdBpdh6JiKeZcCTw+rTwjMRNNlBD4s+U3EWitlDDUZH4 -KdA9SyRAR20LkWCZ1OwcEuOlpmFIKJyaPSGxZg8SPKgGK0gUSrXDQGIsqVpfIGFPgETeqon8EaKx -mg4/4jkfQV2j86r3iJmd8CurpXrEN/MI56qF4RHQslpbd8S51XjsCGtXg1BHdP2rzZ+OGIm1iOcI -KEn3VI6IN2s+4whAWqsHR9xqjdQb4aetgXEj6t7aBNyI4biWnI2AQde21wjus+kIGotpS0x2jTGN -wAqvzaERXL2mdEYM24PKjGDxDg3XNV5lBAQN6gZwHfXoUMf20fuacWFzECMwiO0cjOBIsQmDEXMZ -m+4XIcqOTSzBItr+7Q7V/esisE22Ji5i8XARFmOLaPVZhFZnEVWxiHN4RaysbEsrQtusCKfJ1qoi -GKEiVs8UsZHI9pgi2EcRnh1bH4qAsp+I17GtdSKmIVvCJgJnso1jImiVzdYSMfeyOSkRqjObnSQi -/MDZhAUJ4tl+3YgYDrRlFxFgom3ZIoKRniISEcSmbdwQMU5qixoiUKvtRYigsLVJBBHj12b/Q0jI -Nm8fIhttk+0hsLYtIQ/x+yuvezOc8bDbunQIdL0tXDnE/dvg4BBOhBtK9aO5A4rG7eOGWCM3bmO5 -VVVza5rPzTRwdIPC6LbZpxtyG+JfrFvEDdEJuzlo7aa00d24+24rNryR/fEGBcybFtDbmRtCn3qD -aNkbxA2BuHtbfOLbZ7T5NrCwvrmDnNwQe1C865uWK6AbQsMNMaHzbbX4FrJl+DZUyg2xBZWi1lNT -3RtHuTcLhG9WNwRNkJrtkpS+LbshhO2bRFk3BJPfJtF+O8O3IDz/NyIcAedqBO7NDQ== - - - ITVwDm6IXCM4lV7BEaXBbXsPLlAj3KEnnNnHwoG5ISoMZ5EaTgI3BKMFmi/0tZE0oBl19VfOmIZQ -dYYY+XBfyhDqYgjTh0uCIWA6XJkX4ggXwqjDZZ6FgJwh57xCILu7qiqEiymEMEMh1DohnpgQXLi7 -W0oIaA33QUJQOpy+CLHZIURbEOI3P4gtfbjvg2DLgzCIB8EAOggLnGA2d3czpicB2X24NJPnIGCO -DmLXEHfVh2uqIc5bH45KB/ENQQfxciY/HCY08T7cVg4CMPHDMfweApCDEBbiptavHETwiZd3AUOW -SRlxqzkIXitxS3niBq2MEDoI1ikuebLiiXuNpzi464tJB/EMVJyrpqaZn4OYYJyvgXziiA6iTE8c -uBKnhhKn6p24n+uJo+wjp4OQTtzD7p+DmFHiLnQQrEyjdBCKxS6sthm/cLGyBpFciXNyBgFL9fQs -BjGpxI0YhF0liIRe2ShxyAcCJkEXxKF0LogedReKOOq4IMDq9JsijrQZcXwgjHgLQpvlT4krkZ5e -AG8KEbgggp04E2OKU+3ynbqKRLONi5NEYIJnKqqcxn3IoLVX3ZmKG5H8OByoIEeDQ06Li9z038GD -tCRng0sOCTe5cS4I2U+OEKScShOVaw96eAxyRyiuC4JMlpMAmGRbzqG+QLscKgRB5A/EC4LVTeiw -fS+Ix1KOas0c7QvitvnMXIVoDns1p7ppc7ztzS2/IDyQyBdEJWa9IJzvDh/Pq3VOI706B4O+gmvb -rXMXXhCj7/FknJavwu+z49cLAiaxLwi2zZxRVbJ1bT4XFf7cIVO1x3iMc/8XhAch0e0s9DsQ4gJd 
-hMm+OMX+CHTCAhgE74BuRZQJdFbyBTpYbkEgzReBga5sQcQoBk/z54ikgycpbAUh9n7uxvRBP4dn -ifNzNQOR66gesiZB4IoggLsCQUwaHD93gCCCIJvuc6WCICAXiLmBILpmUmxoEel9LmPCcdl+zfGD -IHoAdKLTbPY5n8VXhXYYCCblOBCeJWggVl8gICBZGULnLJ3qWoF4bD4854x4BUL8BoxzjItzQfs4 -eZ1zsgLB4loFQogw5+JU52gqEHC8c7EL8pznqKeM4XPcBwian9PrgNAzoPPLgAgGnZsCAip0ERAQ -h4cOvABhJzqwn4BLYHSBOMBfji7g/+GDdE39h97aP3iNy6vkH8qZ0t3ehrDh0gXpD+HLdD76A4ab -rkN/uHY6evzB5k/HfT80RN2r/TAjdSnWD2hN3R79wKM6teaHZdUpkR901OoEyA/BV6fDD2hBMPxQ -wQzVC1xEnUD44VB8H9q5DzfVPoy+ujPsgwPrAwcWuY+mxK+OED6QtKz5sC5g+TCPfFjzGh/GiPiw -5Ks7wgceKBI+eJaYP5ZR+OC18MEOxgk5ePnreijPPXD19iCr9qCBdc7sYfCvzj/sgYEk7CFwcz2I -AQfWw4DFtrodVA8AlKbhzoqwVl3plYcrFUIPnnPa8zDJefhN8xBGNA+qLw+VYnmYw5OHyciDqsdD -NVsd4PFwfnU448GeKhUPLAp/5UM85DudM4aHkpQJBWAD1iEZeICQfJLu4BGIa68ZQqk/ss132Kt3 -IEAkG3sqoKyLzA7xHBy5A7+PH4wJ7hDeUCfrdvhDR+7xKDGtg7UOdOiQ2WHZYCM7XEvssAJ2uOJd -h8mtg1rWoWpZxwFXhzmnSe+pDq+an+fjKXUoS7llXXtQh2Yxul/WMU4HkLy8dDh8nC8CTDpwQp12 -dCA2p/WexFJYdzLQodoD22Cfw9zOcyBY5+CDkwIIFjOWV4fmED/mgOKEddyXelNAB3WnLwfJ0AJW -bF8EPA4Zs04hKQctn5nGKIexJofIrFMkh5SHdZ7IAVdYFy11PA4B3zgwzDhoZp3cxQHdrHtRcSDF -OmGJw0aIQ2us4xwOSxgORoHPqwoX/4RDhVc3y4MDW2JvVXCQMHBQOgGHx/6GjfyGiukb8DbwDY1X -B7ve8OnVMc8b7I2U5ggpUPFBe14B0LthtUBjXWg3JIt1srrBLbrh4svcEIc/yA3UEDcs5HnW87fh -pt0GoG0Dg2yDVpJenWe2x+ZSLbWhdta1pA3WBNqQr3XqZoN63zqhAYKh63r8QuJ1tHwNBLxTbFjC -ycKGQ6zjAhs+V+yQRgDMYxfguZ7s7rCGBmbHvTVUc3azWsNIaNdj1oBHcntYA3XVzulqmF47GatB -W7bzp2oI2nYiqAZalxoO7HZ3gyvWb3f04jbc3TQNFVA7qIE1U3oaGGvnxGmYT92pAUgquyuRMYSc -YTIaiHjnNGnQ1bwzmTSErHeSku+dNaQBhI7E3jjo6j9+V8pouPm7nKJh1yAaTAK8jqEBoMCLQGh4 -T/DwgQbn4KH+GdoAoT7D0Nh2ymbPEOY7Hc+QJTxROwMCrb2LzoAkvH/kDExTneZvhhkJ72wzTOOa -gTd4szQDR4PnAc4MQ+92nUIHPw7e2cxgKeFhBJzwaCW8ncuZYasJT+7MMD3h0fbB61SD8DJK4Ymj -8IQIJcfwRkuGB54Z9j02kN0phscjtEqH964zA9Mk8Xi5It2WSO6KeNJiBujEe4IZOFc8zPjiaQcY -wW/7zfDKIOS952UQqWrkCVf68lrySlE/eQYe9O5ReVG8DPCutmN5x2hQYpe33mUoaGIe+MR1r9nM -C3wUC+93nffklthlYNuHD41MOGnMM7miR5F89JaW0osiM71lvAy3O8VMK3kZNEU9XS9DrFNPuZcB 
-iNVrTVgPt1rPoigvg5rrORGE7LFco94LXgZb2EMqAFOyrn7EZY+UgvbOsFJ7Rbxfr9luz7zLQH8S -9y6OzrW5V9plCFn3XPK7p9xlALjQe4PrRHzRe4HQ0DC+J9JlgOv3UjfgkzGDT4MqfEA8fDsvFF9O -dlSa4fGZapHvUScfPuHIlU8MMJ+ENJ+wLgNaOd+0y8AjZx9rEKCC1bB6vnaXAe6g77PLwCkYffJT -hgTwIcsw8HxqToI0J4bDnF/Kj729YVTOb0ep4N199kEp0D4KD2bA9QF4RjP+bsoAj8vwMVoG5StD -R/vAVhlu0j72pgy2jc0bUYaxnQy1R5PBXsmQ3yMZGGkfCsq018gwK9rXkfwhyxZ+3btCCu7sBKJL -7P1jcH8/Bu59DCLwYyg902wWMRyDPmBjgP2MAZ0xhhLtQy+GV8YP0a2Ki3E3aHEVwyuKIU20zzvk -u7TvNRLTPsohBkrtc/0wELrHoBY3DJNlGCLjwqCqfZrCMFLCsCoIwzcOhilq3zJEo9pnR97aBxdg -QKLA8Fz7bgHDfPRlBTDwBGC4wr/wfr/wNb8Q0e4LAtxn6gu69Hz5ggjg0ooIX8CYPsm9oCv2wqiJ -bR4vvGF6geLto9F5oaQwdkV5QXv7vHhhEMELZ96FaeEuBHh2Qbp9zuuCTmPVBWFZpgu50mcMXSgg -IUaTK2/f3rdQIyV5coG7FD0uWFj6qOKCLODE+iJGzRakBFw4jG+h9G6B0txCad0WBm/fuS2M3b7i -tAWgt2+rsgXmeQFksAUc18IdC8L/aiHc1QK61IICTguzN2HWRizBmOtob4kWLkALPN1ZELtZuCiz -ACAyC7NjFl7OgBSzLNgelAXcAXCyo86wPSBEWCwoOHslNtKwcDil4/WP4vH2rXwIFg4zvfB2+7j/ -K0ALAVzB1l6BvNs35BWs7QpC6QpUbh+TK1Ro+wYAHsx9GUq0tg+6rSDmWqFu+6C0wtf2kbOCCJMV -vIoVcAVWCJrts/IqnMZVYKJVMOargtWqQt9UgQJRBUPbl7tTARZ9VibPn+2DoqWly8a1fcOyfeay -2c5IpgJj+35jKrDtHTu2jw7NKcQq60e/WaZCcZRBXUseU6FyYPv2YzXAVCIoXe5sHzq2cnLxte/I -NHaC6qDBDeraN+5xxZ2R54dQTEy+ZfsSUNKxfeRiRmAqgO4nrnTt8z4JEOu7tfbF9EuFBJcKIDJr -VlJIS4Wr2leahr4AMPpUUe0LDlKxKgrWvrWrfWrUvmM8MZYKxzAEWn3E1CUJ6Foq5An7pcIfwbSy -DlMB1rSvQndqH4lX+5ha+27gVPsw5NCofQ2mAkhuTyq8xBFQknhU4I0+BTa+osK19gVDBXsWKpyi -2ncKFb6WUIESU/saiMtkMFk9XaFCQADY+k/t0xa4HF79tO/ACxVmTKjwBqh9M6mH24fNtE8uWcM9 -QoUICgECEypIDUaokHxYP6HCCr5Q4X/S2KmOBjMh7TuFCmzQK5rjNixjVg1CjvahhExvtVDhlMHQ -vpfHgsvVWiKFCgqpJSooRoCsT4YKyO2BIkX7vAaZsDRUeAbta4wqr8BDBezPnwZ9xQ4VMuShwkhx -Wp/mWD8FWX4Ky9G+o3kKENgTZGmfK3UKA11bUzoFsuAU2NcUDJ0pVBRTwPJSaNI+7CyFHVUKkqEU -kpgUWCyPFDrUPgJDCt+kyONdSEFxtS/xUTgHaiTWUr45Cm5WjYJbGEbhi0Vh+kQh6zVHQLUvox1r -3xAjCoOIxbWHAuFys0LhSYRCmkEBuyAolLWPDyhM/CcIoX/CLP4J9vyEYrUPWn3CRjshU+2LxSfM -KHyCRvAJtd900rkYa98fJ9QK/lqs9HJ2QlJ1gsClaTicGV5swsBxAvnaBwsnFFXyhGK+CWPt+81N 
-2F5tAiVsgoY1oey1D7iacLB9nNMEi6YJEoZpAsnShOdApbsRqPwS2p5MqOYxYVMxocAwgcmBCWt9 -CSPbdxovYf8kEugS/N8SyLV9n7cEbtsnVkuoMUuohiVcpSuhjJVAQZVQhdzHg0o4X0qQo6WEmUYJ -IkIJ656EVctJiNIk2MEktF5JmHaSMN4GKfc1IoUiCSjECnjMAvMLz9KMBJ2KBNwhEoSU+xSGBC0w -uu/6IIHvBRKm577zR1AW0UcwkD0CsvEIeu0IbCEd4U2OQED3ATiC9zaCfNsIlrdG6EgjEMSu8EhG -QM99WmKEU2hTBeIvh+7jYvE+6XcRWDQMZZyqxXcfhBdBq6q6kWbOjHJxhZgXIecgGZE92YYXYTg+ -FXneRZiodhHaNK1Svd2gB7CSJLmLcIb3xW4RULwvZFmEr/qpkXI7argijOJ9g0WT90FXhIUqgnCd -VATbCOkk3qfSqQjykyrCQt63zBSBFb5lDUWQ0YlgHhPhKFHkfS8RJQJ5xCZmTyLcPSKwoA9bfkOE -nSBC+30IZvIQ9ukQYHAIMvS2KnxD0Mz7DhzCD/Y3hIa3qsn7AAs4BPrzvlHlT5VDDlHeR+Mz77Ml -DsGXWax01OV9t9E4BPy8T8ghLNsQmPI+svcUYjxNeJ9HERFJQ/Dv3ZfrjoYw38/0O7wv1HefoKyR -hvBIEI/8cvfxRBmaaQj3eO8LlioqZO/rhFVWWe8bUvY+81QNwZ3tXGRtDaGCyTl23fukGgLS3ldu -FOy9D7eGMJ7D97nc+zbDGvQagm2pWUOg/Gb7a7uGMLCGgKUZwupSPURKDAFnFwJEFg== - - - wpIKYY6gECYxIWh8n/EIgYAhhLIPgkbyQfibzz7LOQgINQiQMAj6fJ9hQUB8358nCCz0JAa+jxxB -uGx7AWh/IIRsIMAtEGKSQJjegDBJQACUAKEBgPB7/yCC+wOXtz8Y56+1FNt+UPg+WvrBz/dB8gMv -vo8l8INGE3ol3j4oXR+sKJvLY+R8sPF9/8kHZPJ9lnww8X1e4gMd8JMAH1y8ewC5PbBd9oDXXA+y -qQdcpQcygh70K/Dbii8EzoM58Gt4eQDFeRjq8qBGyQOM48HfiQc88ONTeOAEPNBR8BO+A7x7B1d3 -BzHLHWzH7WAGfsu0A5fKDsBgBzDkOtB/rANJ8FOoDvJPB+NeOhgHfnd0MK7RAdqEDkTgZ73nQPOb -YJdzAFDgJ/zzfUa/pn+yP+fQHJR+OWCelYPtKgcr8HsmB6sNORDdjgMvHQeliHFwheIgAMQBqfzh -oLBwsAj4LRwcLLvAgYm/gTTfoLd6g0l4g0PZDRhBN2gCP/y4wRn4Ib4N7AQ/qLZBqLQNwtUGkoKf -ftEGWiZga2gDHGYDkscGBoYNlr4GytI1uNcarIs1qMhqIHxUgxupwXOKBwb+NJAoy4yZvCDep8EL -fxq0qN0lO6AW/GbK4EcfqMEN7uapCj8NWAa/+Piq4DdUZwh+J4AasB0JEswvQQ2GPw0GwQz8Jiy9 -sTtQg5HiXLwViwt+L2Hw0y34gUEN9OE3+FlWqMHDcfAjQQ0kPoOfwFKa0oEaxH4amHDwy/XlEeGH -bBo7+MEBNWhuJzT+pwF/GwGRjZn6I2ctDeTB70gazN9oQBr8JtFAPaEBRoAG7D0DpeBn7gzwlzMo -cDMogh88zWC3MgOhYAZV8LtxGfi4HnjOPWVg9mSQX8kAy8jAeZDBpRBkAOUxuILH4I2FgmMPRsjg -Fw1O8CvBjcEC3hjUK0EI/DoJx+DQ/8Yg0Bd+ExR+irPHv/AbNgabW+EXrMnuyBqDYwyK4bezMVDt -afhdcvgZs2Y0/Aa2MdjKfuGk8cbgzfCbBcwzRpoLOByDUturVw+LG4NSxY+WxcekiR/3xsB6FcXv 
-9mXQit+MEAPBMWCL38J//IZzYzDZG4PIURCOgSiRBRRSBn/6UT1+1MUAv4rBCSYG447ftsRg8Sek -gqoMBxjsQQwau8PkhhYj/8PgV/X4wSLhMh8GflvuvMb6YXB3XKI+fgNNpFXolXdH6V4m3nePn0WR -CjKK/GggBvXfGG3k1wtiABdmxo1RkjhaUkd/wYchBuQkYmDEz48qYjANddI1YnArYoBDxECRR34q -BMmPS8lvGpNfOoeSH7au+yb5GZcfYvAZEQNuixho0D8DzLvZMWKQAUiAAZfff8F55LdzzyJ3hvmR -/CyQRwyA7tJM8yL/XyAu+SU9DCCYahE0+fEeKXHlBdyHNAxqnfxENDvKzxOT8ru+L/BSNEyh4rrf -i2gwsCIYIAkQGEi3NOX3OGBAQOV3kfILGeXnnsCA2VMOEBgEzE1i9CZTkUS4AgMjo0fsc7VivSAE -fwFm2AwH13yBf+1iWJQfeUGTdy8Y9tPM4b3ANF+l/E6scVCpVX6X7gWQY9wL6vb59oIFWH6bEreV -nz2Vo/ID5QVG8IKnlN/y47eLPQIkSGAXuKcLCPRc4K1cwFjHBZGUn1+44M63gCC6BfbXFrDFFkSV -n7IWVCTWAgblR1wtKHJaMEr5raIFjAtmQq8zcdTemwnzLIAXY2bBWlDu6UOphCzoYywQk4sFkfJz -hwVxPaphAb8YFhhbWADpwAJF5Wf6CnBCx8GUn6IrIH8rKEAgG3sKRPnlo4JYcrwKeDLMKtipKoCY -UAU6xlRQSfk9HhXwQGpIBZ7VNXWkAm0lFVQ4SoedFTBIgY2bAtVlCpBcCirlB08p2AVXUuADn6Qg -JYEUYMhvFHSTyg/D0APy/35LmoY7F1hS7wTrgoKuBRSs8hOsmd/CJ6CfDFKi/XndDKBAmScQ1XcC -LNYJeuZHmhOcxAnUcDhBk/mdbgJP1CYdMbEJlKAmyD4TkHAmAzK/F1yrWGfNSjDSDyb4rZcgEZdA -OZQmhLbImF9AEtzl9CmBXJESiHJQglwn9G598TC/oSSo1dcHSXA4nDOD4jdJghK/GUQCx4MEFf4I -pHoEE3YEV40jWDC/XxsBE42AYGQE0C8CH1sEWK0I8qdV7jdkqu+JSGJ+RYXgEMWCCDy8dQQEPQQ0 -kEPQTUwkFMoC8yNLX69dIbhffu2EgI1W9mNFCOIBC6BifdH8H7BWEHxIFQRxCAJcDAS9ufxgCAQr -CAgc/g9UX35rf4DRfkAgP0D57QN26QOQ5AMpl5+AD7zdHmAxE7LSA96cB+LJA9RePFBbfih4YJ13 -wACA5MoW+JAirwOZrA4YNR1IER0YKr9158B5ZQ4wK7+lHGB4CSHIgV0uDsw+HHg1OJDRb0Bv+Tm9 -AWHdQMXyA4kbMLMNyEEbwMaxgWz5mX0NPEKUhCOTaEkNzJsGMEoakCcaEDRpEmIu024GlDIDynEZ -KKYMLCgZWLn8HmSAt/ykOAbWWX46jAHPEwMRPAw4QPFh3Ylu+fXgBU7qVcGAPxLjWwQCDMCN4QZ+ -gWWaxIVkuZ4WoFAX4Mt0gbpQq1wgUHABessPyC3ghS0g3tMCGpef7rPAl8sCExwLXAsLlPkKQM8V -SFAr8BpW4GvmR+d6+eVTgdeoAE57CkCuKaBcfm6WAm7Z8rcKGDg5Eykg7/PyS4U/5icjBSwkKRB2 -d/AwP2PL74m/Lj8Eo7nlFyspoGRuCe2Jgprc5XeSFKDXvjvL6jCMTKIAl1CA7PLj0i8/rrB6BQBA -AXYDuvwS/E/gPXPzszGy/AlgOL9G9RMYP51++WFViSa/riVw009ADv0JELg9Zus/gVoBFKDW8UNO -FlQBBcIIFDCPCaocvw9QgATVVPhPwDSjJPB3rbnOEqiMP4F4PwGQuf0JBPcToPATEL5PgAD8HrzX 
-WCLq2I4NOy35bX4C1Eh+M9x+Ap3+BDjQT0CfngC+TiA7Mfet1rXk1+Un/aHt6ztXKWAfL80L61Ew -yeBvB7oTiefFCej1HweZYaBHJKgoToBPPX1UI/b/otjHQ0yewNBOcQIFPZctwTrEuVSXASXQSayh -CdTCJmEZjglYGPaVBr81vS+BxxHFa3uZ6y1oLQGk9e/IuY6VADgUHc/HDx8lECOiB21cY+voSgf/ -d1KTQOXA/mec1P/Z4p1JAlUeb2oXYbpSRQLTJEHJeW0Eof8FCdT+N1RWFbVG8gggdhnxRVUA0x1k -sNdIIMJHkMJ2gJ4RqLjaxFpm/70IDIaUOLkIQIqCSV2LQH9bWThuEeCtgXJC6cA3UsFXmt38o3d5 -Ft77LYZc+5sABQKfAlAHeZ2wl4MbAp/2JO1C4M2gjnJz3D+iuywhABnooqNtE8YMkOMgECczQYC/ -zNkUCGROg+MDUjqAQB19QELYJ0WNyRgnK7TJTy3adcbQRup4kyVdEi5Vav6cC9c8oA4rzAD3D3pr -ft49oPteCkBYHq4Dl06oBgCC8u24b5Q1DCY0D9DmoH+6hUpPA2gaRFqTiP29pkwLe3fAKJ/GopgW -dU1dkh1QTUtG0pQ5pODUAXhpQPuA2EFbz3bUQAecPHxH5nKAQl+P8XDF6EQEyzpLxwGjRMIggzfs -UP5xf7U/o1+y0QBPtXBuAHOw9Zu1wqfagFX7pfgpPaRXrwLJqn3DBmjCo26wAdGH4pfM5Geo912+ -qwG6iABFR16lcKvgNIBvFR7grS6nwmJI0YD4P2Ktpa4QfSz+gO8W1R/dkDMDeuqvMsCHuiBZC3Ta -aLS6RecDMXe5rYbpdMjUMQbUFC0eQAwYXpKPRmVp4eZ9Ws/0djBgKLxgXO4C0tD1SMEAZYQxPxi8 -lF0Sv4CaV2hclsddGvzlL7WM1XkBWRd4fb5wMZe6gPJV/NDnjRZ+64oJFwB4EpB5GR0jGraApnhU -TVJQcO9ZQEgHIpPYQU6DGAsoec+BoHqE68PQKwBIqrQCDvMjOssItiog25lOBcOSqACi4zbCAl+Z -vohLPJvLFqQAvRNglw4MBYjL/wE/TAGC9AkYRL4/dcyGsEjZhE6Ato2ahQ6vQIp23MMOoW5uWBMw -7yRAZYFUUxIuwpmxCRPA8HomYAIYJb8o8IyBl1gVvhKgdY54zs13NXwlTgIuVeFnILRvkJ6iwqjc -3jQCnF0A7TA8AvLlI7cUKu8I4Poup4uxPK2mK7+MgOYaO0sK2RjGOGykCCjo9yOnkuKMAiKAV304 -2EV+xQsBHMsyyya9pZCIh1vL8ivx4Zte0lsludtBgOcJwZsmBhsE7PQRCBCfPDVu90ANNLllP8BB -dm3q1A8A1yUMUoZ+r2gfH4A4TQWnFUvLClGwQmOGSbkoMTL23V2WvJEUbFURix6g1QfZb38HGJMS -qcbmnpkdM19oOlsHIAZXEI29sSHIcNzDNgfIDg+9XTww1WL8LoHrtYYDwOnwwggHYCYpRuhXM37J -gXcx/QHept0bOQ7uSywZ+qnni3qO/509/TO8BhgRJBvmBhR5M9MAbUkA0mhGszM3by4OpfIvygDj -REAWAzDJdV/+6+diwQAHgK9P2ZHMsl88ywsgzF6SdohlUxOxI2w+FAbhNH8Q0x+9QEHzJzH0bjlZ -DelUHya4N88C7NM/QtFtJ23FdqMzAAs/wzTdZBJLWQfWkDavABAPvVERH8yv4DQfAfJ3tbj8PHBs -P7kyU4BmWjoQBJ5EfyiAiUK4dAJYA4ig+V1T+HgVYgIwhAUCZFxGto0vFiVAGRvtExctPwKsVQFa -JZ1oEYDXRbgeObfC44YAUrw34UbCz74WySEIEHvhuxynAVkW1OwDCB+kR69c5H8d+ROTB7BnWuAJ 
-oRDNWYtMB9CUq0MzxZeBaVG0drWRUG0gsQGwhubo1g5lKFgLNIAvf8vxmv47HgOoFHXGuXsiQZOq -qoB8AUwcdxzfbRm1ADTPb87KlEbsWMoKQGI7hhpF6+tc0PoogASQD3rknA7T54KWJgB3np9rxVQe -BRIJgAxzQyryJsaHYK1mAfjDM2ZV3D/dbwDKYIkIvblUMIt7v6LX6yMBAAmc0sIqZkDFC1fx5fXM -tl131tOpSAArzWjo1VaclMZCRQLg/Opiic8zaDDW4SoSxhfbsVjnIhIAhhBpKLHFqrqhaDIkgMZU -86lZpbu9iATATDofqlo9qjC/qxVEAmCIktQwZ3yMUpSFBDDy+BgShwdhnFYazL/lcaCkhgSAZB94 -ytunIcGm7TINCSBb35nIwgZ8CUuUQAKobWt+htRN7s5HAHZzEAbjBTDGZbuTITfPtFNEMz9u7QgD -TR4BCEvETHYPaHwEsCTgAhJ3CChaHWsouDdXnzz+hQNqMh9LkkCeBFcrC30EQPTQ2L2MVeQEjwA6 -TNhm88JkcVn+EcBCQcijItoJaawJU+O9dOEjgL7TXG/SPAKo08bRA40H02s9ArDxbw== - - - pJk4srX2YZ9begQwbqZYhNsjtj5rUdkj+pCIs/Lj9BFlRe//zAAVFA6Rd1RX33VoZyvs+LUqt4z1 -EcAq4S45i5P/vbshA/6W0zid0lG+4OwjgJbVvZCRBTxozFzMXe2S5UcA43NbOZPmTP4fAUBP1sjF -rxqsyiMBBl1o0026HAGM9DluJYcACHeg37/D9/VpOwLo3c+OkFH2IxwBxHc/R43D2yrjjQDoKYLb -T5FsByFniRFA4/IDNDPpwB4jgDJQHIGh0IyUsjYZoD6AFVdfrlEKaCPkMtEcRgCJN9xcAnTScJl2 -LAII0Bk5QfY/T1V2ZJhQ0N7OjDcPyst8/6xQiwAG+YpEMCJXTpw4Wp7+5/pTEb4IYJEMn9LTfXCX -XQSArONqiB5VY+vGD12H55LGyssigMWdWqaWlYLgdhEA5QEtEdqM2y4RxAkxgG18wK/eYnKzHUJB -BIAXyS0QGQEwsjSBTUu9wlwy/1uJ4T/vCnFCcBOIQi00W7FaihkBcKn9mwgsbxqyYmimuUYo7gp9 -HILjKDICqLlYfJR7c1JBZDnBP8ERQOId/mCHwxSiPWNrNzOZBF5G9hHA0E0Qr4U0xPpHAFud87iE -g8qYmiNIs5QNMC0JfYCP1W4sAP6vUrS8EpJIFRKAPZJEio8A4DYcS/EfH3biuqj3oZ0wuPERgB9L -zvyVpdiw/X0EUOue7FCDLndEhH0EME8Jy88w7xRxV7A+AMM74V46Q8bVVNQ9Ov0pNx2AL1oQoX6C -fMpV0wEI94mRCmsAiNlBDUB2TYsOpU4DwCNQcQMNgL+CrKQbNADHSPiPRixsHEzIpiQND4cF3xEA -Gc1bUbRkrLYjQofOTIv60gCwhhjNbI3NazUAZaH1RG0tM4OpBuDEHj25o/tRqhqAM5c7s07GPlH2 -EKgB4AVyGleJrQZgIAVw5RnTtjnDZ0QNwKe6zss1chx0nxgf7WhBDcCnJP457ej5NmgAyA8IwaiJ -B0tiUak2c4Gd5ha4H/TJ4ZXQc0jZDutcS7SnlrbeWOYZAGYqak/AC1RmGr/jWtJQ4+b5uyaEUAJa -0HgYG3ANCgf41PbYtRVZ8DMYmZKUKUlpNL4ICtNDCGEBZgGnAZeYx7lXdSTmFdPJmhG/m9qcrVIs -NhSj2IrmiuXTpvahaRE0Iom04LBcBxZklvEqjfzW66tvrl9NJ/sQF6kYjK1OYljCtJG4II5IjiPO -Js2YjbkQrjKpmyWzGd3manbjYnXWNfOpN1pTWamI4U1Q1V/Wq1gz67E65sQWFx5DghNDTrQcj55F 
-NpdYCMl+SlSCSB+nEkOff+/9+ef+3u4t+/XSa0YrdR22z9lvdfypitBI9NL1S1Khx9D/tw2aWL1s -1aeNOrlFqcyr36wZlQl2perMxsTYJxsrETf/WfPvP9Oe9LRqpBaeE6yFLdfppdOJ/q+V6L92Qdan -6Fw9Fa2p5G1J38qHas/8MqXf7c823Efb/7GaHtNo52M/telnKV77v2KKnkVktXqwZDducmpjn/xE -jcUfUvmHes4YI+nQtNOx/hk1TXxSmpHp7+lf02j3U+/75fadl/6l5ApFp9SK380CXO1zj/fhh7Eq -y3zTj6xP2CupcVDVXaypZU50F8Mx19+hkhLvT8zKUtHVyZJIzUTUdG/pp7ByCVIulCD9v9KhcnnW -3fWu43rXPsjNMSJfq+JafPGud/1Xt5yR/x2ppVnbKaczLXmW8iK2Jvt7KoshUz1XF/OOTze7GdmT -Ivb39GuFMg2bXhlHnC4yUvJOF5nGxLD2+REjQp0LdTcJkVQmxQXxjBE5sSk5PWRkWCw9Ga83LRr1 -p2L/VSoFw6/NiMeRiPnrodB+0gwNizJL1VdVDnNht9xq1ZQv0ikvhtWYu+2+vDSF6W1dqops10+s -7MKXStJdfrflk/vdl7dieofF9NqnN1g6vaN+m6ia4e1NsKxRWJeNdBj35f0f++tOXLbK/ql7QdxU -2xF2UMecCfvzkiuLWL012UokJ5opViZfWJqI6T3bd/Zyw+WTW21jFqTp5jfmNp0yMSH6FN0goSB6 -ybT6O4TGAVIRJrRDj3dCKxKGTBowYFDACM8YqTCeOAxNmCGDpWE8BgwYLFiFOhuhpMEuJ5CLakfD -V6IRmxqWklZUoAdvpkSoHOMIUt0zLvhfYJA4tMqyhbZCq54Wh6jCmqhySEoc6Ox/oouIxGiqZF6s -wFIgmSOXAzssZ4I3DwezXKB8t4rcsNs1m6MsXIOEoyN1IuRUBIdpQSpqVUI1umyphJZJytCeQgKp -j6BIzQKhwChFYBtIjyXcqqbCVS3EiAPdQfKBFkh8Qfq4/od3Xp5PT87niOBPZBiUWkmECrbEkBKh -KC0n0P0C9mAHGDBYQFFLJWZKQaJAs/DKPA2/hPtUC1Q7XKISqHMPGDAo4JWPQyMQQAENGDBYoKAm -GGyWUFrBLlAwr4gCcxRIgAyQB+QF9MDAAQU9MEAgAQWrAQEKZhCBAAoqgcEECSiYgQAKZgAAPXBA -AxFIAMEAN0X0IUIiFNy2QEPKoFTqNZr/frlSWRBxpF7prKN6ROs/yih1LLGf88qRkXYzgq0Qac6K -xu2kk4t1Reu+xShmt4TMxgx3ImNM7o7sbgYnI2k1ASI9UDDxEokwqYaoEunBRIk0Jowy5FKICnZI -JoxKIYJBmhpjzEehq9VDeMJEmBrOwmyPIIobJgqmiziRoDhkYQtRrilXPyXWTkvF51EURhJGjZIU -N1Yorn4JJ86LxXFNJ6LRA4kGmaiKG9hgo8rJHW0PouKBIdqokRb1QKibIB03Irh1CocoWdVIuKM1 -MQL9HoyEN9oeRA2rUWxDtXVPoRoT6sH3Gk+FdEamajoMUg4ydhCpTVEPOlIVOkGiETpCAwkCYMCg -gCiq2YToAcsMQS6GLYvojrkVVnNPMYMVaGgG2j2qUN6kwmIVi3khfcSCC4/PI9zl8MuEsifUSr4F -UZxYwBQhKopeEQ5LiBKS/64JU5SEo7NRcMoT7M3EhGxUY/hINfg1qlid0idU6y6aQMLaP1SBRBiX -NpBIbWpUEmGzqZja1CUaYhYOJEQ1gR7DSesMnFFgcUHFKqoSDh/y4fOFiFBrKWHAgMGC98VLqKiG -8ooSFaEibcV36XwKhxaFeohCG4stioqCvxhqzZcFpimoJBucpFFAAZMXCFBIFAqiKI7DODjjehSA 
-BVs0IHoUCAgSCAQQOGIRA1EHACACQACACAQAAMYXrNgZL1nmbHqGK40KGJ3HlcCe56r4+8FebtTA -lxlAgm7jm0Ei5kHzwRxnRP4+qiQTY++JphLNTs/T4C7eXfhw6Imk65KOWtx6gjCQ25Fhl0qRpLsg -v/IEEpviShwjxsPehuIg/TrQ+rQlEYivSDUZPAYE5nJ9ATVnUDYV56twz4KguIpsCThDajuNMS6J -YKuvKEbYhL1xmVbWn48BIQjsVJYJwvM+8rG3H6I7OpvCj2iVgLTgrS0so6iRKXkEQOdRo0Q/wipd -EAz3ytqf9/mHRYjSaVBDMqroBFXvuYCcOAOh2EB1bPLqRRtTTBMJjCQ1SZeGcse7UGrFJ/6ij/nU -iBxDDb7+BOZGT5WswdJ90zC8ymA/moDokwiOtgbS3meIMc8YJDFIRYCom/HupfrpunwjMmOfA1MS -yXY3W3/X2kNu24x29MEdJvFt4bTG8q7plyj14YnYQkz8uM6m/ljm9mV6cG5MVleEPEv2EXVbhXZx -QrHOLKiHjKjYDRyErt7cla6EGtXW4MQQp+YpcZc8NIdG9xsKIFVV0fnLGj2mEJjqgRlsn43Iewdz -WpvPuye7JNdQgxrd49eMh5z5NktN1sLp/I9HR4iUvJ0Sd42N+wS8u+jW0Tiky6Jyn2B8tBUVQvBK -knADHVD1nImtg1b2AFsghaOVMctcqlD+joX0vmJL0RaaeLPo6rabkitHYRbZwmUEkz0EXBcRv+q3 -1LohxKXoKvxdrQ2uEiwy/A12iubJA/d9JbdEGkzDohUBdeVzHzB7XH6T3YKbgabdNCHSoPFVnmIm -TtQBMlqznoWPHb174u7P2qp4Bh+GnHQ1YLeixpikAv7xetFKoFIby/lmwy17/OI1w4Z1w727qNQV -WnNv+XbehxOnBO6r1SQy8P9Uo2Db+j+kaQIP4IYeVt3KPNztxJ2MYlUd3J2l1CmckLLKhgdSPUA0 -cDLs/NOmuovuqNXB3pvXuxflcDzuGu/o6zfJ2bqvdbhsL+TyIljMzWIyvQfbU0BQ2YNCCExmhgl5 -3TjzoAwU7LHMaRKKgucEa+zQJxWNa+M6guDKy8pINyVQFBkcyO8mespPcPyDRjtvUwxzqsHxEviK -6O6L18AeCwpuo2eCVW8YVkLmPODx1rg4eQP/g1VJJgpmUjc9hxQBjGS0omoeWMuD1lX9EYIiE9Q+ -dqDwlgdmHSIlt4FNXYdWI/AaMRmKhqA+WwkKTTO/s+s4x/TKorHvTGKGdgrZ0PXI9ioqfOKi0Uhh -4Hgkaq7X5GnpTfJmYefMpW62EQ3IQvCjxfQVEYGOfWXLsp1ZPBf7dWaynpWJBBNHTxgC4p/Kia2q -vZ8DMczfWEaA48dgpE+FH5wsuAs1LlGrR5sFlced3lOfK9GRTDuGbMnLavguKE/Tr6oRXY3DiNdz -gS4xyMOB/VzM6M7oyQdm4t1JUPfDxRUaaX4wBi5+sR/4ursxqFmO0DvjkXW62mVuMSSBk70Hkya5 -AcPQ3emPpzHsUXMML+Crewum4K+E9FWtGlXcfUW9q+netcPMsBvwKhWBx+ozrU7YIRV4iZ9HAxtM -pmtdeDvLsAwtbJOwGYENTfTLe4Xwr4zbtp+l4Wyddl4CEJJCAGMRcqeux8MrH5MVAwc5mHWSxz5w -GmZSrDXqU41hbrkOECbDAsaVO7iSXvZPqh+xof5F8EbsGawH+xmNzYpkccGXHvNQb54T6O3EZYuR -VaiSgwU797HdK5XAVAv1+CNGrYcgOEHf2VO00e0NIHEq5wiQabrq+rUdFRCLA9MhY59NFupMlvmM -3RzNTEkm13jopGQYtD7chz5FXveshpdN1zi1Hm1yCdVH1XFmaL0hyLRKAC5YqimurE1Q2DftrSVr 
-IOmvNL78s3lEIhigbtwStcLMCCqIBfOZ3474QPcQanUkIGjCMvuiLnobly0SLFsObjgWPEyCV4ul -L3U8w0H0PSPvQyiewtYCoM+VMYqqOw5VfPA4kWgER8t55sMhbwbHUIGZOA2Lqva9dwNrQHHvBSth -uCmwXBixY2a8ejdqoIr6OPmcTAIu8dTtouYlHi6YoaUjSIeyTGePQZ5p2DHQkh5ttQRd0F9UD05e -7f1GQPTVCh4Rm0sI5RwXyrxl1d3lJ74LwFCg9dLxdS4VLB2KwCdSb1uUZj+qC19AVUl1yIx8VAUo -IAqw6XolhwxP7QOiCDbREVGG0aXjbYNqxyiciqZEhRIXcRE/z4NJs2CcBYbrNWV6Cw== - - - QRLAzB4fnm/JNP6lkUXEBoBuWD5yHquVD2FYRGk0iktx0ijkHZp2aeK3vJL2nzgqeAoqttOP0Zue -0hdyjPZVdqq1O0rbIjdRAe+vBumE4z9N+UnhnvtZFNSRBFjFH7ghfAav9PmTYRW0AMDkJgPnQBGF -3bfVXbty9AZ3cIPDwA+f5EAZdAvYSCFYHJnDQYQ3IBDAJL/egvgrNWAd+AgK4gQaHQnVM+c+ASaZ -uuoCo80zVTQgL3sRlhKwFYmbs24kdPx7hu+6OmxP/5Fg1MLYsYiGu9D4eyOCVFzQWry+smSSD8SR -aD32kUrSUHaQ7Iz74Wgcg5M8rXDXB7f6AgYR34jZex1UecZG2LN+MK9ugsNrHzVFCL0r8zwoor48 -7V/lwdS1s0s85t107tfjGSmztEkxbFgIu3ZqmTeEAPQcEMFuZzOAuSNM0nWA2yTL/iKTvlNt/HxO -BG7Kh40E5uFzp0ZfdtX4EdYpYP+T081QMWjGyfSJZz54ecyVAz8D0oIowfWUnmbvqgwnTWpNFIDH -Jkl7OsWAbII3RL8F4oypMRAfL7yNe5zRisy6yTWl+9zOQJXRZs98FAoWrSWUpov27jgb/xxQMK/T -rd4Svq8OVgP/GaNu4tteSvikRsUkbDsFS3RSSkwK561iF5ttSj3tHkYOYCMiHa6sC5DOkNJZJV1j -YTIQAR1xwiTngsNmKBvfc49DuND8BLKFQIaa2KprsrOoN9INqvEWYPl4Bl3cB2+aMGgqOp99HxXA -c6CAES7yZQ7LDY5fDkIcRITmnp950Rh6VEkimcU6eqx36rnUw4VwQ6TljaWAkhkTnUV67rRlzsWa -zWLxVupWe6Rb7eyEOww+NSecpQZTl1EbHDw5E01CKbvwfVJR/uP8TS+5y0wNf9NtzMujn5ln0B4k -mFDFH1cPbfAQmZGhTKkAbAWmqNytCNIJLWgMt+81zbsFOxQhTFbNSde3B5HZ5nlAe4tRMRs4jq40 -BXci5RDGyzIT8ZG66uq3mKGihSdNIR4jWomzBeFMlxLX5YVJZUVkumpcFelJfnxplmiAs4JvlboI -7jgcWpURWdHv6p64w312iTRkj9qFCdCOLsfj54SO5esyeo+8CJRLGpZLuVYP1dpn39UoXbzPaX+p -BKon4JHmf1I7b3Twbq6lUl6MaFOlnm8Gs16JwUEKbMXYExkXkCroPkjqoyBYauPdu+rFB5nzk2kb -fgX9PMXYDMgVMGJyCZ+aA/svqABqQSnBdjoZRBau0zLE4zK4ZMhw4mMQUXNk8ADtRddezK9lXmud -OlIc5De/luCqwtDpK05mRv5GFDF1b9x+Yg7cnIab/BlC74PZBYiBYEM3g/jUZwbUEMx8a/Kw4Esp -5Mcq7oiI4PvcakjmAYFPC4AwvCZKIikuS2FIlbEOGXCxHRg5TObKhbB0WCH4KypbWhx7EZOUh5nZ -4SCjgBplI1yWTd+EIs0k0TQIIqkuBB0I4Vz7DoDgZPcdmBzA18V1aFYVq0hARHpLsD5tcDBQzC1/ 
-fATgajHH4L/FaFS0pRJ3QLW6RG/DL5Wyu7UWh7cat2avZ/Cgg2E5DJh5LtUlErh+QO1WNsbpnqsl -DZ4fwQOb9ByVRgz7BJkKS+dkHLov68aAihxzjJx1AToijjlDiQnOMluABlTrWqTlqcLR5HQUFglL -/34SrJvaHGVAo7XWIqSxcYL2QRE6ZVyxhRZAzXmDwzEsc0KPJf6RfZiDc4nEgP9UwmUjIW/jviSh -i249qwAAn+oh/fQqS+xEYbY6n79eSiTA/OgWuApd/gYOpj2qPFSvrzO6Dg24G2w8kjOegwqCqIzb -MIlvFeJ3HJHhl3esKrSN6JKFxOP7V3BzSE5xZ/cmFX68EHA32JONd0ktLZkO7bPrLqAv15L5jfFg -zRynmzBZKa3uLjiB6z+gmjsvLRR/Zx66QcRua0y6eK+iJ5ZE5xKY2WsDy3XxTDdWnOVqSePictPA -W6nhmQ/4X/MbpxiT0SunJdSbCaLgw2O9gfFEmX5eawxsKnll7VBWbXuagW2eGzCwLCOTgkkAqYzK -xhBsmev6tTHe46SoHLP61zzmMIFlUPSX2f3B33GbKJmMDQUmSl3iYEuND80f9KZ+mg0vmxRVKdcn -sR10doR0MG2qCwEq1iTo251i/iT+2HOCXB3lr1SUFrNhSzHSDuHyrOpwEb4e9nQ0j1dvnmTYApGH -E5zKHKzyrmOhjSn4oEkqqPvb3/i4XLhP5cS6+Zi/ZhrvVHjAFSjz+e9NhkNx4mV0yBHMaPzh3naL -ruDwzjfj3oxcYTHUmBLXjuHUk2tuk67trlpOf5pgPlvv4WDRf/7IivDaa/O+DckiU8mAwWB+MLsO -VPbx9f5cykEz9tN06BD4xkeldANT+GPcyXN4RWcOu5AzOo5pUJfiKhepxbsWH0PwE7AmaDK6r0aq -NI6YldWiGPIfuvr8EUg0rwI7MHU88/rSg81gk7IqAGUPAu98hb9J5HOWJd4Y7oQ1KHWFZmRLDeIA -u9wXukYDNidMoyswQG6bgNK6XJsOrZNCSGccXWLrb0rGAJiU2WPWMRnAukdaYvmmF/ulm4xPhAno -9jYYAE1CB0w8HrL7h8VpYQla2UDOi4D80hSQsT2wrxeJ/138eCaA9H5BTl/DtHhkzgF/QuR9w0kE -30tCLlnzkmLqNfySNUpCEMQHqUERCDj3U5aHmnPlpdAhI7ieYLmIx7mMQdmGVGiD5i93lAQcoRh+ -mnzNfXgeTYkRsAbNqK6g0V0c7RSSaht3koCeMSBGmlzdzBshPIbaL1Mh3u8770qMjshWyAQPBZep -WcxyEGB/gzViI2e38Lyx+7vDgOHTCLNCLx6YiCNpoR8vJDtKFO2DAvJ8n24inyjiTmqIs2HgXh/u -upObfLJv4zaMMJGQQD7VjvBw5Io+fL+HmBaxW7cAjcgzZtG+1GV1oR+0MidHDUVpMEH1QWiQTCwE -EmbkSjBstZjBcJpss5+7PDWSaeMfBWbo3YXQRqjNex9eGSVjiQLNHwxKDzYuoxd4gSN/QgfwdqkV -i2Q8amuH81+3Pj7v/kHWJu2C4HirLsO1gVyLRe0w/LnOcDtLYkAgtkZvOY1V+UAK3Eo4DxpH9OZP -4YCyrH+Gh0DHNK+s60fKit/CueK4Myp6mKBgaXogxS3J42Z4M8msaQMMHUwgWB7ZKDd7kCTmFaNK -KLKhFy6mFMjQcUcSZa+qMIe2OkjVHvsdD1MxdHLenBG6nK+Mfg2n7rdzSW1+EMfUvPvL96SmB2q8 -/DJ7Pvrw4qygbiMhDmO310CL+LOmjMJtLNyb4jeInH2h9xFxaUCHdD7fgsLVnKyZ1DZEUNwgwIqZ -3y8qMIyu1jjPAfp6nDXC6Yo7eWUoPT/5Ap9X5kReVr6xhAO3XGqxrLRsBsBjFeVqtEi88HTly22I 
-K2+a+FzQmEyDywg4Jz0KnCFf9DeDrq6zQUbnhL+mbh7Paz044SjuwkHheNDF4lK43Jcko88C/RIb -ejEPhiGWXLoyIyOZij/SpANETNbZRsXywX8yUV5XxxPJhunrYF0EatoYxeEqD1TNMB0w9CT2A64Y -5t72/fSD0YS5VXOM0s1mucJJpqyQPjd7mgRzb6zOJpU9yVsoCPXtOezxsQRX+yEt2r/gHtPG6yHk -4IqSbI0YJfcEkHvYynRXHRfoTZpar7CUQRqy06QbCNILG/KLajtmDuPKLEPdsZDwHfYSRhcximHz -sWCLM+tX12V6zvs43GYBV3BeVsUSJBGM9dD79Ojy4INLry6nSmMirl5oiaOBdskyeIVW0W0/1b4M -CJytWjsalVlya/RfrpS8nTxAXs8hc/V6NBazVY7YJ2yMHb8XIMjYqKWPwBHkpWeeMH2MZxfc+VTd -8EEw8X1M3EY22oOpzFerZSQC5Fk8AYlPNRwaJYJsohxYgrHotYalkqX6b6t+52zBTwxuLghjE7qB -j3f/Af1/rID3r3vcVbpjQ2gcQsri9o6HrlioZFXogmO6Z0Dai3fkcx1bScAVUqCYYd/VE/7xMBv4 -Xyq2wsJD4LmU5MX/VKUR2o+e7nlL+NKqOkUuE1UN/fHeEuR5fvhN+Avxm3CZHcHR0N11VrAE13/m -vKLxdwWR38h9MMwZTjjRPwllCrgjThMoo4W9x/AU9f/NQNm+VzNTz8jdgF0oI/jzb/737FocwYFg -WZ8E23oU7EtQ3tITF2J+tGIwVXm7wyyjBRYpf7BrH8KWNRI2VU3YF8WFHoU1Ji48OXHh4VhhriQ4 -9t5yAw2Qab8zcaFQC2M3aMQXJgk7PIYB4luwoGF9JgRIoEOx5Vt2jWH6YpgRYtijuDgOEv4Pw6wy -w3AwNnGRHjkMo4YTF26KFkTR8w2QgrB0ktHHNhj2I12YWOClKNj2YAqKi/yJC1yzDEN/ZxQXrENm -GNhqmPOZYa5hGHkJzkmifDCd4iLhWJ1q7GFY1emrC6s9GEYYFvUuw76ihnVfnrZumISuNUzKwTUM -A9ka5pJ7EAz9r2FeJ6tjYaatuEi8W+poldFP41f4ihFp8RoWNVArSq67hgW1AxtmbDjserFhaQbD -YQsoFhdfzr7NMvXtXouLBEbamfbCbIyuhYnuxySE32CFsRQPNt33Li7S1Ha1sBPGxZiwx7feicm4 -kMkXBsU+9MLQ6P4o3z6NizwtjJ5xoeU/KfLCIHdCpGMrhm1MQMSw7TbDct0ZloqEAs8wyqG+jAsC -aNC4mOJ8AztDaNhxxgVzkQ0Dc2gYiAe6aVwg8KJh9qUm41I5ETRMLdowBzZuw+g+NewidGsu9Y23 -5LbMhkrY5Hr0cljo7jBDIxdd8we1H2YBBrGgDzE1MGIOD4lFrhIDPxMzeDyxp6IYsIc7xb5exbaM -NXC/iQ9crXIxsIIL8Ypp2xhromtcILGMlWxc3H3GoKLGQi021lU3VqMgw7HzmWOUApriPOIzdmse -q6Q8dqzPY+dC4ik2oxqTeePCjT8Wae9hIEMKQsayg5o60yGP6Tku/BrZLHesuo9kX4eSHTs8BJCs -2zXZVaaTZemTXTOU7TgubvNRBmWPWCggU4bauCCLyvbNKlNqXJj6vbZxYcsiNy5igbIex8UpaBnk -olXPMhxn2XWzrNusZV3fslajy+aq8rKm5ZdtCW7yLIdn2d0znFYzHBfI8sd1K5nbRWfmsj/MqDPN -LDku0lXNaoHBa0ZQUorjgp3NNBU3i5p6syyDsy3pkptO5QxNz5kC09l/42KDr7Mt3JnHgmdT2lee -Fen0jM3cs1W2levmPjPu+5mM48K0oOXclkDD1XFRj8tRUmcsOgUpr0bik4MW8Pu4XM5xQQq0jAPi 
-uCgDaGjjgjj+7PX+xoU5/PvMhflMQIYBxwV6+D4rX/qZz9BNVSJULokzPcYWJNPPsnuWcbhnIbZ8 -xr77rL/Lv7Hc942LJP6M3aARATSJjKcCzbfqNS70BE1CCGubgO6PpXExV9BYJE2IZQ== - - - XGTvDxQ0UJh/04yLgoEiI6F/gVajQEviBE3tHDQPJOMCxSdbJbRkImZcaFulERoREWLMYIRpXJjV -WBG7QUOEJgnvIbQ3EmIBiUEb0+bsvZE+Yo2LlEFrjmkMmpTGRf6H6UaSg9fF1b8MGjV1sBGhgeoK -zT5AQ3N1KCqfoV1laCsEVRbzeH+2iwwtBcRYFQytuvTkQvJ8hijohvb2C+22MLSXysILjW0XmoBu -GlOY0IA2LpYntFUTmq9BgwwDwNBkxO/8MTT4CbkpQ4s7hVbpKjRT4yIVuounYjVVBaNaXZBAL0PD -Mw+Nq0U0g32iYaqigW9cUOpF2zqjaTguvBktmhsXt4hGsxRtXPyvaTDaqmDeT42L/7A0GtRqNGfj -IieNBj0YDeWKZutEI7OIhgQlMxfeuCAeZS7SPyuB+hgX0b7nxgW7ifbOEdECzCVLmVuGIHPMxoV3 -2vOqp9DScUACmhTYMjQPuuAODW5cZCRebu2vhleGdreNiythMTS2Vvc3LlAyNDYZTY63cVErMbRX -jYsuxzK0Ldm4CLnGxY6hmdR+Ci5RlZF5d84Y2isKzUE1LoSd0Lo8aEgVNBpn44IoZqBVFA1CBU2V -PGhojQv92PqE9gUKTSeycWGyQ+7uWSk0u6JCY+AgKVZoNBWaIRenoJScZPsrNNVoaH/GRcd0txjg -c4ZWFHOFRqMyLvz5yO/epjypqSyLCg0Q4yKWrNBsYoaGlHHBeGg/CV09NNqGfWinI/ih2dWGdkbG -XIxxocyDcWEwBsmy3vxsMAmt3AgNKF1c4OfpborQ3i0ukq/QEhfkqA/x4mK50NozYC20cHGhb3Fh -jmShvbhCG2XAQju7uIj9tKQHgou3XlyYrjU01WxowP+hoYWLi0W069rQJquF5mZDi/qH9uVItPzF -RYmiWa+mYNSiJW0ymg7GRWujdWtHc7sfjWlGpCHLRNLE16RBeZQGvLjgstJaMC6irrW0Wgv8pTEx -Lm7INHAYF600zZVtWlfktK9rp3Xb06L8p/U2Qq07olYrjVr24qL1SI20LLUNxsWc+zQ1ufvUoDeq -cfqpBipWjV1YzXOcajWo5mrsbq8mhIKwtiWMtTtBZa2m4FiDxoU1YXesdbqsmTEuIj9rVk3UGpKM -C7JsLbbdmjzjwk3iWkbjoq655pW69uW7a1+Y15YCX4uF/NrsQwHb+RVskkzY0BoXDCA1jYv5r3V1 -sWl4Y3vPuFiAbLUm2QQsZUusLZs6MptCxoVhm43Kdjbm6oyLHoXMvSNpXAx/tioA7Wz/Z1zomNps -gJZxYZHZCAuN2a4YF7HNVhdKmlDUqbNF97NpZFxYhzaqIW3AZtowD7VxLVWbM2RtnGpAKYPYhuZm -m8LWtmO8eF0e44IYui3aeJsF9G2RB27AM9wMvuL2n3ExHreooNwcgepjdGXiG3NDN1HGhSnTDS+q -buK8bp5+dsNWcDc23m6exruBMy5YA2+tjItUvHUyyhuZOm/bTG+7vt6mA/eWJfi2Jfk2OtK3LLdv -6xgX9y7R7S5aFqHab+jO9jeu/f9GhAcxLmpkEgAnQvvDuMjM9zeh/Imv+83Ok/0GJwHGBTEUZL8U -OX57IX77cv2Wv7goh8/fwPZvoosLlxLgVv+LC44GXO4tcHD+gYPAuCCh4OoYF3E2d0GQMAEO/84B -6eBQFBdMQ7hOiouYCRcEVDhuXbhtmOGy8IbbxsN9QyBuQnFxoohTZRJ3I8WFDH51uSb4GYB3gVLc 
-V8WFe1dcwE1xl3biQDo8cQtBAb1L/BNnGj174gyLi2QnroISp6y46EYnzjr3LS6a7WWKk+bo4mIn -YR7ksxMH7aa4PnIvLh5zcYG/4mymuNN+xVWY4kJaXIxrcHGRuVuf4nTXZKY4/IuL0munOIkqx7hg -CDBXXCdZt7jCty0unf2cx1oceH1xFjnGFVqFH9A46K3NMa5boHG28IujcY8nnmiOZYLazKJKNA5q -br/0UKD9HpBxKh7jzIx4gqogIVtA3wU9yQC9uKAa4xAtOHgNSVlc0BvjbIsL/wRdXHwvbrXFhVvz -yOKC+imJlouALS5a6Lsv7llchFyYPnZbYC9ukLdwiRosLkon3OKC9C4uRvoSnu/CeXFBgNef1ixu -VWtxxuYlKeNiCBu9OCsJKEtJl6ExxgUY40rPMy4JNo5YOM4PBOa1WEGOHwdOA7iCtloa9/uSXCgu -Sni0m8JbByjnYUW5JU45t1c5AwKWu2FcDFoua1xOwqyXezaYs/niImld8Q4UXMtbvKNl/Jnj81tc -gbstLhpss7gw5XLwFRe1yfEAUglckeUcc+qcwO7OLWueM4s9b2d7PDdAJ2UAnfo/Bxrln9OlFypi -7/8c3AC6VEbkuYQQzgnHkxXzcOjISnQCOD05n/Seq+fuPncCdNEJkhJo9ZFt0Xl0xKLLgi06zV10 -U/eiu3CAsKlER3uKCqKbVFwwEt07R3RYEZ2d2eYjm+LC6TgN0amKixYvNUNxwZAt2dxkaUF09KUh -F8rYOdPERTBFx6TUSYryfE4uvNHlu4U2KI/iIjIBKS6mKtN6J/k5A2H6Ki7GqoGf+w4pLuxWcbFj -8p6jxT23naHzus+5Allxoa2tz0nAP/ewuBgc6IoaPIfQiafryNAp7Vu0J6JLqaywzqK7vUYn7qOT -qUc6qlA6e8VFytJtiZiObDXdkeKCp5vTScKn07JQR3YcdZJ+qcP2qTMfVQfTWJ0WXZ0HxUW+Yd2J -zDpt1bqo7K1b9bnuTlDJ4sqxurcUF2ASP53rJGIUFzrT0J4LRNcNeAsHUbtWE5BITXERjcnP57ri -BZzpCwdScbHbSrJtAYlCCUmQrlODrhOJE4sLQm9xEb51KRdIa13MlHv86FnaJxYXw7+Cbr51jaPr -wkx3K5pAdTKKTde9S2ZfeKAvI1JOxUXPhDN/5ed1SryFmXhQXHCFmbhgV3VhEheAC01I5UUS/DrG -3eJOriIumqQa4qKr3x1BXCS06HU4r9cZaSJ6ndLEFJChrTof4qL8W4LNX1kFceH+cHG3h4uJDhf1 -n3iKMHjfZ3JdZ0aJTeWSVSf4cFEnrZ1qYFchetbhAsCuyxwuGruuSyFUz3K4kEDV6wK7vS6h7joE -I1jyXafEzPdwIaqzw0VqHi7s5st9ua7z4eKWOOidknpkig5kYjHBhd73cJEv16FjKrj+hwsuxnUT -Dzd7uFjmhwtZ5rrpKY3rXsdcJoDdD+IiBsKuWgGLROyimVdjB+3gsOMhEqYXf7hg++xKCW5/tBPJ -a4faaTdrF3SxHdvaThIz5Yrkt1N+uFODuLCOO+SHC46Wu0LERcbnriQccXH7OERPd7QD4+uOaN/i -Vg+SxEUsmyxxIRvc9SYuoEnvMjGgyPYunXX58Ix6+84d2O8c/L8LDoFnoriIYgSPTXHhNHg5ios6 -yE57ZDYO2pY0QiKt8CAUF+UMT3s8vK5FvNAFbbmwPvBgnXgWcMWbeKxNvHziIgNEvG/igjw8E5gh -Xo0GcT5xcaSIh6G4KCeeXwmK1+rEW3NPXDBPvIYmLgKKtyQknjY2iddFirclLo6J4uHHc1q80bTF -U8FHgNpqtXG6Fo8IHk9cKDfG22Jvwo678STe8T4XkIcmIk8Fg4NsR5KLF72VN4ji4tqgLQ8+20d/ 
-eWV6yDzsth1bNE8y8fJZm0fgdkjJea8UF8naefWk4vfdnrewBb04Q9GzQDgVF3E5OcWFmHZetT49 -q4vUe1GpHmy5eqIoLmwemqixJy6CW48yceHc9fJLXBQT2NOi2Pt6sjf5ZuKCz9mbLtCdMM+3nuyJ -C89cexF+c9szVAXuwUZyT4SEdO/ZT3sWiotkykHfcT908NVLVmV7L0Z5TcW+B0pxwf+9qCL4RBQX -zpYRvoCroR7hwwUN35Li4hrxeWXx3b7GN4U+vtFHvrAR5bsKUhUhZT5luPkMuPMt0J2Avpck+tQk -fS+KC8VNX0Y9cdGP+r4Bq+/0Wl+UQUMTF7VQDSo4IfWCATa0r0hF+2yhfwvFrAf2/2tK+2BMN/1/ -i21/i/3wb/EBpn0IjpIUIvpbrGVvhIvJhFFzUrZ/Cz8pbt/bGP8tYjyNqCnt69D/0z5BEoraF5Xb -gqt9vXpGLPXAAETMB2uf7W8R8oZ/i/YZI0Kqfa7b2nfqta+NUdi+bEgfGnoBEqIY7tOX4KxEMn3y -v0Uf/xYXwl8R1fPt0/5bNEbGBBlvX02pSIrF0ucC4KI7iEeocd++q4koy+fSB4pLdX9T2X6Vf/us -vX2WyWBQCZh0aOdNKOBCtSfy8KX3fdl4LRAh+/ckDbiQT4N8H0F6Zv+uJl2ljfz2BWG9wwIXdytH -b18euAhvn+/2EZLg4ua2b2KRuX01276PgS+4aBnoFmravrKCiw9oUrSn2fZVgos2ep3aPjjDB+jz -ve2b1fZpwjEgzfYBjjNEqWqo/YJECAAEwNGzJTlDgDGyfUDcANBUtQfStH2RxgrJWmyf2umoBH4j -lFkA22dpXXhXeWLwyqeEr7aPm6Rn+14ZYMngQv+Wng22r3WKoqzP/toX0TtrXxDYA84QUY1mNcgV -LMzBRbL2pTE9uVBq9CGz9rkR396gdzME17WvrscYa1/Xat/LZTeEi57z7VOYtR8vJTy4OOY1uEDf -MLigtMHFanZwMeaDix1qn/1kqfb50tqHu2vfq8/aJzutVO2DMdGZtMLRZ8k1enAhvfalXRBa+z7X -CeFiZX6KE//g4lrVV7faB5IiYp2f2ofyHVxY2hjVPjTU6kKuo/bpyA8uJiBhMQQBTQN3DcgEvR9A -uNht5h9c9DS4sLnY0MFFYxn/PvRpH/Hgwt7zly1A0L9L6E/SPg2OHGQQCET7+k5IkIxizMHFxgfJ -ZpOlWpHI4OJIU/yQ9oFwScMXXIRoXxtQ4FBLcEGXjLCRYYCCC1BHBXKZvbTv0SexfoKLf2B/mvZ1 -CQEKLqpShWpfOl05u1WysODirbYKfZgIa59DjOsgK8/tite+9jxkfx0YXGhrX1K8ngUXgH4pVqoH -ka59qX0oI9Icu3eI7bu5175MJm1BsX0Yz/bhyplXP4W29Dj1/a0B1/YpDnZu22fd3L67QuUYpMGF -sNzXwgGESSTh6fFqmx2b+wwYXKSFvsHF9F+qXepz0tyHX0/3CQcXwg3oPsCDC/0OLkra/AYXLH8g -3ce5AvszuLhMRYMLDei+tiYUssFF31A1YrqPOfI+FXJwIfW5QMWFBhcXEHifhDq4WCmtOt9Rg4uj -I/k6BXfSzVs6PmeHtShAxE/PzTm4AC0kfv9NrTHedysNLjrG/Vpyzn5ged9/J8/7RDo0G1zoLAYX -ZJ3lfW6vwQV7DC7mCy74eACCkzTvgxAGF4BfHffZbHBhysPgwnKv71osA0F/gwuE3ocxuGjp0OBi -bq7/vE/2Mrhg9L6Wow7mfXIFF/6l90XWFt+Zjtq8L2dIggul9+W9zvtK5jUbfVe8Dw== - - - xZ9rCC4YVXhfRWCCC0BCeCfeRwu8r6dV8SC4eOS7L7ZcBw9cqOD7um1F9b2PqyWgxt53dO59K1SB 
-iyxuPsMjcMFipvN/jO9b3/uuo7vG95HK91mH7QNNSonR8n0tfJ9QrjkXuEj3wfahogYuLH2+Z7LA -BeedmGI76lH0Bi4Yij1wgfp8n3cj/HmfBi7+fOBi9H3uMuTyoVOSBsEFrQMXKU1fSgOn8zdwsZUe -uBj/+B6ir498H2/1fbJeS8Da5vuqXvV9Ufk+doGfzup8NRBpnj3weyC4KG6CizwEv5ZpeliEWmlI -VnBxohZcXBD8JDXG4IfBwB0SBD8ACsjgYnLBxVwo+Hmo4AJeEvyMeLtMcLGwZBwFFx/h/YsDv0y6 -4IIbPrtYwQWRe1mCCynwIwa9mQguxNpJcKFq7oGfdQl+v1Lwe+UyCil0iOBCH2HF204quIiByl3H -ZE5wge16mZrHJqOCC/0TXGgACvVi0uD3NBBc2Ceegx8m2mH51jb4bY1xwa9iBBc8JgmMkpADF9Rl -4CJN8HuPG5EUm2ZQWRc0+N3awW/V4BeOaIcD8eCnTQtcZFwj/HQGLvqAgx8UdeDibFoEF0v/WzwD -4EJH+EXzdjPhB505/29hMQ/gwiCXEtWGgSPCr5AFuMAf/EjAhT37zmzwg5ogBT/fmRuDX2HABUd8 -ARdzIW4SuMCybDRvgYv7huMkiwc/gGPBzwEMXEAvcAHUTAM/J0HgIsvFAhdbkeHX6sIv3PFGhl// -pkMI7gs/aUqK4CKNUIKLd8w2/M4RXAy5w++tD79rMMPhV+XARez0uV9b4GIafjWNUABCUhG1/x7b -e0/gYrf4VSkjkCl+jwEX8hVwAVPxm86T1OIX0knfgIt/XfwiaEWQn1YFLrgELq6xhwMu7HeRsLEY -fPycwEUT/Pf44Q24IC+ZSCovObst3BlwsSQvwrfoClwEBd0fv6+EdHDd33s0/Pit9657+ddJo9r/ -kgjyA2ayVxmi5D6Pmfr+6+M3FPLqGyM/Sv4smHd9b2IwiXRosJ4ZcEE86xUEXPg24OLvCFwIU5Kf -A1vyO9zkB4yTnyG5yW8t478lP48pFbjgEbiQYcDF5o0oaQfyBFyQSC53WxK6LXiSX52hmVy2yEt+ -RT7UzheY/GwLoTqCJ7+UgZ5b0Q736QAXJspPVqX8uKn87GTiixIIGg/ggkX+UflhA1zwlV+6yo9K -/29RONOW8nspTXnBGu77JoEOPnwuNLf8R5NuFeUWDu+/hcICcLFL9WZ/nvLLzl9cgAuBfmUGABfa -BrjYUan8kKBPeuUrv3jikIALZjDlARcTLb9yp2NZfkJNiK789h9wAffF8AIusqPMIZhUfjEBgAuL -gAZWfnuEkPIDqaVk+W8xp0utc6j89PIZD2gDuNDlyi9qlMqvuf8WekyfzRdM+c3bFq6i3n+LUoMI -4AIvfX4D3Rsf4OJtmFKGnAnxgElflR+IS+E94AJHBC7Syq+E4y4S+OtRlwdcqGlH81MxT76A4fI1 -84Orlc7lUrxNAlzQSojqV1Lmx3Jb3JL/b3G1v8WM/RZ130hDpZogpd/i4/MGAB78FtpZ8nDfQsnR -Y34Lcub0xfBbZDwY+bpkqSTzQpD5BWwLdpLYtxiXVN/iS9+Co2NXGPNrLRkHO8wvQbukSWffYvts -afM1tuhbqL786PMt3PItlodhfmC+ha6+53eXf/kRFkDf17fYUFiD7HD5efoW2atv4Wno/rVvUYCn -lZ8HqG8R0+gxiD+sb9HE8ntnS2Rcsm/hpzvR5Yf1Laxv3yJsyy/MRuHF5fe8b6F0pslptiWcjKL2 -LXjLJEzlJWNabf2SXn7wvsW4/DqOhYYV+Vp+KvsWJim/Re7ot2A24FdohwyXH6y3xY4o536L1LKC -kfO3wLi/xZgTk/CGx4cJhERT/y1IDsAFcvlJof8tVj6AC/nya/tv8bFDosRQU//B/Gzl3+Jw48ww 
-4svPsb9F3ngS2hjOJMz/LdZ6mN+d/TK/9m/R5/4WXy11zO/wtxDt8iuNHWv8LdwAXn5cs9/lF+tv -kQiJCzS88h38W1gajruJ4eXX+mF+xYW6NvN/CyIu9PITCYALrSacn1p02P++DOycXxWRJWB+UV3W -yQ90W+QHuFAfwAUdzr7EfwvC+7cIj1/tb2HC30KuTE07foD9LUJie/v9W+wBRRPQqOV4zr8q/lsg -FsAFPqP336KDHAAXM5a2Bi2rveNtwFp5Jj/836Jc8nPJ/FvwX9/0t3hXLsPF5GfE5Lhl4NynrJ4+ -tR404Q+dZfhh5Vc7v7sepx/v8JOPT3EI/sWZyS0Dimnk7QPtmFuGxdKoXUZFWdGxQL9NMoYKLO+2 -EJR/8L4IVUlNWpj+LXg1Ll5k7n0F4c1fdH91/xboPf2Qyr+F2pzKQOpNlLs+PejM6oT8Wwivk3aA -T4IBXSflv334t4AHAxTKGQdyymLH32JC+1VE2t+CPKEMZWLs50hR7YiGMfwtzt/q54u/xd8xcSYd -7bTjjeq5hnZSUJVXNH8IG2Qf6HS24szfInSC2ExPauRPDgqU4cpVIF5VYwFPGQ8X+egZ6XTR6VHb -QnrHu7wYoch+Qf8WudZJjvxbNC4yeKhUYxgnCvY23CbP1c6/hZq0ioMMDinFrtxYIMOavDKofVUE -qTRYdUxEwVFTFmv49SjdvwVTpijiFPpyQgtLgBovLiNYBg//Fj4OpgjtpzTXeiuTnMFR5LTwkHDB -JIq/hamMQTnY46Xkb7HKgieWAJkujYuUgqdEM4XK36KtGjm5II1IR7kxc2df+1uUrHzyYTkpfn+L -ux7zkXrOJKFhejL6f6jQBWBX+DJ8V/X14G5BGRaubjGYDjBGITBFuPi3GCTdbcdL9OYFiqOY+reI -0u2XFCYkIsm+Q/r9gUujBKAjCfSHqWCX6/QYsqaWL+bfQka53ftsV/hNqXcFo3+L5IuTN8llgWRs -lfZvwRwt5f0tApAze8SM/KEJJeeSXvP8WwDKplS+c0qQFfdv0V3JWjuNxC/VeSViEnaePWGGMInH -zL8FTC2popT2R/rf4nbDkJ9oIxa1ABOPGobdeogbA5fUxAxta3tx5uDNIh+43f5+F3rHTwIM98Ln -vwXFEsGtqKtOYfCrJDBChv8WxA23UAqUUKIPeiJpE2aCSfJWahvBIMBF0vL9Aw+0l6ekXBDgAgT5 -p7nGinnB5CEgZg59SYCitw8pXDFgJlGACyeup68XDO7gbJs34oyjfBKgJNdfdWaAi60Shy7YsNLA -Xlvq4sUGuOACMxVIReMhTq28GuCCc+r/UApwsVi4GDKpdySPDjB+4YOkmXyAC+NMLOc19QFhFTC0 -J/2PiszCJP3cepMBBgfWaGhzj489GGBovHF7Zs1sTX02qJ4sVt6kCnAxuGlpvBlMIsSwA1xESao7 -n0W9MW7JsTJl7fiSlDLV0Jqi+IALuAiaJtnCfJLy1W2xqgKTNrxe3xQ3YJRuE497aV37GZFB+LeO -WdsEXMjELxWkf1QrgoCLbTwoPywE4CGggIvE4GFMK/o83wUFvGHihG8XcKGprnq49IPyS3M6NmIy -BFxsDehhp5GKXZ+zARfOe2RDeaxY3gdcJM0KgAlkT7Vx+ynVl/mAiaZNaCZwwRvyPlvmcripBC60 -HEkYqdTovdAQbF2TdWzADj22SkpQQ3AXlpMefNlAVnTETQMfgcJWeE9c9sm3rnQs4EwE0V7gwofB -CjqRogWz0kBzSbBnIOt8vVAGJi74hHg00TsoUQMXJIe6098vhGXKXdrABQr6IrZnRyZy9RwLiQkD -F67WQjKCi+4t9qXZpV0Qn4/gYrnxaiz6eZHnwt9glnd/BBfwniuE6KUBRDwuCq4tCi70Ah9IdNJK 
-wUgruAjVSIWmNeBdC179VetNDZFUcIHtnJc6si2aggtbKMmaQCXIAr2LWRMPkd6eruf4QRJcUBmt -Xl7ukzVxtQs0kZ6mNTY9M1IfwUWxsBFma6rpDalYhl0o7gpZeqhTk1qFV0mI6yC4UJKGHp/STWYi -uChP7AO/AHjjBpmFIbjY5Oa5391kZg1ZUYrgIvHDzdg1+bUMrCMILgwP2h1oZNFS1dKFulln0u92 -j9F2f66nLoILWX4XJnON6cH8Ft3ShVyyN9RdKlKlPRNgBOIV20EHUybClQCg/HAxqMt7Kjud0dIF -8+otBQQXzMPmKoQdc3TszPIILh7caCxTYN0SOX4ILqbr5tbdt7p0oQlXPPrC75WswB4aog0FF0tp -E98P6UhOfU7+ds8JLib1pqEikyW4FqJXP05wQaGO1GURnJC8LGEquChuSbjX9OuEFqmtiq/tsfZ8 -0yq42C0wVeEBR8FFJssCHVLwKbhIXh1G6gwKZyKYSxfo2QNFw0ZRrnXBxc1w3bX3jOvBQgElXrrg -Kjo3pIHOCOG18QcjBpcuQFeNv1OLoHPl6sQVMoHd7iJSBy64mDb4HU4B6IoTPrVLF1p6ESvCPX27 -KigvuBCOl8UImoT5vfp7wQXZ9xpKSq+aAMTibhc46I/VAxYXpT2CbMCVklxsCttWF1YaVzotuDAJ -GpY17jCAE46pN9KT0oILdSoQsaWt3adVW3ef+4QFF/3jUNXT+3pfUXHfa0xM99KFjNfiAq1ZjxLM -A+aP/tIF6zNPxaMa8FcRPUXfLl1wQKLpclsGc/ejuZcuVFNOhwT/in3YYcEFISZzrYVCeZC/mF26 -EOsQpq+5g4R9sbngQnNFJg9Nl9wPruRYUT7cGh7v4rzIpQtdKQI4SGGbEQugX7rQPMJvCcUNNAqS -V/7tp8zShRq9WPcjCXzS0gUVNluvKgsuVERyu7XxYPfzFlwMOgzgu5Li5tpXIVONwQXYNF2RHFIV -G1wkcNdhYIsGFwNQaOpZwZRvuhUVLV1w5lFrhcUBLGRYDS5iXKN3qn7pv1xoCNU64JCWLjiIG6lN -LoaQYKY8PdhWANPa4AI2BcFx9TIv9QbZ4GJn5RNii3XylKmUBhdyGDhaQmLCOZYDmK68KFWw0gX3 -vgtVtQYX1OJ0ufa9sPii0oW+IFeAlsfpFfIY2ZetfV/nkJJPl/cPLg5Zz4byDgJrjZcukFirXXzS -WMK7yW3UUVUsBKcLgQ04zB+CF3sLHlzgskmNNCavKBkcXMTyEhSUCZLIK/7cu1ldutBkGYWFGxqo -UW9qZePgYkVuIK/p17h56YJbwKililZoF4+Di+a+eOAA2JOTNVfoVLRI7jk4TewvMbgI/SzLZXZe -PZ0p8HDpQsGfgIQ+NFv4Cy4GogTAdKFDLrNIztngIt64QR2j6QIz5VPlrlH8R2JUxz3DF6K1hKYL -IoBGiVMMewtp8SBncXDRBPDrh3gWUGI1P9B0YercQflMrHBwobHDEdFKo1pNnClbuw4upvZJN6h+ -k/X7QEaU58x0quI7HFw0Sjb5r6FlkIVhkWsjMYXSnwvQjC0yV98nCb+szyPinwu1zg== - - - GLPANX3AZN3m1J59cGF8gM6F3MvWMZ806MGF08ASj4yhzuk59WEFg5NMJ1Rl6zumc0Er5DPCxAAq -OJQ/BxfaQueRsWw7Ohes3YzPaJEsyrGODJ0LcuExwqz3shvuBhfLHg4tjeBPqhtcrOluQwYD1p4O -N7iIy1YE+LAOMOhc0H4iH5BokfQLghpcAMojUkA/U0HfwQVsGkeApyL45EsGUq8SvVjOBactbvgJ -FHl1dhxcWAaHVR1VLWfoOei+l3PBnqEJlTpNYAadMhfGhYMLVf4pDE9UweLgQomMtPFe4bVmLOdC 
-dWqG+ROiaUukC+W+2NqffyJFyI/KtEyFvXe+2GkhXMB6YCLnHoQLSBAeYXOKyoxoECBc4LzrP7NT -p8sWARs3PMhi2zlK85VsbbyR6eRMEx5czJ0yCl5BJiulpFWwckSnw4OLX3QFFa4NOgcXJYoIsS9F -DNeRVXMuOGtklMXhXlipO7igqiUpiZr28n6nJPaIb/NDDAsrSQTgBhf9psb6G7hkFNGiwcV4SaPh -Q5Cx6kPAnAts0Qnyar48N5ZhMKjKdRKgQucCkRMWGHNlp3Pe46k4uKDQgx65FsrIuNC50Ak6SrzB -R578AObgopJA2MUFDi7UdVdoAbA4uCgk7o70iIj8BMjVDS6iT2U0Ibe+jAv7uw9xfmhwkV02qBtQ -8GIriXplLSX59YfOBRH/4xzqSOQNLGtwEeP/37H9iDBJAt1MDWzoFWqAxz/L0oXW7Oe2WPTHxS1G -bIeucVOhEToX+uVZgMy6gv01bZy8JF4QanCRVH37OB1blMxXbXCh2Qqm3Ga8CyT8J7xz5A0ulmLh -jH+0RckGF+tLeLeyhoZ12uACk3slvZjFI5jBGlxgCC4Q+nyDC4XDBx7u5lxwXFBnth7/OmfwEypO -S16QchDSOLvY4GIphbrMwtLK46opPUAo0ExMbNTiIpFqlB2pXKaLWwAbU5uGpQ6CgzkXcp+1UzKy -4Pl074yic5xDQpbQZO5OU1M+54I7iCeuG2Ho5lxYuGNSpb9tcFaUgguljwGdsY3T1w9VcBGD1KqC -7wqXq3BL2IK8MfDLo5tzQUAjgeOggos1nAwFZvui/y84OBVcKJFnQrjP9LYF5YXgYjc2EvNhXZU/ -C3/Ohe4GdgAFmUBBSeZcaOJElODUQHkSXFCB2YVLbh1/ujwp//FPCtxVIY05nfaF8lZWJ7hY3ZMm -wkZksiFVnk62M5I5F/5J0nWM6869QWDiw2bJR3BBeT8jMmDeuI8ZPb4prU9bL6EFMt0Q9DN+I4kN -mmFRuRirL0C3nnwIrAioEVwsORe0CzoAaFSCC5URgTI8ZmGblNLt1hszwQUuXxQa+vg8KcQKRoQm -OCF3fcK6Hl9YqkmCC+26pn/7AWGKSSP4zvLzvUM5CS5i1TntBl3whx4MVblQqdg/1gMe1UlbFFwM -limQPkbGUjCSggsCSwWkl6LM/4iFTAUXxFSJD/lWmsPXLVg/MGp5ewUX8DUexMPaO6aCCw0e1YU4 -s3QKcGltC2hSwiKhGr+6Wkq1CjMWXd+B0FIx6EMq3m/x3dqCU8HAtaCOEWiK73ZrCzb3FCqFBFxw -cfcw71exWobbggtObKLoxoSLWA/7HzxkRRdcjNbzDQpKghU+XwEsuEieJsJNX0QjF7AFfjXCNrqf -sr4NpWPoM+oFF6EYvMo2U89kZMHFqIyaXAUZqyV1Roi1gXH+7P0FFyTc/Sy54MIk4gfYpRuG8QmE -eFQL4Y3Q1a+sMQswf6YV8CSltqXgon7SWL1qpzA2m5lHzT0gB4OL8L4aEbBSTjdaWGy6Yi3Ru9yT -aBoyGylY9gmDi+RNrCxPB6TkTUY1tqcYXBCW/SWX+LqcjQvE5vtcxErmCHsiprqCweAis1ODfMi7 -ZdWGM17TXebmZ/MKGfoi2DGDd73jMhZjE0aVV4wjVToMLtLIk5Ku2dxpKcAbGXXbBORYhpfDGFxM -UdlrAI8A0jbINnFv/NTxkcIr1L8tcMonG8Tp5i4eM7gAPso7I4bMm+q/ip0YXBiZG+mrFusQ7LXn -wsMDGrzADC7oLJAj7wfdQ+VxKBYKCdUKH3jBQWv6MP2MsrWc0hhcTDwTzVWSrIbjHMswQ+EYcFg0 -FUTr1b34GVyAw2FXOjgMLsJAaiX+dgsusMN+PEn5Qjp6BzOKwqO8q3SFcuCCM9T2r1BP3CHCHyVt 
-+hXKL9t98UcvDrKLl7bggsIWkKRX34CGJ76Ce67PKfBdCDYLLjASHBseaNgx9showYXvShtCTRqE -vWTD3jwRpwsu3q8FZ7TnK8q679euYKYFD4Hhv3FdgSveAV7hc9vI0RUpN8EKuPwFFxw+JGFwwTAy -UxptqfGqRzS4OJSB1nsq65K+0eZcgWItal9K17CJvp5coUjB6DBIygxfG1yY9Uj1Fkw3JJ7Wa24K -ETxCFTLNj9bgIrEyBlygP4HQYtWLo1JIl4MLvcK1mXlucCFizvYw/QMVOfUf/oTBBSTavML60RsH -IVFjYFW3WToDgcEF6/ZG8xAlxl+zuA5AAyvBh7FAD0gPIPTRFlysBv2XfVrwQ5aAZljAeWJacDFn -IkQvZan6BRd5pjw4ASmFNtUdl8HFxExhUa1Ioa6SyeBi4EdwgNIoOl4F4mia5BrIPAhPqeA5UXZ5 -3qm7jaD/tF2Di5UWvbBK1WhfATlwFfTOPLOlpKS82OBiU8QEbr6hqSkFXIWySZZEiaQIK2g6GlwQ -9+sR+ZbQ4CpYb2o5ssBV0L1or7BL7AtXwUqm3/01uBDNAkQSshx25lNrcBE/yfv+V+Qut9RtOKsD -5wy2h3AV2q2hPDOSz8M0g4sN7Y3dUD/JSQMzg4tBU765x4swz4HBhekVxOfpJu2GVtyHVdh+kqho -LxTasmohTwlXgXMrvi022iG8jXVsxSQlE+EqdMCHZ8KaGFX+cBVMkCJkNFpbNjAIGh2owQU2RYjk -rmyqsN7fBhcUWevSoGG/YsQaAPJ1gws8yukH1/d9O0ve0cMzHuAqfJnaLF200FLZ16vBRUGw8G9h -214VS/+3CizVEThU5tujQ2K2ouE6rTS42B13hZ3X8z8Zw75xpPdCwEsQ+jZQyMrYDyPRFakRDY6R -MQlncEFkadW7/EpmVvWqkXiobxWqT2GGBsz6HMYwuHBgIZcdKWLw4TO4UIHCINbxp9Vx95uNwQWJ -9JGV2RBq9TerUEymCCyG1sZdsX1MpxYbXDB53oH7JlwJeRL/P6s2fCeKVeg/Ykh/ljQaXFgPf9hi -U/LyHlivtnAZEF06yMUq8ATLpVhSrAL6HYOHY3CRRRxFinHuBRIYXCTWsjghi8GFvHlhEf3cN97r -qmA42AmX2Og09HKaZ9CEaIzDGVzEqSW833uxmVS54MJmkhASseBCkaf7f4tKoZZEpt9VIeLjKaUU -hZ3bVaF7KneByU9GKgK64KLbmhMgrX6IskELPpVVYQt7EU8Q+KD2gouQ0jhqppe3vp3jrbfegouo -yxqlSTNt3cJUgRBJKkwLTFzTowrzwBJiFMkQzIrNjWYjWtWXMoIAyymPKmwH36DgSYUDpBdcjMuP -xtuXkYHlt8F93fneowoar2c+NYiG0KQs4Gye8ng6IGSfwQU8jnZ9ROb6eAwuZk5TLuj3eIuI+cHF -5ZpIvZN6wcUxoClEQ16x2ShsKqzuVFjFBTs+ChtTYeJZQWqA0iPZReABHGS0VIDF0pZPcJQKwB97 -D7ix9D0H4jp5BheywZJB0d7CcEDxlz+vp96RCo3IWF5WeD6ekA0Dg4uQ5ZpFyq8Rehk4EUcqNMkw -SF1aWcTZbh6uStsZXEDMHo6do45UoBVIAg9ey5BdcCGsaX4KE7D9IhdcjHxOhAmZ4qKyIxU8krr2 -O90DlAjbLbiASV45bioTNgk46UaOc2KElQMV2SPBxa1iEP5/YUqitQQX4t9qCxWTM5mmIxXau1NR -kjBbbk9S0CrN1vFIhQXP1/5SWPNNoP9Eut2RCuMqEIf71dQjuJCZp+LImZKvHalgXwXUKUvAS3Yy -I7go8dLzoni9b0sbZ3fgYt1HBc5zawg/59nC+vLPalRooTZizh5pdT5wkVZixUrEn5EhYeDABYvj 
-gjWODQRcZnz5gYtTEAuD+Y91heReNcYDF6ZsmuXOpd5CMf/H7Eu51X7goocxLsKBHpvwNSpgYCdF -cLFRdETmXXJUo0J30R95QwG5VaNCGQJJCP/lD1MHLgie+pQpW93KV3vgYmEsBRqgkr9PU281KvRA -wTl8Q4hzHLhgo9GRW98boNLtgnTgIqWMNAoBgG/KPXCxNAgpjnGxBcLBuOEk7QX2Q4y0jOu3EB+4 -UOVnwbvJxGUD/qlRwWpOom/tQkgZuFAlWNUhEZICFxGOJDjkqEaFtMgXrPnF13TVS9uiRoWywpx4 -HiSzf0wtl8y/6emHXgKBC3PBKOaMuz/ggmyW2qUkdirualS4hrVvjMb5lHJHbcDFS209OOC7BwMu -1LdruyX1np6EAQzABz42EAc3USAeEfHNADwAD8AD8AA8AA/AA/CIOtAP8gf4AX6As5x0J91Jd9Kd -dB1Dt4gtYovYIoB/4B/4B/6BB6Ojo6Ojo6Ojo6Ojo0vYj6MoAAAAAAAABIczXznBOKiYEyiFSnTy -0Vv4HPv517/XIGHZCFnNlH4VT37S3yH4vKrjU/2mjDwm+/W4aAvVKAgXk5MPfwLiRzy5aWZJfDy2 -1zIukQqU1whIl0GighGCgjH5KU5+iud+1W+vmql9Hjl9Xj3u4yTFBI0YHiwhKr8tA1YK4sVLDJUR -E/0msaOFjhmYGCevIVqs+IApuXHyskHCevE6kYA8ITddATOxwAIO4LGCksQMmCBYqNhQie1As+KD -CpYdYE5eRh/XDT9ACB0EwEEDhoiqh0rsRkw144Va+ewsOp4/jvSiQ7xg8UlJGRFPgyWC8e+XPt+R -QhLbc7fTVkS8Dk7gAZiUSbSaKn/egkWaOX1QRH3s32kxpEVQxKJ22IXQsQWvJvrMctUUi7ZIhYaA -IUnBaZL9bgEGFEAAHTCCaMFSxAuWFS2TCG7XjhvF78vn55L0qKSNklZLyGexEtUwUcGQepV/N8Gt -RzVfey0jJYQAO2LAIGnlYInpYBFp0TKheHDSq5Zk9h5B0Hr6aDFZ0SrRIGHtsCJCos+pN1XFrMlV -Y1Ci1U3DfF0HzAoRNGiGmCHjwwqVFjETi35JLJoC4n+IoSKFarQjxQUjhoJRssKhEkvZc5OK0l53 -i2SfprhZrmjYhklrRKdTmD4mfR3LY9j9lt7ThcMsI5+kr0P02cS/YU5/yr+r5Jc3R9nbUq6qgvTb -CFHBaJ1cRB4Vjz6CzyI5/aJfVw2PWpWHSskMkVYLV6nFq/RC8qRs2X9XGyVVeC2C2dGr0oChXKxG -KJ48JK9bdVyCV18t69GL6bWrjmdUIRonLRmUSMWDp/R2in+/mDwpnSYZeW6ojLyE+g== - - - GiGlGiIlHCQnGyGnFVAfctcW7HCUnFGFRHbZxJdpTHxMCJ9ZhUb+3aXbIhctyWiMk5YRMFKkgPgY -I6sXsBPJbofwN8hdPewZatGUkF6EixYfLSUxqZDJJ0+xCsWoQq58JvnkP1rE/Ejx8gAeNZaAIYMj -ZKWC5FHpbdGKyh4XYs+XkmgEn228Ti1OP0t/u1wWZJJ5+OUheHLVFK/WyM+P6LSLFgmHScslxKN4 -bhVRj6Lj3TxvUVy1zuckXf5cR0krRvQxyemTfEa54x/0RPC6hxYyLabQDOonwgVLD5YQmRMIttcj -Pd6rZ8ppvVrG9psnQRScrliFaFSgFpEHds8elLzHT+Szy7hSJD2+gkWKEaJa+XdW3LZouEXDfjl6 -zFJFJCrB7SuvYXismllX/ZrcNaSeK0JSNVhGXqSIwPwdptMxKtANldaNlNaKFemEt1lAO8t+VbBE -RKhggeE6tYh8Ex8vwWuVu/ak+FFVvSTlj2vdMQ1L5CLyU5hAMTyG4XEJTkFqiZJZEryS+LcLyeNC 
-8sScfhpUqOXnbxG8x9Bzln5J4qBXatVcBG/QC53lqVVFqPmX4y16rRoOraZKZlU+ugwKZALiW7yt -wukcNV+wu8sw5JZLbmp6VdTLumb3NbspvN3i2VdxS3+aiD7vWCEx8fix2RWp3xI8TuFr06uaYlZV -xzGcVmH6V3DaitUU3y7Z7dY9/+qZl+LHbfWzHNFpGyzSDCiPIXlgeu3C6RO8ruQ1RKdXRp4dLSU9 -VEpgQr9Jf6/olwSvoTbtz9EUr6mZfeHwCWh35TJKSB/x2COeW+TPTXeMwmUaV0kGBTLpb5E7htUu -y35B6/mjZW+Oq5hFzS2Jf4fgs+gsPWNISk/Wy3rKkA49VD2XeHKWkafE10vvKmJRkquCVhQfR7nj -6q9LwWzMhmNI/4rUKWbXqFYlmaPOZaTUNMHqyUVXqEBAtGiZYdKiYYlgUh+WLfNmOYffy2W6GIbS -sic9lJuuWJFWqEywWv6c5E6GORl61DKknrFbHtHpFcyuYPY1v6PU9MsR5jaX23STTMlxiD0/KQlK -zf8k9xEk8eQwqZHJ6P/dlU9LEU/eQvJhN5zy5ysfPeXPXXbbQupfwFQjuo2CV50MV3EbYsOruCWx -qi568bYRtWYIT6N4dJeQP6LPMRtGwSwKZk/wipeh6FVjen2SXdKrsmb3JL9P7PpBz50cZ697tUwX -QZjT3i2bPa43yRv0dvEbrWjqXe+P20UvVsssIY8KqE+BEq2EPP+q2uVok+BHNW/x488xtJ4jt3yC -yy39vcLfpfXEQy6lt2nEWKgYJsHlFk++0tsrPB1Cuyp4HbUoyU1bc5uLnccMXTYc0+kQ3T65q06G -+UnmqGlqVVebtt6U5aOjfHaUD0+y2ylX9Utw1KYqXKeV0Of0sqm5Rcns645FchoFs6iX9ZzkanZf -hLBMtIyS3ZYNp1CBXlCg1B2DXtVEvyraNfHxEX1ezWzJj6/kdqSe/Bii2lTVOv6Kjly29bYj8DtC -w7D5LannyGV5NbVJ0VTLMPi1HkeLoR2CnnOkvc3NNjbYpeI2H71PWrpuXGXjo3YdoaVqRU3quYNe -H3ojOU0DO6Xw2bXXI7/OsunRuv5lmX+g3XX+KNKdhm5Q6KPokueSmvqkuJMh7W03yOGe5pPixyRD -aBk6y5KajtI0hKY0+OHiOIOh7Hk2+MHdtpPhByXxrzutqIuGUXHLm2JOgnxa9igZUk0Se8ZuuUW7 -pNUcqaVvjjXY0Z7GZh3PObroN8SOPaV4f9v9ZX0Jklg0lJ4md23VcuyuRyrKgtsTm+5kqI/hR03h -r5NDDxdBj1mSVnSkmiPV9JRi3XH41+UiGHdaX4q3+MneJnPZX4ofMszBzifFkFmSUDTVqiT3fKLX -rzo+xW2Pkj1K4uO3m+Fuhiq5HammaT1RLOoxw1SLvvh3ym7351ji4ym4/aDjCB1dsCpCuyExy2pR -0Tnq5GeC1xfSByW7p3cVoWVJRUlrKnLXMXoWnWRpNUNwGeXDv4g8JXutelcRWqLglaS3U7H7SU/X -LY/cVDW/qbj90TKEmn8pntpUZL9rcezNMeWqLT/uQhVa+XcWDX/WUwWrITl9eleRvm4xfVQwm2rT -TzniH+dmnHfb4s67P0/1siL5PYLbI7YMQs87/Gywc7dsBEFBbjYnp3NyNvkI9qQnOscSWp5aFQ+9 -mNPYrBNy3b0c6887vexIPfUQrLuu9roQvP7VdN22dNNKcMyb6C2OPVnGWafmuJrjUE6n5HDgzlOz -bM0ynhR9MfzHkAfBNsvYDmfuuLjr0E72m+jHPHlR9Izkq2koZ4N2OGmH83Laq2U1t53SdPW2oXO8 -O60HPbvj7g/kSRLNOrG33WGHe9qnDD9nmYvf3GlulrlaNnudzGn51/lkuIve7W0hkwSR4wg9QyxL 
-g6INfj0JjlLT1bb/KN7fF3fdu2n5GN5i+HLbyV1JqemLIO5xs9YRqScKZlNxW4efmnVODgi9ZSHv -+oJZ0Dm22SbWspjb3m6TQQ60li0efaSOPWSoh9znJEdsqo8hvGVw1qE57VOKLHhtxSzKVX0y9JQi -7W1stqHBbdSqoRT9lCMMdlOs6peiDXY6KdYimIrfmBDIBQqlet0Qan5M07SmpxV90fIphj9ruoJd -1cueWlWknqLURL3sJzX3Uow9Tv68mxT/tNRFzy/FEFqOUhMPPZ4M/REUmSHMR1/pb5KcXsHs6lVN -LCpaz5C9XtUxzJZLdnv1sj341R1He927ceZmc3Y69kh6zNMfxV4Mf5L0RzH3OljLShAQbwAnuAEM -IM04M6fhHod3XA56e/jlIDh7Hux1J2djbkBabis5m3fb4o2jPY8fx7WTjSAgJYdzjye44XQgILHX -kcqSD8P7+/RQLDecTYcTnAHoYHY0viz1EMw/D+a2c7NxO9ndeWgnWzsPhK65OMrcpn/fm2lsJytB -QEYQFCMKFCQKFCyHI2+c3W2eEQSR4d5xe9fdXXduOONmI3+dzG3o5oRKblHw+59mLn4up2OCgKQd -Dg5+OgjWXmd7XA52KrZNpSr/eXPXtdsWc9wegnUI9iL4jyEvhjb4rZzNu2n097Hb1nKb7HX315XM -0sWuMEykF6bRb44up6VZx+W2XQxF5PgZw5BJhs6SF0M164QbkHCDoj/HU6t+zPEvRR30PKUoUk9d -BFkOCMtBUXcayBxDaClaU5LLfkwS77ZY66AbFO3GscdQBkFQu8pgrXLQc7nOy3X+09zHUaSmIXe9 -smm7HEtuC0JPUXqGzBHlsiYZJsEwKE31UfygJqpdPSaZi58NdjPIzZ9Xh6EdhvXnwVoHBz+PSXpM -8gY9++vgLYO3TCWzLNoluao+gqZWRbUpyBz1MbRD8JOapncVqejtdXXH0V7XapoJAgKeQAF3nx6S -KIcDb5pHHPsw1L+O7jZzsyFBNqumzd32ah10c4LtbPpRPK1pil35UDw7HVXTVk0jOZxMhxOrprWa -5mrZ3HUrp6NyOieHk2ZcpsMJjg463KeJgu/zxqUdDv19J6fjoQDpUICYnUzVtHKzWbUM7jqVw1E3 -nJTDCUFA1q2Lve/sdFYtE6mqzHltJytRoDBBQNgsOzecEwTk3HDQzYbutvvr4qwDdzhth5NyNnXX -7SA4b5y5OZFCZRLh+94saW97s0zldNROR+Y4tdNBMw7cbbPX/aRZOk+PGP6nCVLV+/vyD1y3zfa4 -/eNobqM9z80y+/t+87TBkOxwQBAUrNYxoSdoFFnyC7NjUFrqpHiHoNx17MalnQ4OfiY1LaGovGVp -h2N2OGjGocNP1Tqs1ulJUeY0mMs8pvg5R58URScpOkl+BGuw409T9L78ONJaB++4WMtiLnO3zO24 -X0VPdp3NOLCnfdCSpL5PKbuLIS6CcfixXxdiV3wUY4/jxU/Enk343EXP9fepGUf2uP80465TMw7c -ZTkJ5mJYf6CraSpnw3Y68cbFHCd7ndxx9ufd32eD3n+aeinOYSd/XW+Wu/jhHkd73vx9+Rju5Sh/ -XQiCQuVw2ixjswzdbF7Oi7tPzbRMBx3Izcb+PHjLdtBbwS0rhkUo6iHJ/OvkrYNyUKQdkJTb6h/X -f13+fbdY2qN5drLvBIimw4k0004OJ+WA2J1ngoCUICCfDifEDcgHgsLMsn9lPWfqatoNgiJV3cMy -3jpX49BM23Q4EW4267atWQZznKtxrca9XdduXNnJPhAQM+P8qepu3fyBoBP1xdHuPJTT8XQ48elw -Iu1w2CxLOx2562aOg7OM5WzobZO1rO48NeOQ7DkKjuNugznNzbJysxk3mxEEhap18BH0y5HVslbL 
-/rMMrSmpdU1uq4egvGlzx92g12qdtLMJrSxPovpoekz0BsN7JGPPu0FQD0XZ42BOIhYt1Ahe76Ro -e16rZSGHY3Y4ewj6Yjhv2l+S+yjC3VZyQMTNCXID8nIbql1jTmu5jkk/04Q8LthVrakffnOnvd2W -m2cMimeHg3+d3XH0ltXddoMeiV1N7Wp/XdlBEXJTkfvWxZHuulbLbhHMSzL+QDkMyU6n7bSSev7l -yIvhPoaz18HdpmqcNOOIIChMDsgdencIphxOvGl018VdB2/byumUm42ZcWKOy0HQ9jpY67BZJ+1w -1Izznyb9eWln427ZLYq3SMLclmact9vsL3y1rdW0+gNlrjs7mogCZAQBOTsdmONgjlszzi6GLzgO -nWYOfrDWcTsgccahu00HPXnTdNBTqSn+ee/GuZzXbpzb0VpOFp44UYKAoBxOeOJEd+LEu3EgsSyh -aKg8P6JZd9+IAsXseaZV/cUQ5WzKzSbNMjTLWG1rte7saCAISGh9d3OlQXHNspDDGbOOynEsp81i -WGoav7IpeY9zW5xtaG6rPy8HQQ9JulkWokCBZpr9hW4nq7ftD8XSmY5QFeY42dveLUs7G8952mDI -blr9gXoI6iHYhyDeceYGhdnZeFS0T9H5616wq5LbsTkWoWaabcQOCpbL/BN9ue8eydec++WZj2XM -cWxno3I2tfj5eFnZocXlL0s99EhmCSpJD0mmWHVEinPGiTltZO/dbWO1Tg12/1mi2jYPwxv03i2L -Py0GSYxFCdZ/nikdUauph6DsbarWSbXO+3W4GMZa9otfC15Z8Fta1b8URWsZatH9JGMRLLXO6WVT -bDtCU54kXW2DvQ7+PDr88PCLOw6UniJ4rYvhqnHMDkiqdfLxC50l6CxdToO7DTa/pzR1te3cgLRZ -59U0uePqz1M5nLWzycEP/z48BN9NgzUt5WzaLIs5rt02VtPWTqf+OhI5frWNBEFhbjasppUgIHs4 -/uKYf6G8cWtHA1GgCFGcsD8w1ca6KJJU9UXTfxj64LeDoEcUSxQn1M5GB78368wcR3tevHHqhuMN -YADgiRMoh2NyOtkAdNB00EHtdPpPxDvPI5J457Udztrp3OD3l+XcdauW0V5nfx7oNA== - - - USWabjogChBxw+nNFP7Ct/NYr/unaU6SvEm6XEZyQMjOBidHUqqCTnMkhlXmmbWm9abRWwZnnFfL -WE0zOZzwBIpY0/Qw1MOx7jqY01qtE3NZzGXspoEbkLbr7lBcO5xYy/gw7MXQQ4o4+Nnh93Zb/XUj -cwyD3b8cZU6jP67kpqd3hTtu7Gxwkwylq5ttaKdDf50ffqnTFKmnfor7Sd7hF0JNE4r2IEhzmt1p -urfl3baD306SaIeDi2FpTT0mmYfgu2W4+LHg9jdJU9zuZolaVZV8HqHhvxzrjwOdYsoNw+i03HHw -pqlYVGR+a4/zy3Blt2GcQiE0bIfgymnut5Xk+6dM2awTc5sIPVtue2rbH0XbLWs5TcSqI/h9g97n -HGFyS+PvKnTcWtFe/FZtc5ehyK7/aLpmnX0MX3E8Ms/b62BOOzkbd9s8ZSlrm9vJVA4H5rZSmvri -SHfdmmVpp+NqWsxxtdeBJ3QQQU6knc4IAjKCoECZc1BIytrWZhrK4bDbNnte7YH2N66aFlrXVm3L -GxdnGZxlMreRICfWrDN7Hdvh4B/YZtrJ2ZQbEBEExcnhpJ0OCIKiM4ABcCdOrJkmb52aaaj2dcHx -CDV/UuxHURfDNcvODofuuhwE+xAkleercWq2wV1If6HJydyNc7mvhyRv0PuUYz+CtMfNHmd/Xatp -MfiR0HRUkvzH8V9HMsnPGN7e1mYdc7M5OR2Uwzk7HXbj4o77T5IXPxzk6o8rO5wOBMTMMnXjQhCQ 
-2es8I/mPYmpFQ2VJfx3scTXohdByH8M7/O7P+5Ti611RK2qHn/t1eCnaYlhyOK/X8eTYg+CHFHl0 -zE/xw556KbbbtmbZmnXiTvPH8ISaKNTsQVDtdMjN5hbDvhzbLbs/7jOGMdlV8fFD5ymLHvtt+giC -zvEnwxz0/DI8ud8Vfc1CuzoZ7qUoQssQSrIZxz/FElte0W0Uq4bW1aOmMciJVjYPxzXruFtHBz38 -4+6vu0MQ9jgZ7HJS9JwmT4otvt0i5Lvg9ogMPaHHj58NdvtJilzWFsUZ/EaqqnrfXQxlLqO9Lva8 -2OvwUVQ7mZtpM8fd3ycqzdz73ixTOxy101mzTrkBWTUO7XFyx5kbTjeAAZAgKEipy3a0d9tM6XqD -4Nxx8ralnI3J4YAgIHAoxmBIbkB6EQSVZNxx52ZzbjbmZmNuQEIq63qg2enIn/dyW5plZ6dzdjbr -lsWeR3vguel0KFDg4VhaV78cbY+jO07mulbTZjCsv4/mOHjTXjaOh+O7dW8Hpp2MBNmsmnaD4Ox1 -JTZ12e9TauIeZ3MbzW3tpqXb1nJcmnH+UlyhZZNp5l53d1s/ivgH0h44bjZmlqHaBn9f/XWkFWXR -76hVW44rOx2SwxE5nJHD2ctyzTow14kZ9Sj3XWJX0JrSYFeLoMppdAj242h/HSk1USract08DFct -AzmbMOP8KzuD4KplMU/v2vOTPiex550cRc7m24CInE3baXO31Zx2cxu9aa6WxZ9Xh5/rbWjGGann -E3oOkWCLRUUmGUrLD1q2XIflOnG31Z8ne9sHFUfuV0akw4g8rznmyfDdOjTY/WjJlyBLZkHpCVJT -3iRZLnM5TfY6mNtmj4M1TsxxQOu5qmlPevYnCVJRj1n6aEnC16963slwxKaiFUXBbUhFb/HDyfD1 -uvjzaBDERdA/R5bMnui7SF1vUbRHUc00ldNps87K2cSbloehLor6OLqblnY45AYF7HG9CLYdTqtp -dxjiH1hyOONmk2Zaq3Elh/NuGg56ILMMjWO7cR/IJhuADiSHk2phj4mGGxB2y+BNo72O9rq00xFB -QEjOxtWyVstEL/y7bx2CMqe5mqZmWatpqaalWcZuW6+iIjouUlNdHGkPZDfuQ4Fi3Gxgr2PVdz6S -q3kmse5/qp5Tnb2v3bJyg8L+PJ8c2Y3zr+hKnk+rW38gudmUnM64AZG5jQfBOvxyMgSlJy+C8Zap -nY3a6cggWGbZBwICojhBozL1IAPTuu2Y2+aO08MwD8Ha6/IQPDkgNvktccMFS67nr6O/jtU6txjG -IEiLIdxx9xiu6rk3x1frqJxNu2l6SbpwmxZHEAREHj8JGFEEyl/azbFHRx4lZfGLQe9PzRK7kpwN -DHKvWh6hKv11OiniIshumQx2KtbVPW90gi69DYNbE/lVnWardWSP48fxL0+Us4lhnSpQRBAyqBRp -PXsS3EnQY4okvO6nput1Ri9qg9/8baUWZfnssDlGrexflnkYwpvWumMiXMiQeEA3Keqk6JtkT44e -0xyt616WL7j9gEE5xfAtfnopzl9Xi+AcgnQYopzNr54yJ1EIbfMjSX9fLYJ4SeJhKGvbyuGcG5AQ -u/KmaYfgy20oh9Nq2qtl/SiWVtRDiie39c3S1TISBMT1wLk835AMOZ0ULZPsOS+C9qadHI4IAkJu -QFAtq0Gy5GSsp9kwERmpqatlbdZZO520k6WdjrnZqFnnb927PNUs88fx/r6Z43owdLeN5GxIDgh/ -lisg0B2CbdZZs067aS+32SAYStOcLGUQRL0xT5rw1rkdbe107DC0QU8PwbnbVq7D0m/SG9MfCHfd -2enAnvdynMrhlBuQU+vQoneLn+gsWau6g1+bdU4OR9yAgChQhChOeFDTBL/3KO7juFLXXxRnTUs3 
-ICgHBOWA0CDHsuUX/PByBKnnHX40CKraVnY4HwiKWgxzk4Q9brSqL3kGnaYoRfmSDEFAOhAULri1 -CHmZ3DgFqzZCUjBcKdCK7qbYl2L9fRwIit09XbhU/WjaodeSYRb87mLIiyLufS2Hw4uezAjEiyIJ -LV9uC0LNXQzvz4M3TdycgPl2ECxUvOw8pa9nQH1sfkvrGULLGuRw0hvRZ5Ga/qa4guTxAVuV0DOo -LO+vk7ut1TonefUBc1Lif1CwG4LXoVXty3InSTwU2W1DuQ4PMiqpFzaxaczHH6knDXar1lGzjrlB -8WnRFCpTb6I5KYJSNB/FOgRt74szTeVw0g6n9MKyKKZaRoPf/Hm6OPLiuIsiiwikjyT9ebPX1Z93 -h+FNnjJ5jhrXbTYjIRDK51N7ncxl7tZptQzeNjTrnFkGgqDIybCJGzRUcAxvm5tla6czbjYhChTl -ZqNmmQx+6badWecvy9rz1g7nzbI146xblmodt9v0s5TBzv46mdv0UcTB7/a8HQxZTZu/kC9NksNx -t63eOLvzQijKj2LdcTG3xaG3wnOcNF2uw0kyzTJ229QsG1GgSDsc+ONq8ZNBDmSWqDS1vQ7dgKxZ -B+64d9vSzubtNrfb3I77z/MXR7jDeTsdWdNsz7O9Dg+/WgRNLpNDLx9D+/PcbTs7GcnZjJzNPY4q -x5kZx8SyJXbuKUldBGevUzXN9brcFGN4nY8hyjVtsEgsTKS+FGdwg7vM5Tppl5nsFuXjx94XWs8V -fheZ6fv7Zm6DtaztcGiPK72t3HGoVh2x6/8s5W5rNU68ZTS4reY1xc9B6qniuVNyO3SSN8jxo7d6 -U5WdlgHxH9TsyzBFqI/x8DwJ4iDnj9+JRUEoKWLNEg9ugl1YLYfgtV6Sb8e5nBZ3G+xxcdjF9Lon -RxbMyvj6PoKxp7lbBndbDXo8SpJi1/W60Gqe2rUGvXbLZK+rPy/uNrjTePSUxXDlNN4k4a6Lu07u -OHfTRLCscp8siqgXDqEpzHXfhtNtNh9nk3Jbn6Z1GLJaR8SqeznOX6d2OiCKE+QGJO1wPKTYimPe -LHNRdLPMBAEpNxtW23RxhDmO3TSRs+FQnIA3LeVwyg3IDYK6GIJQ8z9NdstIDoj8cSHxSzrRl+Na -LWszzsxtctf1pVmH4oYChctxfDjOG6duQF6tA2uZLoKl9+XT9exkr9fNIKhq2apl7ra1WvY5S58c -7/CLv44nx/r7VC1LOSBt1pk9bu44tsNBOZtWy+avqz+P1bJzAxJvm+51fhjyIChz25p1YI+jQe/l -trPDyUUxF8nZ+9JO5+x0PBAUJAeE9jheJO3P60nxP80U/JJWVZSifimmGUgNbi2ZRb2t7Gl+KX7O -caSWI/W7wtsmVkUzTk6Cq9flR5HVOp5y5EMQB7+Xy1itA3dazJZL8Jv2uDvsQihJErMrtLtiwyxX -lcGNN0O/HGuw+6SjSN3CMP0yPY5a0VsE7bAryWmRm9ZLcAWvKfi84sOzXLU3w90M6bDbTVEvw5XL -YE8rtWpJbpvctegk9xF8uc5OfqpXnUGOJbsnel1yWVDL7uhZl6Laab9Kql6W9jg79E5vq3JfFNt6 -ylH+OrbbXo+zRZDNtFbT6M/TRzHcdDo6nAg5m9jr1qzToTgRiyEIdlPwy4fjyeF8J3Q4OyA5SlRK -+N8Gv/nz4E17NW3tdNaMc3I266bR4NdmnbbT0b8P77yVwxlBUIwgKEjO5t22j2m+23ZyOPXn3V/X -i+ENfuymmZ1N/Xkst1217dttPCmCzrIfR/r7WE07O50OxYm380gqm38g/nk8CO7fx4Pg7XVnh/OB -oJhB8IOyuEh+TJOEovwo0txWc5pnFEer+jnPeNvarCNzW+xxa9ahve5jkrnX/R9Yc5sIcoLcgJic 
-jbkBOTkbV8t+kSyd52tVR1w2VJLvto2bzbtt9Qe22fZmmx1+oNQssSkeguVmU4ffq65HqUp3nJtx -2mxjfx4+grj43eM3g50ddip7DpPjEFp+TBGEij869uYISs2Su74e15skSQx7RLDuttnjbtDzT7LE -pvsIxlw2OsVUSqLSMeRVT2h45a526PnlqI9gDXaq2DWl5+tdRWa3xI5bcStKSdNa+uRHotM1XKiS -nPacYSgVUbBaclVV7ILUkz9J19NQcRuj6ZKa+iJ4d1kvfqKTXLUqC7/3o2iC2yGzXH/evqYhGe7X -c0fH0Wq2YPcGv9ctv4hCo9XNxZH2Ov8cUe+KatXSqn7Os/Y8nyxzUdx00CHkcGgR7M1x1Tgtt5FW -FXSatNeZIJtxA1JyNu7WIaWrHo43+IFQcwfDmeNaTVM7HXfbXm5jtQzlbFgOB/c+N8vYTiflcErO -xtxs2k4H/75X29Ysw8EvD7/V63rKkv66nRRFKKpyWxGK0l/3MUlSeuKgJ3cbP4p7KMbbNnOcvG2y -pu1hCG8b3XG31+WgJ3dcmnFebqM/sNU2fxR/cry9Lt40u9tQqoqC66i19ZQl6Dw9JTl/3tnhpBnH -3TI46/Qcl3dd/Xl+KdbexmaclANSf54vknXXicxxpZ4ic9zD0P6+eNvSLDM5nHvzTCkaArugcpS5 -Tc04vTnGbttjomuHM3fb/XUlFB2lKP1xLpfJH5ePoF+O8JbtZagS6mM2XJLPM1gnE7zuS3H+OhKr -hs6yH0HQSbJg1yW/pDUVqeh/ln4pkkzRA3IqvR0jVWLZcZKb/pymHnr31+kjaHJZXgxZ7grj5y89 -boLToZP0SXAPOROdZoEijdoUVa8xQlAzYikYqhLNxwMyyzr04o9TCXn+M6VBL5SWJg== - - - NUwSuyr0jFLPJvhdf17JZU2v+2od1eyufDyvuz7FrWhFRerJm2PMaTSjYvlq60FRmAzDKH1UePgW -q4ZQsydFXgz9kky17B7DX0X/k+zJUM02dRju49hmmcnZuNqmjyIINT8m+Zej7HG4CLriV4Sif1n6 -4zh33LtpaoeTdjhqh5NuNmqWjRsQNsvcTGOz7NW0muNiTWuzrNU0V9NkbgOdp0+SNeh9TPInx9BZ -fsqy/jp/FD2k+HLZ7HGnND2l6Q5+K4eTgoC4nU7teeNmg2aduNt6crS/r82yNuu4mgZvW7xpbYdj -f179fWyHk3/eSV1DJypCU9PK+iQpex7LbaiWkRwQNePonvcZRxJ6ks7SM4K86PWhx4egDoZqxim5 -awu/v1yWdJo5+MWapmqZqmWxtsHcJjLJDyn+ZumTI6pNS2tqg2GrZboI5qCngx8vhroIhtRT5aoi -tLTBbtU2J6F9iRozRPC6JbcyHz4lr1OtGkLND2rmJKiSXxdQiOS+Ve6KatWU25rYNWSS+cfl30bj -lYqxar3il6SWWS6LUlFY7L7kt7SmtdeJUBO1pqS0hM0uqlVRbeqKWZfMltxUP0UXJCwE6LihImVK -8fMYHX/KEYSaH7Rs0fHsebspnvA3zacPeduUeppQ8zfJGvRCrCpq29rjYEB9Ct+jYNhPy94UPycp -Us0SHoftfZ6uqTh+2XMYPoe564cMeRLcR/A3SV0U0S1bMSqFzpPtgKwZyLp1dJKEPS8EQUFyNjgY -+uM4Ok0Uq6bY1FOK/Rj+5Qhvm/199weqHQ7KAbFBcCdJeNtMEBQhCIqSw7nBENa4WNt6UKw5juVw -Vg7n5GxKzmb2upGa7iQJd91pVT8lWUpPl8t+TPIWv5broNnGBr/663YR/JSk7XnztrlZhnI2HooT -Zmejap3Z4+zPi7cN1rJYy1bOps0676bNXrdqWtrpyBxHc5wOhiDzDJ2nhyTfbkuzzOx0Uk1zN03u 
-Nhz0PGOYWtGQ2CWJ3RA27T3O7XDQDsjIZVWu24Nf3nGx1vnHURe/O/zWTQs5ID0Z+qOIf57ddbjH -4R63j+F/mroYwltmf50oTVNti2JVUCmGyHAfv7fruDx0AnL8gNW2q4ZpRL0KkZ8C1JPY8ucsZZCL -MY14oJyU4DjLTV0v23pbDxniHmd7G/5tLPn1oOo+iq13DXlZk9g9kV3XmoJG8f68XRTnjhuxqMvH -X+F1k5tuvWuJPe8SzM/QR4qUCPxQBEm+q2SXNcOjND2t6gg98/Bbtc1uiiU93oLfvxRF6WlSU5OK -glLzDj8a9HYRbGESpeD4HkXQmr7qWUSGVSz6OclaFNvv+1UV1bI9KXpGEFSGMJhFrakoPfWSZMMP -5XDkTgOZ4eplVfyfJ8tysxE3IGino2aZuQGpva4lwyb3HNKmoFKcO+7dNHnL3IxzdjYoeW7VNsg8 -8a4DkeOnHFFqunseiQLFmmVvpp0gIHko8uJIe98dhvXXzd3Wchscgv95wpvGi18qNT1kSH8b/XH6 -GIJOMxdBkorq4Edz28xp8qbV3lZSURz0WC0bQU7QXRdv25t12A5H3jafJHEQTDsdNtPgjYM37txw -ZK7Tw/Bjkrwo2iJYg19fjn9JvhnHzTgxl71ilsS2cfEzqWYMTrfSs0SKIRLkR88GuVz8fHLEwU8H -wZjbWq3zcprsbX054uHnl2SJXV2w26LjKv7e9brulqGdjV6OJheGu03+th8lXZxCPkReL78+gtEU -DZtgNYbTJXn9o2OI/abo80t2SyxqelcRq3pQ02OW/BiK0BK1pi+XPaGn7nEyp8FfR4Me/XFyt/Ej -+JMiqCRX7MqHoctlK9dJ0e8Jz3vKEYSWKXh10W4KXkWrubLfVl63blnGFILdN9x1ugiKUPM3RVFa -flJS1Ka5CLLoGPW+PEnCnPZy2V+GqlYVoShfjjTYfVbUxctlauF9DPPx20vQN0ka/GKvYzcN7rR+ -DHnx+5CgP36ruB3RbRK8cid0aOHxilIoNssiFP2UpIccR2m6i6LLcSVng4shPo66CJZK0Be/nRQ9 -5FhrnTfbqFrmUdf+PEsrWzJN3PNyrwONoYgkazBcty0EQSGiQGF7H911rZbpY7iL4m+WvlniYohm -nZGD4kfJFh2Hve2oFEkl2YcgP4Y3+H1M0/Y6mOuSwPBKRVsq+nLZvxRnjzs7HJTDMUFAVE4n5XDS -Dmekqif3pTsv5ra1k6WcDptpc+fZIUiDnx2CdPjFn4eH4Nxt6gaFq3XoboPFbUlNVy770xGlhk3l -OBrBX/TqL5M9bR9BfhRbLSs3IDDH5WL4kyKsZe6WsVonF0PSqvajKDJHVUqOTrEVsyZ77ZrhXBTr -sDv59xUpFIuHf2ESqeT0iS1bNcuqXRX9+qqJo6EK1khHiGoHy1Riz70Z3uPnq2dOjq/H6aQoKst/ -FElm6Qk/UDnypDiDXstpaMahQS8fw3wEP+bIg99pNU3umKSWfxTNSdFlzzFerRB7TrmqSTVHq/mz -JuuGU/7dBMMzGJ5cFmXHYzJsSkt/9HwS/M1RFcO3KLLbZpdkb5Ytuw3T656yXDeO/G0qGr5BQtKX -516WJ9hVzW8efnK3vVv2dpr9eTkIwtsmd5upRWFEfIsSiAW32wkdZKiMMIDHjhJ9L6kpSl2r3PZJ -TethmHY6aKcjf17LdToZrtrTQ4L159kdJ2cc3Otmr2u5bdUyPAxrrzs5m30kR+gpMk0bFEtOJwRB -YXI2dde9mlZuQHARVLHtynVJaXp/XwhyguSgyMkwNscnFfWI4C+CH3L8mKUuhjb4wZvGYtmWuoJE -cESKqfQMleIufu+mlRuQtMNpNe3ccFAOpyTXUXR/D8Xa6+Bto71v5rx322Kvq8VQL0v581Qtg7uN 
-/jra4/Dwsz/OpJohc5w/zoOOnzL0xc8fwZ78QCkJSs3fJPHwU7MO2uHMnleDH+1xaWfzctoMerkY -3uEnex0/gqi1TK0mzWefYQrFZFf2Nv4EZ8RWP05QRilqWk1Va7r4tguTR4WnUzA7jx+ejjVOYipK -ohhfd8Xuf447CX7U0zfLGfRij2uzDsxpu/jx4kdKTb8cbdCbv07+uhn0aNCrQ08XvxJavui1i5+H -wW4+hnkpupRAPri09OWYkx5JJWExO3LHLH/uomG9HN+u480SlKKhs0ypJSotXa4aIsM/irLcxnLb -KJb580y1KopN9TGUP+4ev9CKtmgaD8UUHLvmGYSiMrfZ3vYxRZNqfsgR/8B242KPO8Es7JZT7cqP -Yft5rz5/MZlKLYti1dJ5hshRZJY5CK6dzrtpctedWecOP1Bqzl4Xc5segv44fsjx9job9GSPW7ds -3ICcnQ4dii7HzZ7Xm+demrYosprGZh2UA4JyQGQu08GPJ0VU65bWtQY9+/P0EMzFz90y++v+ksTB -D3SaoxTlRZEXwxz85m6Dt47oJEkneVpPU3rm4HeD3/19tdehnM27aaI0zUcRH8GUvh+trB2C8LbV -XgdCTVTLklYV9rr4605vu5LhOvziToO5zAa5kCme3HXLvn9K8T9L0Zr+aElSzw9K5qJ3g539cR5y -1EWR5TSPevYpapejLIbspsHdhougBy1D6lmLnWgtYXIL48lP9lrFt2NE/Mhd22GHj96PiiT2uyK0 -u/Q2iU77qwmHXM+itynupliH3qhFWXNrkt+o19VFMe44Ovx6U8RDr9U4PyqG4DNpRUmq+Zvj7HV5 -CIJOUtWi/yie2BMlt0NmmfW2PCmOYhdVz/LH7WZIak3Wq8Lm9kW/pXflUdP1PlPT0E2zQ8/1riW1 -RLVoyk1Z9Mu6adLb+qpai6Fvlr056qVIh14ddjoZitjU1K6rGPbPcvY8fhxDZ4lqUxNa/iLoKckf -RT8q6klPewzp0OtNEgCrlAHUdn/rpC+TQ8ZE4ntN1uRN8jRJt0ghaVKna7KmbdKFxG2ZZhkALIUk -pUZUzLjYocI0DyCVQtJkyw7ghoocOGRG/LqGS8b13d5JHK8xImvbtved7/F912U9r/W8v225z/E+ -72k+72tdvnsa5/We5mOaj0k75/d9ADL8TtN4zdv3jlqXeZcKaes7Ldc5meM4L9s9zfPkrtN1z8e4 -9Xvfax7vaV4fgEmt47Ze1z0f73I/w/Nk39N0LROLoec3bfM8yFymBzBKIen8zm/ezm9+r2vbvm2Z -JmsS53l87/Nbt3nc5nOZJnPavnd7z2+ZZAAunOfxmidz++bjAbxInORBviBrkkXWAxilkDVe17qO -4zZe43R+4/p+8/iu9/lO6nx+9/QARmYMwHXjLp7ma5snc74mc8iEkDQzTjD8apT2AzAZwIoBlO47 -v+1a1+3d7l07vuM5z/e2vN/93dd9neu2Xtu6ze+7bt+ybuP2buM2Xde3667pu85xGfRd3zuNyz2f -07qMyz2P871ey31P9/ad2zLsuu9pW5f7vufpnq/7Xedz/t77Hadreb9xfqd5frfvHd9p3pb5Pqd3 -PJfz/rbpXZdzOrd1uc9zeud5msdl2rbx3KbtUt7ffH7jNr3vec3L/V33Ju4AVgygVO87X/eluqZl -u75vmb9rfOdzmedxmcfr++ZNZG3jeZ7reV7neq73vZ6X7Pzmcz7n8/zu+9ym5Vqn9Zqv9Zqv5VrP -dVrXe1u2a52Xa92+95uXbZ3P8XqXbV3Pa/nWb13v+Vy+9T3He3zf7VzOdTvX91y3+1zXdX3Xc13X -dVu3ed3GY9nmdVvXZbvndZnXXbzO63yPy/Wt17Td2z0v0/td23JN73Xf6zx98zXf67pO6329y/S+ 
-03d/83Jt2/Uu2/Z+77aM7zjd5zvd57su070u53uf67K+3/W+7/uu7/aO8zXN23V/13Xd36X+5vX8 -7m9el28al28a5217x3l7r++et3Fd1nn81mUd53me3vFe72+97++9v+2er3Gdj+Wd7mt713kb53G+ -7/F452/e3uldtnmb72le3vsdp/scl/vdxuN95/l9t/kdl/e9lncej3le32085vd633Fcvve83+19 -r2nZ3vG9lut6r+36xvd6t2293+k91/Wd5/GY12mblnPdzmVc73s+l29dx/ldvm08xmMdl2k932k9 -53Oez/le3vn85nUej/Wc5/N8z/Mdl/marne+znO+z3G6x3H93nEcx3Vc3nF7x3tex3eZz/GSjvM8 -jeO7jdM4v+v3beO0Lts7ffM2buMxX8s2zss1nuN0f+e1TOMyf/O8rvc3j9N4v8s6ft+9LfO3be88 -z9t3fcv7rt/3LvN5z8u8fdt3ffP1Xcv1zee5TN+8LdN5Xtu4zdO63NM339s9r+e13Nu8vfO7zdt7 -r/O9bfeyfve23fO7rOO0ves7r9u2rfP8vde4vNu1ndu2rdc1Xcu4Xdv7bfO2zcu2XeLl2tZzvr51 -Ouf7XN9veb/tW69tO891Ga91Xr7vvZZtXtZtHNdtm67rfqdrnq/5Oq/xe+dxfad1Ww== - - - pm265nu573se3/m93vc+52Wdpndb3vmelnk65+lb5vnelvsZHud7mu9zmqflnu/3nqZl+t7pnt5p -HadrHo/l277rnr/5G7/lnq9tPK7lu6ZrXe7tnsbl3q7tmrdrHI/r+u5lHq/72uZ3PtfxWKbrPq9r -na/pPs91usfxmu71Wq93Wqb5HY97vq77mubtXqZxua95Xu5rm6ftXu5rvbbxeMdvet9vO5dpm7bx -/MZjvt95G4/72uZzue5rHad7me5t2755+Zbv27bpXsbl+rZv3Lbz27bxWsdtObf1PddvPMbl267z -3K7l3M7tO7dtWbf1WtZ5e697O9/lus/l3bbx2sZ5m+b1Prd3/Mbr3M57mbd7m9b7n7lmOU+0qil+ -r4LlFSyT2Ba0rqqmxeDHu3CNriL3pUmVTHq+Nc8iVc3JEYkbMyhAgCJKQL8IhkV07YlpkVzfZalu -Wbpp7Pf1aqt64LlxqKb16cqj6hyOtDiSnGztPNWdf9ZW1bY+VV/7roKVCtFzkuvuZ1lqWfx9IJWd -QTD+vLwkc9PMyRLNMo+zYcMQN1HYCzsdTpRZ5n7ebpaqmWYBgVhEoJHbyuBHA3PtQCMjwus0KREP -LCI6TFivXfa4qIwSkSFgvCDVtMoo1EISoXz+kyyf2mZm2gcCYnY6qradmWaPZU6aJPcFmadPkvs4 -5qUpk+OJydRjxQpSnten+a/pDZUSHlzQiHj0k5AfkmGWJy+CBw0eLGZmQlhBzGixQ4uZkI8vk2PK -cXAYtp7nWdU6DOuvw0EO/7h9FFEt24ph1OvuZip3HElu4ygJmRFzvehZBbsnt83N8m/VEczaIwjD -aZLff+k4DUqEI4RFgwLFeBpXyRszKkz4wGOFiQhJp3E1zVNWDke442CPo0Vw5LZvx82haGbayOGs -3LaXZm+aI5clyXFphpvgQYMDSwxRASJ4YOIGjB0rJDJKWLEfv1lSJNS3mEap2JUZeVSgQLB7djtO -JhUyyW+qaSAIyAcCMo+irpq/m6aAPKd15cFP3jKSg6JDcQIOR5W+m2h6zbIQvF6iRYwBaGRS6HlU -lrXniZwNfp4sJ9VJttdOx+SuJ6GPymhUwvM0WKkaKhRMhk38XQkffICRTnmqruza5KOL9Leqln01 -vU107Gi+C4uAPrd5+mtrl6cMinyqflq3R1W462isqLQoMSnBcWuOVbQc0uMqpM/qrkdsy5tnLY4h 
-Pk+CYdw0ZxBst003T5Hr/qmKdrSSk7GkViilE2hlP2n6QdOPqspheJNjChfLhYlJv6ohO95iZVKR -Irl0uk/LT2rmpfiC3Q8VMjROTET2vUdVdetQbQs3HHLDabUt/kB8LM1ONm426IZjdx6KXUd03HXb -rhxX5fpJ13HAyNAwSWkRa+FQIXEpfVhMoBQ+60jBIoQasKAFH+DATAzGyusUPotily9J+vNYbls3 -bQ7Dtutcz4s/jwY91NvCYtj1ujtJphvHr+sKCmWi61DLruq6BLutWRaxbCyGaqf9KnrEChoeWMBo -7f6oTUdwOEXqMwM7xcBOQMiQmQl5xX5eBQrJqvfopnqHpC6Ssee53dZyG8nZ0KJIg2I+kp80Nbnw -X5Y5+M1fF9LnBZDhYgbJCEunSXo6puTLEEnBoEArp3+mdToBeVz3HILPJ3cFoWfsff+KxmG4clzK -caznmdvmht/Jnkd4Hf/AmtPmLpPDLgY9OQxjMGw57i5NF36r+PsJfuue92YZq2Wu1+2mqZpnH03R -DcjJXlugCB4ocAQQLFqpmE8Pg12741A+niP04AY7VrRACYEKMIOFDzAhNCoQLKftMazFsfU8Uz2/ -uFY5qoJguCZN1/t2NM3N8x7J2POAgMFiBQnJbpozJtESNV7weDHZoTIyYxKF1rXlOtfzXpyQuHje -o64pOV7N8aum+5KUvW4EAXE9T2bVinl+GfxOr0uS5y2gTyu3T/Fr8vFRNc3KawPs0IMmBoP1uguX -Sa5KctefVfP0POH3J35X9lx647fzbLKkxfE30RCK9qWJj+W44eDnmY+jCEVPcPsFuyK4nbLnuRxD -c/wDjBgurNbHTV3ASjvMtCjBgwYRNVwYgaMFDzFoZMi0zJTARHKco+WnVV+yHKNnUJrKH5huGtnp -sF4Hf5+6aayW5Z83OkuRmoLa1lTfpjtnwxBH01fv2dHUJ0mPac4iSJOiC7d3kJGZAUNjwnkR3K58 -cB9kSCpQxA4JBKHjRosIiYY/8JpDJqa1fzwn6ynRUbraYMhu2tnhfCAo0k1Tt23luNbrZg/UQXAP -wT89YfpdgyTEtes2Spb8uosViQcVkRYpkQsWCeXTi2A3VceoWdbHUR/Ht/twUkzdtcnHE+NzP0U/ -FCBkppWcTq+9Pzmbkv2+QdJiwRLBcDknxVTTQBCQGC0uMyEkb+edIChyrxPBaxqUKObvY0C+iH63 -HTd/XotT6AXkv+46N8f9FE0u2rrjGCewFiUioRhG0TINlJHWHbNqmMTPY3uN4uFPbruXI7+mLgj+ -rtt2HsnhuBv3cl4tjqXXpVEScqrpmhx7yLjcKBk50e6ukvgp4uU4h+GnbWOffy5NPkVN/D01x3L4 -kZ0N2dnAX8eaYxYss5nmbp0WIayT32Ny3d0sb5KUQ1AGPRVRP4SMFyo8j+23EjNS0HCpYkC/Sc/b -JNltUIAZR1dPH01VrvsiCpFYdydL2fPgjpvBz/U60yyzbPs3TVFZuvT4C1YJhvSP6DMM1wkF5Pm8 -rIsr9YOLFjGpFI1r1UMmZUZLCMoKhPLkKX/PVTZPUxifv5RGKznGQxDmNnsM61G0yXEWRVTLSPB7 -cuG+LHExLLVsCY7vsnTBb09Rn33lUORJcsXjCdHzEy2X5rl/Wx1u83d1ffoT0K+i4RQQP4OE9YIC -sZhAMf5GzbMLhjuqftI1D0caDNlNY7Vs1TRxsxE5HG+zGbPMFkcS27LmmVXTKDk+yfJ9mqD4jUmp -fnU1waqKUp9ixKN48JEeb+G1bpq7aY5g+QXFCRzh44cWMDF8Rr3sj5pw56kbZ59nynlohxNSyy4e -ffWuvDnSXyd/ndnh/C3LguG34ZwdTg0WasbqlJLbIpP0kGHsbWVnQ5rbBvTA4z/VEwRFKmZ7rMCM 
-WKHSxA4XD+ChxovIh0EvDkGSEEhPUVPszqhGNVBeKlSknRzRDifVsrwk/9ZtPa/lNJE5VmEazZxK -L6QQCZ/jpOhh2SV2+DHC864bJmKGiiaE6IGjxUQGJXoZfVSz/ILeh1VN/p5P1XXT8DFcwS1KfsPo -uCfHttM5+XMPQOAAKn2fQ1BVwz6wgPEh45LiVOoxEvKCtcpFUTW3PrRQgVmhTjMNWtWRy770m6TP -R/a7FkN8FEcsO3ueu3Uvx31Q06THUzz6aEXTjFNuUJRSdIgULz5SSFSYQrD6Da0mn5qne8bAAhLA -xI8hWjRdw+T1gSaQaMIHHQvw4UYRMWZcVCj7VHm2ZSES8uKEBEXHLfpF6XWTvAahZT2Gcfi13Tbi -7yL3fb0utJ5GyKz4EHHZSJVWcttPURgM+XR14XhOkj1aetr0E7uwP49x8vJhRYuPmBVSHMf43cVI -LPb5XTwO2+vU/P6pGX+cumkkZ1OLoAjPy2BIbkDGDciZdWhQrENRBkM7HOcPlD+QFkX+PD/qeXrX -kNxOzXUtiij6bbEKofC2DEhvgQKhZrj1OH9VU0omj+rStEq/it4i+KNoSE3vELxBkPY+7wSImmmm -Ne1H8O1s/tSM2THLj69ktg5DTQcU2QkQuzRnVin9NFEOx90yfRTjjpM/D6bXKx6d9joSiwbhUpLy -663ZZcnsSP2+iPwVkwiGigmNlhT8LD1rGsLf/4rmpdifpR1+q7d9+fC6SZKczdtxsFmG0TQpVUHo -OYfebo4f9UTNcA1yK1agDhTAhxJEwABL9JiR4hQKqWN9DNdO41HzNMezKPqnSWJXD3rG3rZmHBr0 -dHNEAe0lpI88gqAW/QFDkgElfkhADxs0Qlgmed2nqAx6rx0fAQYewEMNGikcfzGFcpS4eIAxeRn9 -KvlVN00vSxDL1qHYbhqMlkt0u0S/U3qcNcdq1mG3LAXqRNL/dAjaYQdCxZSQPoOFRIZJjEYJjOTv -YTvOI2aFhxUyKWKpGywhOFhGWpTERDM9it+Tv0fN72l2T0C7655LbaqS3ZGbmuJWpN89arpy2plx -VrcMo4UyueuVu37U0z5L/DxNciyy5yynjfT2DylSfIBRwTHSMkJFCxIvZF5OoRsdfaiIWQAQQaD0 -PgXspEMlJiNk9arlXATRLQM5G5UUaWblir+P/jxSeprQk8W2LLYloeknVetR9Nn2d2NPurbml+SO -TXK61KoleI31taqO81I06WuXT66i4z01ZdCbQ6/luBcqJrQY0iDIm6cdgmyWrZ2O2slAEE5fniE4 -zpNlKVVZnEQuUCAXJw9sblstywZw4ttwSHOtgkLJIzluQHZSTIEipV4XdJomvf45z9nrUqxOHyjA -ES/HrVqnN8UXUQ/EjEoSOVpMYIkfjsDxgk/P2yQ/bhuHIex1KTyuwt8tRr8Kb8+h96E4YaJpVX23 -XOd2OqP0LL0siW6r/PtHPdmMo+PFBANMBMEjBiWGNUr54Cs+vppdFP2mZteDommWzTApSRmZcNOU -Qc8GvRH+VrEq+UCJ8Wj5ht5KitQEDzdmXqnUHZ9ktRSvt3r+7hrjcyR64EhBEhLzcxWtUkvIF+Ht -UYv6aEmLoec84887Oxx7DFF8HbSmtgj25tijp6pl8dfNoEyl9nW7DdSiLH5tABgsKHDAEg/YAQeM -FmovQ5XTiAJMEEAmZIREuz24kFnAEDwQwAcOFSIvkT533bR+kiydlmmdTHQMalcXkc8iFaI5iWJM -JL0kzQ5I2dmEYtcUxx+0hNkwSohXCf0pIE+MaaSSY5XLUkI+jpOYC1fKRb8rIf7F9DHNbd+eK0JY -L0xMRHAcxAqVHmRQWrxSJZilR7A+STs1X57eFNP1KKro+ETPPeMoc1ztdXgI2mOIn6XJrnFUdTuO 
-JbsuIV/HichM6ZfxMtUYWanq2OOmK0JWLKP/NMN+m9pkWItf23H5uq6ex6fqTZay5/3mSXLd0Mrm -pdmfappxIshmL03RiopSk5SWvejpYiiDH16WpFjuU5UWxVsUU5RCPrSQuGQ4F8OW21Itmz/PxOdr -nJiYICCpGP7BQqIAHCoMQEPGB0usxogK5bPrJglyW35lXVDUS/NEv0ds+SW/eOi53ZZqHZHrfmIa -5HRuMdwhZaQBPWbsMHGp/Dw+ji23AUFDxgtE0IEWv/+puCLlCSIFiQ8yITJiJBOd3seRRHHiiBkw -VoyYvJ4Xd9xJbuMQQfUoWcV8epXbdBZNgBFAzIAEIfjAsOqOYUyfGCSsGSwiO7BYyfFiIvLp7XSM -cZ1uuJzg5ViLnsqOY/sN020a/MYNiOt1L0ZgM60VPYZ4KcLuOcSuUS778ulnsEy5GA== - - - pnZcRgsKTYpEgssyqtELShRqUbfLQjw4ETZmuEAl1B3zgDGJwBE8XCABR/TgAobkw/crinaa76Yw -K5LJxz8BeQjgIkWMFUkEn/30ZDtNBjvdFP92db3PT8seLiNJyEiRggRq0fJnVduOc71uxNOnbFtH -TZeRB0YsBSNENbMqvYipVKRGKnu2S5EDCUBCRsoKC8dTfp1mJVIJ9SN+bprnt+s+rfqiMpnsu920 -OgRLb7uaaR9VQ20rcttU02zSc+Ey8VA5yXFCMqLXMqVPDBjKNL8kIH8DTCihY4VlJjVKoSKxarkE -t7IYopnGdh49kq4HglY2Bb8l10XFsB2Gr/eZHe3MNlTjMh10eD2PpOdTMFxiVZ0UbTGsRbHlOlDb -hlq3ddeptwWl6SdFWfRcYlVW/ILQs+Rw6M97kSrlGGmh7LcKZllyCzPyqHz4Uat6WPUNxZPz8HRd -u07dtLwk77J8Pe4mxbfr5nBMNy4/0RGPTtMyhfS3yp5NsWuC25Utt3RcV88Se6oo8TBaoJE8JrHn -JzX3UeTJUSfJVMvcjns/rw4/PPRQripq1dskP6+awmnfbe9RxPFKNYCGCiJmVnKcsGqYrGheJ9Is -s12X48XFBwsW/4rOEGFFAAgfPsi4sIR69+vMbYNB8LXjJlkOuazMCGRDdaIRiVZpykrREDpuu00l -ZcIAE0m8KEGxQ0/klkVuOcSGe6C4hlDB0mIkBFdVldNHhUmsxPQJ+eQpOg7xcRiPm+i4JLulmH3p -tYzqpKLl3hRDaqmKW5nT76NFZIeUEJiPR9WymwRhUB+UT+9Z0T41fdRs0fKLKBTC8zNagmiYCR0z -fMCw0CgRoVmZUD47TKdRdnyq3xcnr5OO+y8rkxLRqEgqIg9JfmdyZDWtDsGPqrqf6H7diI6P8HnL -pvOyxE9zHseyw9GRIiUDBlCAipdKaF1J9vrF9Jv8N4lvx/ZZZeSf/LuOEpcLyEe97Sc9aRH0UbMm -R7TrOg7HtOsjnt9PUVdus+46Jcsktp09cNxwNB10qEdxZd9t1/0panpb0qqS2BbtZLD35aZpjyTp -fVtIpVZ9h9LU9jwdBD0k6TlN0Xn6JEl/H+l1R/gdBb+s+UXx6Ke5PSH9JiSR374o162eN4rlkzyP -HA6qZThJktoWNdP1SJaZdqepi5QVWO+38huW16I1zcnx9Tp/RV82PJLPLfolrSgrdlcyzJLjVNvO -npdmGfx5Z9YZORtPir6IQi0gz8uWRfo8N8vV89ZNK9Ht1x276rZGiEkGBXLldp+mLNepHBeLoa+e -KlalFzGWyG6/bBklv61c/9f25bgZBFN1jRIa3SMJfx7dgbtIpuTYT8/+JE9xe5PiPoYyH7/Fz010 -2QWkt4h6lU3PItjDTEsEkkAihctl4ucnuIXlNcue/zV9wY4OPR81YTyPo2ifkjEjvwcT2IxT6MXH 
-Seq4lKaupnlQ8wWMBcNxlwzLUJ1UjEKwmlbNs46mdCkaQAgePIjBDGhIUEBwm5LbFi3SixBUDpaQ -HCqxFySrEw6j7vcAPvhYOZ1SRv8Kl0pV1yA0HbUtb54kh5Oy5xYvWMh1V65DjyCenrqqelr2ROSj -jEajOJZRhXZYGdlxMuIi+k98m0XE8+k4ilWVDdck+GnTUuzy59mfZAx+6teVXhfS89Fch1xXJeRx -2XNfjnTXvRu3k6bsebDXrRz3el9MaYTi76h11cWx3HBKToftunTjTPBr8v8+qsbc1osiyUzHYpmk -qj1ZvhuHdjJPmobw+4dVVTTMMuJHfJqmRWIphUjw62FZEQyT4DgGwTPT/HUNte6IZXGSPLPsQ4Gi -ZNcLMOKI/51lMHThM0qGPSmaj+OvpifZBbGoCW5btPyq55H8hs2zimV1cXS5zeRsRBQn0k3r0XTU -uqS2vcewJkW363T01MsSH0WVy0ow6oMFNtLnJPgVta66cWWmsV33ft1+ligaLsHsh0330wSxa3+a -sffp5ulh29s8b9RM8brolUfte+LpU/Gbj+HsdW7HtRyXj6FehqP2hOGySX+zaLlHzRIP7+r9E03P -qFCrmj69b0hNQ2ran+QHHUdrmpvomGX0GJr4+smuq1rWpJ6mNSWxK2+Wb8fpZjmDYKyeY0D/Kn77 -s7xLsi5LXj1xpFD5AAUqEPtFIFct2WkcJKkZIioXsBMLV6nlBDLNrcp+keihAwYCwYixfnhRMeF3 -UaruZdlynAgCwrLrGygtH/ZlN85Jb8OIRCyen8Xjx3TbX1FPe0LgiB9CuHjx0vGQm6rotkW0m2I1 -1J76ObKe5vLkJ6MRTZKwO9ZJMSfHmyTVzutANi8Ixh9YbkB4URylaildR2wcH8U0y7oTJ042DoQK -mr0cX25rt03+Qpw0+ROlQ/H+vrbrRE7n3IDoYlh/YMt5cCi+IFiC3Zc9q1zWBj/WTftwKakRQ8Hw -OB89++tC6hlD+sSQQh92HTkdU9v4ta1H0t24NctcbuNN8wWM5aJkpDbNkPwCoYIlBmzFmuXRqtZj -CIOeumU2Kapq2jTLJZ5/RNf/sjQ3IOYGpNyAlBsQEezqKGt2NhoMU0CfmJ6DVNWTojUYgidOhCAn -YLy9wwoYUvzyqRmy36JWrUmR9bpTy8iM42nXFl6H3tcWx5Ucs2ZZN09aLNGNEzkck9LICB07dvZ9 -v2/Uqiv4Vb2viWV980S3zcw6Izn+AYaM196TWla0qn+K3uSIclw8ii+Pp0/V1123avpFx6+XJaXl -ToYpx63eB3+f63kqt33aNjXXpPcNtSz8eSNnE3I2p6Z51vUmRz0teTZV4fbKvkXvy6umSIb/NX3Z -swrSB6W/UXIbctWWTqtoN+SipHj9zK7eqqp6BqnnBzVFqkpyX5Lr3uGoZhk+lnQY4mEX0+chcjxK -z485zmEXi93vngkIogeLkZQUHa+E9heuUovUx8W3X3Irg9zadXho8fIDjBn5iaYckHODItY685bF -m9an6n2qIifLBqDDXpp7WaKczocChZllMwi+3/d+nUmO7RD00bOl67M4ptpGbjhnRyM5nW/DUbmO -N8v5A391Zc00i7ZbOw/Tcxc9h0qT9jo/RUtzLIuhToY1QlgIcJGCRSkEOslcBGOvg0FQHkuRk6GZ -po/jaGVHayta25P7jt6WV8+ZkZeOlxaPaYZQU5SiOTnGoEePoAx+9liimRaC415d2WyjvY8fSZcs -n+C4Xpodig2nA4oR66rgeNUy2PNCbvuv6k6KPTne4EeD32mGXU4kEz4nqSb8dabW2cnxc6Khda3F -0OW4UtvuJPl2HKptdmm2YMh64L6yNlmGG5DbJFH+XhfDfgx9cnS1Dc20tuNGbxuzcvGpq5cliV1V 
-suyjKY+ishiqHmduGazfV0YkUKqq6PhLyIfZcshl8fNUOU7kcGKSZO38541DLDti065ZPrUtynVF -61qXZkyONGZefMyw8Y5mHIa6aYZalk/RPUVtcmw7rYXPO1bQtD6i2iRp0UPJa0l/f9q0NslT08wO -B5bbqZnmT/OTpp90PTecVtPuUVQ1bc06+/h5TDEFsyb8PcLjqPhN1XEodltQIxomsZSPH9tr1uyW -WBT2OnPLQPX7qenbLMvNZiXHJ/odQscwOg6x7TyWYyczMw03T3brWo17zTOLE6kEv0vt+qdmiF3b -Tfus642WGLULvRMgqrbt5rm6dRM8k9oWxKogChDeRHOcoJho3MwyG/xIrDpSUxnS58aIa8UKxavq -XpIjeZ3C4yZ3tUMQD799DFex62FdsqP9LrxC9dpN1exkI0in3T47DEXvCut1z/vio/jy8yr9DlJT -fATzcmw7TtxwVI5DNQ3VtH4sVXZPPpLttqkdDrnZfCg2qdb1aFtmW5llenqilEIknv5PUbnTWo2D -ckB2k9RN8+283ixHLNuTo0cUfZK8RVHNshHFiRoE5zDMzRPEsny6pt1XalypdR8KkA4FCvb7chRd -N80GvZS7+uY4allYjofcNz6OpJaBYDa26yB1pcPQHsf9PPs01VHUBT/W81iOa820qp73s3xDL+24 -9vPu0hT5Q7FInprmOU8aKVNIPf8muYsi7HlvCMbkiPJ5l0gUel9YXq989hSkkF2WJseRmlZmGUl+ -Y2Ih/jvfpWmS4dhNl+Q2CW7fEBQ7nbLDeQFryaBW/7qa4pjkxj66ulzHctu32XAoUOSl6EHNvBxL -LvunaH+eJvg1zTHLyXTyEYVYdqUEMslwiFV1sxy1Tdy0UMvErGNyOCe8PpLfpHYFpehOlrZItp03 -h6NdquEmcztw5QOCKZFc9r2bKPx9LLeNGxAeTVNIKbKzjSAbErviIAnpsaISguv2OKrcxp1AYZen -SUk1p23KcSke3UeKCIuVycVJtOLnI/lNh6LLcbg52mT4r6nrtl8z7IrXE4uemfaBbPoWdlGy4oYl -LJb42apyH6brMadSS89NbcvPs8TTg154Hke8HO1RfD3v9TweVclOlulwwsw0z6memRZuNq7n4Wnb -s7OHpW91/jRPFSr1mFHDBJXqWXY/TTv8+FKkv272OvgDU62jRdJH09n7Vg7n3IC4Hed2nR2Ge8rS -KcvD8+ne3fEUt2/cvpILx85maptMlvM4qppWYlcWX0e9rY+ioNa9xVLcdLoOp6dnkJ3nKFqK4ZDr -ougaRdt6uq4gyIZh2nU0Sbrf94Zg77b6qvJpmpflTZJjh9OBoEg1DbSqb+jhqVmyab1tZzSt15Yl -S5YkT/etyutT/Ybc1QXBdyRtdK1LdCbFVgxNbtvRdNTCO0l6zHJHy/Tr2M9jue3jtqJXTtH0K9c/ -rGuXaKptZNbxNhtvs7FLEjfRdONucvzX9VdT1SyjYngEv7IY2qZIgB01VlIrkyyDWDYezdX7yCzj -QDaeDihcNz3y+/aJwmEY0vsrvUfZ+mjOY3Vez9iO8xTI9PFFI0/px/97jXG0jUPRk6q4SGYC0KHl -OJM932ESsrLpeSRVUHRPdZ91kV+6a38U0U9972hZCWKFzIuQWEmmT3b98vyet4bJMy5N/31V972q -a3wM2a2zbh33A2m0/Wle5JNmGWcZYWkRSWGNUiGbV/UiHK7P8cxjGhUamT6kku4x1bivujdpvt6X -bly44XwgnHTrRE62bTgreapEKRdJjEgJjAoVc8FUQKSXDBs+ikCCCVSItfpLKqcWar5F7ruTJNx1 -ZaaJ2UZq3Ll1K+fp5jlq2x6OcThWgUSxkZS/1ELFUGhmYOy6SN9JpBCLdQoB1X0ptld2LofgB4Ji 
-BLclnx70vnua2uYJk6kd86YTLBY7+T0jn/dhWFRcK5UoRPqETLv+53bv0X8dlm1V9WFYxfMimnbB -7/28OQzpUWRBD/W49PNiVQ2FQitY0OzIceMkhaWEWv0fk9vS6NnidI7HsU/HI9yezfQdTfpUUQ/8 -so4aerqK9mn6gqHqcbgpmm75fl/ahdXyPEkzJc/R3p/8T+3CM+reqHuj7UyeebraJA== - - - em4eB7JpQXBf19o8X1GEyRFGT/Y0a9ltEQPzMkIiMhqddF1O2bdE27E0O9D1QHsUbzTF3fjFcrFQ -AeMIJBAgAhGcoAhEMEIHTMACBVQgAxPggAdaQIMZoAAGMSAiiQO4YFFjBTq9JKp64TySHjRtNy7V -tBG/p4FCUmIynYig0LSYscMHIRIwAQ8s4YAPAJEACdDgB0AAAhGMQIELeCAJAhxAAhfgwAdEYAID -FOAAMlrQGPWh+FxN+n5SKv3wq6fqXJZwOeZu6yKdZtTYIQkETEAELJDBBEBwgg2YgAUlcEEMaOCD -H3hABTAwogBNDIHEEj8MUYQOHz5iUqhgSXEp6aGU/rnN9cy2spN9IBvX+/6VzU8URlPVK7bDiCMc -4IER4GAJTgCDGcqABTB44QhRiIIJaJCDCYSgBAmgQAZw7IDEDIyLEVaIiP/MLIyzLZ6ieIryrcu3 -bvqBsaq+ViuREBOZGDpuBEGADahgBV0gAxlygIQldAAGM2jBDWhgAhfUoIgCRCDFChuf0AqH8TYc -Wc9Lt23tttsk+XWNRbHl4VlGRmLMyEHEAijQBAdG8IEWyAAFNLhBDYYQhCpwQQtRqAIVagCEIDwA -BCaI0eMHFhkYJSYuIa3WikgMCR984MGGDl+ubRStz7NnW9Suh3qe5WWlhxA/dEAFJnhCFq7gBCpA -YQpSeEIMdvADJixgASOaWEAOIIqAcXGDhBoZiU42YsTw4QYP+63htJXRFR5NWCRXd43y8U92TfL4 -Ly4qPwSxAwGWIIAQSCRRRAMiwEMCFODiBw8nMTMsZMxwEYMGSUkKiauEFWKF7g99suoXqt23dt9s -oq5pvqxL5/toxdIBxBA/lFjiCAhA4McSTLy8kIHi8pJiBc0Jy8qptIqxYCUtkVDNu2ixRDx+jRYv -hCCCiBGwAAVNoMIUkMAEJyShCUnoAhi2oAY2qGEISUDCCmTwghbQ4AUvkEELFtAABvjAQw8vJSd2 -2qZeKJtpHI52OKpZprrnIWywSAKIHxfIQAaM4AQmAEEJSOCBEYrwhTGIgQxnMAMVrCAFLGjhCmIo -gxiuwAUt/KAIQlBCE5JwgxvYoAELaMCLFCtaHlCK71F6vn7fOoofeg4pkQiQxBEU0EAGiNAEJjTB -ClY4whOasAUweOELYxBDFK5AhSQ4AQlmOIMYxmAGMSzBCUlwQQxSUIIVlKACGLBAjRk2SlIrmNar -JM95ac6g6Hbf6337aaogEblABSxQgxvMQAtdyEIXxDAGHBBhCE2QQhPCIAYurIENaEACE5TAAhm8 -IAUuWMEIUHACCmRAAzt08IhpgYlJUXl9/pCPz8rvVE3/q9rydSB84ECBC1hAAhe4QAlRcMIWwiCG -JVQhCmlQwxnGQAYxJKEJSmiBDFgQhCEAQQY1wMECHmCBFS9owFSxkv73bgxiWxYR6KXvfbr26goj -8mKCAEjAYAYxcAIVqPAELGQhCli4whW6wIUlUAEKOwgCD5rQBCNYAQtUWEIUotCCGcwAiSUOYOPG -Dh47ePjg44eKl5iYyuXTt8imTXcdE/0yWswgIAIK2MEQeKCFL2jBDGpAgxW0oAUoSKEJVJhCE85g -hjBM4QpV0EEQfjADHejgBTXIARBHIGAFDBsuWMBQ0RLDGo1iJ9PJKvXygEz3TVMisoPFzAEIUMQL 
-ZPCCFsDABU6AghLKUIYx+AAIQKABDmpghCMUwQhIOIIHREACB0QAAgxwQAMOwMQBaMi4wULB+LvP -3XlnX5ssfRQlAfkhKRMLFiyCSCIJEsTgBUZ4whOkcIUqhIEMYsiCF77wAhzwIAETuEARBkjAD0UQ -oIeOHmLQvGgZUclXuBXHIX2fgAIoMYEKROAFMFDBGc4whje8oQ1ToMITevADHHShC1iAQhSaoAIW -qMABD2jixw4bLycmMSYlLi4Xq/f88OxpY1Xb1k7nDkORHadppViglEwgAgyAwhSYkAY2pCEKV6jC -FbRwhTWs4QxgCMMWfBAEHRQBCUF4AhSUMIMbyIACFIDAAg5gAB5w6Gix0tKyaoHiuTbN9ftSUdzf -d8RESmIIIFjgAhRgQQtZgIMc4hCGMYShCVFgAha2cIUraKEKOOABDYJAhB1MgQpOeEIUkmCCFYjA -ARNoogEOaOJGDBglJ9Qqx0Mti5dk/H1yGK7cBoNey+qkgxe0QApLOMIYvKCFN7ihDWIowxiugIUp -UIEKTaiCFaDwBCcggQY0cAEKTAACDGSAAk0wQAE+dOSIQUMDIzIS+/uTkJ+S4xJ9X8nyC8pExA0a -O7DBDLawhSxkwQpTUAMaykCGM5ChCU5IQhOYcAQe4GAGGbiAAzaQAQhUgAIQYKIAS9ygUQPlNULC -+7pEe/RcsUKh+B7T+qriOiWFKgARQZAgBB7QQhaq8AY4vGELXwADFKYgBSU0AQkwmAELToCCDpxg -BSJQAQxY0IEPbEAJJZCoQWNGCxYsWrBgQdKCkfpPvbIkuxb5+C5WSDJQgQUkIQlC6EIXspAGNJBh -DnOQAxnGMAYmKGEIQACCDZbQBCFoQQtV6IEQelCCFaBAAyAAgQEW4AAfQAgBE5OiZTqdep3llXKh -UvKySp2URAT4gYcKQqABIOhgBmlIQxqA8AMh3IAGMLDCFJrgAx/ogAQm8AAMYoCCH/TgBjrAQQ0q -UIEKJIGEEUL04IMPGjZOYCUlz0hk7y7930nTN8kXIqwebsAYQQg6oIMc2IALXchCGtKwBipQgQpP -kIITsrAFLEghClCAwQxoIIELaGAIIpDYYccOM1S4YImZ9K4sDkAHtdM51bQMk9iOFxQheOTowAYq -4IAmlkACiB4FOCKIHzVqiJRKH/j1uC1umrxZlty2NNMzaa5cN3feitOJxeMJpWmbZWnWSVmtRuCB -DFzhClQYgxjCQAYxeIEMYeiCDGLgggIoYcQRQ/TQww8eLi8tO9iIISMSIhIKqfbdZCRi1XbK53/p -uO+6cCjO42iqYwIEwUMBCTCACUzwASH8wAYYoMACmjAAEg1AwBIXkIACFsCAAnwABBUgAQk0UMQP -PUZQIhOUqAXJS0UE8qTpDII3SZrkOAS/cgja5KiXpImWXVytGylgmEgiCB/0wAZVoAIUhiCEHmQg -AxboAAYmgAQPO2zMwMCUhIy4VrHTyAXy9OyaqmnYba9mugTP8BfeJImXouvXLRABJiSwACUqEIEE -zGAGLaAABJpgABNGDKFDBksMdbIasbxQMyghLFRMQPLcep7PsjOt1klI5KcrLpL1J86iKDISuWBJ -QYASRPCABzPAQhaswIQmLIEDGbAADztm1HABw2KGxWVlRMaKFxwvaGRWUFSkkI/bMFGo1XvudH1H -EVdRUl7zkKEiBSLQQBB6YIMiCEEHONgBDU6QAhBYwAFMJIAAPjRAAUSIYAQXkAAFGLCEAYz4wQOP -GC5Y0MC4mLhaozz/zK+rz1f7za8pqZZZXqsfMmDkkNGiBjVogQ1gIAMIHMAAEmCAEkwQAIgjiuCh -gCaIiEADCiABCCggiB5+0HjBQmZFRaZERKUFGzmxRkKnX2VhjoO5TXXLMFJEJoAAJZZgBCCMwQta 
-UAMazICFKlTBB0HgQQpcQIIOdGACEoBAE0gEwcOOGDBk0MyIpFIiu27pOP2Bp/adEYVioEis2D21 -zphtxg6IyY7zFEUzrd021OvOnEwrWiwWXdMeSHI6HsjGBcUQvhe5rQgCwulwgtW4FdBPkyrBmEQm -pdAr1M+QqFKIqFb8vcJt1k2rbvmU0yejPxS/c0muXyfS60C8qPQoCUG1qm6SPWqiZjdVwzEuky+7 -NCqicvj137dasiHnideUl2lHDBVB6KCRsmkUD/9C+pTo92uOa/CrRbH1Oo+a7ujJdpyZZWWnE2rV -lA9P0t9z+aHh5hrxP2bQAJFjxr6meBmaYlUlpLfwWkfLWfzoUdRR9NO+PgvP4zlysrfrSO3qQmRF -st9aHWM0DOmzq/T3b+qv5QhOYXis8slnVqIU0ic3S1LsqoxALSaSHIojpyNyODQIhtIUxbOL9Lje -mq7STuPFC40Lykvkj3BY9eMine7nlvXJ/Tqe2RWEyzVOYi6mkK+irwiCWWcmwxCsxvTah1VPrbqY -mGRkREyk3VO3eUuGcJcl0l8i/aRFAt3050VdRDqOEtaMykST4P+yHvhFvc71+ycnlM6y8ymisPwU -KK/XyDOy3Q/NnrhIPWLEKMAIIEpWpJR/o3gbBupd/k6ya51l5ZJswS7ktiW+D8vzEpBPut9V6J6x -AsWHDhY5ZKSIUYmlhJhWRE4rXERUoLxGQr7/tnE5sqBnkl+T676QSjpZvhz3q6mobVVxnJJfkh7/ -19bsaK+fZISOHijadrtOzbT4A32VhcVy9cKyk6FbNpLlv31TMR1DGrmMQiI5fqLjEf2SaHdXTZbT -UPPrAvJ9qIgM0aJFReSH3nYuSVcMRbBLetmeDFUvS5Mi5UgZ2eHlxIdKCIoH51GyX08+NeUQrMew -BK8i+wxjhDXy8yL5TTdNJmX6V5XlNN4kVT4eF65Vywg0ot8n2GU5buU2kMvCCHG19Dw3yxj0RnO7 -MuJnWKKW1EgWvxZOj+x4q55zUuxRc2XLITsugt37RE3uIztbPpal9jW9rwl+cXO8S1FExyeiz0nH -39AbuekNWGoGq3SizyQ3LLLL+TniZ9mvKq+mN0nqZZmC45WPP3LTIbY8YlPX05T4gcOIHz9gn0/I -z8MwgfmIQfmhRYwOl5IWI6yRXbOiSMLlFSlSSDV1EiS9bOuuUXjcJJdZL5tqnFJOG+GjRoxJSa2W -LR9/aZ1mqIj0iEl54TLB9Lo2R5WQR8UppOLJVbL7fluelqz9hmmpZmCsk43X57nSaxmX6ZTbfat+ -4PRUtzAPLgNLBTEjxgd2UTXMsmdRu/oqepcir5o+i+roOOLrJ//HHkvcLElyq8pl2I+HgHY/XuVU -ZAkx9WCxgrXrqFseyS6flrhJxiGobppIVUs8nnXbVi1bgSK1OJFkPn4M6XPy6W3zPLdNBkwMEXJA -g1E8u1zHm+ZIz79wfEfX1QO/zeZOyyZ+2IGGJKUWy9P7klp2xK6rWk4hfU5AO+ll201j6XnKvlFE -ohjUCOWjk14WP8t3DONRZD3uJkMXLpQQKVaGoHHBcRI76fHUq55e1XXPIZfdyTL1vip+ruLBVT58 -aoZxs6RJUcTv/TS9yVElwz5WTmDEWC2gPgWzpFYtwSyqhlFGHhDM0uYIgl1UPceYQC5YpRH+/riq -n5o8VkpihLj+FQWxKQsJ9CK2YsE6nXhy/SzDTsfUOBVN66cJf15ujqcZLslvCglUI8RVil1eNVU1 -/MLnkR5HweqpNVtCOYknX+n2/7axCMYhiHJfkxvvUTIvw/0cS3KrsmMdKyU9rGCBIhL5AKOiABwx -fLSY4FghCWIFywsRlUiGXRDM0bL0urkIltRzBSnkAvKgXtZzjj4Z5mX40jIdoaNGCQ== - - - 
alW6ZQLMWFGAGi96tJgYseIlxqq0muH8HGFQJtVtf9gzls8pf96CZfrxkpJjxWTFJPJb1SO3O2hc -gIghY+QDIvn7GSWtF1IvwtMjHvyEJOpfd0TLP8vaYgha0ZJ6uvR5DOkn2ecTP/+oq7pxnpYd0W+T -/fbN8V/PnjXtVFxRfYBg4cIU0yj5dd0yCWbpEVQ5zcw6J/ntl6SI4gTMaSO3/IpdfwT3UtzP0S5J -vAxTpEQ8zMjU4tif6G+euijuJMmrKW2WtTmubJiHFS4mJRMthkDMuPhYIZEZfV723LJnE8zu5Qjb -9wwwQAGjOn+9jzXDQKhouYEygvLhVUSeT8uyX0eqZRhVySS7K9kl2fORHH8J/T60lCgBg8bk93hS -FEfKCQoIpIrbFSfRzEk0gwTGQ4oWGZWpP80TEokAOnioblvUoi2Zbfn3IWJUfGARmfEywZT8WOxg -IlASOnSwcn43RZeRZwbKSMwKRXMSFbHCBcZLhZdiTL9feX2SXRGLwuqVVbt8eoJYVcXvdZPEUTHG -CYzFyMvToqW5HdHpVJuueHYXrVQrt2+UPAHtMSaeh5RXDZFVDZMYic+3Hod2Gx2Cb8fRI/jHLYvH -aWAqHCshO1BgLiWQSXZnUCIeLSYiuf3dU4XUk3xwkxBP8ulH8Pt+IJpldwiaXFY3SR8t/dQM0esb -JKsF9IiRgB41RkajWy1XTKEXj3vY8pW/NExYMEhYMUhaMqoTz6qmuYXhIsmIepTdPuHzFz6r6DdV -vy2pzw8wUrywXKfbNvl5mJNohK9VsEQpViKSEB8i6lW9bqfo+3UwfI7J78tdT3QaRruq+aVJkf26 -l8c3ybGPmnboheizjBCUCpWoZJ9R9IubZWqOX3d9l2Fdgn2LmuYXxrP/ZjmHII2YlgUYEYSIVWNQ -JB9YuBTgRoocJ64W0R4DVnrZscd1mwBiB5aTKXbPOFBEbJzAbqDAcpzERvZaJbu7KYb0txA0LiG1 -HEJL3xxTrgq7YxO/jiGSqoFSQopjkv+zIgqxjD4zqRGJTreA9pI+18/yX1NPeo5kV8UILIWL1bpv -PjVHcMu651ifx6xIPWJaSv4/xuvU8tlJ9NoFxMecRK86DrEpCwr1A40Zn9hVAe00YqcXkP7i4yy5 -DbGoyD1rEmxhEpLEDhwn255BiWK8Uka0oFECxoofYk52tIjQsEqoek7BQn3clQ67FCSPECmsFSM+ -hIZLK9qX4vx1p9q1AAF8WAFjifg1DpSWDywoNCC+h5QYAWLIzLRSdSnSxFgjoR/UpqL1PLlqCmZN -rqqa4R890c7mJLQrsYPHbpY3Cf5u6sJj1x2rbHjkx1NIH9LsrnCVZJCwTEJ7DBIVjZMXTNf18yTB -cYnPu246L0WT0C8C+oDY9ISnaZCkcKC4WoScWlIi2KfP2fTlsWe0jOSAMbGhEgJDBNVS+v9WBblp -SW/fZKijI8mvwxhprXChYISkinDx0oQOFyl9Vu31DExVkt+UEc/EDhc+0LDMQHHBaJFSmEIvHt9b -VWdR9+NibzPBKouY6YgaK2qslKCYQL/8sqF3o+WI36NgtwSXV3p75ZOTYvZnUZOPB7b3PWqyWJle -sEoqnt0Vu6P1HMXrS6s0E+JK0XMQL1YkYSNGixbqVb+pmBXRZVS84qSY4qUaAflE1FBRAggUQMcK -CY1qJCOGSsmtDXo02NG4Tj9kWkwue8LbSNCkFBFT0uOktaNklaOkVYLbFFUKBiUQAQOOQCLEriwg -HcZKNGM1mil9VLErYtN8/ISgwSIJQtjBBRrggFjfszARsQGDouPFxAeMiY8UKS9IXig61pEipobL -S2y/Y1QmkX8v8fMTXw/p8RM+66qpAvJXrEqoWC29aSunWfjcItpxoMB4oFlpWZVW/Z0BJo5QsVqZ 
-1rQVrzKpz46YkxkqIrE+Pwl99LPMy5CFKRSjX5/k9DBbzSust0VyG8LXP1hipJgd+XEdKyIuoh+G -yyH6nALaXXrtaVMZmIukRJJRlUpuufWmrniF0W8ITotYVNU4Jpn9AdPC8uGDiCExgA0VM0RYMKT/ -ZeTDEEHNtEokue3BYgYJHjtiO30DxeXjheRFiGrFqvTilWKhIpHw+MhVI1CEEEr06EHkppFowZIA -HzSOkCGDRIwWB/Rgw4cVKVR3bYOlxAc0iEGOGJgZlwnHSkjL6Sfx4CogfgSn4S5z/TkElhhiCR8/ -Rvh7BaTDiJF8sMRSpD4vYqYVMJS/nkTcUHEAHnqkeK1gff1i8rBQkWa8UjBcqlRuuyB3umMaLik0 -JLAXJyEwRFoxqVGoht9TXPW5jRITkaqqKPk6RlA/WkRexFQqH/6F27ZZ4uboWdPcHE8xK0QKFBku -EgsWSEVrpJphEX7vgAIQUIAePV70jGJTFP9+4RrRiJ1MbApa0fwchcABwwIGMAImRRLZbZgRD8Nj -WF7H8JlGBSLx6D5ayoz8JVq4zJQ+MKBchadjOs2zqQv0KeKHjx0tWpT4+w4psB9SXjhWpZE6Dqmm -iD1N8MojBYoGHICAHDQrYFImDSxAiQT8oONHDMoLGGrGZTIZfU61zAOMFjuwaHFDZSQCRPzogcZl -xvRRkRLF9JpfUZoETUB9SsiD8tlToEIyp5DIXpPwdA8VkRspIiYkEImGP4AAJWSIiKBeNma/PWBI -ipgx40OLlxeUqOTj4VNT1KYtv6fksiy+neK3fZyogFCh0qJV2lGy8mElRoLVGy4oHWiCCRkkISM+ -PtLbLCPPyykU63FQ3O5sikMlJMXoQ0LHUkqiXLVlx6x7HsFsC59NPLzMCdTEjhVM2FDhcgqN8LfI -XquEeJJfN9GuDZmXHVqw4JECkwAPMhBwg+ZHi4iKlCjFk5/4OOueUzTcQ+YFxkmKitFvgR1mTGCI -H0jIoIERglrxOsEYcbXumYVIKgUe0ECNFhYaKC8lbrDwIXPi4mVyAfWxOoY9baTUl+ACDDgADz6k -eHIhVKgEQZOyA6X1Q0zJES9cdryYiF41BiGAwAYcEAEa2Ovl5AlixUoQMShHxKgYEaNC8ul1lGxB -wqpBCTzg4kSFJNS3nP6Y1cjFZYqJehWS56TfP6l5YwSFg2TlAmZKcQKl+HrrpnlW9Vc0Bj169FZI -HhWtEYxIV3HyUXb6Y44sJRALkdfJrmF4/DL6VT56yn+X7PKpTfERrEtRJtaCYaVQQH0KFAhGK/RC -FfKhZYQIGROZ0P5u2cppKtld4XMSvT7CRcsOMCQ+VqzwSJGiIqSl0m8aLV9SpAPciOGitRKhZYyG -XUqfFjBTj5YYES5ceLycrGwZBiXigAKWWCGyOgn1NK1SDZUQlZMo5uczrpKpjl9WpBYkLZMfZ8Ep -C6lfATu9nEKsGk6hErmYQCO7rQMlRuLJQS67ym0YlIhFTLVSAqlsOeXXY7ccw2cXMZXKyGPy0V1O -H5IfZzmFSDBLatXeNFmzvIOJC4aIj/HcMCI/pbddPnqKf3/SsQZKyASQCEIImhcfZFJoVCEXr1ON -kVUK1SgEs/pJ8pBiZUdKisg9u1iJYsBSNEpePWBOaJjAVLRIKRpu3bMPLGCOwAHjRQlsxSsqMAKk -YDmCxqX0rv16nmjYdc8l2CW5agtIZ+JGix1aSnhIsULEixmYUWgXQxevFBEsYFhGP8o9Uzz2jZJV -Dy0hPkhYNGKqFk7HYDeEDBUtQkRUcpx615dP7qJFqqECOyKHigT8mFES6k2021L6zKBCJHwNw+cX -PofwduuGW04h1b6H9HaNkBKNV4mlx1mtCipFT/n96uhjZgYFdPKg6Ig1g4ApaWLGzA8U2EuIP+lt 
-kGryprgS8rjuWsWer9YkqSJKbkcranLV2E7fJSjiyWOUvFpKoZCcTvFvkZxW2TLoRVVE/cqOQ/Ba -8u8sXKkYLRWJLZfoeEg9P6n5o+WPlio5XtE0DYZx97noWMWzl+S26BTZDsiHAkWHYpNmWT+G9ue5 -XAd/X2x+aU6ikNzOS/Lltpjj9jA86fP/ND+neXLZFM9OYtOrlhWhJ06KMdilKIFOdvtzjiQ4zPLn -I7gME+JTsArL6VKrmlg0xZP3J5mT4auGUXbahK9bNfxZ0XXTUHAbI/o/JylzHX70PugIQksSe0bJ -bZG7tj9vxjRScRLNkD4n+/2j526WLFoe4XOXvtNkqaMnq4ZV9jpkdltyW3LT+ON0Uizx+RooJ/k4 -hlSzJcS/YJVUfLvkhk/t6WFPz6u6jH6Vvweh5cllP6q6lyUOejS42WZpl2QJdkPs+UFJUlqOyK6O -VWlHiGqm9OlPceU6r7xm4sYLHSwssZwu4WeSnUbB7IuOQ3Q7VcegNmXBIvUwcflAgcVgkWA++euO -Q27Kp2MQMmhORKUYju84gdEQSRXRwiUJGTJFrFi5MYJq2e5Ln4+o8cKFNIIhgVqwTjFeKharEsrP -t2wZL8lePUVwOvWuoPQsuSvJLasI9TJMoBLd1klxN8eTX4cphVA8fEhem9rTFa8vf97iyV+2rKMl -im5rhKB6UHn1KHnB5pcnQVnkblQ8Gf0rJpGpjkV2W+XfW0R+SsgHtajoTXeVXFHyYoKHDpVRyFXD -Ijasbjipd03p6xT/Xvn1Ew/vr+2Zcarm+eqKkyRvmvooglK0FsfXC1eNE1GgQDPNLs+XvpfcM4x+ -dRF8O85zmikeX+X3TS/rbhtPkqNVPbktiBxD5ChCT94kVTadiuGY49oOJ0WonyH5LZ57hclzas++ -BPOwM7WpR0VB7eq66ZIeX8Usa2ZVc2uTYiyCKVoOyfM101YtI7XqKnZH6qly15J6/mZZf55Jr7do -OQW7JFZdybEqfl+0/EnPmyRVjpPJEeS2btbRQ071qiv6FbUqDoJ7OZ7kWTfN0tumZrg/yZBqwmY3 -NrsuWCUVK1JIXntQk2XLLfuew3EGxZXbouC1yrZt03TD7wU9vRw/6OmPocpNw2B25aYhNxzjbxEe -l2FS4tp9HzVTcktyVc9ZquT3HsO200KuOkQMFThQRlB+HgWvqDd93bGJJ0fNb0q387OE3fQOLSao -ejb595jS72IVmvEqkex0an5fep6qaRWslMnvCbEqTLdXSB8TP1fFbp+avUnmY4ii6Rd+h+B0y7+f -5DVpRf/0FLEqq579VZVFUDdL1Muq6DSM0g/T338ZulxHRSwlASF83BiJlei1SDVBaVmCVZIQX5Jf -2xxtVLyxQkLi9y79VuE06V1T9Rt6UxkrJD9YuBDRsklmYUQ9N4ATHnP8pOUtgvTn1WKoqyuOsrXJ -nl1Ial1Ivle2zqer64UkJ+NOgISbTm6mvxu7HthqGQ56PSmq9DuLESiFz0ntmmaZeOLE3H11SJIg -HBwMVfy9xar0YiUawW000zYdTryct4+jmnHYbJODHE3pwwJVkhmFUPx+R9FSLMcgEfG0ri2CIhZl -GfkwRFgzK9ELybOaYXLDCdE4CL7jTpy5TbSiIriN4u8vWKlU28IbR38ga55dM82XZQ== - - - LoYf1AzZ8ZRd/25Lg6K7dSsiEMrn10/zHkd/FFt0vEJ1Wtn2jqIst42czU2OP3r+KWp6Y8+q3ui5 -t+6ISaXH+kqub7l+WPhX1bbrWs+ryZFEv09rSoffyNmUnY77eSU3XTHySe57P1EVFEeOG9H3597r -l57TV6XzIZ//JBRi4fiork847r9vjqa1KP5pClpTviT509zNMbSiqdsO0TXM30c8fCu/W3bNomXQ 
-qvppmqptkkyH4jkGCqlyPebxXbsOWtUa/GrQmz8PR9OSTOsk2Z+mb5on123N9CdlYy8EOZ3UC3X1 -5U9VJ0cRq45Y1cSmuNi9eHuGCopprklvu5rllF5f+feYLcdfN2YdFOxeSk4+tV6ra/+6MajRihUK -tuset6XV1BXyzEAhOen5FNBfI0RFsucs56lbOJI9u/y/b5+6vany5lnj9Idu87Vs39MN4b/H9u+T -PTNO0wGFJgAdXM4bsa5/oiIIJ90+PHXt831L2J99ll/61KDxS1unEdvFY9P11TZm4y2971d4P9n3 -Cz0UKGxRPPH0MfwOsS+Prp9XlsUyBktXTMdOnE/2Z2HP+uZmOo+lG45p96Fbt44oKq6nV47k2nOi -OBjuYegpSVfjyk0HzbpbRFvvxNvb1JteJBfrkyLdn1uVSS2c0ZeIHz+kWJnh33sldMIRe+kogZn4 -Oh1+PXr6KPrHMIuyK1vXN4n1mnFpsUMOIxgg44cFkEhmnHVKtVVw/1Ln/3VvkpEqhcoFQyqd3Lbl -tpCzSbntd902FDkOxwzP3nf5IxS9tEKKsQhJ8cP0wsM3kYFK4QMkkoIvheg9qr9/0O356Z1O3y/r -vM62s3Dr1l11/YrfUGq64Nd1OOxYonD/M+/zm3vykErLRIbE5eWV0se7W66xyYJqXkbf3Y1NNz6K -4RQoUoqSKJSiLMexnQeLJDyarmii4im39tzevf2TRC0fFHvlEEm6rJHq9DH5Ne956ZosXdD7Ybdk -17hpotumfl69pvUL4/Yu2/17g2aPivao+FALhQrBab6G8Zzec/iWVfhmY1Gdg1r4h4rISwl0wnv3 -pGGYxELJUYLjADBFYCAlCAr4Lj7MqhXwiOWsVbUfMtun1/XLcAU73XYCZORkvImq3hgnT1ILs4yU -8xdvislPKXDWi3vlgqSS4wTTQ+2KkaIZIk/R2H2IiojMipSZ1Id1u3g7pqw3uuDIq2xJyVSfqVym -87n+cE2CCqllkal6TPdD+y/5TrlzCb5R/h8DgV4/iJXnJfS0STJm0Tk052q2oZuOq3HxF8KnK7e6 -TZPq3AX7JqiWHicykBC57ACPYHKRim9imXeYe69kT6zVV7BtcplIdviWzbR33791R3yfZOO4/v8k -MysYQLQE8QAeGZiBECsIAgaWkAUONKELLSIAAz/FEDzLDjeJDdODIsKlX1QS8rRckoU/0Vfbz+re -pJnDtUiy5QzaYXyIAcGBlwKgYIYBMGghgRn48MAOdgjBDmQUgIIZG6iBSgFC8GFxxMfFR8rkBcmU -8rp+ScLhd5JfiaPtiH1lEHxFkS1PlZXnnOSHTkKllpDKxcRyg0XTQwiLIFIvPjwxFbLnRfere1e1 -rp+itgf/wECkkjybZnrUsr5p7mXpszB+/7FOyk8ovwqNFYwiUip+OLFhRA8QKIEIDwXkKz9WkspL -DSBQUuzgQSItq+8wXvKLVLhgJaDRPJIj930geb7z3mppyTCiBYkK2JBAClQkwASsGgUw0fhAgvGh -v1bQpBXYj8U5anX7kXxHUY3NNDfLfM4/qRWWDA85GoCCJWigBAYcAQso+EIaCsADKJgsMYIRjgbw -LgrgluyQWS1UPUa2n7GU25JlvfBf2xK+J9F3asLi6tesFiYYTeQpmPBlNKBkiROwHOAEPkjwgwQQ -IQs5WIAEmAewINbDBPwUH6UVHr9rRZyv7p41Erk+9G6qdRFMh2R7DU2ZpeMWr+eQZyXTm+jIS3js -JjtehpjAyxAVOPlhAq0cCEDN/DA6qXFiweGLvFg9J2ELEs/6PWGSs7memKfuzNZo/KlVMiEXHkx6 -oMBKAUjA4gEtEAIFQAiiBUcwKcIDphdJxHYkoKSHCIhcKOGK4CBFMWhI5Rdx0dYjWeZFTi9ebX03 
-3nE/dEIDYwAOrIiACoRgARA6EAUvMMAIVyDADpwwgSVs4QJO+IJMEydg+TABkw8HyC5DhL+MmZOw -fMj6+r68l4BOq9xHwVE8YXoVM8KRAFQTL4BRgiMsoAheMIAQtlCDBEPgIQVCqIARsoAAHUABiRoo -wQcYIGHGB3gg04AVqGYsQatkVpzl5qncX9Gt/dp/FFy/Y/nW/VwKwUtajFoc0cLxAJIdIqDCACKA -QYEX7OhADZKAwRFueGAHsCA04MsA4bPw8FNysJ+UtUb9HhepP+VsTJ8rr7Yl2i7l/AoloorJ0dqx -xIsJqIBHCYCQggI0MGFiBCoUQIIL9AAKScyACSwsYIOQDQSgYiBBavExo2ROOwXLH5D9k+6edO80 -yrKq/OYjFMyMGSY+YOMDPThAD6bggzGwAQNJ+AIPEPgAhwZqwOIBLFjlWICd8mNN0aS/STmb2Hlk -16G4VF9VblFEEzw0AAMXFHhBDLpghhNkgQw+VDAEHmBgBCNw0IQUE2CBiQcK8DQSgLdIAlfZoYJO -2D/Gm0TwWf/f+CTT8Hjqo9hKRwJAPGDAxAEt+MEGTiiAEbbQgw2kAGMERfDBBUVoQghSMAAQoMAD -DIhAQwQ50DGCHcTIgAxEkuiAq8IDSop5TS0jkxUhL5QUD+JZeI/tE4VVe8SGTm6XHlBCbKDFAjmo -MYIh+EDBEAzQgygwsYMoHAAIVYAAErJghAuE0KIEB1Q9muhphIhLeJChlhAWeV2qneCEWSe7dtyz -5hMdJSJAwGKCBTuoIAkPOIIWeKAgCC4yQIMgXlCECyyhCz6kAAgtLPACFxmYwQ8vUIKPFBQhBAkQ -uCk9qC0ZbQjF9rw+vglH05IUCkXlhTWjowgW/EAEUvCCAnoAhQTkYAkloMIXflgBEFJMgAUxOlAD -lyZCkNqBAX4MAvgxmHBTfPD0krE3mU8uMey7JXuCo5Zt3/n6KTJ0hIAGE4gCGIKYgRMigAQs7KAM -bPjAFMrgAgM2qLEBGRCABkZYgA+ckCICK4CBQAtsiKAHKAcowU4jhA1b8SlxsTpZsZavO6IoWH5M -IaYYQsTowA1wsMAILkIABBgf6IERO5jCEkLAwo8XJOGGCHKggCFMQQJQEAMPFijhBQIwQAnRgRAP -F8hjLMAdpbj1ll6D0lEtP3EdzRi+6d/lEsQDgohBEnygwRKIqEESKqCELnCgCWNAAA+soEMEPGgx -gRXs8EANiFABEGgg8ILQjQbgMUS0KD1O1IzKi5xuz7I1SP/r16Z7k6llxg8MqGADS+BCEjd4gg4S -9MACQ3CCDr6whgj4wApEnAAINy4AAxwXmIGIER/AZ45oYTLUUcubs1j1rss1Ls/PfwICARPoIQIh -oNGAECRhAhmQ8JAAX+bHvnLDpKIH0YwPLQpmW3uQ3Tvy/URWFFO8lV9wJDvayYV3b3pxgAwUwAZF -iFGBFrh8NPGBI0ThCW14QwWkMAYjZmCEDBDBCS+wAhci0IMk9PhADE49mljxUMDKEBMArSACXq04 -PyYmPYpdu5T3opsPgVL5jzK91DjhUIKlhAeA2IEUFJCELdAIQQ9+oOAHTfwACjpIsIMWB6igRAkN -9OiAC5iowRBwdGAGIRhJrKiYMBaBJ62abX26JReOIEq+nj8FDx5W8IMEGGELOkjgAw9AgQsloIIX -ErCDJagwIQKZAnRgATYYwgFoQITWDgugU3SobigB43EAPCWH6pOgs+h8/S9UV3uORAwVNGJgUFpi -/FUMCAVAIAM28MEOFzABDCQWgKOJCrxgogI8yw2+ZKaPxdQnFFAGeTHoxFMmXSplENeZHRSbMMtq -81RB0utAls5TXtxwgUQTBPjACFRwBCO4YAlQgNEEB1oygPhRXIBQWPgkNCzJZGXFoKcXfgVHHkIj 
-k0RsH7XXfzymssn+odRLRg8ySUwAiRXoYAhlWIMChHCFHy4wgg8tIIIGlIAFImBABJYmQCByRAVQ -CIABmQSEoJSjiZnlx0uCw+xNRPRGy7Zm45uFy+77vDHlVSMaSOTowAs0kAQqLEAHT2g5AAhQkpCA -ShEPCOmxROzGECYXP0wvfKBmAKHH7GCyaEJSCypiMeeTR8ZbR4ZdGKvv54MymaGhgwEZUEIFOchA -ErBQBA2cYMLEB1g0wAM/cGAFOiQQgpIfS7xuFPHSYYB8JUfph3isZ1RzcWTVjxw5WQeygU2WxJM+ -+4hkcoFKMBbm5xtUapncPYp19fE70c8MM65DwfFQcFatIzecVOtekAw72zimL617PqYWy8TGDR98 -WMIBOAwwAZoglnDR4YOLHo4YiZFRGoEZnajgWy1xz9JDIrWuOtP7HFm/nX8XfkWyHVG2XGt5T71M -VFzkkFGACpRgCEo4QRGiMOMBJpARARK8HGEBFA0lPDE8+pEYfYWSr1JikEt98xWN6zU2zTaPuuxH -quF5kmzvKblUZF74gASNAkSABwQ8EEMJB6gQwgAjFRk2aUQUa1GJ0QMVQyPVVbOfynURitT6+Ce4 -teHWNs02f9+Yx/OJ409dsyTZounIZIJp0cLv/RKTEx0+fDitRuy4PkXzHNPRVD0k1QkV6/sSisIb -FByyk5VcdyTH4c4TN50x21AwTNHTZAT2gAcsIEZFCxcKioklQtP+GJokONJw7f+n+AaNYCohERae -RcJ/ULxb+yX6OVGQ68b0/f4kVIoXRoAABCEwAhEk0AMl/NgADFogsQAWRyxgxDKjTqGc/MlmpYRQ -VugrlXP+oPLfzj4t65+7d8t0zDZQ20YrlwoiChADxBI1CrCAF0YsgC+huVOw2R+9ss33/qzz8N77 -rVjIZMWJm8A1Z+WPDPOnmIKap6HgzKnqufWPR/SrRHrWyEgLGTI7IAFj8cN3mdym1P+KrVxmPCIu -cSl23h9xnb/PVMV0LluU+7oNB/VAEEx/1LflvlZEPzTvlix8sicQCRXP0xtdT2S3j9xwRBQoShQg -bdaZnOzMtpGjdSg22QmQj5PBY4nC+/+16TWO3RpVXfed5/g+w3MlVXve79rH7c+rzu3ImlsYh6Xb -hSAIJxvAiTPj+DSmx1QuT5t1d37kAqMGEAp4QEoNH0huBJFiofFxxfilEXrmQdD8whMEy5hMd9St -SVQGSVo085Oty/UNT5lEWxKdY5okZkYUgnK6NdrO6Trbdk/L957/+gfVurgN355XLsGynrazmfKu -nMc3vbp22sKjyX5gaJ5PeX7a9xQWq3fbzyynPL8I33FURbtvHdG71l9cXkxaIX+to57ogXTQTAut -qz2KHgoUIydrQ3I+VxlVeRgOKZ1CeX4S8mKZVDQrl9rXgqGHfVF13rfxv/s1rt+7nw== - - - 0/nY0VRNU7NOy202u+K5Xvd/CMZCafGiIoeOlxk9+pOr/pRMdv5Ck/vGNbZ70Im+PSaZ0rN+558Y -vmk2/jIt1LZx21xGRpBQggkUGRf+CPWTTv0fymc6Z1+aLFOvU8fwRALF0NCETiEw3b+uDcI/IHqH -w3LsaOBm8xqFRlYuj/6b5mqWph3DpA8opmKJeH9Fz1mGYyUlvYjFzjjrzrErnx0ofyIelunWjRyt -/UQZLFHOFnfijr6nu+/Z9/XAU+tCTsav7mi+PZBOuOnMn/g5VQ/Kwt+Yct7Y2crtq00V5M6rN5JZ -94F0OBQbU+votLVNdR5PtQNPuI7yRSYepLNyHJojeD7F9NuFmw4g2wmQcJPJIGmT6ZlxZEcLO9m4 -cZ+7LnGx9JsPnV7/qIXffwmSX2f7tK4EyzU0efKsP9H9xP6dPW3semIIknkoOGXWiZxNTlkfPnqU 
-QCPyE1OxpNPXTtsabfOXXtN2Hc0Q0Sn2Ialc50nZFX2D2ldX17k8308sM67sZCYhEE0I7H/hOBRB -bSvTSsV+30ZR1PvOT6zd+uOTSqBRfKKp99Xk+VnfOiTdzhM7HfXzUDo/ovEcXe3ylEWSJs09PWVY -JlOeu6SJq26IxnN05c9TL8v8PH8YFs2zbZ4cyKbUMloUc5EcqXHTfLOkiY4iS4axioI8/wvb4Deu -pMm/sMvzuVWXFc+VPGMTFdE53crtueqxHJPmvrKe1kXJdEsKhfKEdvrWY1lnW/cD3w98wbDUtvks -e8howYOOHrt8lzx/CNf/2H5F89twOgPQwTZFGpDgAkDY8OGp+bP7RC2rkuHR6+5qOotj+3kqj7/D -jh1//uNuTMJ1XGXBDWdDgaIDARmzzou2P20ch+V+siGXtsu1zDiyk6lbx3qh+4WgeM5Xl0OxqUv0 -Lk936zwdUKAZN4tkr7I4iZ54PiH9f2pdTaJ8+s6iSYslv7rxN67c53HhH3DoSIVMtxuPaNxnY5s8 -180TQbQPRUfcbCn3qdrHnQB5QTEWSdYD65EcwXFJnusSpVcYLdevC1ETrdWWXmEZdWVTdUGxNlH/ -jWtUHTtbC4p0idZmCoptOTzbb0y7j19bInDggNEic3IguOGoXAeK5VOui943P1NYJMNsYz/x/URZ -DHf0DMHxmc8Pi+EVLYfoOahta5LUUdQ00y4c96Bo/H3xWMIkOp9s2YXj1rHiSJ/rTKLrxtGel4ui -v66eOPbf9wXD/TRLPH7ManUCArluW8TDg942lds1YF5CNy+bqIvfTfx+JM9ZcvybJQ16H6dzcl09 -mmm2jSAg9XjWZgqHYx2KvvuS9v5uXxQWK4UFQ+kevUxdzqPHsS5PVyxZUFy/8E7V1K2T5nseSzgc -123jVRQkzyq+j4VI85l+5nqklGp5kXxiOh7F0D2fPr8Oy6Pdt9sZRltR60SNIzdO5TIYJzASkelO -1z5dTWv7gmLpeexI4qmq2neSUimF5eJheTZLO1XTsNxANqa2ueLIel8rx0tGoJjvv3LcFMcgCMjJ -dbW68jLdz/XqfWvXpRtHcjriZtOdQBGCgPCmWprx1O6r+p8/V1wsz2wrsy1H25QDw85GZpyurn/r -9ur6p+rHfWGxNN05jBSTmkTfT6THFEdfWjThT8RLFNU4EGQjh6O6dWUnc70vP8+P63pWFk9ZUzzF -b2SRTHobpyDJjuettv8re144RNN8+6rf9wp9UFSpmCz1E/WsrV6iNonqZ3oSKqnwvtw6O135lCXB -8EdNVy0zMw3durlE37AsO1t+niK/D2rbPz13kvSk6Y+euSia5BhFBOrPcyfJkJqqWre0rrD3jRvO -BwLymWufxlFwLLXODkXUicbYlUWJlBIC9ak6h2HM43n1Hv1EUbJ84vMqIU9LKRTDQrmwVPjK+q8b -+z0iWLZJcg5Dexx1s7TH8v1CGRzTzVs/EE9bPW11M71JU0/TuRx19bRAE0vsIINHye7xMjW9csyu -R67br21donR55qhKj+fqhSxIxiXqr2uKEUjHSIgLSRSCYdOuG/HDx40VMUQ2f59nr6KnOw4hfXT3 -teF5TVtbvl1zhcm0Ple1+3R13Vd1JMsf9qXFcW9fEb6D6hwExyEfT+zzl2y6d90bTW00pdGVRlN+ -dfNzpUVyh5kVIlq88FgpWfl91NuaHM7K85e4XvML367rq6qoXVUwGzJNNtNKDsd3XRcUq+WL8JeO -1TftwJKTjRsOr7I6ypIdbf3CPG1NuD6K5w/r9mgqet2Q67r0+0WJ6y5N3ER9V/blmybR1wP7VN3R -NCfLD8vKYPh+n46iJrpO4XjPrri6sqTpmqdIqQSS6xYcP7N92j0mGxfNMiq/e9edTRMFJVJJmWBR 
-FLHqipZFLtyz8QuO7xeyHnhyH662rge23IaTY46mffvqKpurbM6+LRjqaAp635ocaVH8WzfE95h4 -+pLbpmg5xuvy9+1lOWJZniRvEKzB0BbJt/Naex+6+fML33CE0XUKRf8QBKFnfppzGNLiCONy0YiQ -6Ci6IgLdMBk58feYUqhFjBUC8tQqSrrrENAnV9dPDIviGNS6+4m2G6dmW5ptsPeloFD9S7ef+Hrg -PZK9mvZruqOkjxQxMa8R04yn6Fy0uiD0VMlxie+XXvmjtn66xiH5hmNotvX1pcfxxKYpRh8W0qe1 -3ymmkBA1aLRIcenfWDW/J/vN8tlpjKxCcqySZ0madWyn40luHuqFcHmGYLgUvy673kvzJkeYl8uG -zMxHvkGwOxPikqFS4mKkVRL6Qa+bn+iurrGQyAPP7ifSYWgEC5QartOLnmfvI0E2bvdVoAFNnGAE -HzDlfQoUqcWqxJLZn/xmbjs3IDY5XuABDKDAARKgwv2V+9ruU9U3qHVDLTvC73UYouz6hxkudLBo -MaOtCH5ZSp8XVUkHCsyHCoyFKsSCFfqwawsVFJTW6691EBzHcjxGBFrx+KRVvUVx1bQPu6bsOi9N -XlVVvI7KbZGfXymFWkojkMqypFA/3LARYmL1LNuCpOUDjBQ5XlZIfH5GRYIphfAQHNHpExEoFNPx -aNKluatqCIZTtU2CZZfjaBEk2ThI94B0HmTbpfwmKYlglLx6vKTIqEym+U0RApMRKYF9Rij8BsHw -J357duXV1RTLora1xbFfXU8bj2SbDkX9RHN1xc2z5MI5SaqbBoNg3747G+Po+nljE46D5Nln15LQ -PzIaify+jxUxQ9h4YeMFheXnJDr2XRcFwT5+S0ik2B/SUfYey1ALp2r8peswKRNNmq4HpmicP9Ob -JHWTnD9uN8faJO3zPAmJPCiKkl8ZlekUy7dIyl1Hf96fpvxptnSdNlE4/FqkQj/IlBxBY4aJHjFw -sISwoEYrXZ9JcdSqpZbtTbL0qqE2bUEwBcXbjdFPhMlzVOMeN55FEe64GvxwUtxPUkX0u6BQuaqm -kPwhZqiooVKiYlUy+fXQy+KoaZ/nqu/3lcVRtATD/fiN1BO0pilaju33yp5fpJjgSAHDn6jM33/I -0USBwhuADt0JFB0KFHZZHmCIIoCwoaPVNrfTCZnlUKre49h2m7plbbeZkEIUQEASE1iCAL2J4hhx -bQCJHw/wQSOFqGfx5DCgHTa7qJrGgQtQsIQQRJxo2wcVMTIpFAqGQygad53J6ZScjQxL5QAiglj5 -9EDIsHjgAEUggEcMHCQwl27bJmmP4wqRVwoyAIEUsRCZ04cDTPCQAQL4gESMFa563s0RH0Ea7C5g -ACIwoAAFiHxGMSrTBYTwsQNLyYyXicWTu5t2k+IRO2p4AAMVOHk8MSKvJHTQEEECjDgADJYdJaoX -rtKKdovQIeMJSRCCAphAAGi+V0gfIWDILMFDhhI2WNAQccWIPC8Z9rDrjho18jpfS9Nf0ZD8Pvk9 -LqGRCd/vJSkTWwFBY0brY3rL1EZTjwurdF3FJPrhxUsElAACBgvLDEx1Y4VLDMmrhUUSGfEtj26S -MrWchNCwnLTEQkg5H6rrkRJK9Zs8tK6vLb+mbgjKJOlx37XrZDH0qCkLt1FGn1i/k2C4N0u301A0 -LOLh8xP1pCmKr79YlVagSq0Z/luWFcWPDNMYcYl49lQ+l4B0FiOrkI9fsusfZluMhJTcmLS2Jtal -Q3DduLGTjVn2hqKr/1e5r3KeC4K5Wabm2AbJa0ZMdYPEVfL7dEm6PHoIaUS6bddet1iRXLBMMCaR -qZb3VnXDzwO7o3vXxVBkv0d8HSXEt5A8Jb/en2Pa2axa5kFRc7MxOZ1241yOWzVNzTqslrncFnve 
-Z1VRMFyCgLCbNovhZ01ZN61iEpGAPKK2zUWRRMdhdu3Ca895puC2BbTzOIGN7PZJaUSybRQ9uxCB -4eb5fmAdijQovt6nm+bJp2fheI4XlBNEQAkeZlZE/n0Et7uK+nBrqufQDKt6Xi5H1R2/KGnFfHxl -y6AVbe20ixIXjhQSIFqkkKGyAtv1HVKw6DAZUcFtKD1v0HO3bQa9FiYiCTDCiH5NdajEJuBDjh1Y -TkJotzWzI3tdglcZKiQfmAAEiOjxg1TTRrRoiQAPNpiw0UKGyKrF9HvUMh9FV99nAAIOENE2iY59 -rIzQcJVEdrskw23HqVrnRwuYEEAgAbE/BHrbFTDVj5kXJGSwOILFCxErWiBARA87YFwOAMQPBDCx -hAwVMkkAoSMCDEACAw9YYgMRMMAEFIDEApL4ocZLi6rnY6h4aeIAB1ARUWGBSC5OSHjEtKCA/BXS -P+NK1aU4MvqsqFAs34Pa8/9dPWyaol+VfqsQcbmsTqDXHfk9MF1/5bmnZUt0fHIiobBUKCiSDxUw -sNAvumeaElcSPnAccWMGjBIRVB2XaJlP05Q88yZKcjoih0N2MjkM7bLMz1QOx7bzUkQiFc8HBcMm -2CXpbxdRT+LvnrdN+brnvn1aZjmNXkylE0+P0uspn34k9I/sucREWn1IHxWlia1CPr0obk3z+6vo -ToYvp6la1nKd23kf1qXBUAa/luPczuPR9BbFHkU96ip7n7nh6CVZgl2V/LJoOdbvofdtta0GQ5ee -g9o2JNOhmDbF8Ehe14CpVD46aX7xk9xP0qXjbNfhpfmqa50s4Q/UzdN10+q2xbxYQMxgYbrneBRP -tezq8xROp+x5VMv868Zmia+oH7d0eqpyWoS3Sf7cxoqIEDQuqNnNTTJVzy1eLBP8xh23j+INfrs4 -5mH4r2oJz+dRJOFvlX9HtSsqRVWMPELEpOxIGXnhcuzjpzw96Z4ZwEMOHCgjsbz+sGiIB08heUZ4 -PWXbNCknv8u2kD5AvKC8gPYQm37c1R7FnBRZSiAcLSqmuW7RcBM0VmBgiB9FqICB4UK5hHiYEwgG -BRqBBRwAAxOgwAA+8DADFGiACDhYAQ5YAAIJGIAIHDMrNFxIZl6pEpHfgAMYoQMazMBFysuMS7WA -HjEa0GPGjCmE0uMtIN+zngsgQBAPWIIAJiYUy4ObkP4ZWMoHzAkRMlbwkGLFpRQyCQ== - - - 9Ur08APG9Qr5PS0PPxPiSgKHjAf8wKMANFYk4EeNGCgiOFbIFMAIIW6wYLFDxuWFyMvlBFLltadl -fZZ1P7DMtLXzZFD8rCw9ku73rRuXatrqtl83zpumPYYjnhzGC0WTIqXwGtXnOR177rmFZYr9H5Rt -o4B8GSIrGiojMzHWSurUyzRNavRyEvkty7fsaJ5bD4Q9z+22ssMBQUBYroO/8DsB8mlbkRznKauj -qst1IchGRLExQTi4WLpcx3IbqF1rchS5b0zfT60bUtXTPHtUleT/qG5dBr/Su7qM/hssJTywiHEx -0tpPkh7L1/vmD7zDUPbAORR79Czx7CUY9lOVFsm18+iR/Fd1T03fZWG8/sOKGBwtKCOg35Tfdru+ -p8mz60yOa7fxZxmy56vcDsEv6HVBroubZn+iIraNPW/NsjoMQauamyYolmcQVLUMN1FS66Zc9zW/ -Lf8eszq5hMRCSqNWn+eAYUnluF2SIFV12fUIf4fgtSdF0/C70ZNFzz0pvuwYJcMi/f6qadKqes7S -R88X9HQyJMHr1hyv6ril9PkBc3IAHm6A4AEGuMASRLQYgcmwTBZIgBEJ+KHHDipgdMikxLhIOWBK -dlixogOGZAgcLwxwhBE0MdiMSZTi36QWxcfPBjs89H61rEEJOCAEGbQABgnJEC1aHsDDDAn4mLED 
-CsxGCQvG9PuniPLJOdAAJmCYhATxQkYCRfCARAwaGTHVCtXoBgmrheSTgHQIGCAJIfDABzJkaG68 -oBDghgsKENEDiBUwJR//d9v2A9nvE8Wy3751aa5cN5em374kOD7JMahdXTo+QwUl5ntKcDvC2ywl -EIyq9IKlZAcaKoq4wWJFCOzV7yyo0YuTkBosJTVSRGZiLXtlUfYZFru7SZpu20XLCu/KJp/QC+hD -ouN/isJdN4JwUo2LQQg+oKIkpf1CEgSkN89/bU0v/JLlD6qmWfZhWxokIzJJvl0HQtEUkAdlFJph -nXqkiAgBwzJi2dM8R6AABIBAEwiAeX6V/Jbs9ohux/KbxLb2B346nGjteszLxatrTZJ1CNbg5zHL -0/u+3HaL3w2ZGAtIwAGgWO7LUvWyMShRj5kVJnzE+MEFzEvXSU0z9bwKy7WzrsdlS7Pst2y/qvx5 -wp4nbjbu96GIRDIsFs2LFXpd+PtUTWu7zjTTN6rGJOni95aTyYcXMxFQ4ggJLGEEjcjrHUc1BPE0 -FfH8sQfuJDnS6y1cKhIt2+SIdjojChQqOQ7x+9915zD0zzOE309xfOLrNKkSHIL4mvpgscKlxXrx -98kHnyFyIsAMmRZUSOX0H6HjhUgI1NJtFS1TDZNXDzEoStCYUULGjArWiX/X/21B7luP4l2OJthV -xa6rllsxG6LHLV02xSyM6RPT5ZObekjQJaMyXCOU3ja5J0lee7ZUIfUrXqcQv1bZb2ynX0i9i5ip -RchJR8zJDxgqYJ/9h4oVIFrA1EBptYCdWDi9p6csiqR5jnGCAvOIcDOFP3AuTVA8r2haJ0U59EpI -fwFy1IA5rUb43AgXMiuIwAKOYJFiATtgjKAJJBwQhA8Ukv9CRYQDEEgAEj567EjBoqOlxAbKiCrH -XbOLwyQGQ6QV0uOjGOZR1eTCeQjan/c5zZjr1GyTu29lVKpJM0QBwodhqmX1soS5bgTZcCdOjBwO -LYYht21yXdcM/3BBscASQggxo4WKVmol5HHd9X6aJZ/PBhhwgAYkUUSJplVAvYvob93zaYZ99MxJ -suW2FjAVDJMSuzTRLFvBr4rRh6XX7xBMORxb/HiQIUMFIxCBrq69SbJIgS5QBI8MEOCHIli4uGid -9pJcvS4JIX5IwBFJgF6YxghrB0psRYpkwuOlVs1HkdWyFiQjCAiCCP1U146bw8/l479wrXqgiPA4 -GfGw7Mrj0cADGpBDhQzPitK0Sj64iJkJYa30u6XbMN3+rOsIsiHJcQoXS0UE6kvSL8k8DO8wtEMx -L82Q/19Jrf7VHcUwqGVVs7vCZb1NTzzugybFL8v6u8J+XWYlQkAPGREY4ocQLmBgUCHPy6qoSjJW -TE52vZpfGLFUDzMsPVZIUkZ/KH7bMMRR9MXvIHbFR7D0tiRWPbGo5xRRMRtyWRj0dJMkrevILceA -9hXeZvnsJH2Oml0XTusququmixZqCBgVHiWwFq3SDJIWDhcSmZAUSgr0AAIAUQQOGiqnEIvps7rn -VB3/rPqCoDyKvKp61LXkdMLNZt020oq2eHAVrJOLkNXKp4fp9Y+ZlggM8QMRLVq4iDwtWCAfLbAf -NCkurtEOLmAgkIQQOWBcJnAEEEjQcOFCxAVyWSBmUipAxI4mfMCoceIKtaqvqq98500TlJ6s2O1H -Uu7AduNMTmfTQQf381I8/dvJzg0H7Wio1r0iaYtjCoZRdp3UrjysSKECDUjAADzsCPH4IPft1VSF -0zCrUg0UWAOA0LEDJuWE2zCtFUvX9fQ01fAodkevu7LnGCKsVm6/npePI0rPl+g36mVfjks7HXfT -WjqugkLZJYkyCtUoee2QgiVGhXrhM8uORS2bm6WMFhYaEZKQmuIwcc2kRLB7BqUn7HEut6kdTguY 
-i4kefsDNEz9LlJ/fQaRFABoXIVxOVqhOvZqO6vkIHzxiYCOmVl0ihgwKIGAACyQRxA8XkxUrkcuo -L8Guum0xWFQUYAQRLCeTX46k0ySZJogk6a6jP+9ltSpCxw7bTNeOu0XwVcckfp5iAqV4oVhGoF1F -dbyYEWJHjtgn9OLzFK3TDMvkUgq9MAmhgSJCA1t53hfW6y0oUsxr1YIixXg8FL8u+MUh+LtsHH4y -2LnyWkVJJOPvInV8glk5BN3Pw03zHs05BFPzG2MS/WBBuVES4prlvSTfMMzPMzXLqDkGsenrhl+I -qH6IMYMAIXwcoSOGETlgwIS0VlQil9Tob9UPi+4mCYOeummv18nfZ3Y6Lcd5SDKFll/2ugWr9AKW -Ys0win4JkIMGAnzsoAISofw4DZFTES1WkJARQ0SMmB8yJyxiqRZ/y0AZYUmRUDhdjyHLRzfp7RB9 -HuHtFA2z8jsmhYLhtcl+i86y9jwShNPpgCLccEhOpy7H1V2jICD7WL5sXYT3RS2sj2Tsvld2vqcq -CCTQgCPwwAYxrtaK2IqIGzKKsPFiCRozPMCMAJGCxAA8WgQRI4WPFjQpCAEIcKhwIbNCFaCGChoi -q1Yde1CTZc/zGKrd9rPsSZ7pELzF8JOiLllmxfAKhmevmzEZ2UENXnCAIpAY2XdMt3egeSFiRgsd -KSMuYipXTtthyJ9mSsrEs2z8ffcomh2OXpagVD25q0dF4Y+L7TYPFRL+LPWzFLFqyWU/bZqq3RgW -qVdTVKzyIGnhIAlxMQJ75XSIPXMzlMGOX9cJHCCJJo4QgoUkQrWqZwxtbmM5IOwGRPa6U02HhEQo -t+HliOLvN1orHK1VEixS1CCB/Sm6myIJJMDEC0bAAZGPCIX043hB2ZGCRYkbMRTAgwYSMGRUuFB4 -erJYMckBAwYJaqXacZYTiIXXnvTMx5D1ujLrkOh3xTT6tCroLP2S9KAmy6ZDeN2zriDIRuTvDSAE -EClGSEw2PZJhUMuC2DUlyyl5zstTJsfUjrcQcdE4CVkBU7kIUf2wgmUlFfLIq+uDs/hbHr+7DPnU -1NFz7biRsyE3m5bz6JCcv/Ddttjb/BYl8eA0JxFM6SNTCpn0PYhVYYysWkwf1z6j8DMPLiNEwHiJ -UcJq9fYHbnH1xFFTFkMSBYr/LFU8PAlun9yWzbJvAAO4xZAIGi9OMGx/Xi6K8Se6nyiLY9nJOB1Q -uHDdpaS6y/TtwNkDY86LO8+jpiJ2JbnrSsd/t7WhMrICxirNcW6KJiCeAD1kKCCIHAsIIocRNljE -WFEhEYVgvFgtnv0/SRv02Kwje50cgvMo9qsrjyWobUMs+6cpT5KektxFERdDGScjEiCAETZiYEQ+ -fAFqrHDBMpHkNkktRXRahMf3UVTJcASWSAJGykrJvofQtNxs4g+Uv5AGwVbTVjGcw4SkZd81Seqn -qZpjE4+uMupVTB+Yr9di2MQPPEYggQigjE5/esoIUcmIpVSkQCo/36upK4KixrFLstWyN+vwoggy -URGKnvT+yHXNDqc2SRmVSQZVYtnzX4q+OYbY1EfNVMy6gKFkViZV/VLgiB0K4AMHTUgrtdewnycR -eVA6naslD5qXHS1auLBYKiTQK69JrgpST/8k224jOyAkIZ8IGTDwkkzx9RoisZTP/5+lTYprx3k6 -nLCRIjKCDWggpRXSuukWEagHmpkeLy0toD/1uj6K5mb5gwwXSPjYoVTXrBuOIVK60RJjOYFGPHnM -6bOjo+h+f8ghI4ZqxaQZhyL8gfUX6mLZcuB2AoWNki9YVFa9hxTHJ9gdsarpZUvw+tLnHzErppr2 -3fSHFitL6JBxhA4ZPVKssJxAp3rmWfV3W11NY/9nRdMjOk5a1dr76E80QTZqlu2ui5Oki8dzal1U 
-41xw1M81N1W3C/tzvUmU7UAX76dQpUZ6/7OqnhQdras+kvRI4iYaat29NHn2lUFRIYAOGkvkoJFE -jRdI1GDxA4uXEpEHhd+o2uZRVUfRT+veI+luHU6Wvqq6H/iCod+67wfWI+mn6ouuVX5fJlVK+XhG -7epZUxjIs0Ikxp/lr5olHh1GDMUDTAnJbr+cxn4eCr9fur52MrjzdjOdP3IXSX4ccRCkP0/uvBRd -u3b9w6p3KabueUZLyguUklL8zrBUMlJUSHX92u8cJyEpTCGYLf+oeY8iy3Fl1mE7ruU0VgybWPb+ -vvv79FDEQfAGwZVNxxCBrfC7V1GT/D6x65VeRwl5Wva8ouM+LUv+HAcsEMGNmJcV08eHipUD8LCj -CBg0P15MapC0WEh/i8ddoJj84AKGSZ5R8lvC4x6UpEHP5IDQ3zZi0x81Q+z65Lry19mh16/ofpb6 -GMb0OnYKjXabJuY68T2tmobtOYqGVT49iqeP4TWMmCql9AnJbYqRlYsVEZXUaCTkn+44Vbs9WrZ6 -nAA9+GiBnXxeOS9N2PNWbRM5HW7D6Zw44eprEzSAASz9j8PwHkEY/ar8uwvps2OFZAZJTEXLMFRM -SnCBCcyAmWlRmWhYpJaSH8LXJvr1tOsbghQ4wBIlHxBoZXfypD1RL9G488jNRtPhRKptpjfOSZNv -25Kt32Vak6frhWrWmR1t9b6Q36Oj5SR1423X2aMYq+eRun7N9ch93c57Ow+llPKBDWSww4oVIdRc -wWzMqD/AjxpH9KjxYsXE48ouKIaIRqzes3beqnW1SPap2qNrPZIp16meB+N6raRa/8qW4Pa146D3 -Tdm1i9dbPk+S5RM912hhkZGCImpVVv226he0orEY3igqj+S42cQoMZlhwT5pq4Oj/YG7KN4gWIPh -i+9F9ezDLMurBcNq2WBR8UGFTIhuf9ASNcOg2CXVcIhnR82xn555OaJcVmSaOgiWnA== - - - DctxpzfOxzLuPM95wmg6RddLars3S5scVa+zy3HkxlGvW3pdf1VL8AvTcREP3zLyleiBh4qRGA2U -FweW8CEBO2oQQeOywwTmomU6CfUq3X6RcjJEjRunmW759DGhHx/DltPUbGN/m/1tvDmCVnUGPb4c -SW7aRMdR7EpCTU9qxqgo2msicNgo+YhK/L2HSwoQKVqYkEFzQ+Q1MwqtMIlQchsS6huwRBEISIIA -Li3WDBYTFiWwEtCumuNfTUv1PKppFZ63nZdqWut96QeC2vZxOn569kCj4uPGdTmWYpbF11X+nWX0 -v6RGr9xGzbARO2gUQQc3aKGSIgYJzIeKCA0KxALqQ3b6NMN3OZpsfPVAklAIxvXqWdg03/dIoprm -gWw0HU5oJ1BwJ1CA4NhnX7OjpRuneqCOrr7K1mM5h+NtnmWmnZk2et3YPftmKXcf3Hk0CNYgWHLd -H1jIlOT4JPSJIfKSOYF80Lz0cJFiZZXq1RYGQ1Acz+YJdjKbNOuRlENR1Tg6FN3vcz/QVNN+G6cb -B4Ld1r7rpwpyXZDLkt6WP02RfgfiBQsYVqsWx9CqvuxZ5d9D64pqW4cCJAQBCQKGCxosLyf51scT -3jyPefrnOX+fHIppt/FuqoAgdlgZoWwxLOHrHSasHzAlSuRwAUSLFhSSxxO3IyTRDhYqXB4PaVVZ -sGuy66rafr8Q1bYQZJOXJShVe9PUx7H+PnbT4M+ryZHktp50VT0wVNcmJlOs72dcLBsqJiYePl/P -FW8PEYPmCBktVnSsEtpTuEhL+LBDBBiYABE6cJyURvZ5/m+bIlUyvXAdgnUIplz1BI9fMbtqnBAE -RbhBEVJTlDz3kCLudR/UjOk2yb+3gKFihMRGctwy6o2QMflB4noJeV72TGpXk8uKWhVF5GfgAEg0 
-wAgjaqSQQIAIHkvwkCHDKo1gdx5JU9P81IQRe51mGabrJTjm0TXdOnHDib8PP1E4DFU7rnIylWQ4 -BhXyIYPSQwuYGiomLGCuHljEEKGDRqrXV7hQLVYm1fyCWjXkpqbYxcmxT9G7NG1yVLuO7GQ0KdJj -yHZcum1pptFgqI+jXo7dCR1cMGTxnnUe23Dt8l7r+c2nUIHnNI1u23vM9zQf8zQ2HuP7riK++d20 -MjGRySFj4iEzItOiRoyRChYyMlYkbq9GKmhozLiYYTKTbd7T3DM4LVPjKvI4t2s+vml2PKZlVsjE -K2p7Rd33NCwZQwamShmATA4ZE82MU5oKgIQVIaYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiam -JqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYm -piamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiam -JqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYm -piamJqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqamJqam -pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam -pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam -pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam -pqampqampqampqampqampqampqampqampqamBt86K3uNA5YyQAuYmZHH9jiQiqaAelKb8qNXd9uJ -AoXa4ZhcdKSi8baJOpzwSdEHFJEZKZNqTUdl2GYbl8tadEyy4zDctsGvJ8eRm1bZbZEZlrdOCaLD -y2kgV+0Bo/LC8xIE5O00mOzqUJlWePKTuEWlZQiCAh7HEdEINdv6OJ7SFOa2Kny9A4rL1bIrh+N2 -XCzHazFUt2wGPdgcv2SZJ8eU0zk5nfgLYRBsOW7uOjbLWA4H/7wWj75i5JvccslNe7Q8wW+JZfNx -fLnt3bI7/PaSRL3vLoLvlsFc9klR0FmKTtInQb4Me5QEregpdnsS5MNONIIvnp3F30fp6SnFGuzu -UYzVtYld5S6Du4w3xdgMx3j2FlBPctNd9Gy4TgZoAYOC038p6iP4chq72ciaFjrRlrPRQa7khnmI -pIhYGUkR4lmwmoOeytngIYiLYNrZyB/HitkZEM+i3/o4oh3OmXFo0PtRFOY0GtRCKhnj4ytGnpS7 -zh33Zh2TGX7h8VVkOTSG97bRwW1lyzAcN71wPpIxt/XlyNLjPFYmG6UQaj11Mmw5TcSmL9ktnWSI -DPmRA7GlSDU/p+iDxQSm5zK4rWgWxuoU8sKgcLy5Te62FvRAcPu6a88otlhUlZqlc/SUIC96/Ojp -Y8eKWRf9psAOGDFEPkw1R6Vod9vcbSJ3je33TooiFX3V8w4rIUi8xEJmOZ7QQQuAAOSui/n8qJZt -OR0446ze9IfJKgI4WKTcVd6y2uNec9yPotvZsJ2NPoIvIU8SLGB2oIiQ8LgtircYnvw9ixJIhZr3 -xsm7zmf0dBIsuWvK77PmOaSmU6x6d9ubgfiiZ3MZywG5w3Dl48nF0A4/Vfy6ZPgGP5SzWTscGvRE -Klpi1xn8TM6mBj+RmrpkF4dq5OKzm9AuT354+JVYNfY87sSJdctCbHmlz1d4neS2/ZLky1Hl91ex 
-XH+fu2Wwt5189B4xKS9IXrH9fj1NFj1Sq5bWlO40ONvYnqaK29PLxnR9BMt2OZbm2HXTK77Ost8j -eE2HnbtxSmkJ49FN64mHno+Wv1neHWd7nYcc22xjck8TnS6xJ096fAnuI8iLYT+SMselnE25QeFJ -z1XcjtgyLn4rp+UkSGpRUGrao/iGHo6KITo9wySi8eyn9aQ9Tu62jznuoQdzGi6CLZmFEfE9pIio -6HhITT2qipPjiE1jcasyvyUw+yHD/yz3ssxHUB+/mdP8EYQJ6T9UYi1Oo9W7ml51P0XQaqL498hN -e8Qw57i4s7m7bbSqJJcFqekdgin4vVJRlGr6JJiHXE528Zf9KHnS+7Xn8SU5YlcV/KZYVua4k7Ox -Q9BPz9Zdl9jVB73d69xOFmvaKEX7koQ3bvY8HBTzMPyUYkntltRwDn4kNWXB78ck0c6m1TRRmr7o -+OSmVe7ql6JPfiQ2PcVub5InCAi6AVG164vSp0WJT4H6jFBS3rK520rs6nLbCILi/r5YDLvWlKWm -nlH0S/Fjlqm2FaXqu2m/aYpStOSue4i4RuSXxaIsd8VJ0YXfn1Vdtyzmsj3sVC4Ki9mTevKiKHde -7HUjvt5iVXrJbv5xPOh5xvDEnixUI5Yc7+XpYduXjuM4ifFoMSHxb70McRL8rKdKduPP+5xmyT3H -+LkPkRbrXT1pGZLh0U2XZPguyVoEbxFcwW3KbsfqN5SW+Qjm4pd611Yd118XbxkOeqLU7MkwttMy -TF6f+PXZ06TvebKUO67uOpnb4E2TvW4Ew67HwV/nWVf9NEvq2GW/R2gJYs+RDbesSCpWpxr08PBD -vazKz49WNBdB2eNkr/vR0+SyK9k1ueeY3KZcleSuukn2Jml/HS96J7VUueMZJ9IJfu9jyGod+/NK -Kwoj5SlC5UUj6k3tqZugBx1Jq/lJy3Xr2B+3f11IFFvo6WLXHz3vs7xLcqSuu/jpoidz2S52KRf1 -lOEdemunQ4MhzYsV0u+7aYJQtLSuITreQiWSEfUwGg6paT6WuWjq4jg6yxE62l73alkegjxJutrm -atkrhkXkuYSeMPiNxW8OgnYYpl7XJMfljjNBQOzvQ7nryi2/fHQYTs8hyA1gAKuZjimRXHYdgx0+ -giX6HVMKpXh0nhRZLaM/kLS+dyi2HQ7c4fhhWGLPGA2P3HVvnnHXhdR1rKb7ccS9Tv+8kEmW3HPJ -nov4vF2SZpbhotiTYmlNVWyKfxzudfjnseJ25oUSwWx/jq85NsHtVKuK0PHEliN6TcLnLbvOS5Lt -tHv0RGs5ktMtfz8yvyf19KhoS5ZLq7qH3sgUY0R8DzEnPsSkyKRCJD0egt2/XUHs2pJfEdlFqWYI -JWP2rHLXlav+J3mDX6plQ+bY5J5BaJmT4ehl9/SsQ1Any1TT0CyDzbKKfqPkteckYa+jQ/Bf1xAs -sx2ndjjxlpHg8RIvWHaohMygQqrZpcfvZ1XS65pgF4SaL/llxa7HLHdSzMXQg56ot23x5Cz+jeLj -JHfNSRH2OHfreMbwhJYu2DWpqIcM7c/LRfD+ul70UuyZetMSno4R9So5HUpJOuxUjdOT4u1xucfZ -WwaL2xhSKCUUIvF93zRdTps/ri/FklsOgVvPCMqdlnJZEh6HEVOpaNk/T9X7yoA8PrCQ6IidQmb2 -g5KfNf3Z9g5Lc7N5syz3OpKKhsrwU4Y2+JUbkNnrRmo6BsM3x3lC0NWuMBkmsWmROTat6aplZqdj -g58INUvmiIdcb5L4OI4oTpTw+4vfYTFUvS4VwypQpZfR76LffQR1MQylaGh1vRMozA3I/XkpdmXJ -b6lV//TMyXH2PF4cZ89LOxx5204rm2pZmAyL1DLsnlO2zKfp/H2rlrVato9hDXqks1ylZ4kNh3jy 
-H2ZDL3tqWY9Z7qOIgx7KLiMxkyKDVXrNsE6Oa8fdpehJTVK7ntp1VIosFl1hCqn4/Y+aeOjB4lbH -yMrGyEoFCvSy3xiU6MXrpjn+V/UexxBahszvi9RoxqrUettPGfLjJ2JVlxyLznKUmiaXfdlyimdf -wW7MbXDHyWFok2VrllmwG5tf2OyiWjUlx1VvTItiqmmrpt2gNxPih2gRcfnkKThFwSiJj4vediZF -X01f9BwD8pjYdC+CLfpF8XlXXX/UNJSaJNU0tWloRevwk8HO5bS44+Ju48/S1LImswwyS/vrXq0T -b9nnLFVwi8LfKrtdMr8ktfScYl+Gegi6WcfNOLa3zUiFgFAJ0SHiggmFPOfZbtnLZTfYidASlZql -k/yUIg8Yq8UpFKPfviQ/aSpy17wY5iLoIUPTWrKkQjxmVlZAHtvzRhQoYO77T3XtNlTrtJtmi2HI -Pc+AfJiPB4SeKmfTit0VXx+hZR9+dbfloCdSUZPLfs4TB0E36/hm+aNmHoYoCApXy9yOe72OHsU6 -/NYtUzNOPnozqBALfudNWzudEQSEN0v/NNlMOzkdt+N0k0zNsP59sbahnQ6adeBti7uO1bLPOcpw -oWa8UDFYJhc9x2IYj6JNjiO3vUcx5jQQKb7cdAYFajHiiu25f54tx5HeOLSuqPWEwexPgv4Isl62 -L8e9JNmOKzscXQRL6lgFiIfx85GK6mN4g10rdlHzS4/eTX6quQVChkWHiQhrjvmzrA== - - - SbJ11y4gT2uOPeaohx4JJVmYPjElEX+WrNYZve/I3rPeVoSS/giGzK/Mx6cZhUKrWmYct9tAaNmy -3y21bBK/JNMEoeZ/mjcIyl1Xg90HHUWrCbNfGVAOQxVKza6HRT+s6p9mToo9KY5Qs4dJiokVLC9Q -ps9p1qC3j+F/kiAV/dMTF0G9HOdyjEMQL0nPeaZY1S9H2uNoj9PHsC/Fngz3EQShJOtdYXJbUr8t -d8W/z9U6r9a5Pe6kliZ6LBPiXf5+Jcc26MFcBnNZ7W0mNTWl50+CLtfxKHuaZ5H8VtHvkorCm+Yx -yZL8dsmvanZB6wlrHFfL/LMsve9enqamtfbcpecm2C2ZpNzZrB2QWwRFrQqzZdb84qFHMs8lNN3F -8AbB2utuEIS57uRwZo5bs4zVsh89U+3agl3Tqv4pqpOiuQE5OSAz6K1a9m5ZvHV88Uu5bSqGb1H8 -ToDMH+hJ1dfz0KwDa9seiiEVddnxiW7noziH38nHT80yf44etfy8LKqOTfjbhcdViP5R7OYnmbLn -Utx6TrLEpiU25Uty5Tr4A1NtE0FAbjEMqWkILUPkFmSO8+fBn5ebpOc03W0zOxzPSdZYlWqsSCJ2 -7JsjHXq9evorao8gb4oglFS9qguWCIbrJJLPKPldO64ewRXchtBwS2ZLb/phUdwk+1TVy9PkdNiN -C6VpjBLIxddbMFtaUd0c99P0U/XUtLOzyUPQFcMhMlw6TV4Ec1KsRbAew1kM77LEx9GDlixWoxap -0Wk9/9TczZH0sj+K9uRISk3Wy65YVaWmo9O0Q08Gu9Ca4qFXalWaFAqG5/15+maJkyGITUer6pfk -j5p5+PGk+J8kT4Z/Wtphp49gaEVLbPqTIu5tNJfVHidi0ZXsuub4VdP7KPaluIJdEXqKUrQvyVv0 -hqARwwFH/NCAH3DwQHG17LCHBOuOI9FzHSglugh+zpKkoiG3vcJEKtFx0+vaYGiCbPayxMexPHHC -5jiUHYfhMvEwYSGhQoWm9IvWc806ofKsPVDcbD6Qzdt1dxj6ZYlS05K6nrvuP8+WnzetqD6CuAjq -pSh3G7xla8ZBOx0QBYpcDEPpKUJNnhxp8Hu3rdU01iyb4LflODkEQ6o6QlFSeqreVQSf+3Jc0bON 
-khHUHKuEfCFWtPh4MZExgVYwS0LLlMvmaEmSYRQSSFfRWwRPen2mFErBL+x9qLalG+d6XgmGaVAc -QU7UXtai3RCLnt51xejTkuPW8+AwXMlwLH5VrapiURSbrnh0mJFnRcP2+PloGZLXJPw9otMpVw2l -5chVbTIUue1NirHH+Wip4t8xIB5Wyx4Uhb3v/UAQC/8qC29bHX4ld3WxMsVqeQ7B9fu+LHNDENS6 -pReuRXEnR5R+dxH9rfntT9Ljtr4L6ynboygqblFu2sLfOkxgsb0mye5tmvU47ijap6k+jjv4fUrS -Rb8uoz/EpjoZ8qV4gtlRy3pQM0bLKJfFSfEGPXnLcI87oWUUOlataP5xJVdFwe6IXU+xe3rbXgT5 -sBuZ45brekzyR819FPEw9EvSBbsvvY5a0Z8U/3LER5AECUiix8uKCI9/0HEHtbrT9jCE1bSMGAze -NBTsrlCVZkqj0qrGHNdmmcxxK6dDeyDtgSgKFDQjEAeC2FEAGDIyIT5G5Kfg9RY/cgOCf+GaaWan -E2pbmAyTzvKEorB2fcHvu225OJpcN806breB2vSEv1lsWkrLffzSLDs72SdN85FUswzmMr0cPSaJ -YtWXPeOjCHcdK7dB6+pmnXjLbrC7Q28nw1gttziRQisasttApECZQfI6+Xv56+Bu+7DpXY6qOVb5 -/ZsUPWhZI6Q1I8YKqeiaZSyn4aN4etuTXa/B0NNBhxrkXrf8UU1PKYrIL+tl8xC0we+jojgI7iHI -atURGl7585mRJ1bHOgny5wjD69Lb9uWYetvTy4rotmhNRW5biyAugqH19JRi6BxHqnmC3V9VTXAM -w/MP27Ybd5Pkr6aqOf5PMz9Nvm311t3VNeTGfbrWZfmr64qeQys6Ws2Yka+ipUIZiT6tC2JXHjVD -K5pi9LNYmUR42zS7O4raJFmfZ/p5bNflouiXo2t+XUD9n5q8KeKi15fiZ009KpqKX9Ga9ieJi+D9 -dTSnhcjRA3q/CIrM0cWzszCNYPQ8ctcePfdRJKVnCm6v3PaDliw6NrXsLYb01+Vih2JPFYuqWPQF -s30pqtxWzrJ2s8nBsNS2rJpexbFfkvG2iSdO6CWpouW420YdBpCH4sl9Q+b5H8u68+rOg7dNhSmU -4us8Gdqf16eqJ01N7wtC0V4c2U5n5riV3Q6RYssBcbUs5rq442Kv00lTL1Nxw2HZtA6TWApRz4fd -7W032MWel5Pli5dIaIXVTkfGo7fkNEo1d7Crwc/dNHjTTD69v654GJLsuaueQWmZclMWrJZW00dL -Gi0qTfSwgyrfb3IsuWsLqLcBS618cpgMt1zW7TIa9PpylMGv5TSVy670uUpev/D3CA3THYd2NqFW -Ffn9GPzWrENz26cke9DjP28vSfn7QChqWtN8BNONg48gSD1LbsrS4y2e3YOWMuiRfD4hV/akaWlN -TfZ8pJZfetyFCZSDHg16o5YN0fURu5raltSyv4r2Zxla11sUX47bzTJk109+z2me/1TVy7I/T5Uc -m95XBsF200pu2vLxR3h8Rcce1DS1aslur/x7yWVFrPqyZxN/V8FvyW139HTBryZJ3zzjjmO1zj16 -Jrg1vSyJTVHv+qtnfpr2Wc5jCFLPD2rmIbhmHJMDMnucaE1NLYtq1RQ/36IEKvHwu6q23+d+njyC -PHquavnEw6fcd/48Vuuw20YnPY8p6uLXkyGKVUXgds4yvyxVwGAhP+gWRfz7PGVZctmRmr7bxm7b -2eHwptmi65X77iD4Zpq64cCZdovhPo4lihPjCR1G65qy8R5daQ98s06bZSxn4zlLmlYL3Wxy8FPB -rsl9SypKSktY09CONnY6sefBXZdqWctpo3UNuXOSWzepKm+eq6bpZHlyX3WzIUFQtNqGi6WqbV0v 
-W6Lb8xjGnxdSUVz8Zk/zSxDlpiPUTLVpDzMuSeSg8a8qC8hXUQKh2DTeshjsQKhZWlH/JD+nSXse -q2WtOUbR81KK1twWa52eFEkqSlJR1Mvyaup+np6i8zimmjaDnkg9PenZn2WKz6tmed20uxxRMxzj -8RYtv2A1FrO/SZZi9wUKio6yNRim7LoKr6dYtGSKMHgNnaTHJEPwPPTCPhmu6HcKj7Ne9uWyLTk+ -UtM1+J1kug7Jk9OpxY8VtyO0PELLMDye4vf788TJEcSq/XmC2HQFszL9zeKztwjxNFalT2reIvin -52dFSe4as2cWzJ5UlLSudQjGXkeH36dVfzZd2bHLCTSzKsmYQDHc9qipTor+Sf5rqp/nLIY0KfKo -uZulPY67SZLg9Mrfw/YcxK6oOVbdtSh+fTX1qCqPovPnyZ7no+lelj5q3uQIh2BekqMVhUFATBQo -Sv7fAgU4YgQUcjudDzmi2PVTknCH03Y6M/j16UnDUpVat+10cjHUyxIXR9n76g+8vY/uOl0EVa/L -p+uHAqTcbHZRFK2qKEVB6AlK1bSTkex5C8ivx/FDgcLNsvvzRm4alJ7z962apnKdiopFAiqR6FwG -xVfbWG2Dve8exbf72O7r1/bkIxqt8Mxxtbel9HkIXotYNYSeL6exGsfUpi0evuSmU65aWk/POc4f -96unR0Xl70s7HVsMT/Y7Zb9X7+qKXU9JuppGg18dhq2m9WJ4Yss9TERc/l7Vqr85ttzGetwqx0Pv -rJ9lS+j3oSUFBuRZQfpRdrw3S7jjTvD7p+c9gjLIjdZSxH5T+rskn2E6jp8pXpok14W/Ds1A0g4K -ffRE6BcWsyM13JNiyBRhMyxKz/zr8G4jneWqZWvQK8UwqnHjhkNyV5K7/pDjzG335/Wk6DlLVeyi -XHYXQxE7ZunrGdDuitlRSppadC/BEt0m4XfXXaeEfJReb8HtCB09pcifJW+SIDYtyS9eijAhfoiY -kx1aRlQ8umuGQygaOk2SfF7RcUmG/3b9vKyKjltzXGLZt+Pkr8PRkmTLKFqG5TbKxyfZc1ZN7ydq -k+Qchvh58qr6YVsTT3+S479ldbOUP88PQdbboug3id/HnheC5yb3hTWtPKFDvWUoOS1D+lP6WqXP -ZW4rQU6MXhcEy2z3rRvHahoqNWOz+5Ld06rGH8h2Xo+mI5bdxXHuOpnjcjGUPc8Ux7A9X7+vBUOd -LEGnWULDvPjRXid7nWimN/AACLC4RuKTNbdON1HdRHXzvMVw/kC7NE1EJBklKTDnoR3OPYYvJFCN -lckEr00r6nabPYIquP2cpdxxPCm24rc1w5/01E0SDsW180Rw7EnT/ixxEbS7bUW3XXC7j2H8dSzX -pVkmQs+Tmw7J71wMYy7TQ++TmqaXXRGBeDR13XMMCdTCpVLNcStuYXUcWtEfLU0uK3/e2dnMIAcz -6k3yOUa7MJkFsWldlqLXFeH3c8vksPPN8dSmKXrtitlUi9rf9p/kiF3vzzuxaKyWRebY5LZ3UsRL -se06tut8Fe3Ncua0PPxEakpKUdbLntwzbIZnbyO16AlW+TK0wy6kkqt4fdHtDRiq5fOz6rnEw4PU -VPa2O9xgN7wy+lHwy6JjlA/Pn2Vrfl8+fEhO+2rJm6LHLF1vq5LPJ/ic0ueuWga5acuOTy8LQk8b -/HqTHMUtCahv4fWnXV95/UIClfA8f571KOoqCqJl012vcpyF16F27dNTL8m9JFd+XdWqb5aBJ3Qw -QTY6UFBQdD1uNrMHwvh8Sy6v2BP/tlfrjDoMoM06LGKtlw9qvxCm4zZGUjhSnpK63cEOBUGhZh2f -ZV1SqNELkyhQuFr2n2aJfofctkhNebNct61PV/xUV65jORvTesbqOIVJtDIKtZRMIjimzzNU16OZ 
-xs3UHsnfLFtAPY1JxPL5lN747HRMdDwC8vwsq4MdyBRLbOqfZm+SKxnmS5I3TZPbumCY9cL6GPao -aZslLIYjWZ7HceU43SxRLyujBGLZ7ZJq+uW4Zlm7bS7bPsVvmnVs8Eu16ouSpwXJb+lvlo+vn+iL -6gSjOq32nP061uwSMcOyRAuYFiNPzJbxkrTJUYTfPy4Le9y7dVrwWoQLGBkjLxaPLpLfrMeBWlYV -wyeXvcPPN8eTq5paNRXD/4mCTPIHmBMYEug/S74ccdE7qaXJPa9iuCbHluNU7nrDdZrBSqnaVoSW -u/jtJMibIgnoh3G59tNsxe2OEZYMFSnloiz/3aLfv1VFMiyH4etxrNldQA0WRKRwgeW2JzVLruqr -6N+mKlvm11QewRN/vxF74WCpVvS4yx3TfPYRnOZVEyS3/Jr2Zvny6zZgpx1QYkTAoLhgnUgxXIpf -lz2PVrXkriojX0bJy8VIq0VIC+Y0GsVvyGV3k8xHMJSa77bhJYmTY0hVSahqogD5UA== - - - oEC3DQUkQrFwm2kx1+Hi+KMnyV6vUH1cfvzUuvnntVx2lJr1t+HhN1LTVOzCWJVYqEgnP7+bJZtl -vUmSWPU3SZTDMUFA5I7bR3HGdGLdOppt9PfBgPoRSoJM0cSib7bhx4+kx2+4qJhqnFddHlVfcjyC -z6f13MWP1Ta+WrKUQCF87nKcb5Ikur3y4Vc8O+ttT63amyONE5IfWtCEWDbmNpFa9mHFhEcKiYuO -8VGEO84mxxStlSvXWS1TORu541IwW0pP+/NuMWS5jYXfLSWTyL57TtI/wxcu07hUK0ZeNkxcM6kS -aEVDrwtTCp1eFnSOIDMUsaeJflOwTj/MyLCfF4deiUVV8HkGy6SC9IvYMQpmczJMya9ekp81del6 -jN9TcxyS3ya3xUHw9jrYHOMmCXI2KLeJ2vWkjluMPDMhv+Sy9yii3BVlv0duG4NeDX7+WZLkdIyI -L/n5Fs/rqdma3xKbeszR5KIlvKxD5bUCpjLNs02SnjUN2e0Qvd5XFP04eARjTKEeKCMkeW2C2b5d -77NkGYFcsFwkOG9z2T9qIvTaIvJb+53S8bos7fD7wQRmQzVa2emTHB65YxUtr+x69LI06LX8OhIx -Jw6oweIAM1isOI1IcLoEu7EYrttWbk7kIteTpEh++2Zpg1+bae7Ggc6TF0fQeeKgiIviCL/TqFAo -2PVN0S9Du+NgLetH0fa68MQAfFJk+XhSQH8IdkfuWmLTngzx8NPJ0DfLueNAp+m6b70sQSmqclnX -PP8oCnMcX5K6GKYdzh2CKfjtyzK0oiT87WIi+a7reWNP+6ratm5aToY+WpZa9ESfYbBMKNn9V3TF -i2V637jj5q8rsWmIHZPktIwYa4VKpZMkKD1Tdhy1pi3Y3cXwBr+Tu7ZoeMYIDNb3aud5UvbkwiH5 -HUrPGvTq8LNJESZ12oFGJub54GQZY/r8MKOihI0XQrCQqeFCiczwPoIwLFRLasWj54qOb5C0eqC8 -imDhwkMlZrLTNwm+djsF61Sq690sT3a6xqtkI6YKsWeW/O7lKHpZmFZKFMOiVkX59xXQXmJXfxxb -MmyXJNpxHxhW2Tgdij4pmtzzitKvotspO+7y8f301M+SBL+fle1HcSakF8Ei5gcVMiwm0Ep2c9P0 -2zWEx034GsUzr4TwFCjRSynkwukWTv9vS6dqvbK826bkd8SOU/yaJbTHdlsku7/b5isrn2vqdTFc -9iEFdoAaKlq0VH+7xmJ4jyGKVXGQ28uvRZT7kBJyIwSm8vusGZ7D7vSuKDrtitdX/bpiluWqJVa1 -SVLlOLPTCbGpHor0B4ogIKumzV8IQtWSus5d12YZCoIClKY3Vk5WUCZUy+KOu8FwF0d422wQbLPs 
-G4AA8PBTEYFYPE9uXOt5oPRUwSzrZUnrGUJNWNNW8PvC71XTXC3rSdFzmqjXfdGyCa/r4ziHoAvX -S7PNdp38daZ3XQn9LB0fAX1MM31mGsh9/zTFRxEXPx7sVK4KUs+WLdMwiX1Y9f060svCYJlYoEAt -Hlz1rh6znD3PVdMsoF8PP9ccj9w263VZfp6knqPU3M3SBcFWfZNW1t20G/RKLGrC4y2kzwxqJFMK -kV435LY0TkhkVKhXbrNmFyWfW3icBJ9hiKxCfD/ksipaKRwqI7A7jtUtCi+76pb0ojtWQoRoIWO6 -7w+rqjB9ZrBKKPs9Us/eHD0ouTLyrIitUDTcAupthKxC8BgXv5nTQqmJomMUHYfoeAvHY3H8pCfM -x6fBOpXU8Igth9w0qVVH9Fqk5+2xrD0viJSYBHjUiIAPHDZEWi4azk/TVM8u3BatZix3c7C4FuAj -Rg6T2CunVbecym1Tno/u/F5Vt9tKa/mjRWSIFSs3RlYspE/Kpu80TcFRDcXfXV/43DLymPB4CV5H -cAtSUZ4k1w4HHz8Tz+0iJZoZgUTsuSW7P0qWXJUlvzwp/ucYQr8wHp7Epn8UnUUR/j7R27rZhnI0 -lOt6tvXXts20T1nCbBpWz34o5uD3YVX282AxNMlySGVhrvtOnBBRoGg57ga/O/xKtPyh6XptQzP9 -YdmcHGWPSzmbmdt08Du97iiGW277pOnphXNytMWwDsE6/HaTJPn7FbGXPJ5oJzv5dyNatHjgiB47 -UGIuJRCoZc9O5yTPqpaZm83cba63PcnvF5HnBaskst93Ka6kSjNaVO6ypD/Oc4old2XR83+efVn2 -Zmma3xWuFYlt0c3m7TRW3K70+WuGXzJskuOiFIW5jQSnXZA+MiHPCV5ZcZty1frbTC+rhA8dJSNS -r6KmlyXR7RPdhtEvSS6b2lTlw98wCRH5e3sEUawpYxXqgfKyYcLSYdJq+fS2GObmyJ+lDX4h1IQh -hUh0++XXeVCJ0ShxpWRXBbcr2IW7rUdLkR2/QQL7wWIiI/pHbrpHU/s8S7IcclsfLUvr+ZpdE72u -EUvZaJFS/l3+PP8sc6SMlPweVl7DdBqlz0NuesUIhHJb+NNcSLwPGRMYJC0V3cKkQkDAmPGBRUwL -mOrFJDLNcS1+sPrtkRKzUfJ6EfkqID5m06f3NdHzas/3FW1DD0dHlP5+UfK4+HgrfkfreofiR0VL -squbJMpVQ2R2BYdZeNuEt0Xy2mOavlmCUtPksqE19Zwkan5beZ2qZ7nzfBM1wW/rtuMP5MtyxcO3 -fPzQia4czrtt9Pe93LYi1mIpkV6uUzONpK6vWX4R/a/5/ZzjyZZ59x0hkWi4rIBgWBZF/URVtAwj -+kVq+dSuuCjm6Onq+11l2W2zQzD1tisenUVrpAAfMHawlOjkyCICrYhAn9TcQc5zjqI2Lb1rqVU/ -bHpqWut1Jr8nJcdyx+Eh+J+lXo67ScqsVDFKTGAQRMFrS2ZR9FoFr/oY2iIog56Ih18Bc31Ulc06 -KlIlG7DWC1SppI5R65mH36tlpdcV8fu32+aPO7Vpi5+nCHlQbMqToI6WtEmamEQyrxcdgvXnfVRT -huSRAekr/T2Cz/HHrfCbxAPyVfYWQ9FantxzlJb2571fF3Y6Y6cT23UaVcqTnvbofVKShK9F9vpV -x6e3ZbeM9LYmvI6i46357c2RxKallxX5/ZcWKwTHplYFoiWExgu14tFfNBxKy94cdzJEvWyOFhMT -UC9DpcSIGS9W/h7VpiFztEEvtJorViEW0Z+XI8sH/yHFSQN8yKHEDReuXPawpr+aHvakUQJT8WqZ -anllxykfXuSmWTz6jpPXjREWLK931PzZdf48jxmG1vJ1xzQlkIoRaMVJ5FIK0ePImuOW7I5QEcWe 
-LbmF4bGoVUnxK5rhPD1L85tCxL8Y9TleqBVfj+V5CJ7fI4l2snIDYtLrMaUQKEXhbdNJsqTXa5C4 -ZEwg1vzOHKeCbE5ufGLf2uvarIODXouYKodLSYpXymQEMt31D8czIyU5YmbscMRDsMSqIhU1samN -E9eMk9gpnv3zHMntGE2L0HMPO5H7LdnpU5uycKFcUKbcLH1zRPF1ltA/ktumNu3RUl/RH3ZRSiJU -TY/sNswIFILnJjj2pKgdgrcYyl/Xkt0b7OBs89LfQLSY+NCCMrLjn9S8w/DkcH4VHWLGCxIM16CX -clMV/l69rh6CoDTN0RMOvRMQ34Kl+snRB72TWpL0d0noD/HsKaUQ6rbpEGTNsQhuu2xZJa+s2j3N -7p6WNlxYVpiw8GxMel2YUY/C2yO0dLXs/TgW9NrwC/H0Ir7vaVWPq/qqaXrVEt8WyekPesrg17rt -VD335sjCdYIhhUz4XASnYbhQM0piJjnuz/HHi8mJn6vkVsSiJLsdktulVg2d5EpmQWsJkxqpgLk8 -6ulBR9J6wub3ZLdJbtklw7gIqoB2Fz6HWtTkx11WIRVSvyLiX0oeGiQuVm6XZNfF6/RiEqHilzdH -0puG8LKoPUVtqppjt9ti+rxDJWQHlhEeIy0V/hbBZROP7qtnKYZxksTJMMWT34ilfJzATvzcRJ9j -sEwkO54y+k3uemrTluy65vdvY1ssV42Du48nRxmpkcl+z10HYtsR0ejF6yH7LWLRO/x2krS/T5Su -I5XNxbAvSROrBkHDsoMMCspn/7DoXZK/+64gMckBI+OnacsIdKMk5iL6xOZ3xcdHcjrltiJ3nZFC -MuJ7as/7lOGL1QgImRQZsBSMiIftNo+aMqqUDJIRE+z6JylaTZjSf+Mk9uKVGuHz32VpqIwkcUPG -yghlj+R+lvtJ5mQY02ka00eEliBznLE63QhxrVChVnP8o2ZoVf30TM2vjRSS/TTt8ZMZ8S+/znJX -XgRfbnu9bUfHldF/8vnQ3AYiQxiPzQQMGR5cUGBGv6hV3467RbBkx1Pxq58kzGrkQwZlR8wKTMvU -4vPdfft1RfHwJjfVxS/eOvCmify9ChKREdCfquM5BH31dOW2n6I9WqqQPC0o0Uivp2IYhtsjl/3T -sggYMTQqlCmGdTNc8dwkel2K3ZZu/xCjRWmGVXObwtcunx12y3sZ9iNIWtGcBFk4/fo9PXu27HgF -t6g2ZcWuaE1906zDL2XkQdlyqEVxpMASsAPGEDEmOUhWK1ahFVD/s+jqllm0TCUZBrEpaEVPcpti -NVLRLuyWU3DretvJRw9iRoUGNXrV78lNT6/6suPYTqeI/FL8/uoZU/qsIIFeoEaxGmbBKQkeq2I3 -pM959PSo52l2U35d9MYl+56CRJoZiVzuSjJDNuuUm00ROXB4QAIQMPH8p/QkuecXKlOPk5AYLcvb -xnI4KPjdAeYFhucwt92gl4LbHS8sO8CorIA8r9s+xbGHTX/QtNC8VClaxsGvH8HTaqLY8yS3N15S -TEIhkoq23rUEn1c8e4gdp+A01J6q2W3CBw4hYMSI7frJz69YkW6EqFqYQCl7rZOiZ0UvYIAigBCD -FMhIaQmtqYwJVINEFQNWqhFiYpH6nNYyhwrKCChAgRSw18vq9CLExaPlhAAvUsx4qVQwC0LJ3RxT -vFhAsKD5pChLZltAe8qvx1CBeChJuSh5RGn5Wc8eVsjscFFZ+fgumU3x2CI6reLrMj/v4uv/Saac -Sj/MkCETi7GoUiQfXkfL9utEcHvi4V9vazvtV88VkO/jJcUIGCpeSiCc/NpO+6AliX6jYBglxzJM -YDBQYjFIXK85/qBlf5KombXBUqLS9ZkkaxL0AcZkCBqWGicwGFXopNdzGYbks4lu+yaZkttWDbuE 
-ehmwFIpnh+04aJ73Vy0R/aEYtscvZeSJYaFaTKQYbsPyWtSqIxZt0TKlQIlOsSqC0Zceo/y5jEo0 -w8QFQ8TFpyirjmFCnhNef+FCtez4dcend9XNUEW0u5w++SnC8vfHSavHiAsm5JExgWhYpNU946W4 -wmuQq35SEuWiJ3wds2OTq6Jkdy9HU9y+dHqEt0tqqoL0KcFrXwxtb+vH8A5F3zxVpE4yq1TMpnnA -WjBQJpKa6p8nb1msdequG6lpS2mks60MfjFdbxmFZFAjGq9Ta3bxEXy7zLXTPMCIaQ== - - - YRILtatKdl+oQjZYohffXsluLYJvx5XaVQY12s2yN0kSvWaRAsmAlWi8SDEg/AS7KaNQilUKFb+p -l50xhXxI0ZIjxWRVvygffaTPRfi8RqwFs2fdFHXyC6VlLKdft4zy+zpeXFhOoyBqvDjCBowX0ghW -zyZ3Nb0qqU1PcZsS8lNCnh41ZYScGJBjpgeV2AoOs9yvCg73JagCxmoBCDQQhA0bMHtGgsbEAj3I -QGLFCo2oj8luKCV/M+QAAxIQAgpcQEVMZGUkchl5Uph+GjHTi5Xo5KpotkkBUyXBA4dJiGSLn4tu -Z0D5DxKUjJXox8iqh4nL9K48qIjhkSLF6r5D/DxF65TiBJo5eZroAeMBQPxY6fmuniemD4wpRFMC -pSB5TH68b02/PWG4vJrjF+RGPj0LymTC7dYdq4R4l5SoxaWCjUKx//e0LAufZ1YnGJRJZMdhuAzz -859NS3Crg6XkZ9GQnubhRcQAMVIoEWMGCJqVIViw5FgRIcmxS8drlIyYYhknP1O8nnjuHiawHCaw -EQ/eqyeqdVD+e0Vq1KpnUJvGdJuGVWIhfV53baJpHT1Zd4zy6WNKIJMeP8Hrn5b2CPqoeYJf3iRF -KkpyVTr0epOkIf00n76klklo2RdDWOuAUjNW03tJqp3OX5awOT7JaxXL+uTYr2ptmqtZzrGSEsNx -vNtUcDnGqyQj5FRDpLTEjBYH8BCjx4uJn56u27a77Se/kzxm+fArI1CLmCoGSYuF2zZZrqhUS/jg -IYLTJ/x80s80qf+IGDE+YFRG9nwvRyFesCjAjhsyLtWK6GPi3yWgXcUk2mGFzA4zMCUZ1tHyBOTT -oEQ2SFwqViQV3ILQ8pXTBfBxo4kgeFjVs4pHzyGiIqJlhMdIKodIqkVr1MLlPy1pVKIXsFOpTU/r -SYMC0SBpzaxGLkJQLynS52VNcQsEzYrJZw+1JygdTfSZBJdjc8sjBYsPGC5kiMBcsFQp+Y3hMYxu -XTI7YlEPOu4Qs+KAIoA43faITvs4edVgkWhEPEoOpwDhNKpPS499WMGyBA4aLyHQES9iIOCDjR4p -LhYmX0bEr1CVQCyqcgJFgABAtJhMLtmVAekyWKQXLVNJf7vs14OSnvUsQA8dR/T4YeJ1GyYtJGDA -KDGDhgE/bjTBw44Y1UllzzheVHK4wLRwfIX0C/EiRgkfOXC4pKxgnWyUvD5uulLyk2jx4mKVatVv -yud+8RLJeJVUQPyIr8+0UrD8nlGJZMBON0RSQKiMzHChRjy4p0VrEezhQiJD5SSF1ygjHwdKTAka -LJCAoQJGSwXT835NV1gnGi4pTPPMQvpdvFAwI4+rhkutinLZHy1dQjxoRfVydCmNDFADhocc+RFk -wa3KVV+y+6plz1mKG5A6DEv0fQS3Q2iYhJ6u1lk5Dd0yl/zOnESg04yzjgwVyQWL1CLyRXb5ZcTL -lDwuI09/lqn4rbuNxI6RiDHpISVGRAoVJFi07FiBjWDXk6Y7YmIWEAQQI/X0wRLbwRLyo2XkRwsJ -y+gTYtG+DD3ABBJE2LAximOUT7/DxCUEi5UmdpCRgQIEsYOKGBPspuj4CBswXkiileyO9HdMp1lA 
-PctH99FC8mLkZZOhSqifEVO5/PsMKH+xEsGYPCigHYb0y5B+kqv+K6pidXrhQtGwSjQu0g6XmErp -L9kyzM9lWCldRfsVjTGFaEp/ipD+ws8jvMzaa5H9Jrlsy2mkdzXxbxar0YuWyQSXX7Xr8uDxGboY -UYl4dP8k/zMcsV0eJikD5FAhBIwYFipQC6gXsV8lYMD00DKCws8rvg0T4lk+/EctYXx9AwbFteex -W5YJ9SE0nJpf0auqaLZFvyufHQiZlxcmJCos0gF+0BCChUyMEFaMVqkHi4iKVWmk12mklMhAOUkJ -fX7AoExgiB4K4KHHECxiXrRKLCDe054sqRABaLgo+UGuXNaBogoiZiSIlBcO10kEn0nvippdGbGU -S4gv0WcRG27FK2yfW7lsetcaJa0Z10p10zSuUY4VERsoIS9GXCyiP6TXVTjtAmXkBxk2Xrt+gBss -KuCjBhAnsRUjT+pdQ6gJSk0T2+1NcS/FlNAfgSF+wEMwRmwFAR5qBOFCQhPyR62qats2AB1ePL8A -IYQwCY3kLWu56ktmVfwbha9XgPbY7LZaZ/48Hy8pLaSSzH3259EgYbVolWJOn5TPvoegrHVSkD46 -TmAwOiat6ApuY/WrAtphRr+M6CexKeuWJ6AEEEHIaMGaZ5XLjuz1CF+j8HYMFolkz0PpuUPMio2X -SmR2T/SZ5cdLdrsvR98cXbhQqXcNyesfLyk7uJgcwEVMjRSIxH59dHxB7mWFqsGCUopfHSSuBNBg -McRLSQ5XKcaTl1Jz7rSTT48CCkxgZNdFqsnywZe4MROCByzxAQYsIcSKlxcd9+W4wrUCAQKWQMVw -CO3OMPkGeAHzA0pJbJbr8HO57AgbMIqY4WIGNVLZcderltbSBMSjpEQkpU9bhieXsZD+mdIHZbdn -Sp4dJq2V3ja9KeyOd5zEYDc9os84SFpMwEgRRAyKiD5/1vFEs572NMGsKW7hj/tbtUWICogYFB9W -RG7EUiL261lHFyoxE1xAAjReXkhAHhkSj4QLFR0pMRNfN8ltyE1LPnsSOGDwSBED42+XEb/iuWM1 -bMLbKL+uAvI9KzojJaTHCgmLRw+R25adNtFn1uyaZPbk10EuipffKmZfQP2OkdWOkJVMyH/Z8Auf -WUb/DZTXa69dux3i5zCpEYySl4sQlgqX6UT0o27YCBYrPUheKv1NcsupuB2xK2lNW5xAplYVrSlf -jjTo2SLIIiV6+ewilPSMoSg9P6fpIUffHHf0RDWtBDmhIwRFE9pL8jgXu5nrvB2ndpxdkquazkcS -9z4akceGCxWjX5FaklqUzTq216n8fQpVaSdDF9D+g0sIAWCs8PDyMtlpfvxmLptpqWyQAhIcoAce -YLTcgBwqYLRIIbm8ilm6016t05tjEjtwsJRIonNs4WsYqM8MiD+x6accS6ppg5wK6NOCtdpF8BWz -K/zM0ts1XqYTf/egJz6Go9f9EeNi4vH9kvSUIAtfw4h6lc9estcsnPbTkoS/dZTAWP69BasURIoU -HymwFs89I+pXoECu3dZZdMWqtKL0kfn3lz1fua0NfjHXifG0Src/bFpaVRmr0BABizqohDI11pQN -gATQQdAP8xEAADgQFAvE4kHRzDBj2j4UAASWeELsZNCCEMQgBgEAAAAAAACEAQEQnAFAAL4Fzlzs -k/DeZee7+vQ3Alpn9E6Z6dMH6Jc+ZSlfKWm/8rYZNh9t2KbUozimYYWViR5KqB1+Un1kGSA/CZXU -FlqqFagprUWCSPmKUtvMf7HS/HX7XkYVO0fjlnOdGjXXdWNZvfZ30KZEVdVSh1ebvrkcMDmCJTJa -Efl/kpiSTcRV1YkudZlIoPYTlVV3oleBJlKo4UQl1Z/oVcBEKjWcqKw6E30KNJFSDScqqu5ErwJN 
-pFKDicqqO9GrQBOp1XCigupO9BRoIqUaT1RQvYk+BZxIqYYTFVV3ok+BJlKo8URF1Z3oU+CJlGow -UVF1E30KOJFaDSYqqd5ErwJOpFTDiYqqN9GnABOp1XCioupN9CvgRAo1nKhQvYleBZ5IoUYTlVR3 -olcBJ1Kq4UQl1ZvoUeCJlGo4UUn1J3oVYCKlGiYqqe5EvwJMpFKjiYqqO9GrgBMp1WiikupM9Cvg -REo1mqisuhM9CjiRokYTFVV/okeBJlKp4URF1Z3oVcCJVGo0UUH1J3oVcCKVGk9UVJ2JXgVMpFLD -icqqM9GnQBMp1XCioupO9CrQRCo1mKisuhO9CjSRWg0nKqjuRE+BJlKq8UQF1ZvoU8CJlGo4UVF1 -J/oUaCKFGk9UVN2JPgWeSKkGExVVN9GnAOW4+okf0qaTaAirirCK9UfeKnf2ER8RTOxNZJqeV96g -0GhoRXWTOvAZparXP2gxcazC3od5x94rmLKnb4C0oDybUVaKRUIhwQOE0YMa4dW4CTQN/jdponwb -cB9bmKEv3qxk/Q5Y7WI0WwUhhlc10wQJDdI/BrlHunAFbinnnQCYqakJ3UIJzyPuDltncJk8OXEF -298Bufox2MhgvDrk2dais6euOnZM5lynsoV0zf1GfBZouwCjApQhNzfTpMzaABjx3NWQdSo8uq6v -NkkZwJWPTAiOiG5ImvYuW1nwkTIbuQ1m2kh7e7TBBEyAzuAw3OjzJVCtW2XQCOt3amFOvtPSF0an -VT4sUo3WEWvC9QQdooRZf2VSAt4s+VpjRLz3DvyjlglssrVLaMuWbpll4MqpUccUIA5VlpJPvAGE -rRBC5F7Fd8SQgQoxzLSXg3pVzNHGDYal/QREUheXLVvoTSfEACJwJKu7etATmPx18ZyAGu+FfFza -Y6EmAsviGksSFOlZli2gqaa6SUs5lukSnX2MJZeyJrTNDY9MjwmGwA1HWIYX415NjwoFmFDjDC+s -4iEcwbtHiLopBCmYYgeFPi7FNkyEuZjtycYDAGzUH/QfAUMdm+xZTo1TfJldUPpeFuzT3yocDJlZ -DgEWbJxXSKMJvCMmluJJInnbJs4DNrvVkZm5huuaCw6YSy7MWvRWVWgXuZGcuV9F0I2rDtgCzgFV -XuHzoWryL/OQwWjU/3WvbX+Ew9DxN53pHpviSPdZSOncqR/pYAg6BMa4sSZfMA50tenm11NRwRQQ -AMBNB/4dMKATJjvXDtnI0pjaWPTUDuqdyrbOgcPW4BwsEneENrvYgUZ7wGQf58hlsh5gr3yAGu8A -CDSFsm97QDPqrcPfAFtSXd4OlSihC0TmH8F8+3eJ69KITzuZU0ZNt4ju52oGF7i1rXtI7bxkD1Ch -okFufg3lAno7/Oo26fLJt1hw7rk5dIX9QYXsPTQgLDM8ORCrATblQ4lfwEHjQBw0qwa5SLG2KGQQ -iq3+BeUiCyFF5qpZ9WdSEDU8FRfExQRMd5e3txz+PkISQJcJu7X77h137U9GbIngBARFi8RXh7gB -gigH5RzOpF7wu2EcZtnbWFvGz0jigS20xNqzD3vR9yLIF4no7c8pBue0bmjrQqMmwgEdIkaNVvM5 -A7uDWQTgg7YTidBfGbZvFq8RIhRSFhdxBasUbfDXHdqozn5RnItlViv87yCxro9CC6ozvkCWgKzm -OXkuIboQ5RpGbfHGIJgDJxDYgSu6kTp6zq4Zs+MIaAR7rR2jlGRKcEwypBDlACOHv44bUXm8SwXS -Vn4znj5WGc1BA7Kt7kt0gC/xcWHenCApi5m0I15fsfG/un3c7y38pv40vB7C05ks1KGUrdE5ogQU -Vs4+xX0Et1hjmgOdLzsRxkTuwEoBUU2rCqtQI4dgVs/jCgcVrKAoeUqdHiperw73yImwTkrCdvxZ 
-TFBQMuGxsnTsf5A/ggmsNVRrTKJkbQulwKIohkaks3MX3YZ0FT53/IaqmdXBQ7HvOg== - - - MojXF2ARzQd6ZpgXmml4r35mXZJG3JaffqvbfAnYmUL818TP8iaxKdf/GExnlBzUZa8VgyRKlrrU -y6L2RfRhtbBtLBuELcuVruKBYLG1ipgD6E8/uVdh0sGUYpNSge6k6y1OygMjT0cZEVgdWNkppBcL -/uCBy1wAPEH6sZHJvwnvnDKG02vgUkL1BgnTV0Szys+G4kNgnyHNlhGHX7SGo6aJ9Ta6el3g+i1B -Rwv7QJ/6gBD/O5ZbArSzdM2V6F9IbD1alUJ/bxi8Qq7JN0jqrQXYp3SMUMlGUiyj1C6dVB+wdWoG -ffTxbFZnIDNq8m4kqGRhTkuw65qY5RsoMwJ7OsxRMnBTmDqQ1BFCDzKQFmCfG0UGF0EPNFSjgRI0 -jkSF/JU41BUxbs5SIq2sjbNKmidtdDDOIfLmQZKhpedCygADVR7ggmEOxK3QOP5lhPIQtoOWkk1p -JWTWaL4pPgGAP4XsYToTJ37KQbLNXG+Xka7OxZS6soqwA+NAeb5M+ZFB9pP/lir4jRUQqyTqc4K7 -QganbcriBjok6sgzI41OCkp1QwaSlxcBdNKr/toksJ+AWrVau3hYqnmaaTHqikuLOFCQviwjV8Ba -oqfLY6Qyg+zGZ5rX4RM620Jl3Msfn4J2W9ghhS3fEQPhjHSfgJgcqbr6mSAn5JIYOLe4DXCbBcyJ -BXmnFv5K/IgjAmLpM2UAWlz+n83uhm/B291Z6CaiYkYJQtQBBumv++SRczlqc3HT2HJ3kwwUTsZU -OUC8ncZCL5w6XCc0F6P3L3kSw0SwwRnizwiV/jdRlTV0/iso4A6CzJt8uFNTVsIBs0TIDQg5mc1D -EHeCGEm8Rw0ClOIMDOcp4t8LOC4kqXqEEqsq049f/iE3dVDEBezxylMrkp/9Lk6HBNtiJasxRbkX -cDXpvbOWvhfnVjdK47bSJ6N/xwtB0UgnuP691l+a3U/IdRke4nzRWuwUxJGO3H49M+bbP08KqJeP -oHkSMxp+EX4tS/ztmZvgAsIF6w9pX45YwQL0mG3TruD++shLIpmlBJyfRL/B1NgcGRAcbIDcS9aj -e8sXab/IBP5Qzk0KB8zuqpxdHpc4y5MgSCKYfpkSeJe1thG4qkwW+o59/UMAifm/JxHfZxYXW0iy -g2tmq9sT3SEzUcyhbQwCmV9C6LiDqIlwXnzHh7uCdSeVuWrz+tPGoI2Tx/FeJSJhY1h/mpx0iS8D -wkZ1XyIkvAQs1OGMkOtrlAn4spN+4RRnMFzSE+KtESFZAYx63XUuaPS+blvXbRmAPah8MRHOA0lw -nwUL6Qi8wFP2m9nEoR0ImzVNizXLJkqP4zOneArVC7O3U7zsnOA10+xvWmC9xOimht3tSZXtwbMK -4ltsBbSrMROPGiTlc7D/ubnsVhExjelh5C89L64GYFC7wloLgIZ2cpJsCfuvYACh8WkiQMfdFimT -TcESnhcscrXUvbG+0y9SPzvP0ThAUGp6w5//nm13fpAWgm/3/roKNAJ9RP9XzJz7ob4/Uc0iziYe -HdkQ9W+qARviGPtG6JBoipjfskklR17uLTcwLjkrNfRrVCXYh2BUkgJ/kMcGemqLEZbaJGFs/nGm -O2mWWZIAOH1iJquRiGMPSDY+L9zVzP4yD6DQ7ejXdNHxEeuvYgwhY6UYqOYSxw5wSjlgm/yHjCd4 -pLanoIiiaeF2rJZNqmL/J0OncvDlbnfLE+IokQHoGgV5+C/oFFMLDntNW+nWE7GR/nMDTEzk0Zn2 -KMgy/uXl2WArdbH9jZQfXsP3grz5XtCmUCVpUAFxUjHhYchO0QsrgZJp3E0sxsqXtjYxQeV/yLn0 
-D9MTE7P7r+uXECi0HoWcbUWO7Xjsicco9fm9OWVhUgouO+bluSXKtJkAlfA38ZtjPTbVkr9Y8I1m -B8KGuksAF+CX05EzgjYpncaNv2yXDGvHqrMhh+4RMq1wXSYJpGg8cvbwUuIwRCE6TEi6ox6iJ+Dq -5y8D3ctkxrPd1tF4cUNkVU77l2wdxlg6OVKNvW0gpBGHFL/yBeSHU0NSeuQLzjuBVijiR/CbF2yg -qQ1nKBxps9zoR8bhuxlljEQPn7zqH6OnjfCcDA0ItPhUT2hxmir6ATOuS2VskrOBvIRvQ+6vA6ce -ElaD1M90YVGtKIoYBivx/SFYo7ggKa/ynhL/SnXGY20AKq56FnPsFHXcwphmBxON5YsL52mo9VOs -xFkNnd+1oikM54rg/vIIE+ooEXSGoRszHs7+V8+epJdxRQmuJ+yy161b1e6w4k+MZoyoKTJJ6+0q -mvy8b+M9GsLlla1OWhoZd2V2G2qQPWpKfdxEj9dUkF0BuTahgSw4SHbdTMS9zNgFGpFEDErsHJQE -0VNeC4TSbpLVBN6ovQIR5/e+LO/TwLg4Umu2QAS+BhiMM2om+tan7tJ6WFeJVJtxbbvK6V+11o6k -UUVx0Day6XhofTMvqFEBWpIuoYSa5dFYDWLPKX/G1C9TFKTrcd+pk+xTF+P3FK1zWvh0VOaZOwo1 -6lrTRe4mpSKJhCkaDLvC0nFhJpS1Fbe+QV7r3c1stmjaTUKUPmkc65rryo1TPt5kzUS2x7Z6ZxZ3 -+7RDWLF8ko7ZcC4GbQTaqAvqgyZNvdRpmiuVY0pA94txe8QSx2z1nNcAjp3wkSQWmfKB+vcszk9O -/YttxIxNRYYavsm4jRiXm1pdrIJTuGBU4MWXD9BuNi6myb01xDHRgK6AVhIedSu1kU93meT8H5Yf -WzhSC20PuNsNNrnNiySBr+ZWtVlUd8YD3oMxJK4JdzLNW6hjYxB/so3yVgPDBo6Ul46QF9nP6Hrb -15yPx2pYiPccyWDHkej28tQu0LQAX7hlPc3seigDS7BdiF8tgfLxQm7zRdy3y7Z7ZmNXER6tbOEr -PH6UNRAP2gHf2uYq/F5MzubnK717U0Tod1CP2UcSRpxdB9Kk/MqGReKsLTUxFLoV0fKXwspVf/FI -A1MTVH7NyO/A5eBBIXAAZF9lrp2UVj+e1pCkuBikXRO9EnV/cA/7u+xfJtMzHuIREi7Pugrya8bv -AkRhbxZ3aOGymcQCrF86Tm8ETKyK2YIKFw0uHHpmD8XIynULy+OcqJz/rLCrwrnRf/BgK4MUegSB -nKClyBZSimovV5gitks/v3QtWSSN70v6QHsH0sFQemkFZuqKmdh7QmGKLAy0eMgA3pxLycdbSvB7 -8x3Bjlp2XoSeVkBEoA9BnReXRhCFn/abcdyitEKpnI92QHkMTd9pFNZBsoFj3f/UlfIcSZsNXMD4 -Q2+P2krKAV4AGZ6wldwbMLBECRiSkekksq4shiCvgd0pQFxk6RfijRDrG+9gnXd0PxWAcdvrwhNl -TZL6OhZEiXxrJoWU5htEQucYrObq0fCDvixVxfIqrhJTiPkFWHrjFrqMwecPmWSNa/TZMkinJEGi -kcQLuoCmj1e5Z4zZTi5ETrxsUDfybl4v9hWKHRfhiHzFAOguA9EtPc1kKqrbGDp0bOPgOY+sN2bB -ZOdflOOMAu3zAEmzxq9pZlPYvkEKxBAb4HSEZGE0wzfW+bKIScu/HArotDr1s6E4AneVKmJZAapc -zwjRmBkjtbPrEsMdWRXydYXQrKBLKPG5twRlFjkVpihFkAYTnMqHB0L59h8MRzsP6pmu3kBiarNg -VEGqTt/jCjSBTQM5lntITFp7QagkVIPLL4Cuduh9XesmhCyqZiSMD6x1XQYdNsZtFxwOF3Z9EH+r 
-erC5i/ymsK6ko2eHfZaWgfUJM34NbQNVZGVEcN/cuxQtuNCKbDwd/V2Qos5Ngt6d/3m+CRnBCLby -bEEIM0ORRIMg6+HzuX1rZws3me9E5fC5fegpkYXGYrmvU9pyWF+gmNAjztOjnO5cp/sU2BfBfSci -XSy4VC71kkPA5CTFhZPvumanCvhw5WKN9oJwUCmhDHD/TkeKFU3RhfIppFQ5Jk/o4HEcSW1SY3iC -fFQqNHX7RfAdIKJ1Jj0p/can9YSkscRgoqZC04cH27mlq2rPWV8vJ1+fxQIdbpscpspmPiKFnKx9 -0BBcSrNIRyXfxAuULKhL+rxNhVJ2Zvkkvr8E1ITqwQW/IM23H4lbBzN+l8PZE6xiio8Oa5ArfdLL -TjU/nIGK6UOeaZLcDJJniNwZSNpmvL6x7d1PTlX7t5qeAr/is7LE02dNENOCZtYyYO5BvTnIOwKk -33DlCqK89MwYSTfhH41orMCxTMO0w/R4aMvmCZ2zW7mfqsCu9qE1ZVJ0xcYasc6oI677nDWRSWe0 -vyHmyyVbrgGQi5sCi3zS4g8z79UzZOloNp/iK24hVkGFhBGYauvOlHljG2l+FQRoLkGmR5gy3LQU -L9EkWADhBc0DVLPjNbMvyeQK2CK+xqZCIhY5Kl+VkoTI7E58OselgrIxhwSD3XqRRYJvqs4H6YfJ -c/wpszFDkmG57ZgHLiP8uFJm0b/yk/IngkGYd7Sams+Ow2zAdI9vwXTFyua0MCITXi1TxOsD/bK+ -bN51loctoE5gO+9H29h62QYczB/2PNtA+pyegfmApuuU4t0gEZGgK7mh7j+iwUGzDkecXKwfiZ4q -d/xrjYjvGjhXSPpWQyUCCbr9ahKpOf94abEl0oPGAIYgqD5FFZvBpo70xlw3oVxhpS4RMRJECsji -0gunADREmgl7CAQugIDv4C4jUpdtqna9xeJS2DeVLgNZHHljlHrMhCbPE33X+Ea4EkdDkVzNL/K0 -IZbgu0Fj6aeBLU2NL2PbejOYBnIqFbXRSjhkBORu/XAiqjj6k3JwwDCVb7IlhruES+nxiHSU5L+X -3+bLnTrSeyfVdVQ+93Hc2/HpstlPW8IxxXJjm0zPb0+WycFOuTNU0GxGx/g+HqIpkj/Dzk6Wovh4 -73rcOGDyhKCEcPxaaKMgk03qi5jU/D3kDhQOxkRXXAQ1BmUVpWX2q6OSaQNR05IaggEU/dnb+SHJ -OCg0y0CsD8APQrRE03oZzf4bzdaFVPDoN8OCGs7MhmryaXIwsTqMMMvKDmPnZ7lfbwPuRRxt+1Tk -/jQRxTcmATxKAeyyQn9zGnog77PnQWKe3WrOjQQQnpWfTQ8mAqABKNq0flaAABqd0s1wO/3hR4tm -EUoFELUilvNbaGz93ibSmlfe5CY9hcmtsORLP5TNb2K88RbeGcfCLCtJFIf8EtVlVN5g/UwU653s -fFeDyvhDqLFe9g7DGOnD9Ej4rCw2JdnEX2TdZva3FdKHdm8NjI1mWuq7bFMTIYbEVtmpiaET2CeF -3ysTVxbr9lcy/ciH1erl6UYyIE4NmJI+zfc7XIoxlHEunfSWsTgq7ZSEjGr8NVUw4mEvTGXtEQn5 -kIPrbh3Jy36VteBeEH1pDZN1rFGMfMojNQzjAGnNhqvO468nqSYbTkbycMNVQGmdaULA4V7CXRNS -PfPBEI3bpm0z3bV6fDnB1al3R0QMTIUvy3cizjemrvTm2HM47TeqFyUgv9U8KmoBpg== - - - b78cDlsnf0l+EZVMLtyYjiZOfVgD/cAAFWwIZtbh2d+KgGYijAsIY6ScENCyy9xVbuBx8/ohQMhj -0RHYvxxI4UAvbwa50abln7/BQfX+ENZ4CKfXEyIS1ZrKnc81AQ9agZV8wPY51fyiwRTDktHokRbo 
-72IC1BJpx7p6vBOPKsBTxrNLdNB6NF0PbfSSUBcDbqEvdg4DkFCN63kJuAKpqO9eHMiMRY4MHCoH -brFgXflerp/PD8gb2Erk7BtDfaCGrlHDqo9vQ95Gcm43WuizUGcG68udZ3xH3KUp9kPEqGRjudGa -e4WB4f+ROMXHopX9fQX3f2ZPazCJbisgVJ7c+GR+MXUHBRBqYx7jhTyiab6GI9p1SWyDkiaYR01B -rymzyZxoqlbN5Lp4NgGjDILueQ2buB84lRmH5tbbPt+6D0VLUAmMazrEAyqZlQ+bkARIEUOF1n/p -ETdZQ4JSOQVf3vhn0/4bfOcdDM2dojkUhqkYk8VTq/MgD5zk5iuf9Ec/gy8JDF3q68TUG6DOQ1YP -i3NVj853uV79DY87gPNtaQjXxNNcJ+o7hSEXh1/i7hkOGj2h6S+jr26FUZtVPU/UeHYHj/k3M/by -aJWHAiMwvettzPrfFh6wMR6uUjabGXQeJsQxMkMm1/mOe/bVeJM+HeGGyrX7WOVi8Qmy70Vl4Ee2 -bOnArUvO6RX8JfmrwOZj0udZsYnyQwdCMIh1hCNfRkJ+HaM7LCs6kaRzfkXKvvCss2uDYgTOUuo8 -EhDhwOw5xnbYFyeZGQG6kpTJ6NYsjkD4M6sIqx6gPJwFow3aTRxwDsVeKSmgdiECHmiXy1lde2+Q -S2VBAILkpkJdSwCm+xu5Oref470GEkakcFe5n0X28ls0SBxcV14tYBn2AUvP/buQ2QYKQHxYOhkx -Ad+QCIFxz2xaDJWS8G1HLM3PvClr4y4oXmBMn/9kV/FDz+qTRM46nGAvpIm1jEotjvfHnkHFyeRN -1+J1aUtKs0fENJPyBim+HVYW6IumSTgi3JF8HYPVmySY/YEy2yZEYAIosBbFW3lWIgl8HqGKmkx9 -bYIOErFQ8nWBUqk81zYdCHshPYJf7o7WEGjuJGzy/vWaPitRW/t5smEiOKAinYcdQYOooh1BBd8a -iG+T7rEdFnXhilxR1AAonyrFKK/WpGZSu0lbI1wVRozX+5vZAuegrVkyJQ4YYR53B5LUhrCi+I2f -06pj6eukWPdwb/fDTCyk4QD8nKETPNrrUz9+e25G1J0Dy7eaJwKEyOzOobEDeJ4L+eS7HSCkjiUx -g11MxURQ+rMxHP5TiR4RneZI04bRE68RiUcWa/d4KAk7mR3Lzr0QJqyhiHa8BaRFvI2VJdg6jVXk -AATFcnHvpLmTJaRrl+paYBW8jvVbkEtAVcyw+iKweL1Ejg99DfC2bmVxl/vbAM0w2w2iTjCYn1o6 -jIofx/eFxHXUxQWxTEOIggMwYh2ZLWTM8psOgcYSNam07dctq0xOhKkeeSD60020ndOLAZkCNmg/ -mJy+RflAqPbmaa9dlXzinprrRnf5TLqYggnigj7I9jT4ZXgAC+dRBycsnhZV3JRBv9dZIbRDzKKD -5kN5TQAhzQMeGjNpeq3tjaSZu1Md+tv3Btfst0C9B9EORxrW43W6fscgJEFVfGtJFmfMM71geDQq -hMp5IDjbXrQznHfL2RsGIKzcQipAMyy1kKUTGa6VN+ojIVkECWt8gBNe7w3tAcm26rqmuWf3L/Q+ -qRNj4AxvyQUcLTsm7FwJyEIHZAYA00UUPC4ygBkDQBlAi/22ab2PweP5TvM0H9OokNlp+l7G5ncV -sU2Tgo9T4DJ43PMydYzvuIyNy6ygoaGx6xuf2ekVerz3fR/j9I7HvL1iJlaxgicDISCxhDljhC+u -fCMNrk/PQY0E2KcmzEB5fVhLtHw6nTMnX1GyT0WAP5U0cwb4AXkT0AVAZkEDlztxh5UUtzN+CyUQ -XBSfOifd4NVpAaqnsOdnkjS2IrpE5nTtLn1qbGEFMgJuPekFTvSxT9Ygraexi3BmF8bC9YsNxAoA 
-Q0slOB/ve0/iut7j+W3TOX3nd33vPa/LOU/bKWhdRkVt7/pMCju2aXaZ2M5l8FjGXqEC13FdRc/n -OZ/juopej+sVfYp4Ba7jca6n2GN7BT2T4zS8nev3vue5ijufoXuaGZqZno71HZeJcz3H4xmaho57 -W8XMjdcy9YoZFSru/s7pGTre810mplFh43G+gufjWoZekfMp7po5IMGESYYIn3x37Sx2oIyA9QlJ -SHniDD4X1N9Drva9iLAdUKIACSUCm8EJVwCZHUCp6JO9BctAeTy/3WEEVeFgpw+BmgASqqjnz3Yb -c+8taPq3v4jTQu3tgNoX6e9VQElQw401Ki9OdP5gEySUcqDiEAlVAnJQOFdd7pcpod7G/b4itlHn -IFCU4gK+HLg+CQHUDJgABJDpYPrJGVyfbJDtZAE/T54BNUHgkwkY2UpPhcmpjcSnzoA0+ojP5wJ2 -9wocZgDEMhI5NzYyZGVlZS1lOTNiLTQzODAtOGI0OC0wY2E0ZjVjNmY1Y2RjZDgwNDNlNi00ODNj -LTQ3ZGUtYmNlOS1mOTBjZWI4YjBiOGQ0bWwxMFNWR0ZpbHRlcg0vIDoNL1hNTE5vZGU7ICh4bWxu -b2RlLWF0dHJpYnV0ZS9BcnJhY2hpbGRyZTIgL0ludG5vZGV0KDEwMCV2YWx1aG5hbTsgLHdpZHRo -eXl4eG9iamVjdGZBSV9faWRpZDJudW1PY3RhdmVzbm9TdGl0Y3NUaWwwLjBiYXNlRnJlcXVlbmN0 -dXJidWxlbmNyZXN1bHQxZmVUU291cmNlR3JhcGhpY2luaW4yb3BlQ29tcG9zaXQvRGVmIDs0NGZy -YWN0YWxOb2lzNDQtMnh4QUlfQmV2ZWxTaGFkb3dzdGREZXZpYmx1cjFHYXVzc2lhbkIyZGRvZmZz -ZXR5eTFPMihsaWdodGluZy1jb2xvcjp3aHN0eWxzcGVjT3VzdXJmYWNlMTBzcGVjdWxhckV4cG9u -ZW5Db25zdGEyKC0xMDAwLTV4eDJ6elBvaW50TDFTMjEyKGtrazMzYXJpdGhtZXRsaXQxMTEyMU1l -cmdlTm9kMTQxLXh4Q29vbEJyZWV6YWkxLnJhZGl1ZGlsYW9ycGhvbG9nMmJiLWQyMDFzM0F5Q2hh -bm5lbFNlbGVjUnhEaXNwbGFjZW1lbnRNYXAybm40bWF0cmkwIDAgMTFNNDUyKGFsd2F5cmVzdGFy -ZmZpbGw1ZHRvdG9saW5lYWNhbGNNZnJvbXJlYWRkaXRpdm5vbmNjdW11TjBiZWdhbmltY2M4Y2Nj -OGNjY2NjYzFjY2NjMjFiQUlfRF8zNjZFcm9kZXI2Nl9fN1BpeGVsUGxheTUwIDVSMnJlbW92MTEg -MTsyMCAxNTsyMDAgMjAwOyAxNSAyMDsxIDEgaW5kZWZpbnJlcGVhdERzcGxpZGQxYzEzM2syOzIw -IDIwO2RpZmZ1c2V5MjU7Z3JlZW47Ymx1ZTtpbmRpZ287dmlvbGV0O3JlZDtvcmFuNmVsZXYxOGF6 -aW11MURpRHIxMDJsMTAwNDQxMTAyg56ocq1GZkYAAAABBVIJAghmcBjlUStlgQ4SQFAYDMSwIMUg -CIAAAEAAAAQUAcYQQBACQABAMIUYMERqFSQOgEp9e/ewX9lKO2HBiIynuco2Sh1X8RhAVGmoy2T+ -9WlCpjcjQ1wymkiWRKvmp+hAYTS/xUEn6K6CSWdMSjSQgxv2yItrDrj8sRfDGoj7tE2vS1FG+z6f -Ayqo0K3O6ICVQCZIfNK+olp4e3ALFB2oXTqNaoxeyVu2wjWBBJ4iAwTqeg2MnGs8xcQa4MkNy094 -AE9AOt/pmICX0P+CQzr+Gm4/qZJ1Sr5HEEw1ig2rOCMnOnRYfR0wdYcrkn3D1upAB5qRvq0pJ72y 
-jHUXCPKiRg4ERL8tp2S9tP9OozeB7cUYmAiqrhhNLmH2FgGIOnMT6v7hiE1R98jvGxjOmU23Gqre -9TyHG0nWyHID6tlZabASCOoFh2AC42uxZ1qiF2xBSqQdP91diVdH0bhXDmohNdBt5eReLCSUcmDI -tLpLpEjL+lb7Yf8WfM4Lx4F8yUcPwCMCpI1UAymapeErW2Z6mZz/CiREFKE+2WqJ5xEPmYstXH30 -6IDxo+s9+iswuPV0BfKNaaOrBI1yaS3n8oB0abHyzPX7cRXo3LFNU+BGBLojKpvUeuZusGyxiUBb -gSeol+00c7IjtwMB6Qphcri6c6WF1jckn3iRQ/gLIfBhCav1QZcZU+cgf6BxYBvLxZiOuM3WTBDd -FzQkJgx2HJ3KAY6JweOOaH68mrDGws5tUFWzlcVB9/aIoRZWmBi63ZnNki4VoDPEcCD0VJdDD29R -UtRtIGsOCCRijPYgBrP9c0ZwsTjyWZndwXqktO6YeQsrPf+PqF5Bpy5Ex/90zZ6Auf+26zQfM8gE -3on/EgbWgZg8a4podR9sIc+4tg7bpmdiRWF/xq/690PG/tKciB+qMtedX+Ns9/tlyQnM/QV2Y5kN -HlAXlfOWM12P10H7bDS4bjttYtd/7cgUOYpAN8ZSNYv99XqLq4W/64OEdA1RWbEr4U4jpOrWD6Yh -iLtAKCkfWC8NqhwCdhbwdGWTBQEQJOvULwpbNTBxKBJpXwpCgOYyi9QSZpA5gq0H0udkgPQKIGH0 -mqwhU8ayZUiWmAR5FB32+vUILyRvjJLgJTRACYKNWl/PAILQwhFAZYD7LroBgW52Nh0Ol73BucYi -snQEmfqntipDsh1AvZL5SpRw1nJgmp1H6DhF21kyrgGwY/4osyo49ERHDcMRuMakKlbVG0ZDbKp0 -xrMYaukI9kceTjoV5EYb6R1zOLfVgezewaRhrQAcjs/6YPYMi2RKhMzAwULFPaQzltBgBSgQoCXS -KqbvsLaKU6CFFZe6ssxy/5VA6gXqJ2rIRDEFeBllaJx3Mk+5ylRYo9AJ64rsamRjhLjUVdK+yjNA -XXsZR+SbUeV3Z9A5c0vYq2N1KKEFhLF+uTRcOMXz2tEZEatSTW6huZIhz0+Wdw5P4EHoncozUliJ -JWJ1EiTtpEuxloW8rQB4SVz7kgye+gZ9CQu++Cng9+eLYYhx3y7rJutRt9kgbTUoTLlyGL25Q6/K -VVXIPQxzUEpg1Qb1ZuCC68ZTDRVLLzw6m7xwj4bMweYDqkGg8zEK/J6W7/7jm60lJFxqjKtygVUE -YW9nScE7+IA4Vd6OHnVPYgAuTbf+QglZoC8AgguQUSXy7oWpn3czXFVuYbZhRRfvjCkSfcxhrhhY -wSh62jhGj+YATiNrmYnhGsvRx6snfZP3URTU3dJ/5eRfidXvVWiJKYdBLCjgSzjO6gyGqK1V/oTb -6fLSsjomRblyizSeYCWlZP7yJN6h55ePLyUiSVRqMFbzZGSuz3x/SoqK/HdFksja6g== - - - GVAzKePsvKZ+LBXszhzgcr0POv/pTEwfOo3PbjTEqbobFDutXMwYu5qMhYHEr/6tiOtxra2BhK+K -I+XM5GpryEzk++apJx00I7wgSgOmzx3u5h7jOXEDoNmc0WFNeQG3KhbleaJlpA/LcXeu4Ytpn8Ng -/GSdP5qAxI2qXEbyaael7inPxnUb025zWqK8y457S9sHnRVYAhVHhKeebpD1/zHAgQkVV89b5L0e -TxARIqsqRUMQ0URglGEYW3LmszYE7oenNDHZHZiSGKklmv6gwEdAycQfagTYxiQPfsq79hwICGuZ -VzcQGSaJdXg+bT6nnfivWSrmzoHFGRKPx5KlOS8z8cPYwEbmMnrRSIem5kR66gaWbb3uUxquL14s 
-B9aSiDKXwSDlZrQVx0wHCOmEh79zd+acJ4x42kI/2R2tVsRtNNgLWOnWStIwh5VvOTB6OoLuHfR7 -y6O/6sG6hARhdUx58KEP79TbnuiStZtvKps+KhL8mWnJBEOHo4U0t7DzvzETYcDvwGROU8uETjWb -EGUPMdIEVhfhYKO1Za5eXz0vWGLkY0WDOkLDNM2NR2SRcPpHrDWKL82mwTYN4G9ZqNNlJj+kEEj4 -iLkRioPQs1/6Pw6k15Ms6hFZu3MLw4Etgc/TXmSuGVuHZAbRmdpfVhFT3y5uSK1z9kAk2Y2SU0bG -bzsecqAzhdFwEsakruWLba4P/GAu443N5oofwPIxWyRNi8w0Xcvk/AI4IatUkoruJbQ9KKM/5lce -x7oRfwbsjM/SYtjyd4TJpK26M+bMsvOPE1HFf9WLZKTb8iaTyDCQfJU7HQIHY3ASkAD0alOIcN3y -6+RwmCCF6jL8Hw9LQfYpKw8sDaMmsSsyMF5NCJSTFzzwVf8ACWRElKNPLeT+h0/3z0UABq7lnsgL -TfRiYKnvINscfIa8s60XrqMaT1wLFDDlUnueDdfAd4eyzRXFHQyjgoOiIBFuC87EBlsWV8vN2DPI -NohU42FnFDqk7MMn6wjS3AyXavkrMLTo+RRynhiGC3UWMlxWqHpe8XwX4kkcZgF/Qcgoa1Y7QQAv -Wi/3Ie0sb67s8nxh2FRXw+XvmfgK2Ei9uXLL68sN+RwRzPgDYdCuE19slT9II2p48gjH2qmUtsyz -yxpCvfEhOEKssX5AhKJQvHYybt5AWSqdCvc9iU31+4jJfg/n5/+7wsqa3TiccSiLA8NGU8wTuBdW -DoXhDuw0S0zRg2aVp8+uKl7cgqxkMteAYqm3AmuKSAFgHB9bXhRHkTK5UX4/XG6rtmGQhdqHc6up -LZtIE81WbcKiIp96pQYpgO+/wj9oeigYsPEBMQdUH5/1yf/LSYw2xOgn3+NlRTlLhPXJdxcAUeJ6 -nkykCHD45I8FJj1IvzRBa4YYmxgBKYZODKIkeM78BWxCA8qQWTcq0I4IAAaLVYupRf5uKJD1n0Wi -xfK8GH8k7j9VhRJK4qkZ+UQQEREVGBG7lQOJA00Dc8hh/N7p3BjljAZKPdKX7xkXDjOHc5cRRkF3 -xYXE4bJx4RcQB6uR07lO2ykSiMO4cKd82o5DJrYccc3kei3NbhRneR2ksrWu4UC0d8S6RkJ4hOV6 -/GHK0UDW+D4Q40CHI3EolOsRxIFAGg1E+UnFx2z4cQGBqCY8yIilWZ0/SWXCNeMCYhxEh/RPxWS6 -ohwISjPGwQCB5N5JsdXQXkmF+nxRjQsHafqMYhSjGIWVCu0l1VEJH6/OVIx1dTj4ERMlqrXV4wJ/ -NBAzFBsH6czkj0OKybYgzF50JlmSVrSjKFpRFS7Z/3juUfwjwjikMj9xL9hA0t4/H73lPg56yt8Q -79qNw8HpHwkxFJWbtKSgjYMoy1lL32iQX37T3oyYUQhvDYfcfxuIXo8amUlfrsnVyE0u8XJCpkws -ZiNnORtdLrGvqeTyoJZ6zDMayPc/bb5wKmXRK8czEiysDuiO/4wGabaLVLfrBy+Rirpz+l/SRuyS -OQqVryyfHpJYeo9GLcjVgFpW+ahsJNuuqJ4oaksrXypreY+0nOu35Ly8HPU752gjM4qRtx3lh8k+ -A5GwvRXbiNaWic5IqI5Rf8bhIzeNBc/9I/spmuHgw5+RQPoc8THcOu0kj3w0oP7elmpmn6X6TFTa -Sp2lvrcD2tSdgdj+4PHWiknHmHJGMYobujm9T7hHrjMQtCPH79IN51xnJD7bI8JAHLSGcI4/TYic -N9d+6c/YxxsHZUw14yCHlLZzNhPNpstmfyBqHERHsEvywiOxxVxiTdc98lv69NldpsWNcCD5+dF/ 
-Hw1Sd4zus9f9EfxRT90HQi7tdAQvp9e3/YmOBnI9hNePw8VGdpdxhHEkxIb2JV85LUlU5pXbEtyB -yKaSxaKVxJavUknzWg0GCPAMC/NWcN+ZfZ1Uu1lUI1uLRCX/ONip6nXCfSP80WAkl26VjlQ2EqJy -3HdHH7GP7MjiiPFIzjjI0OY4kOxbjXCPsOnk++qomhp/dnW56tcg2kbiTNAYKkCIoAKEBxgY+JkH -EwwwgfoBGgBAAxahggkMFRxgYQKECQz+QMmSFRMscKCBMWAVJDhQAUIECChIUDjQ74AKFjQwoCBB -4TAKYMAsYIELGCo8UL/9eTZhwoMHhwomGAUKDQ4M4AILEgoGCigIAShQMDRE8IAChYYIv+CCBw8Y -KkjwgAIFCNRkYpqFn4rBArOaBSxwwQUfu9/wAYQKFSxoYBAIKoDUBADwADZjs0FgAeQODMQgEmZL -hZy2l9jYynt9hcqgGwe5X5WYY5U4er5X4i+ZF7ePkfRDAgaSVP0JGKjaD3/Sfb2122yP9tWlrPje -M+VSLMTjxjqmM3lVVbLwJXZTHZHaCLUuG4dBHCpP+7C78Uh1vey+H1eDBBMYLBQQGCAPJFjwAISG -CBgmlIUKFCiwgAHuB2hgAoUJDTAgHxMmAIAJAOABo4IEyKUCYnzrysKt3Wwx20QqaavLyr8KoIQ4 -HKoML4HDgXEoyb20HKWkQAB4S/lCxqcttf59Pt0NGxvXmTF/IOBles6M1O7p7fjJ21uUDBgwEKwb -2rEtW+slsZyBntqOBAPGFwxEbY3p8jxiI5eAgbylRgQMRlGTqaSJkgcQLDBMkJCwoKHhAPkbCEs7 -xMn2A8FJNWXFCNVFHNGEYnd1E+XiQ9yhCcLUWispEYQInJGQ55EpNVaiahZ9IOxOfimZiDC6kUAx -1M6BoG8NtrZRMAqbuWGky9Wirm2WWqGlFOcz6/8oboaXcFbMGlsHAwTHfG9b1t1fVhuV7iMMBGIg -Vgdi96s8EDjfNWTCOTPqqwaBWUpvXlLlLjKdgTjUtNsMRJFYpRzzDIRg2gdiB0J+NxCiiQORA9F0 -2pQj8cS1Zyde413dObO6+valV+w11SjQJItiFKMYhY1iNIyiQCkO5X4viqJ28nlF8crnFEWOYhSj -ZDeKUYxiFLfThKMYxSiYS5ITBZDjYccFXcp75nMURnmUNhLZSjYufBmRdYnlRjEKUjxpHgnEAcVU -KXkcRE/3KLNHMYrmUWheOIzilkbBl7SocpTbFOQmHQeuc+FI7IgwDuMCjsP39FEUvUfVcudxoJYU -O9NHQrBHA6mqMbMiJalatqQV61pSWNJGAqmPivmKJrlzLX5VRSz6Etx6sXAut+zRO1dJ9WXGUrTy -YmK1ZaqsTcp196hqUk7TFq/kh3VcSHQqS7cpGRv9B1t7Z4GUdSg6dUdOmnQERXWyPqUHUsFNMpuU -06OdUzpBZLzxbaVy6XaGA8ET3iNsSqkf12rX5Ozq03S0jJrCOuMgu2gyit4RVM3bLeouRibHGUzs -RP1eG/GIVgneuHAYxSjGBW3OKkaRI5PTB7KRuW7dMXE37YzEmccFHFQ+LEZxHro7rnEovOFxIMOU -mUmcJx0Njv65H42VKWd4RmGZmTiCMw43OZ1oCneJhIS4m9pHiA1sdtMnpuVtB9l017ahNy+Py/aK -1XZzb8+s82dn2NB3hr3TcHsc6cre1b1TyWIVLZahrmYVth5rYXLyHudiHhnPUJcP+ZhnW7fIXZin -hcx3jGxqhIytyIOZhGaEaB/h+ZOfuLeG28nam9iFbK3J10fuPNUzS+YZFZDbVRCBuv6M1B15leq2 -DwvfSgizLrvWyl3Tsj021/PciInfOj7nE3OXdg8tufvQsG25bpWOs7SRb/eQN/v+u6dhVbLWLtUa 
-H/G1bS/b2r28Jee/23nfvbt8El7eGc1quc0obSvzOKnU6sbKfHZ6t2z2kxq/n6lrmXYr+9kb1bau -Qfgz4wIQ3Ca+GlUba7+mjbdtBUwYCARiuqlbqh4ACUAoJDQ0YFomsCChAgxIQCqgQAWGBEhCQgUH -VEB+CBYiNMBsp8K2JVudcpV5nNdj1SXL4lh4EdmWx0wRla+ObrKO+GMm7QR2ZrNRC2suYecRp82a -9LpofHv73N/S3pnSxI5cOlS81tXcTHpR1Ys16YWXTnxyl7e7ssYbCURaubFeqs0Nm9L5+qZqT/ih -vZ3MCdmU93zeOspyq93+uPqKpCMh2JxbR3aleP9R2nQX6eyLEYlvmfJuuRVpY7dJL5pkJzbl+WeC -tyf9Lyx9durJ//6RqIuZldroud+ZP7NuoV7ZJPfUhkexa1W0F8n3kt7Ymsrs171sEt72Z7uJbY5s -CofHUC33OrUYT/tpG8Ez/VUZ2aeLRjaRSY9pdFtBraWtW5qN4m5bxaTvv236Nr+qR3vDNfy17BfU -L+qRtrtWW8krKmulM9mvqZxW0p4Y8hb9RiF/tiIP/XLPe17+jZjWclVunmRDeHRHJn3xKd3Uky6p -fLOsVhqFtF7PpPdHXKRK/Do7OVwtyg+VijHfeSTkRriCUcjdGGVmn/JooyMvzb6RbUVaqlxWvrFZ -Z83eaE/fO8HUbPq5ju7Ekqd61CZciLJa0flmqncmqGWyxZe4o09ggWEBDBioQCECBAYUHDBBYYEh -AQhEAwxMYIFhARQwTNAABDCADFQwiknKG9G5LD2W36mmGtOaPU3n18VP/TK0UciJSSqff6PoRhNc -/odPKXzD+QkUIohAAgNyLzUBJn0reO8zWrkbsRXDFVlFahzdWsvFTNIVvlPKnE3N1XOyYevoFW6h -omqnaRozp6jOOFwm6+Y0JlXf8iCOFYrhjAN1t+VVn3jD2TsO2WpWvCPRZLrj8MtKRp0rHu/t4fYS -J65kjmCPg1xHVMUQU3JGuC1nexwwR645wvIcOU5UnhHOcZBLLE7NVc7mJG49lerI9TiYyhq1tq62 -ao7Dql7LSDUh/+Yi7xgWDyYOI6OhHV1HMHcOvHPv7RFmZj4+IB8bXZpHznpTZQ/fEf1uLSsKK5Lq -6Gzfjk7qyHFItZtSeyR1PmJ7ypysvKQ8gvtLIAJISKjwgDQ4BSwUECJUgJCvBxIqPCDBBAkNDEUD -eldeknvMzLsbRSLetV11vnVTNT/nZV0r1EqpqzrGvGPtRbT/RnGjOL5WMzHQqhzINA== - - - RKxBw7VbBePwu7KPCGBtdXdV1acBh9Cz0prrqi/VJJXa1+4NRVHlzn93fHd3iQ22f8N/+Wwo0J73 -rKvCaqupqoYrzBycvxpubGZkdzOzu9O7y7O6ns3MikXMzDxlZt6dMvOUiYeKhg1sL0Q8/kf86/4r -1eup3t0RD3/ZlKeqp6r6356WmZRoT0t7Y9ozcykvU+2qpqd3Pe3Eu7wi5WXeO6s18575/z9D1NbL -3fcVH79+a6hUav3atDQ0s7Q0MzMzQzMzMzM0MzNDQzOzNEtLszRLy7S0NEszS0tLS7v/7v67tkNV -u9K+zczuWkOtu2NOZmTjIm3P2u5u9+5Wb++OEJHz7BqQ7hruuBdRZDImUm42JGZnWyZSZlJm6iVl -ZhbJlJlpx2Ej1MuGUzx8qx7rDerveqqXO4Rn42pYwhvUO/zl/a1Whbxszzvr5+pysnVTWaWVtlXt -dSP/iIjXEyI+EVF1j07t+I7PGP9iY0MlS8YxVr0GszZku3FWLzY23nJjZidnLo5io52RkZH4kJAJ -l5GRkdEQkYd5hDszG7FRCbsRG/uSsLGxsLGwMRsJ0aaV8LBOVVlYtnWT8/Zeor7bdrDI67u747tN 
-PnsDZqZdrfcUta55vcvGfTcYKiqhKVtxrY3g8TFztS/vaovRiqv0EIiLhEy4iQ0NaIaGuNgQow2o -xHQMjcpoJABIAnMRAABgJA4JhiMCuVgqhwCA/AEUgAW9kj5gOhRIkyRJkhQyBgBAgAECAAAAAJkB -AgCrIAAjXwOEeo8ONelpVLVaSf2iMryGCB2Pio2WqH0/GpxJny117O1VMQLwj0qky6TR9UWqQDUp -kVzGe+MGnBoZhw4AxfpFOiO5Tv5KjGVcJM1QuaYCC/Gf88Ec2F3t9mGgSv2AaUMdjLc7jMiDxAL3 -IJ58LHXAbx183NxIrQNOCyRR+aE9adT12i6zRDux9PC8dECYbw0ByMKjJRbTCNR20rC8IERprHwh -IUVoBaJNPS2Bw5b7t52JyYLmqCGet7Cm85eby9vX0/AoxgNFpZ+H0+xo2aqz6OqV9tH8Znl1k8En -sJdXO/7b49A0vq2JWjv+q1lJI3OcJSGJMMyyjcxsQG7eqmtdMjkCfxiVZ+bXrU4lg4Mb5fSAD3G+ -dvxjBJSQYaQ6qJPYK1VoVgbhiQcBvJRSAiE47HCb8UF4ygP+86X5f6bpC2QurrvA7ai9gTZkICSB -NHRxKnbwGTQ9SmBaYPTCqbknM4mpcNh5Ks6aQCZOVNcuyNrnT+EHCZDQwzZEmUFcuStLOBUm9hlc -yPJjcT6KSdd8dwC0yGX+lihhHd4M9MoYMlhTg+gPeLC7URC/1Ma165f8ELfcHLgxI6lkUOpVVxJR -s7Ko/Z4JLUWXTge7aji2oA22TpLQgXLUh4txFJFVBqtg13ffLBUjjBC2UNR6xrTYeV7EjfUpai0w -bbhIbbKoEaxk1EAp6MBNRzgT5ZlzHVZw3p41caHtJARnOl09KFw/SDUJ4KGgWMh4NnZFqWy8Byg/ -Yu7OETrkYGKdiUKDf+Mu5YFuU01orA1ahPhOu1dC0ygchwP273L9+zcuvJQiruiMRfQWJRbcIgkd -DCCymbyFVDcjexNhsNrKucwrXFm1PWWciRG3XblyXGgv9C+iS9kEKTwRGmtEVJs0gmk4f1PDXg8e -FeyMQNeMK2MUlwikDQ0bi0ASXEn7W2M/bXr46NzqFUIKTiDAp+W4Ou5GDEjPwgNwLumApxtPK85W -rr7uLYpIwgBH8cL9DoVIgkziUM3siRWO45BSA7CZUUnXndR5RLjHvB9R919xfrwY6IwW5IatqGnl -oHYgrz2UPiiC5qk0OAjq80QE4amwu7nWVXLfywIncAORF7D8twSxLIafuw9POva+A+f1EvljmP0Q -EH6u/vRC45gqTJ+qTKg9ojpcBUwGvZIz/fmQGQ9ItLGXyy3l6qP9Ad565sWZGCQPqqve9ElOaRdP -wMjK3XgRkYZ9kvDTDClSzsRd+ggEPsAd89pbVwkA/97KyKwb6Xty3KFQ98GXBVhiGHk9lfd/6UeB -7MTw7Xh+HPmiaAxnB+aBZDTxrrKNt6y89qC0f4LqI40fnGmkrvCz+rMklFqTn99hi5KBrwQPsg0F -1pN/CtEF68NChN8R1L+BeZDznCEBugEkHiFVLqw+PQ7zy5AsEe3H8Lf+eYNmGOfDIdqeu3q7z34q -EkayXkyLcPQzgY0YMb8NiJBcRVS4SXd3PNxGHdpAKo3yn0OMGvVZlOaX0hCMkAxOKqB0qM+fyIDb -5HWLT8QiwWGQaNFGZno20IFX4dTRrAVn+xJxGpJCICkddM6Y7TPUjkMG1qDJ/hdxx+Svz9YMQOps -udEvkSZiyKWJr/A19uSQijJOw8a1FOmZKBRUm9NV3C8p1Okj3S0kbUXX4YuZGTQXa8HP41ohRDPv -55cO/iP+Dj+XMPOZk4l/0KA5kCwBAYRlfuXRODgbRLGopjSjZgqbMgeHYol0cVW7UsUf9M9NwKT4 
-GERorBOohpNNlLCpSvWAblunVHcPNdmo+JjrfZrjWp3VFaOsuqe7Iuw2X1xyNZAtKBpMyV0rsdJB -60e7isAUkFwJkahj9Svk4enK+XsET6JyPmKMKtdVP9qTx2yYTv5Nj8IHxGWXhYPbUZwrTuFH+uh+ -gzKBjdnZMU8iSIxSAr9aYY2o2KA85X4PGlOcy/jAIOvexuBihi4Z52kq7kxlel/DO7Ob79L71Ptr -bhD1hhzjpl5OzD/JRrEd3Zc8L8dVwMMy+/pWyw/klknMIkxlRb3tE9n2+b3J8GRNqKUh1LwEHxmd -eIKDdc0HEes/ah4VMFKjf6tJa3MZohAX7y5Vm/X551P3W3NZzBwToT5/5/vLBVjpAhz7A/K8Sefh -Gk0edAdG899i/hvPEV12Avnpc3eHpO3WqDuhURT+TLG3KMakw3+i/+uw/pDT+3pXpnBacn5PQ69A -7j8LRKtW+Hincjbk/JD2QJJ88hXvsr+jAhRrenGdM0qnCZDjaUutwklHdJKjBFggzqBemURFoI6k -96jVv7VlUpZm623Qjy8jYhbup4BC2wFATVqkFpPSu38Mon8Zid4ODCQQmq+tuQlz9c8kojpOUmcH -E8u3wI6xJQCSohXcm8n5GUKwa5P5VNPPdwpiHxHOBfjjEdq2N8wT3md1qh+ocovPCM9OIxHhVMgE -ADLY3pUpgV5kKZgyi6XM8VMcGNuXbAC6XtYuQPqzo3UHXw9XO+yO5LuRioqQnd5k+TOlYKSNAgN/ -3cIFHFhWk/dC9IZ2N4iRCdJckB7GXr5An4H7RIHgaCvfQPLjU4AvQ50ZGijas3lWhEyk8QxNP/ig -AfS6dtkuMCKkTDR0PQGU1UVa42iInNULkRfB4Mzfa9UmExgttILInRsibfLe94wkd24aQu2hEKHB -xMmjlDBvl/0SsSvrl8uHbyre5DDKRMQlSejcX05HSnaTcBgDT75S+CUrxM/VOb6LIyuO5UzRwNWD -knGg+VlFZPHB2f+OHJuLPPGOG9WoPFtfE1Qi3vBn5ND8XndkPhAGcPD6eXFC6Tyon/YO03/dYNd5 -FQ3bAs2c1ymolyT7d+htAhGbj40Kz9V4InaUtyU2hJ2B6xicglUYG2LI870Hn8R4fIcmQeaV8PdN -Pvt+uwWgkgO3ZP9L3mFyMpOEHx3VTPlmGpwpfS1c3btr4A+JsJOCNwc1vk5WGZGK0TuikLawNg82 -wUrzZJcjKeG6CN+Osf27rO5nUdB0ymc/TYxZR6m2BEhnjrDxoQ0Qo2BNSSTgYGkD8keQoDcedBne -5nh2nromAV9GC0uDtOWMm/g9n9Fr6Ij3qY9Dzxu1ThSYaxHzURpUAINNxJqQR8exHTuhDr5zGbp8 -xEwa1+35n+9yWAOurNqOFWOULvEXpU5czZTeZPkgZQMHFjTAhBTAjhPAIyR65KHQmnWWs+Lgodbw -oDLicyco7hh9Z8GP19o6T90WVV45MaVlfqoN2iNed2whf4ldqmIOvYAQnAdF8HlHM4XEiZHZawvJ -//XaAMgDTQU6t8sc/4yG2T9neKRDa6cOlBkgQFsFwlcTFErsFRsMEExgPCSHIekjT1J25xjh0SYW -T9k8nJMWLfrUWvn29cTQAenx56bZy4v1tAtAz4xxssJMTyqXju0fNiexA38m9h9JKFwhAPRVH9pI -rJyqEzsxIQ9LkaNwH2s5Rl3q/AwELlxD66+oIGaaFz8tbovaJSwvD0mfYvXtnFiAZoycMNIH412r -dvBjOFzyXNmWeSYvJCbWnRBLKf5HiN2vh3K55nGUwCdw93+YQlWSGX3+TIH5ScUguCJx3hyeaZRP -y9cVagTILqoy3ozjoqmwVoIPr03Y8joHA6i7IeFViY+5TD+Aq0LWYf3SYVtmEqDT5p5AD8TDRXYQ 
-nG/nhgpymKpUJBhYNR6dmlxY/XEKpfmOpUNeTceTJhajUb/c86jFgYCD2a4IBEU8OevmGnAG6kbo -HHDbyLSko45/iB9IlvlDXGRYi1a0BV/InQkEJjoRuOl43Vmrl5x4tMbfU7sXFv1KjDynuiieb+iK -49MFXMqIcgKcbGZUqrXd/b1Kx6LpfKmm6qvPkn5IFIxGxkAi3ryiBWmiUBcL8Up/3AnVnzlL4Qie -EHh1ciKXm2ldJyNozdfOgkOV9K7qoTfORGj6pF0UZwU8CVQ1JxwC9bRfWLDa0rHQNvSFNbZSqk0C -zdvgOYIG7RAPygsaFDEEF0xwn0IKXpCvkLrZ4+ajMWBoN/nigMpR5n3YHl4RYLXwuNmU5ZrXAiqo -KIoi3Q5lUm94ByXUEGQ/r6yTEFL5kWbLDF7Q6pV0iERNBbYF71kOPgtrn6V/rNBI8W/gGk8YgRtl -/8A9ocigDzt5O328inQZJUwVOAdbtEJhRSC8d/X5AoilHlFTLxMPpRl3Nr6UKsck4MevVIaUcK3W -BFE8Ch8KFWzyHsZdJ5a0o8ubjePmYsqaZ0gLwOvRNPB0/AQ8SKYz6W79aGWMpTKarW5v6Al7c5IK -Sjc4E4PqOPITwklmEn4O0dfkKX3rD559PoiYObn5DdkNVGR1UiYNeCeLxQv0DXnXpMBu2Rnj8brz -8myjISF3D9F1R6rbmejkzAUAcvwYilpNm7bdt9uuGcGf2wNkEXhe47TQuY/BypMX9IFUAoJjqE0Z -yLe7nYx7Hd24Tet10pHnvwAfSK+jbhb5Zpx0trHhgpPEzv11oCc4Khbh5C6D34nwMEtLhf9KWQjI -nvhrFgotIgYHoc5UF7ojFFNbn1LO+cM7mQgegmV4WL68hJw5L29g2HKUXf7LfS0uIxm8b7HfDcKG -QBffY4lPVu0oM9iaenvaGg9kQkqnNGProJq5MxBxqQlpOzchC5i9S0IJBUXe9b3OC6VocmVRGslI -ELyMcDlTQPOaosAGlOIoz5+Mh7QfpFQ/Lk5b5QmJx/T4LGL20FbJjrdOowPNkH1M3Q== - - - gwb8YFMMHR+P/dATRucsOBTLtKiOAWAYY4Xwh4vtHQP+QVbZyIkMlEyenvcR7PWm3xizbywkmtLu -1IFMTMLrv0rvmDgZTmUiDLjt/M7TWA8kZBrWCr/3fd2o9O9LwV83FUAstaIzoaA0tYe4iEwGgSWi -oIS0LusUN76BRZBh1fS3P0PPV0OJtLuuWZklyTCS58gIdkwaIbSK80DAE/jhkTKK6Zgk7xLrX4fB -7+9t1f0BzuudNNaHKalZ+OoNjbl4SgC49phIaQp8/fiGPq1i0CBn5KVmUor9FMFJOE/lQvjzmCyw -KrELhXkRABtoDTD9MJNCDmSDODgHk+3gkuLBeRB4QgDvF+IzHvkBMo0uWd/gE4Hk6uywEn9XIG23 -l5RmbbW996PhcPT4q3mIpPVPIVNqETAYaTao017v/7aWtZDJDkALsk/zyHaCZAPkVi/O+IPVQHAV -fNrY4SXrz7K4471rHgQrKICaxyvlo8hkQYSgISrsPr1Mb4P0Mc0zANRW8hYNj5OiVoRAcoJpW4Ro -qUVdKRSQckITMQ/2YoBgGtCOF/uLevFhy2thT2JdXx5TrMD7jav0UVuAeYjuvGpD2kX+Sai7UrW/ -ndm4qfuHSzNcJXe4j81eSv96qGBXoxnC4OURwKGsRPK+gDBPSBt96CUgng+g/uBAeNhrL49WD2Te -JGNu4aouTurmmMwAjf9vDHBsVY5zszx9cAbtIWt4m9glEdZszFi/zPzPm7w+cyjGPAJjbtKILS4Z -7H6FsTymcGI0ElxklkGeauoKadgsz3MNEnJMCwrbFJoar6gyKZiq00G1jWk0QJBEzlgunpPLF0oB 
-rKgL9IuxFMDp2ZJVtmH1q6wZ7hX9loOtqEDi8jDldo/K1+JroJ2Fbk8XFlXN5JGsZqdClY8UgIJy -VxSGFkm5H+PIhWor8YqKGMQoq65FXZNVD4d5dAna9beSGZeM9M+8+DQMpgIQcvmrDovQ28OF/1IK -CI2HuQWLyqn8nmBRYYm/A/tGEDKH5D/vepWtfQpgE1ZfqtuCW0ESPaRqB6PRARdbtH10KDq3rOgA -iXL2CqQJKDv6CrR1rSABJUOQljuIV952b87FZVa/zo+mmtRiKZwVFlhuEe9fPQwLkJDm1Dok+kf/ -3Q/AjTedR7+CgTM0MLOciwYHmokCgi6WYEMXriDH6MHvrdkKsMPXc9YBTpQx4L4TDSja2xXway0c -C9+HO0L0Aut3QAb/elRTnvnLAqzAClu95qJ/DtMKGPBqVrCsXdqiZAfPnrmOyl8/bzljh6x3r5eL -cs3GqxUttFO64CsASfHLr6C9OmoePauq8ePjykWbFznOY9UrYPs63Tnc1HEKjX9TIi6KYsKyyV0B -0hDRa50iQvZ0eMteLKBo3WKrsVe5o/RqbRWBmU+/ifpn8fqzt/f+D0nw8HQ5EBanu1YYkMAUQDe4 -o4YHlbTq5PTQf2O5F1nNWJBP7l/ZRQsx+thT2wDBgsyhLyn4+KOLfuEs8R8u00VDwpSG6lRm3qMa -C2RnNS+PXYZiPOduEpw+syWETQG6dlX/2jbekOl7ILXT+wc3/8zFubgS/kt0sKDfUnz1hrTC5B2q -hKHNGNEMmZ5dNNOvcxqFFUO76MoN8b2s0/qg1LsrCpvfPQhdffEeWg1k75HKBQAQxX8TdX/1A2Xn -+N03VEYEgO8aUAqJY+LruWQir974nrATCkPviN0zINvQ5frAeGeQXR1pQfRZvQFeVEZNpp+8et7a -0KbULKZWSgvlD9XP/Xb1QsL+Yf2eVvVLxGd3o/uOlLDzjfQsBtv5H7bLF7R9xx8FYR8WRKOr+O4x -2Qsz70dgMfFMAK8yDnOf/ITkORxPLpkd9Z7we2IcfYSLFaCkrR2GzXTmyrRiKH7dSV/CPDXZ8NjO -sSxKSeOfey6JxG47SoqpAfVgH1T+E2lEvnUX4uauUVwDLVLV5qXf1vIuidzuJ3FjdyyvAbz/CqtL -UEbDhzSW3dVg69pIrdeZtzykfcey/1rpT9vnPkMqTDi3sfYsLbGCPzy+2yoYsZ8XeGmbyNJYtDrt -9AjcDDX2ErR6SnXhuDGBETAwgRQaSEvVxNdIr5uRHtcCXQJTRGgThn0JDEJ8CWQa5RKwt+MS6JZJ -RfLyY99Swjr3pyC8aohdxuMG7I5nBHLZ3RJwlrbkWAL7QbYEUghkKEaQcgpCgSWQsrDVX3w6S+C5 -kUnqGkYhTUNbWgINnlsCawCP1JeweEaMnQ7RglgCLT58CeywfQlszlqcgwT1HF2LGJkv2T3jJWwT -D4NLYLPMuQZnzoHBAVmto5JGVZjQiswEuriWCewJsALY82YCWdUm0WUCc+Kjn5HM62P5XmBpDGJy -7ICWQAsp2XWWwM+yEQjZdy1RuDIdpBEbgSeNt/s1jpYRCOsp2wKf3wMBTmSbRYGlcwn0cJAyGQIZ -tGpMrdlwI5T3VgIBPCA8H5TMPAKLZWQ0N4JqE4ijKoqtyHRaOUy7QnzK8oB6ET07Amnzfm7ZBRc8 -Rt+H0f6qngqvUtnPjECEMg5cZa0VRWzxcn2ZbhytppveamnOI09WTlEafzuKxq0DgOE6brCBqF6V -+qoLGmZylEsB1KwEDR15tLhAoCW4OoSYRcvnd93NufXXlg5irUfUVGNyq0+pD75yFqk8VXVzDeds -ybc5ZnvpXxbSRRffNzf24PBpqlrM5UfUAQfuPY/3BaPIdBemQBtruNHAq4vPvFhWGuX2tmpi6IYW 
-malclpHqSEUEH7lxFRJcaPuLAJX0YWA/afGu3qwwoI5vMMAnK5yWaIqtjo3qYJh6geUKUv2GlQKz -FNLchEEpMJ4XafZcGHZEKl2uzOD2eXIS5BJewihgt8msoEERSCHgdcdnbwzvYy+bdiNJM2ZacrGB -IftpL/GOCosMo2S1NvjEkNBpBmx2L1m4wTxjzNiNXjb8T0HAudQas4blJlia5l/nB4eFM1Y6+q/i -MjIDoAWMCGj48grtNkkmR1/DWJLLIFseFKpFv/R6J18v9mjqzuuUz7UMRt9v4/0+ttL0S734jIJw -6ijl+4yDcBdW/XWi1iYGzVtGbbizN9q1q2KwJwmnNkB/Bd0OcVJVYTLNFoIRsvBSzghwhnHZo5VS -XUNcYSnn8/lttc5hR9tBSV5ZGONEHc21PNC0nXdF9RaUKmL+j4wB13+EoFH3+5lX4xhBPxx50+nQ -YthzSVIUZEYgyXIXVd8WJK3MDvnRM96YVQp5nCyLPgTEpbELCySKZWa81O9mtQMBfU1V8usHtKnF -rT8NmrD0lQkc0EZO3yfOAjcGdwM7C5LGl3t7giREXrSgkjqZtYodSBUlQ+KzC96NK9W+BSZxO0ak -sD9sF2PwcVOOFHAHKMB/iMgj4J9kSDfbLX5Y75iysKwph0IhJ5nsOK/kSM+lJ2TQc8w4jHEbljKc -wMAPCojgEGdWuZuCaF3hfU/7EtlaUAPyJBbkv/RwSs1p0h6zEADd1tWhRgXsfDKszHqmlhCNY+OS -J2PW5KO5az3Osk/SJ0ym/Ch6SPBjCzzWFh5+dwFaDoTQCVr+8W6ri63PYi12rilUzML/oD0WC6tA -ORSB1nAWMwax78q25jst8K5/1jpOh+GxkHUVN9Sq5SWZIRmg2JdXHjPbGl6MtZNxI6x3PiSUqaI0 -8KynHZ3FsgQDhxOJWgJ7XoGzjhELNcz/upBIXplJ5XnW46zUJXZTabIrN9Hj2tbpZvlXE2wlQkCY -/wuf5OHrde/tqV4yppzQDqI0DJvzXGW6e+mYMzxc5IGxpnsZeFsYwBcqaMEhXugWAPtxR+G5GZOy -qTac8aGzpEfgL9SzAcDU9F/Se04MpetdXIyCJqvEvWXhf02jPltDC4NHv6O2GNjm5ymy9zb7civ1 -OLtCedLuH6OfCLR5Nqv+Zyxjm0k9zHa0uvoWcvZwkJgMkqGZacO2PP0tIWmhJWo3YwJ50ALiFJhK -JF2BH6Zw6p7+LIKf1acBDQx+NU8CsJhGVAKTwWjPYSxXMvKNf735QHdNAjj4Lwx0DiXfjQiYQ4i4 -Der3xJAMbLbp6MgSugfEvqAL10+oNhiVo6xNSUyZnsyoV3zbcLaBa7Pm3ojQYsEzbVahBQXAKfIy -G8Ss9vpKcRpaXjzIGJO5e5EoLHarK8pfBAPsUU8YZI3ng/XYZX8xSvttr+aGCEZclhTebHElfFXD -ItLEGu1vuLVG0jplyDkwKqwQ+AcefrgTTEqBNezwfbfvvNKwJQDmzJeJwD2A4asoDK6O9ekOOgHJ -LsvXYucXKAHX6WlwuNmCzll28Y0y6jK4ZhmbiiqgYb5ny7vLUTs3VOW0uORFvmyKO7hioU3zTiae -xOxs2C7NEOQ3X9xsjXFxhSnjftLT6PIKDZ4TqshOhTGcr/O0SplhPQGiHHGkp1p6nip+0QcHDrrq -wzRhVz4+Hy9etj6dDymUsJq2S8NuGla2uRwikEG7q5mlnMXRAj4LZDMeav5LTJVmRvz4iP4nVds6 -SqsD0HjCUDu25FuLZNTbTeADeufuJvtWp0sywa3wS1yDDOVkRnTr8a37jOIDCJV4i2OoGJ2SJqBm -+0QmBbmqwh7jEi4qVdx30OhbDfx0TQ4CPDt9FOXz9lRs/Lda6SrYTqW9w9mmPUykxCAMe4WL7dZK 
-aHCp6VYzsqWhS7sDsqmmaNh061xvrHqY7NZWn3FFdzHktX2ALnFiMRXEk7QaZlgK6yewdtxq8twz -Os0ScikJoA4k7nP52Qh0OzIgNhmW9bnV48H1l49buBWwHlSMhJ5PXG4rlfv20HggntJmRs7P3Fbb -VCTjtTXo/S7a2l14ZPIxeroGD0RfFzC0lX995fZBQoIUyLs4ZytQqFV7zEs11zNTFNgxgWxFj4o5 -oKcODumvICSUTRy4mAf23ipQ6STkqw2XArpxH2kUgzooVYn4hosqScZ9CI7RUEHVXDu61kI9mbVE -HuOhFAEIScwvk/18mRDh7cQ4KaH5dwlmDZCHbyqdc7bJmVwder99+bc8JZs1c8hlAfizKIQzOopF -5FQsPGkS/9Up8E+oOzXsbGNrs+yZkTDYanUli++YSbOLNUFtTEHY2hIvgE3YavsiI9ha1kK2jSfU -myZGu/5LHwTVQpsVpFXksT8+yash4m9pc5JZRlm1BBU2pIGkkUHWP7pIe5JxC6Fka6zHVYFIspAL -J1n9JTnmO7knDUsyLH/6aDZCl+QwuK8kI2GK0HJLZH4yALdI8pojf1HPe7z7Qmr/xQzLsjBDrzTa -I1ub7zTIQ0LHRzKo/VQjGQRqJASBPZJdFiniFHO7YNFZwtCLZESx5kZbXSQ7Y6EESCRDtoNInYTC -5qpJBF1N17qaMW6PZIyosNxjQT+RLHvVBzIUrUwMEpEsTB1P4I1iSxgYz+6xHXWGUZ/+NdTr/YC7 -WZbFTZnGLnGqA6wCItnfA2cvySDdq3J4SRbEJBLmt5W5mC6SKWJjC/+VoyRvV4AboQ== - - - XTkwCtmoGZ1kQH8ud4WPkgw1Gc2r0K4uNtm2W2tAdOM+kzytSghPAbiEl1Ioo4ozyROnkd/mGw/t -R8PGosyUfGtTUvKdp+2GyhG9ExFUKSWrKVmURFUptRgWmbGxtNRPMpyJey/MDW/iKHx3kjzR2zb8 -qIq6x2qa3S2S54s2TR1xRbKJk69JptORDMjEpFzv7Eh23SuOIWGuCloiHkVyZtIqBuoMnAFTg5OT -RXKCncdWvHOc5NIJihYsbHHUGLDqUA5BkuVfCZEkm9a/jNiwAS+9U3K0KhwCS7KidmvpvrH8SO8k -2QZmjNpLbUvyyJ6Qr1qmZEEKI0vGSgrBG1lXdjtF3p8JZOUoYwj5G2RRYKRYHNJTVgn9NBsgFPws -inas2KL02ijSIROlRe5NKMFmPXYKszfkFBPULt0bsmEIiaPxyeujX8z00TeAHXL+Z3p5ND1kOXYB -YznX3nCgmrFFdok/FSIjm4MvFr8Gmtzz++zu21IdlrbprM9QauFx44LeZxK9VXnDgTyvUUQs+biF -J7ODETq5H0JPuMEtKwv/G6CmGpkYfu611aun7L+Jp78DQyQS3H3QqNeZ4vyh1KybJEploUDY8Hzx -6YVfCknrlmhzVr0BBrtOdaCyE9cU63qNgchiOMOKYAsqw9Eiqd/eQ2fkqpGkkr7il9ykhPJrOyK2 -roMAZsPFyLaXjo1oG2FnYKg4RbtL3Ecb6t8jDf1iBJri5SnPTtjwdBHbHIKSChjsmsXT8QFPjozU -RVkAUR2J9qgT14rtwyqEuDRZzNoUx6prTJrZ1ny1KAtUB6+MUZpdZOrTI7f6BI3LgLpwigBWshT8 -X9dM0h+gcQtRa5eFEOBbaSxu8rWFITlt6qwzQba9ekOoyZ/8OjjjIq4DoaHJeroFJ/YlLrY3ymNn -SwJ1zDXqJMTmGUTn3rtREiDJsgiznemD3j9tYAL/GDNim6S399aoSoAD0cWTLg1rIVxfS+/l+3qt -9UCPidxI3RMSJH5fTUjDM9TsuEzYLV/363nqClK+54K0GVhv1N1aWyG0+9gHYl2x3kFjVB+mALxM 
-/VXGzyxt5mnlLukBfseoKZgz9mNq8wcyXduDCrSzDpsQfN1yjIOOgMg0ETbUpkPhVIHzVYtqFNV4 -byPsWkdaB0BtsPbifHMoE2FO4UXc948VMxrPQU2BfOA+kHKBVRjjnGSdW9F0kchclfanM6q6KVpG -CeXIR6EtEG5iNFevOySB6lHumw2pghEMHAXgjk5DyXqDd63sMAnPggMn7v6ekd+P/uAaG2B9QMjB -B6m4KC04fizRpZrMHr5ZRV2+AbAIGryHRAmODd/konnlplZN1YDVLCLItHcjLqdudquabFFYXTAz -vIkT+44zUQSbPdkudmokDIZBgPWJQuEOnLlMbfO3uDAxFgjPBwte03qo083ZGM4pHlj3Emb9InF4 -zXiJaQLwTcsxwSkGlRNR8WGjwCop2MXJ4MsRTnzbmP0Bx3lq/ks640Ar/3IRD3LwgjK8zxRsaZxW -pNay8ejp66M+kcfwAcRyCBTd2MexsugheqGREhSG7pzeU7dgmHWwUpMJKgk7FZgNwp2kkQe9LlHs -S0QGMl/eeHCf6uaNaqhoF5xpgBga9YV+bT3BdX2h+WZHgyc7Sh8W+JqiLLNe3Vjb9exeY0VwWclX -vEE7HUcuzZfFnw6qeCQzhbkgoUO+djGZIJVQSNgUZi8tpU5sD3h2cDyCoSmj/rd86BFEYWZj/4DF -6HfplBckEsZisAlM/HY3NLt4/mQop0qBrc28JYPjua/K/Jck/sNb66VrpEQa3c80K3zL8Mcc3zNF -B8Ju5P61EgHyNuK2LHUZPEBkQyKJxkiJVcXYJFGrH1ilKdi8EpyL8Ssw5tTwX0C3NoMSpepCSWYH -2kIAr2Sqmn/hA48Ay+F4IUCsH6NP6cd8JkVgWsErDSdWCKInDdOuo0hZfzfk9Z9t4a+DxjrIi1++ -xi+gAJbZHOaWALouXJqCDruMKZfzYS0Th+38ixrJezx8id1FwUaBDqFsad09H0N5EF2Senx1tVe6 -Pi+HJxDSUgPfWoB3628uSJ4XvQwvtoQSx2Zd5hNVHI9E1XaEODAEKMVGepOYRACo/4oJXQNHTW1P -D8M06KJMkRDuvJLw4nd/kxmROgmxITMG8+0rYV3slisUB0liR8SP1XYl9WkfSM0Vtn/e4CcDtP22 -6t9JXKnEtQxKM8zxXp/N6vAnGEukRTHlbH1msJX+1JPdcGMBEa8nP+ymHV86SZOq0s1AGNLJiv2F -INi7yFoxJSkf1LaSNh4BU8aGwkSZfnAa3vhnZrMKqTRt6gSOwJij7Xbp+lORgro1OliraEJsiQp5 -uuUVkRLiqSbrsU6gr+pOrhOVWk/DrbJDZiFs6sWEm9eev0+RL+hFLjsmm4ki9d9/iCvmJJqoh9Cd -b8tRCgne90RTAjCDy0GCnKR1LH/y8WUkmQzODGX83pd/FyvAZBiY1Wt/Tc0DinYvLYsbIKGk9fvL -7bMbUpBRxS7K6fuEScRDVmhz9btB7dwPY684F5GYXhySkGf6m2CBSSkFsNFr7c7wXcQ1w0MGRM/3 -J5EGWl6dyYjeepkh+GJLCDXbHGQ8h52LulGdY4va9Cg03wjh4FKe3BFxIMlJm4P5brmYYlTTghj/ -q2D/UxnivPEzJd0XPwgx7VreKfjhO/w4rbCIcJ+x0OG4GQjdQqse0DJt8Kf6AeurJvOOe6xWmxj1 -0vlWpZNRab5NVV/uFSXysuPcKwQmSa7AQRi2XbnZ+CQJRh7+KoKPn2X0pbMysMBEDsiQNX4mB3Nj -o4aYaA09lCQpCdedsi2MYy+a0hhg1hhDBaysprQTE9qB9YzST5WQ7SxiC+zSsUCAFrOVV7O4MpzB -GVM9QDdobN5gQ+l1+TIiWfSlb7XeQqMrc1pKfg6Au+74zq3btG1qy0qwI8nQXMxa4GlG5sMt9MlT 
-FClPYEp6Stg2KVIFHezPjoGWLjUx7tG+EDwMqo9XSPaVM5ybUgZNK4XMBsTmY0jr+gDUl0fojB5M -YgUe2eDqipkEkFFCmxprRTUVRT+wmzaLmovrS5LRp5f4pp83M9WhcwTncgI3ihtqMUgJRjr6Xzb5 -0hWFUKmIRrS/ayO2JkRSEKc/VSEC5dSwBCWLGMEsFadZsBYs2WDP9XE0SDY3H3Y+nesqtPmIuN6D -bFoKyGx6XqndaWLxR3QOLU/27rzKHGMd3Bv4KiXcjiAZK4SGKGGOJrNDjiJJe8E1xIpwgf3fkn99 -Oi+kN5Z7Aq4pgrMBLBRaXLUiQyW3S2SCkmvKcLYYqA6t1KWkdBIzkfaoLibZSDu4emIXdWBlUQBe -+jRPI3E4GTideIE8X4F4yalbk+VPHFnlyPTbehRORWnYskXE1PSxMjLrm4WvMVcxpwr8GZvVMH/f -Y37mo+Ddr4ruDE1t2tu9682vOvNM9tmpryR6RlOfxDSeT4gnMJaazPeUwA7JGJY5DFFbQLL173ZY -Lkr558I90Ewx3rjXZJV/jKc2YV5OU0PDl8l7AZUnjk1xQWIJjieGuKz1HPzvokDbrAtv7DPFBcnz -pU6JBGs9+SLyMXrYoyko31RJfEHX7MxvEcLcHel1XNzppDXpntgWIrbs4oXhDaR4yEA8fGjcTgY1 -IwVrPFEURc5vlBWhM25n31gxM7MzWweTT9mnQIMNuCP+JtCLhmD2kCSbNsS++pSVm5hQgphy5osl -a0iadxjaZmjvRXtxZ3e2yDPQPtYgNy1XJwY/7y//nhiEIJOQ8/eR2E/GHm4/WvZzbYN6+pqEhUCu -L3dZoEl+rf/edgzjNis7j1/enjs1Wg5LI1N9ipkgkNR0EoB/XAoM2tLYS/gEXrG7jJ3jjc5TsL7J -+3jXiaZC0+5bnk3fwM8c3KccxzvnzZ30PmT+UUTQZzvFD4BpvxQB/gDqGDhJpItA+QEeBaEDQb+z -6AcX5HbWZzcNLDN98uTBOMn0fFrnI7lJQf2hWtwscKBDEkn7VAvEd5q+onrIBfv1NSL3Tu95hr1y -ZZ4VVpt4Gfd2KY+ykREEnsD57xPg3FLeTu7WJ8T9HJljgv7rN6SGMTh2Iz/NSu++TaoTzHfnvkkY -SPy/EOPh+vopdra5XqC5fnTeXs51r1G/EXqU257ElX5ARUcYYGDSEEtNqhRlufaqbugBy+hnUJow -5D3tiws2EXYCOun1VpQ49jNZFv2IiKO3p812njRDiPRaO2Kw9xaeyEo/kI+H98zDBj7/7IHxSs0r -8cD0w48deIfM6/IfQ8ErQwXgqCczANjI3AQTXuDVvxAB8L9x443C73MUjljIbtzchRp5nECCMJRi -dQXIjNQJ2wZv5JdxUBbHFncUKpyIpa1g95HxnC2FtsMpdpwI6vJHItOefO6PkyF+G1Y8z0KgnS+l -hbwiHUG/EBZVk3MKjWhzVaKj8grYQp5usid9Bq0VvSoZ3KCH9SA+f8ErKRjNVaZMjsM6HFXl16GY -KMDPnrXIjtbsnUSNoNttQUqRNd9UTLczbuwXi+uQpiZa0GYQbSvvCZb3NHnHVqqOG+Ndx4VLS6Tt -0UntmHTBb0dkQKqk12o7Z3jhi8ya7diSIrw0xpeN9OA2p82ofHZNU93Db2zZlGI6EQZYAyee+xTt -FWO96J2IMi4gJRT440vww8Ww+G+Gw1cEcKvqJQFVYtzAevrlRzSb+zTqdmOda53J2LCLkGx/KHB7 -CoGQBMgJZ3nGIvjzJwrYt8+SyTnHptCWVUIx+YurYjimz1kYfPq78lv1wtwgFek5OIMg+MKVs5IJ -4oFiOmcrAidLexepTUVlfhX0zcOcBUxt19cfrcnIUFFi04gN/FvBpE9hZYNGBP9IYM+2R9C7l6Qc 
-vK2iXvttewsJgNQ51bw3nS41kdAjytlzRT6CQjANsUXtzZrZ76DhUWlresJFiLO8IYgH36FgBm/e -3/6WXUmn24s+i/D6RtxVMUUOzOMvmzHIMnXRb5L9OKmBErpZQ5lal68Cg0dtxjCoSqQqJBnY4YLM -UyPqXjdklBeaELo3RL7ZjBbsQrizKoFAUDd06694V+DIewwTkiVTXQI+4bPaXj4VNevDZb+FqvjK -h9TmLO3ncw9bjCUcq6WnSML/1c35ER5ELsmZKdo9pILNDgn5pkyS71TUkb4gL8hzQmrLOloJs3Cm -Gc5aDTswgtn8qA6zDj6G5gez17o6iBQTBpDhaWelxY1igGCsMhakuL2JXYbSH4ZMiKlRXwwKoJG0 -/F2Bj4EvNV4EnfIeJ658gaN6O4DGY6a4xdaP+bDFiELi2Haky7s8UA87emSDU1UdIzuMbOTwKsvA -zEt/vcDjpuj04A92Ii8uiqDJkrS6CzyWQbarHH+MmE0l0Oimh5H1/KdbwmreFZKMq7V3s0RFFdoD -rx2rCISR61ep0Hv6AaJWBCssErOnmWDRaimvFC0tq3BdfLUT2le/DMntM4CDY0ZAgA== - - - uidNnL6OAdTp46NBPUMIso57rpEKxylvc22EAaDybfv4aPWSyWW5pRPb29jclfBxTIY4JuAm8LZ0 -p5hRSMWIG21i5h0eSlGu9V4TxyjQky/5aMNo982TvO82OlZEz8JlOvSLg3Itui2eAEjRLHLoN5I2 -z3sR3TMg6ur7e5ROmlnkYROXVJFVSlTkkd5CLhwUZR86I1gc8rytywQyTU3Z/sQN8w8J7dlAWTb9 -EMSNAKkyRlZR1GXjnNqQDUPRvBpI68RnCiXfigeSaiPWUEZbf1iRDjuLeBwKJVgSTmaXhke1EurM -diLQQW5xVWdivm8Q4kDtag5qilpp/NP1T95sGrS0z26Y9BxPr8XYRMKEiDVABOtM/PQIAWotSaGt -/OwW4jOEWO8mKg+9t9pHk2MGgZWs3KV+dLcl3dl2q/YlAlSCNmQz9QfBsIW1BJ70HpKsqo2Yup6y -1cZKuOfWmR6MXAQIAHf2NeIAkQiJXGaAljgQbGc9UAsxdNHSmJlj/XrsZfefttuVc8oVewhqR2jX -xH0g2RdRvG8KvqmpR1MCS/wy7DMAEEuM3ONwu0oP8IJh+xskA0cCYZyFl6zIpWBNWxlDZfhAbqBR -zVZFrQF19d+W1KZ9w6nGcgJx9Tvg5i1x63UQh7Z+rfOnNsp4lvXgoc9QFauakh9+jLv4nOVilMDr -2MujfSJceNl6LqZj7U91HuK7FuO0xpb6hP6gc7ABVNzGmjRJscSblgq0Fny5ORweLgV5BH6pghG9 -jWw7JdD7QPCVQfIn3iOGO7/CUre0PvHagsdY1K6kkQa9PoLs0amTpzVHCpuGJGCTnFYKx3XXHtrJ -54k+AY7ZkChyLkRrXEpk5lqVLUWmFaIRiJJISAq8OHtLW0t2KOKmZOyeb7cMNaR/5BZ/3oWqZZLV -2ei+GH6sD7Ek94KsMaV0qkRCPZpoCrU3L28T5KPHuU0K+DKFJNon2p6Cllrbefz6mwgfga5LIwAD -6EQ7ihVUk4boKTTWO0gcc1oVD2NfQ9etC/BskYD9LW07LOkZBIefuSCTH0HPAeYlV9r+COVEmJ5Z -JDCW/mo+dF/DsZAjcJC5aKp/U4ETISZ3yFpVBPp2zq0cympk+F0jci0zmmzySOT2B7ffUFkj5EHP -JVb7OGTO7/6jTfpb9rl1Ji8rRHAzT8z1Jf8AR3dFgI7nCnzsdmpIzQURTSC44N6rqQhQitavUquh -Wf9NykbwkEFatjUtB2NhDnOuJ9D1RQwkAMGytSTmx0MwkadLVT6IT1+cdMfU/in4rQEKRFbNN/dV 
-hBx6L8kEfN4wd+C4uKYEn0Ovfm40JeNWCKv+4YpPeY1+GcD65T9QRabuhqULwCcyiNRgqXftH3FB -+mY+3raz6nQlizbgQrKpgN4ag6k8NttpXhOq68PIGurxvzjJSumUzoMsqCLetLGRQLPQ5NlsEHHN -iRE/aFZrY8S5rXakL2gFQoJPfDhWdzKGETG0vVFzZbROc31IYHVwjAVq5GlkiexgVQIgyuXLhdd7 -2Bv790GZdQn/jLfnnuDjZ0coLCgRImy4O5F0ZtnQcVvLVp7xDkygVRjY5FAxEyLfvvBeho7AmfoR -pCjiF6Si6KRs+4H9ZvFQTHmGf66KvOk+4oPyFsSJA4tjk1ozj5QMvEjK0PE2z7dakea2ieGQDwHS -qEZt2Qmdy0bjzWaqSKRXuAM9XVE+bsbpKWqZ7+nLhiYmrgIgofM/kGuptKGu7NafLINZJH2gOh5L -0Nd1Xa5XODWaarewD3M6f+AndOWhOtgvGOK4XRVT7PvwHetUOPCUgmBZ8p27jo2wZPAkCdCpeKlY -/wQ3tAPv9MSfL/GkqY/U+6LPNmtdrdguEoLxNIPoJFya36IVux8tEBQFNJF17kQ5CRDkZhJcN4fg -CRhEgaTQOXwh8uOtPsjYBCWTvObgvO6vCQhDFIK0nTRUDdOZK0A2bOALkaJ79Kzgeo8r3z5agnl8 -Uymc6FkqAF10OIkiW0LDHIKL0i8ZK4PCXylghXCqkEiJ1OD4pKPLmgPByxe0jYtSurlt/JKccwp0 -4IrgRlWLjl7E3HOoaIOv9B2UU0nBJO7P8yoHdCBt+xB3Hi4kuFPYxeb+l+arUfXqTkGou0siWz1G -Jk2sminU7xyF5Aarh6Z6UTLpXUmVdYyynJHa/QDhTXbJbGgRjGCANlLnoCJJAXPPoFbatloIouEl -d0+JVmtaEsYbvvJgf4Mani3AEaYUnMFSQ7iCaTuBa6GaY/0aajPKXTgOib9UIcH/4PSEnbTsgmYT -yE8gAaQ7V2DefPNkDtBlGC5PIYTJgyIh+iVwlyYiQ6PJuFUwxQ0mjNX6J+Uh4huGdPjk0U+XLAcb -0oaW7Df3GHgZY1axlHDf4e81LwY7zeGPAQww8TXGQSPJMJwJ+6grImvFPgtbKemqjbKsPYwsr2C6 -ZltAF4WWe5h5U8ZcLwAbV+PA1bxn3dPGb/B9VGhFJ6uVlJ119JgjfBjWU8mW5z74b10MpSFpSxup -iM/IUbvuYtkvTN/hq7xf7HyHV4avCBrAByg5zLC7VCuKKxcr9pdh4rY31kmFnr58Fg/MZqlJ7Cmz -oi4DhaNPKTmheVJXk0lBI0DzJHEgQ1wxWP+/iA/Wl1ISQSq6/P2AavPmD1AsfjlVeXzqg+s/vYwv -0IGYpXBx5mg+jQFB3IuRgfj9tBBMuaCak193z/oFLTH+97anBWhlwj1FEI/MzQb3WCz+aNGNEBh6 -9pSOnwS+45+RJd2JRbhTobrSV8YP/VPC0GnxzIXSNytmNtwDy+/u7bRRR+tw1ky0YWwj5KCqIvJh -WJM4sF4GnOwmuZMK6Eo6oMg0/6KAvZO/zj3T9SVJkAugrsxe2c/6qMbgOij4COIDnJq6l1nJx7rN -YZFlUf4RfU2nr8LDI2IkkkEtijHGaPwPRNvHa79rmKyofoT1PekoAUCyqiUuQQsN0tbjuHpxoaqT -CXjD1HE+3KYT9HMLUIiC5ZtlMn297LUCQIyFqjnbGQph/uGnTWY73Pxa0LJ4rg+L2tiPJfgn+znW -AUsYd7xNEX7Jc2fDXgbfGvtREF5HKugLsQ9V3pIABU+/KQIQR0PjgYfP8pZWL9hZ7AFi7i+B60c3 -IB1MmjUSEwmv0QygIjUX4qdCYBs+N95GzvV1MEyhFHcKJu40bjgupxUcjiXsjSZvyXK6xnhlacSZ 
-ukbSfLGJruE9WOG2LTcaE72t55uZ0B4C/mgw4TISfA+o5E7ldzAYUHZrvQhRUt+2NPJFwLZxFjIy -+VUyW9K+pMVskUwn8ODZa+BSRxrYSUVyBoQhpKDeZoNRK9IVqYDHlOIF97wYWqWHCd3AO5R4GgnZ -UaVEKrPUwicsobf6XqSbehlCJWMzXiqjghx/Exuj9y4tIaFoaUUtZlocd6eTzThGCINh09YQvPCw -hfAVregrrSB2s7+5sTFc8xEEwuECadDDKE+DcqpnB8wWHrxT5DkYZ5IqcB5BWIctS6v3OIYR10+H -MoZeaOYuQj77LbPnhSOoOKoDiOXiAFmWTtllcazL6q74TiA0E5+1a/xBK3y/WBoOud4uPz6bNaHT -ElijuURBuZnQDsZoVX/aDis+bycpRG6L96NArT6OQ2BUd7vEdFfg3e4o7+XWAdbs8D+tDh/R+bcA -pXrHc9eRwzihCRgneFt4t80/DNknKUyWyHSUyIAziwoBitzTE7X7BcJlqoHhHFHO0HvprtSfM8HM -gu1RiIaAuH3aYLOcjKzldOrOdvGnrdx1f4baOxFhcUkrhtK0lixEpup46FL+T7G2cO+e25tG44Dx -1f4SGyV9CXtwKbXYe9yNXKx/rURzK7kkkHBiFmPqVhMgtkGVy5OgXpgwvUDXsdNwwD9jgThUIroO -y+xrTypLc4zUqNyoMAoTi1w2Ir2MJPiesNH/n92cWyuV/SLHyHlrDG0wKkpp8/T+9CLj90YmzAow -SZSyA0JkAtaGv0IUm5JA7ekKX0fwKMdfSHZKTno5JMgOL6TQZpmorcjRmscgV+NiC5JNuRCLArWu -jtjKmNcPEhFTvUrZT7CpT0fy31frKihm4cxB0o6wYZO08RkoTsGFsJMesx7hj4jgdkYoZHgK+9bR -uk7qvzSX3Dt6q+BG0+NB4AQii1Nh5Sdrmh+6KwY6skD7IIgwEMJhI7hsz7a0dmyKE2SLhIeNNEV8 -BgsH7tVnpO2+1Q977PxZH3+yiJ8AokcynXG/ZyWSjezie3eLsANVSfRskU3iEFilPX6r0UNktSeA -FwNNGHAs5Sqe3YaIpDrYJ1GeExYNRhjbTLRxBk6gKxWNVWvAibXnY2jEJM4asb/FtfHtSune1o0q -XxJV2ebaQSyTaINN/OYfquOhTUrGp8wlj2owpQKVuE+JZX8YXu7tvmpVCCxuZq1nG1pdvHDB4Duz -E++C1c92sDhiSmGq1KdnWKYHQN4R7CWh40Enxg2vF7lqU/f/Dvr4FrlQHhyKBGHPIR62JRZvtMXM -CNG8EuZJTRpLca/F9YpjWmCBTsSLr8+ugWu2fuiGsqmjQVsJtCjtzjjmkRVHGpMp6HG3zs9KmR3n -PTwvgUkhLfLJnPtnaSYsQG4Fof2jYlMKeWpCM0Rzphoz+u8IDaoigDxD0uob/GM05nLtILQjmnJn -JDodougR/N5DFA8TXsswZCnc5nS9dL3BFgmhZ/h6DXCBRc8iiSRKdUEHI9pNzQ66StQ5a8skmevP -wg0AhqeIIq/9Ep2qa9uba8E2X6KNt+jcdW+JptflEGtcYusX0/YKUq5MhbnOc5T8R83MgmRGemgD -RuxFAU0IkE0YmXMu7R8BA4SENB84O15MCbGrrE/rkMMJQZ9xdkuVvVvQVYojBQBHbgUTgIfEsPuI -1r6UpBwgU69I/zlP+7MWaD4NaPEKx/T7XVQsEgbQDsJJBeaxaY1JwGzh55XZs9osdUU9CWiqxTG1 -T/sXzwyr6zIfrbFypbXkyaPSoeCz3dkur2ktOUDNmhjQhabh07csKv48zArbRerAA9FYPxugN1xN -ZcO8NxgtR7ul/WMz14G9TruE7LZHFJgWS5BvSc1XPSNF1toIEtv/Nv0s51clkblLIN0s0fIQRsyk 
-gN9gISr4MeXaf4OG/OYsc7N/MtYHJwphiklTMIaKtR5xo+lfoXU1Tn9YPAhsBg2KFY/zmN44InYC -NsFFAYtLvZ7eNOu0Sx+mK06CeUZNnM6dK8xCB1h4vOR/wZCD6UK8ebH5QYi/SQigKxbjSyo8n2lv -HiA1jdIgD7BXguM3AiX85K6GBCCzWJbjRWxCTgM4+Es+GvXmqCsBjQjrUXOsfTbA+NesQDsEA0EJ -3UPLYvyBxAMEA3MXHJvXuTepWCa2qjOcz8VoFoQozmH31Xf6Gev8LYyElbzxMy7vlYihKZnPk/CW -F7JKIowEpmqBlWDBOjte5Fx7PMW2xrLmmOm0OLEk3sbCJTlsT4JEYA8G2+GsLPelmw== - - - MUvQqIuSPLyslrFlTCBnB9Kpf+stKx0syXdFLuOKGVBVa1m7W7G1t3KbTKh9BGYv+b5TC/icfAAw -cYFyOdAApaeHPk4P0TaModjX3oZpJQMh7xazK0X2kxrMeB1CPJk8hK9eESMlCHjoMcQn1oW6NXGu -8DnvJilLss0XqdSzGwwbL7SACYhG9qAsPRX1VqrNspZeoZpDXRWVW5+f0RdEoiIEw6AfiYPRALXd -vURg61CaxX4UJl0CkFmSSbcGwCv7yz5xV8jJidKMgDBH60+wpComlG/YtdcSWGi6Ng77ME81C9mY -ABjjvvpwQDB4QNNv4qPKec97HGjHwko09b07YWWZkczTPcrg97H0izZccRKA3/CcD/LFIDzIEHuh -d8OZXoYZcyMXIh6kVIG+yV7kmwZZX/5vmcJE7vjl5NDu22i4DmrS+I90QypcEVZNXRdhN7q58w9L -Id9BSdM4WYu3wERwJBHhJSMRZXg3BJBBDqPpJlvFZqYNNS/fMxryRx2njbIOLVr9iL5IN6T8EmoR -gQDQPjW7Qkvou9RYVMaBtyGFEgBf181F2gSFSiYp3BLJPiqLwKEm46eP5CSFfvM8ARID9E3GJyPM -9OrJehEfywuLzfuze5ayOu360BUiA1oPjKrABQlJahYoH23EYnYVnEBKI4lM0iEDZ5nRT+wb1A5u -1YEKGzSuQI9HyjJBlYvHleaAKqllKTOeeA56Y5KYiwgjXD35f8mp36kRrGSnV6d7CU5RI87PMOSA -rcukAB2z2MmSLwaqHRySeV/P/mdj89owtcu1WQZtiR868LWdudo/8GmKvI7WAE0x7jGHMQ95/PGG -96aZneLBY5Up6iO1UXhMaSlqdA01T0kH0bGAouKgZpAXhlL9gp/R2zoCE4p66LpVfAMROyP61W4X -lyjcYzibCgmcGjhk3hNpDMzqaTxo9wjfDAUuMk3U0LKOdwENep6WIaQqBYj4M1bdR4IrZEDh9k6D -M6MJPJ/xfCiz7Jqdood/E2haPuZIgqa6ZSsTLIikVK9w8AWKNGyCTluHw3bzoLWZGzUwlT34ZBtQ -93VB55UDY4ZCGYlSCogAvQRkLdC0yGBs6dYmendCEoxMY2Ic2S24+m2TqD0kWuYJYPCyiTQZOXgs -WwKLrbZhHxkk17htFVXSMBNAuJszAftG70NN+JBWnkA7snD2NDP62ONRnMs1x4BDyhHAPBMTri2G -x/GF31CIub0KZBUwMvHWiVtYeDW3HRg4okeez3GHZmX17XRxke24GgNk5Ctma8JhYmKwGi+4Wjek -PPvt98mDUS7eyhWKrFlXkFh94j7nFmmTAq1oAfNmMYuKXZtcTdya8CShYqrUI6VgQ0A25IjKUcOS -u2pEpNiN9p4yVuk6ikLU7KlTrBKEA3Fuf/1S98BqkUBu5EIJWQFhM2fpTNK8FdvuoGuipa+j/rfG -0Msw/xMYcODAL/WIhnhGRZOjoIpnqtB/eGtB9QswpUuPajIxQJq0m2RUIemvkOUNUvwlu5FXhwuH 
-LLToixTRgFz3nPYjbYqUuCvUkrlSS+25iQZDpQA9tPALOwnvFEg3vj1Rvlin9M2mOZHpg7xouiXs -kFwhdkWO9iXiHX+u45MxOBUfwApQx2QhbEQT/A60PvApYE5NtfD7MTwKid0PLCFatWcbIKLO209Q -AfuPGWIa6KVnHawtfrH3Ca0X+IpXXUeXAsv0WZZZ0rrernCjv2s8aBcbmRgyef564PY04gyOiCwi -Y8hoe9He9Kqk5FaShtv3+nOeSRQd9/+SEGNIi6ijR0p6GCPlSOxfyNIdAgZynNVlGMQfFomHwArn -elCLGwMr+g+AmCoCN4llRDvh9+GfsNts17G/L3cbhvHCBMq04klyfyrwTUcB81RBiCkzm+KZydYO -Hf2EpRaiZvD0bBZDVwgsrK3tCrdwAtV98xu2eYQrQvqgKLyCq8wYXRo3o993kVHuOFTKgKr6ZYaM -Ttd5rWZPW92CFJ+2aT7Ma0XlkYCs8IBp00A9urVXBiluNviXhB7MOoLzSJMbhQubYvl3Er91Fn4h -/CUPMpVVe5/2k9/GAdzSmhIAwZ75wBTSFNtJixY8ag6WKBI978D4RyEN9YDEDUJrkZ75wcFHpAMP -RGeg1/3Q5yKe1cz2jPD7Y/vU6fYIovLU8zBMBnmojFS7ipp9wFBEiROWPyXIOOUh9B+tiGXZmkxV -bMpkQQXwshGPiGgGYJC2rBEdICuEth6+EPSN/uTutD/jWQ8eyCnem9ANz3sWNpU1/Ys0gTIYInC+ -y2KVqe32C8A+nGQLmvFOg+MMRbpB3UygpOTPar5PPR9nW6Uv2Kx0Z04L3pyfnCHK/dxK/caCuRy6 -i4X4ENfu1852EUdYwNV584q/hj5EeX2IyEw7aZdH9CjbTZMqnGjZh9VKco9kNcow1tHMd5uqOZLj -Qw+3vyBHDvG4l3Uca1JEiLns+kGoIqM2jlw3B8aUpYu3ExsiVfmsI6n7nQhzJm3V83gYihc+d8aS -2USypI3dRzbusgQYmhUffUJYRn8fPF2f8To2eX++9VsroaJnBo3TunZ0bGKb0q1B11LgUh18fpfL -plsxOXQyfJcxF0MiX/AW8LosAnSFf7Vki0vDmFmx6TxfU476aiiHB2ay61LwBnLtVkOKPtLSGIuj -R2Yh/1fogkVR4jyCawtyR5YRePDV+VKLl7o853J1Mce8PETHE2eWXxitnzr8kcvjNL57Hi7UqbOj -f3UCAljZyMCAKvrL46/SyaosRqBbbdgwzb/VqTbOUqcYiItVy50Ym0UCe/ewqIwZqpDNKnmhwvSs -m47DEvF1A4+qQZHNL1/DpSOoqrt4LzYBGHS9l9Gk6qtETIek6oFl6yAccXzUkQ3de0bVY2PShzBr -US8vQ+OiWJGnUGFdQc1hP9Lra4o/AV2yFO9GQlGzLGzbCNMxa3ByI/i2pwiFjNGSV2yQ842aylCO -IZH8pxdHCfylNZkZ0+qterek4LJMQ+rKsz4VM5RXzCA6PeAfJruRCRfnavJFFdBZ3Fh/SyiUXlpu -bIGswT2e6aa0gig6bEFxDJIhXY05Llwgs0vWk7YtphO36EVkaiTI7Rdbpwmx5b/nZeLRqdCKg3uS -bt3hDS/KEDWlA6kcfaTG5Pkp/Ss0Cq+Fq4tC/+cWFHGUWCSFalhvI+h+4k+dxybE7Qy5W0aj6X8t -+46nIQYyrkZxqEeWVMhKaLm+8kUZZljRkE5eg+ZmZOpyaPUyBrArbKK0F8gQp3m+Bfz9wX6dnDmn -oMMPdfg2wRpqVIe4NiuXjBXOD8fa73hoVZlp6OK+nHknxFpysIYEHh2X8dzr5e+veEPya/09Akat -YQBGpa+HACWmXOE/WjwOHpZkemOE0OIrK4/YO48CkpmNJlT+mGV8VJqNrowAKDImCotdfqv6HJyu 
-Be/DmPjMBJERMcv6YMSpi3XbMSWT8jkJ/wvYBBIvlfOSj7sNRCuuSG9kVHGQiOlETASQPcZlu8hO -X5BVuuWTrPnZHiSNsqmSryoOn0kKPLcZOJ21dOGw0YdoAjgxfufQff0quhb/Wy8/v5oVmwVaIJIy -DWjh6FID+U+q0IknnqnqMjQDwl7Ob59CHhZ0qfeKEjUa4CCGwP0/wHi7BYJKIYkGhpGEL9PuRJD4 -hMNlkjvR5I4ZS08djLgySoJ0IH8iRfCiNVA+hgMd/nUmiC/SgREUZGQoJwdFkIjFAwvdh1v9Blui -ZF9iAPUR0QVWnMKbqgQ1YUMQEHkl74Id79H8dh4iajSmxzxi0sti6Dwv5HwOo/kUK46TySGHDIeD -kZXWgtaLQmX7IeU6jFZs+JzHawG+8qVtRQyrCj3qkSHpikk0zDHWpZ7xGApTx/7Nmb3QZpghC7XK -ziOrZElrWCxYF8lxifj8+neCoBq7v5u8ZvTc+fJly9oBsJv/44/9XTztB/DKX948TXy3wubAvUOQ -9tk1zLhGojox9ce8F8nLXMverZeFl3glDAclKv2EtpEr9zFuyMpq+GscAFq4W2MP+1djABJzeL5B -jUVu3m5CyDz2B/GZ7bbQcYB24gDvewf5aiW2u8sU72QnGpBztiZjloll4DSZq1SRRB3BSSrVPtPt -p3UF7F7Mt8YX23ZpwNK5mdqdaCR0cyQzYcZKrE9floJlE4AcCQsAQRFZJpTflO35Lesvd7q2RWum -BecVL9mYAwQOLbYDaff3SkiG8cO0Zi0dhmOd58UbSCcM6p4tw1S+3Qabx0kdxQhEaC77hPHJKDTL -KjGgo7mJq81QtpIYKTU4yXtJAC2N+CYY2gsTX5P+XKMofY4netepsajdjDgXx2nR0lWewefMcgCV -W332i3Po4vSoByk8Bws7J0phfU0m4te8FOPcoh6K6N1anQZEE11RnhzLcWudOEIWnjwIMQInxXiR -mSwB6n4BxMJFK3tmnKs+hT2E27gjBOCfAITwuFtUHMfL8JgOnDSCTv0gZpd56o1pi4Z0piGpdIt0 -XWNLdecyjoTl8Oywmkfz0O9oCqBA0K6QikpkOaMXQgpctGAysz5uuUP4eKjYHJhAl7RGBw14etG7 -W6FbhBMBJxG7hLN3EhlYM/WDGPv6GF1zd6Ix0Ms864PYJ1hVQMyoOq9smwcPozVkAEN9KCKyLhv1 -KtUIeMsVs0qPdUjWifVJfagnvbEGulPenNEOiDRjResSZayw6F6BJabVSlzYMrNbCNggeWMNPzBT -7BUEd/VAYJw72GTQQxZjFpep6QC9AzN1qDlRMcQhaZ3Rp2OBV7ZXQaIDnKds6A7IZZRRJ6kCI/XJ -LJCCO2CvTeQ9K+TGgitVci8glozInp7ZHeFSzXym8eoJtWSlVqaZRtzo3U4jFIy43l1WJ7fXywuT -zIpjUH645HUHgc75wRjSLyO4UouYhBEsmYGMd2yqUXrTFFIUnGK5qYKyrx1in1rLDtlZbJJRjK1C -Gt6WJDqK2xM98SeqiPWZfhZD848oi0YtCCajD5hi0oRomA1gyJS0jfErqUw9URX8EVH9bfmMjBPC -kgIhxTUxYuPvXbfXOIdY1Y6CJASL3z6T1rioUmEPaTdoHyAsUaMEHNPko1uUo/XlxEYnP05bXHmH -cMylEVVGYAvJL1I6NifiZRN5rztCZgT9wCJlylZLfyBhQUQjLJcolhuy/4NSdIoJ2s3U47AmkpmP -SHbNHWZhV2a6AGkWNIipvHGEc2JqW2kuWhU5pAOgizab5nJJCFjMs/iFtMRzK7v6bQYyzxH0gyQ5 -AF/NEVQ8EyAGEjCbwzPagC2hDLgxjRdB5fTw6flKkuPga1n41ZtF75e7mIxb7GTEv7yJ+BO3OwA3 
-B6F8RfO1H6Zdehew4vTXfmPyUrvS6p0iIVgnDATWQKSSARYW212Yjzz7RukDiGONm9ss/Pn891bH -b+9z9/Yr4X6ZmfgGb0SFTP5PJFfHEBFg6HReaMNpFs8U0RCWgj6P/KM3lNko+Zllhg== - - - CUP3jqp8wXfRH4/X5J8JJJa5OgJGy/63zmejgCorct5ipvjbKomllZ1ec1Q2QfXKJ9TledCsnotH -TgrhZvZ6FUkjJdjpLcQpwBskyiB6SEKfmKAU/0O8uzYFhY2ArPECHPnLGyDeMCi54HVim/ZBqhOQ -qOyCcJeT3QGTYPYVDx5I3xUYfA+08gGAb+4hrKWEKTUU3tUFXPNm62m6IpF3JfYJpNIZcQpOY8e4 -cYEhZHehKUQIlAejIexzVpvSQKbW4NdgSSVv8uMFSjpch3nIE0qsnZ4MD+vviJ2EIIbhaoUQJRlA -kdrRVfhtXypyz1CZUqFgLE5o6QaoUt7m0aEazqOUL2wueBg86Bp6+RSRUZS3BS5WB4z9Pi+wwDBB -YFG322xOf7S9PF3lmsFhQp6J1bLMUU0priOn12wtbBaUJjRprq+WIGrE5pIbg0y0lKBIY5bZvu7H -a6TtKAvcBErMnlxR7D9lJP2s/1GCs6jIxczJnTF0dFp0Ucgja5Aa7guJclikr7lMmIPqwiTSDAqs -OD56ZDWWXmF8qYmhy5q7DaJtlNEmUaDBWUrv2D4sxkfnROCSM1V2QPpfD1nabDeFJG0gtDSSP7OL -TmhmdbeNuY5oIqurfGvAE4lFCanUg9Xkf7fxImLm+HG2DDxNkrkD65p9rF7hx4Rgg22dRSmOxgKu -xZyC6wZwrFk/xzcRi5LSsGUQqq4OJmlVpbSMLG/xJfG68ni55TkppwcXKohHV2PGg9eED91OCIcn -YBQNGIdZoEbCTGtyoC27RCZ5OECds+EtUFpw1KxIQdM7NDmJCxlgJ+p0vMYO1pbuLmb8jNQYcCub -SOgefLLTC4GUJbWu8bSBpgb/2qoUmbRhsKIGy3H45rGaEPxKQPWlMo8MxcQeBoxBjNrvo0TPYTwJ -B8dwdaX/tFDVW3X/IPDJdIPwVejZJxyiEngvkr7lSaG/V6R7she6tfIrhIsw4lhXge6tYH+KYKay -jlBypQisWyvGwRvNHI906pcyjYZMA0OijAEorBkEfWt8uYGGTpK+bE9/GDeW/Ex1nZLPGLOKKXbq -ajCtaelEKNKJs7MCrzJEgUr6d0b+kQHLIGwdzOwqepInFKazPIrV/0kOuIODc4xFTabEQdOqTOjy -lVvtAHHiAVRstq42dG870UJTcKivoCpbIAYCIMHm4jDPXIwosXTN/8IIj8aB8syjYlomIah9ueJK -jO668ZGsWnnYYbeR8sbTNFYhXdb7SRbsUIyUpnadbD/C+rqmU3Lqz8vio0ivsyqvH0KvOwLIzHNq -NdUqAS0x+s1YIioVVmPtmLE2y5drNTQUfJbqFpQRgCrK9j0pZCVsblFs9Qt0rgvah5tQhUUvbxcr -evZgVnk7ndVM8iCTSb+LmeX4lmUk6+UJjQpKmD8Pvquqq1MFZljT3xzm5OykPtsKnGlU82vURGCU -dagV62wilNuuQzke47QIpFxCtdtfpCzMzPBnYx79xUKqFENjMIFoSiVsMK5x3akPBgFBW4Tt0pvD -fFT6xCpo2H7OpcTeqozVUNc8EA0kWutbkUhMPU6nY9Eb83QVYFgbboY8CTrDxMEOEocW3poQZyw4 -rLzck0Xaha3dJumHT6xUmoYe5VurzlPssxFLggZpyievfyLrTUsjScxyZli+xm9VDA7lCZZXg81A -ffg+sEhW6WmsbeBJzlCG522Ne2rpBkJke24JQLBx9UVSwxLjCM/AtyNVo/XjFRYwkNOJ5dC2QjPE 
-HdJwTfgOrhH24eVv67JnO2MNjwS94lI5ETtYywy/gcJ84R5Xcb/CZkkTklkFZgsCiC2PkA7z5ep3 -dw9krLNrx368hVho1KaTySxfqRV8n6lwMogmEqsaR3bJliBF2v29l3NH8hk3CYiv/Y+aGbaO0IRi -rL7xsOHlZmVZ46BV8e5TkDj9OFAjtIOgvPusmUPJc2B+DkGfrxSzQA5dQPDBObyHqNp91gv7yLwY -SCjbmtNTdnDDEcZpQx08Xja62wZPl22YK7Qh/JkNIbaCRkKws4Ir+0q7frb+YcE/UU9ILZHwEg5n -Y6BCTwar6C8SRmgR8w0MGWTTIdLCSkIORUtmHMCHZHny8EnahGxH9H5Fiu4c1RjN2Ik0vbkJS7NG -U9Cis8F7wkqaLlAXi1b1rXPTA8aCD1g0SosOaTRoNAfhVfeND8mIyglYHjVD7MjhT0yItN4GRp9O -szRTzIxUR1ZZ1LOMXJSc4ZdDtN4VmmgEHdDvkOniB9DyTuuuNU2uP6dkaDf246TTNpZmy88N/kzD -/kWioqQYO0KaYzEiIdCQV9ytYcBMVwyWhuB2or/dseZqW5IXouJpQ4zTrZMFibNtsachNKZIzF1n -YQ70ZnNwSK1hgSHPavMoyxrO3dwQHsvy5NhRi6QBrkE/IatcWMNoN0ZdZSlZ0mgwEE3RVegSYmJ+ -45cZjiZp9AUe+26qeB+P0LmQCy+H3WSsNcMN327VB1iif4AkpBU3FljTcxVJadybEbkHtkgHrv/r -E3ELJabOEeFu/rQFoXZ+D4YBYhlNkTuZo1M1IqHcQQERSlTUW/ATX5KWucSsM24+Db357Gy0bkMP -5h7gWtGfXLUbTzRrHas48cWPdDUsg8P0EBg9Lae6rgxfICHd2/uoyxlJCYd6wtHYH7G3kxl3YFCJ -1CVISEtFRnkru1jfKsrXfMX9uYvDfHlDiOg1er+h5r2cPemBO4TcMgRWSgduyfHwi1BroAnn3qK3 -K9zqb9YWva+JOduZxgjXN4ZQbuigwOkRbQZO7WPs3bN9nujaLJPZ+Yc9DMyzsg7uS+9AMbOjgMa2 -H3KONc6qOxijeiLrhmJlW7Gm+sM0LOfMsDxPAg4MqLgV5cGm+kdjJMbI2oFc3KZ0uXdWhNMp4+hW -epWjX04ExsacyyTUDBW9Lmcp9Fs7vNaJQWYEVNH6G9uFxRWDSb6HClf/zvtHo/XK93zWLBF9hwVB -h64wf6J8SK/0V3Rky6nU/2x/EH9ktMJhhEEFOZk+l+A6pWp2otHz9ohGL5NDWRowG7IH75l3McDE -XqdJZ1s5NRpD40FDoteGlGIPOyarUaylnh84abbSMSJPmg9sDC2rlyOxApfKD8RvYD/of7M3yVYQ -7PKoY9SJClSeSGo7I+K778nPydXmNu5r6ZtIXI2SCEhaZxYGxDT9BMH3gPYLACXeP7L5mPQ3DMrr -PCoyJ1DMMfR4om9h2NR76VlNZEpjLJQaiklA8BpaCWU7/8pQdn+vZbIxfk+x1OP5MSB1GAyDoi8d -cbEuYJKePwYzU2WAc6l9poEJbOBXZ2qMjSdO5Uxo7zSVCeXQYtVYYLyliIn8OWZluUmmzVLbwzPT -WvMuT12voKzPKmtC60ugg+Zgh9hyu2MuxMoXmkGhJxrzhP9P4pZlCK0yJrRRdaUM+qAW/HwDe2wg -BCZ+tuyht9c2N1OV4bmVhL4oCCM1pLv7PfZBCpOUx/vErBT7Yc83jBgbdLVCniorV5DFjg4HZ2X4 -X3KCm+jtz4wjkDFHXBzqG+hVcTcIlFsoWBVboHzdFOlH/kxOH5OrUuvZzfR1JlrN5s6UG2fU33Ni -841nvvpJYz7WyMRBtx0A9xmlWIZMVsmqDzMDHkmirFHaqa03wmCKWEYZusNiGfe2KsroGFaiR26F 
-Fc97CyrMyhu6gr5PMiJ+adApdotS0zw3HOlp7mr8yL6nYymE6YXXJNY0+RYUb8hJweGeHDFZvSmv -92hOws8uEfPkZPwLNnYnAFbo5Ka3fNF7PsHenZuduBIbnDOzBOYAiZ0CKq0AA+Sf8N0mT6LFt4NV -M6s/ohMhCzhoyQ2RBRbJlb5vV6X/DmSv59yqldb8GshQQmPPARmcxj2E7GhY4GFC6FJy9yPJb7Eh -YXyWcE/StoSaTgr7JHASK0fAcK/cCMDBVCTV9vpDOIpJjpSNegP+aeuFGsWvEW0Fz2zuW2Xd8bkj -DO8fql16mHcsy1R4B/GfXHndpN+FaZx+J33aehZOUOikxTynGhyrnk8z9qHBBJ8lsGcNXAsIuD33 -ZNCVQwYk68rQ+FiMJgD60yAgvkeLGB0r+PN1wkbu6r2Dd8+p9OrPv4dZmkCEdo29nX5obgiNatIK -NnoQejuKLajR9QiNdYWMCTHRzHCm0IflZEPzX6GO0HAWrCAajUZueunwtu8R+bcM4d1aqRHPUGP5 -VSR8Ax9WABaGELtUNCmN1aYTbqhUI15rP3tgB1ZgG2N2NwATsZ2VJRWWHrOd/In59AJEaQOatSqH -KZAATO3e7xZoAWeENYw+64pjIO4cjBr/tWQ32eqNxtEmEgEAQIhEAAABdwdQCOkI+ebuv5fv7Rvv -7DXOv+/L8c3954uzxvzi7qlCGb7ec629nL+//uLrfeY7e9djzv3VH29v8+7/35d7uGvsddzx1r/n -jLffHH+P6659zl973t6fa3/1xp7z/7PHnP/+9dV9392567mb8fYZ36u7p3XX+GMPX6/rvHuvgCzn -V3eNt8473+15/r1vrXX3/P+cu5/r7vPtev+9dfc539w59i7ml+/sMf65a8w53xWQvZvvjv++F2eO -98Zf78rJ8pwv7vdr7vJ7u/756pwzz1zWu99+M788c461x/fNPPN9ufc/xph3rvu/+F+Oa10BIffj -jPPH2uM+c72/x5x7unfs/a+93vhy12rvendrnC/PmnuXw57nfP+/7+Z8e47nioHl+eZ88+YqJ8sv -5vl2fX/uXtZ4Y609T1/9L8/c2/9z77fum3vP+/a8XTlZ7j3M8dv99b73t9eca4+9n++unOz1bs/X -4//vjT3PL9b78tu7/7h7z3Pec9f7Gl99ude6ArL3V0AIz/l6W3v949uz93u+nv//crw5xnhrzb3v -Pe/73Tvry3k69+1z9rh7Pnvu+u+97t3Lu/+f2xfnj33G2W/tt775/+15rHvPHv+bu7kCQryufcba -+9ff6++92ds+e9l37f1bAVn+P7fv57jWPXOdd8Y+ezlvD3ve9+6a838v5p7HPnPvuffv1prv/Te/ -13v3Xu57/17b9/++YmC5VznZ+ysge7l7td59e5lj7T++F3sXVwzs/ZWTvRdXQJbjCgi59m++ve09 -FldzbImgMVZixAGgOY5peFqNImtwAoGQl0osMZBMXICoQlkWQCo0rutYiqGVqUH9zkXDJQojRw9r -GRNZY6ZBvBdRXlGbrZqOZnqCtvfM9Y/x9jtj3jfvGF97scb4muyqGkvWKLrWd4+7tvOOr5e5/9/z -7l3uXvvQudfYdp4nk9tgb2QUosaWSJbn5mats9fbex9z2HsP881di733s/cydznGntbcjeDtuZvV -dRzT1pjhmOTHJNFMYiOlyzlXlbhBlUymSK5EEWpcxfVMxwBI2LkyxZFETxAWM0+raixZY1paQyjO -GOCEwdLzZ7xfakxNx5K1K1NEBWhsx2aZgtjV7LxScbWmY4CUFNFSpeLPKDSqMa0S0Q== - - - 9HSpUlWFnmnGomeauavKOjOJjaCrKQEjS5hrFUOuVQxZ0UsVQXZAAAHENtzn7/H+c88RzO/KOke2 
-HAOMGO7C3DWGAOH3Yp7kGlONAjRdhsHYnKUwCGVJblYI5hhAM6oKZUluVuZYYiIDSNXsQDwOdzay -qkYWS2PHAOTHluSmsxGUFDlsLcRmNlvdbCmdJEUo8/g603W0pmKos9nASsZW5qkiVRHzUonrqEyR -KlnqLM4ktrMmSbGblRnrxgDkqhph4kGXUawJwGkadJn6r7Y6Z54zzhmSRXi2PFt8fe6e52/n2EKy -ie26a6/tuu1shmQRSBYxxQ1qZcZOEYpfy0cgakAqpsjPWK4qmWJQnYvtlnPYc9faC8ki6AmCZJGd -7cXa8j6x99uLLbecf275KpYbfi22tmerrdaXY4shWQSSRcrzJFnORjqYOI4sjDTHDHqCbLciA5CZ -dHSt4rixE1uKpyoVXaDtXKrYSbLdKpabFlmKARAst6JWY0g2sZFuZcZOkeVW1HLb2Ug6rlIEm44t -0RRB1qXG0gzhcvjufjmtPX43h9kRFV2qXZkxey+Ivdt/5nlyuTfR1t+8s8ae5nj2tsdxznu2HucM -5nGN896c1hkW9rvrzXsGWsy9zHsG5sy3x+HO5QzUeev9+dbfczwDOb0xvrtr7e28MzB7nanwx5jz -usXc+52B+Wfs2Zy/zztn7Dfn3fP4X629th7zrbWnNc8ZaD1tt/a8nIEWe9vb7W3NN8f8/p2pbM/8 -2665zsDtPey5p7vOXOu/+9ae77u17b3rDLzYc7l/jXfPu/t+c9/f8173OgO71tbbYPfbexl4M9b/ -ep/7xjfr7633Xsc68729n73nsaex5+63H2eP+956H/8M5H57/3q7vUkG3u6953ndcrz3brvH3m++ -sffe/53Dvd+M+eXfyxzmtvv++9fau3drn7PWPOPsse0dZ5wz9llz6+08ycDr5eth0HOe7wnf3cPX -y797+Prs9f+5bTG/e+O9O4ft9pPN4Ym3sd6Ty7HmkzvhH3/Mfc/7BPeu8f+/T/zlnL+ec11PtL/c -5x5jP/Ge9xOr/cR/P+FYa857Gd8M/NlnT1/dJ193/Pnnk545x9n7mU841tzDe7Lz5Rlr7ms9yd/L -22s98ZynJxN8uZe5z/nek4w5/LGeePt6k0nmW2/O5W33xt72Fm++tzfZHOs70XqSM5fz95z/OAO/ -nnjZc1zjjPXEy/hzns5An7fNfOuJ3lzrzvkM1PjzjLnFOHMMsztTLzG7L9a4gxZ73bO7264t1rvj -7DnP33339WzPYJ7vWmc9yUDf/fc+e8+z3p78/v3Edz/JYH5ivf357rt37Lnd7fc24831zmA2a/u5 -51r7nie6e3licde6d8v19vp627Xnvez3vt7GHAw47DBU5nxCz42dEKDOlHld9OZAa/IBSGB06VQ0 -0AXBVCHcj5NoaHVrWUIEVHDTXwSwuEU0aDJl5wEcOWARDOdhy4DLkmHIfFDogULQUrsC0YhZ0FRC -UsTncLXjXhn+bRZPBOc6XidEhnhhRK6YQAlOG1qirsEVCfXBwMeFtSxzdUT+MDzgS3fKkBceKs5J -VyH3fqfLyogVEYPzCj8rg1lJFj2QoCkJBDuDtu7q1WXZOtDW3S5Vsmw+gn+blknsuDpVY4Z7nQ44 -unSWYrNVwEjC4ipmBkaYhJAx3SiksSZpT9P+iyVX82I7FxF46S0OFaASW6PJqSi5miKHCrjrqHIq -mo4r0aVyKlpyKprJFKeiqZjKrSbrZKVoueJWk6XCJaei91zNU8WpKE45VACHCnCt57iaJAdTZZhp -iioqgMuT3j/uoKZjMaFIhagcKuA1AKbiYCqVGWNxarpKT1VshZ4qenKoALJUcagAVACLdaZScmyJ -aKoaTbJkjauVXFOnBPeCtUZULNMxwLmaKpXKrVJViarUADiAi2txq1SFkiWLW6Wqu5ojmZ7cKs3+ 
-RNVVxaWliktLVeqUUMVUXnGpU8J1AqAKQKYZOyBlV6NJssYMhPv087XkuBRFPfw9l6Io7imKpii6 -QstxdcJWaDqWq8qVq6qOakx9pSIsxbFY52ocyxT3grXQFBVhK5niUqfEPVlmJ3V6LJc6JdJzVNMx -wJhyqVNibInlqeJSp4RYplDypXKpU0ItS5FLnRKY5ABwuszRzeC6yYQgdqAkSaOqkElUBDU4q8ay -PFW2YWWK6yifLLMztsRQaxRhlExV6pjhTABO82XGrEqyTjuqMVuKptki1TFjdqwqWpcqplrzJFHR -rrFzgFha0ZqkXUk7qsQStedqV+No2tg5ID2thLQmKbZaJrmSq9GapzXFErWxc8DKbTIhU7SqaMeS -ZFlTVK05ugCwql3Z0bXaMRXtqI4uEmQkS6lxYVXFzcskPyIGo6iYkvJYYlRnBrXJhPZJrqJoNc/N -HSCmIQmzVrNzksaSJPE8liTrTEMZt0wS5zxATEMsIlnkao6rTjoOED+rmDpT1QWPsDN1qU7zBJ2p -iwnAmTnNE8T3wisVQTAyJeHMkSvzBE1yVcfMgAxhjZ9XegKwphfYmW4GqMjyDAUwTzC/UhGUjpc0 -ME8SdoIDxLSTopmCxVykcRXT0RxD1CYTwrhzwaOQxuLRJD8rU7S2c7EZdy6Y487Frir5sS+zYzFW -catavkyy664por9zEdGwNFJTsdFqnpvVmIJpMqRMWBqlo8G5xi5haYRPlakJSyNUNIWlUVgakaox -DYWlUV7NcxOWRqxWKCyNBIyksDQqy4s6lii5ljHQGEBcVfHT2QF7kiwZQHSNmHEVVWSJxjItEUZC -BqAnGAKZ7Ko8WanYiAQJIE0FAM6VSS7YVeQb7+y79vJtmWQAcWRV/HH2NL/XwY7oAJJdzdEcS3Jj -82gEjqqCilzTseRaV+RChqQ6PylyFVHYCY4ByM8ZqmM5YC1HcMCKwjSluKrpqBLR0biKlSoTFUED -Vr3YUVVIWy+ViLEfEIljFzYj37E9SRYlS9AubEZqy66x86U6zddYpuy4iuWpkqsyBiNVm46oiNqv -2hWZtqz9nUtOtVKLrWh/51KOAcaPHbCSpRhLsC2T/J2LKpKlaMnVFDvuXASMqx1Nslxj57nGLrZz -OVUcia5UshRPVIWtRFSLK7nS2FXASLJjgBSrYgBTBDFoPdERa/yspKlwycxYpkRSppOOq9lRR5h4 -UIqq86M6M6vIKccRxA6wxk9GaWfLJAEYydIeWc15X1njx+OXUSVu9qgsRzBdR2UZ23Qur8tdbmMI -QuwEy3IEMUrjmGcAZHpysgizssYPR7BWVccURWMj6zF6huzYEmMtU/ysMXSNIdjfuWiRdakjyP7O -xa6jOqYhm47muFqLcefyYGExcjWCGiAoLZOIpZgKMEn9SbbG1AoYS5QsVepqkimajgFOOwZIR3VM -UZuOLHtx51LG0FFUiqmzDNV1VNXLWKbEblWRmTQAuYrliD16kr4/VePIHFcBmrIcQaw9i/n3mL09 -iz/2UFpKbgSMK7PTMkmXSpr4dy89z3KzjgasZEmOpliGVmQarhhfXMWVuI4wAFiqeZKrGAAJI1f0 -xKmIYtBpjusqwjYMiEos03E1yZzpqC2TXNdxtI6tVFzHkmSJsPTc7BwehCAZr6zxAzvX9UwJEJAH -DJjk7vm92fOylzf+l9NaRZYqBoCl4nUcreNIXMXMWKIwUaUEwLBzVWMqlGo6AlBSIpmKAfD4Up3l -OErFAJhMqWqAATUVA6BU0wFZV6PayRylqWdIdJLKUSS6hA5QGsgkW2SKkI5lTASxKC1bpeKZWtPL -nUDEMb2gZwqyxg96klZXixStxrHEoLSMYjuU9lemBrVz56LlyChErSr5wYT6vl/7/7fX2+vPP75X 
-e/pujK/f2Xub78+73/fnjm/m2ON8933j7vm+Pb7cd671vRx/7e/e/+a9vcdvZXW1yBQDsZh/nHn3 -9t/3czfnfDfOl7s3c9097P3v/PKPMccd/7719W72PI/LueOd991e739v3LH2/OV8d3zvvt7eG39/ -vd3z7thfj2Of9fb+xh7n/GKd981YX93zxfjzrbv2tuZuzxx/vTXWGvPdcedZe4x9797de3vsu8fa -25i7+2+Ou+e7b+5a//Xvm3tae/t2nLfnOGvOO8bZe9dnvj398+/56n09jvf2V29/PY67t6+H966A -rZDFNsLv1R6fWJz193C+n2eO77387v3zzTdf7vLtefaY356pQlkmwGSzvXZi9+duEw5hqVQqmcL/ -PVgTjzvxYKEnFHTQCHwDFwEMKpgco4sAzi91fKnj7V7qWQopFwEMRvhFAD86jUQykUwRLhLBuRIB -SCSCc0FYKPxGJgMtgaIN0M4D80z8mAdbPDDIpjS09sA8EEpDe2ACMQ+2rBUt62TQtmYglhPUkYg4 -NBBLR0Ly6HQk1pb6kNMMxLJRJkzWMpSpNEqMV8s4LYdl1SzrlzktnDktic649MqUJqXKI2s/HCuP -LABReeTVe+VwFUpClUcGLUQtK9gsUAsRx3Jq4rMQ8ZlTGoiMgwZrVHLSQDgYDg4arIHQaCBQyenk -tAz1jEzOqCdmm3CEUJ8hpyP0mVtBGdt8/ZNDkf1x2AMUhYTCSEANaLPB8cKGA40p4cAbV67x42B0 -Eunc3AxrOG2HWJ9giGADBBuHI2IpRMsGPi7TVjeKmv5JuFAjRBCJoDF6Aoa0ud1qs1A1C9OpINAE -XByEoBoIURK8BgUBxys1dMS/bTPoMCCo4jDg5q5dAUegYciQThuGzMlbSBvwsXYFmtBH2kAUNP5G -E1sxMiixVIYuhC9NY3sxXm2B8ZcK+Bov49VHnZY9JCgv+IQMGx1iDiKy6lhtWPEVBhezmc6JCeLf -CUKdOJQJ4zmQ9TEYaGg1FaqpUE2FHKhlsZUJkzsOZE04kFWqPDIHobA+BthkMm0pKoRQWCkq/LaE -FDXhkCcLzJosMGuywKwJhwXTwoJJFS1EDE4WmLUtMOuKBCYgekJPYcmkKDlo8IrgoMHgxIN1NXoK -0VP4bR0Ek7Vse6nbS91e6lkKPwUFk4Kp4CKAwe2lRl6qwCgxXi47VhcEHasLVhyrC0IkjtV9aFnG -eTREHUGJo4aFwm9kGplGJi6Cc0Eti6DE8YINj9V9oMTxGqCbHm2uKVi0IoFigDoMIgkUA/XEbNrD -K1i0lkCxGCgSKJZYQdcxDz4tMOt6YHniN7SOebBlAyVQLNoDg3gMsMVz0L1+Q3ckwv9FtEt9yDlU -HzRYy9YMxLLwUsfbkdCyR0e0PmgZQwOxgFrWUWggFo0i/LaOemK4lPqQwQYOZF1OK/zflmX1W79N -yzjqlzkWp48BtmxaxmlMmDALy6pwmTCZo54Y9VtTH4GmqFNojsJvg4U0s/Ff4UqE4LGs3xaqJ2bT -shMkCVcQjk59W7g2VB5Z9V45XG2dwjreAjUVfuG6ELGWJSBsRM1hoIFYtk0DVpBgCQ== - - - VpBgRsy0EDFGJCY09EYUwBGdqmynq9MyjEjkXM6jIWJUcvo2LcuYRM51RCJMEw/WPUvht2kcXGi8 -2ZYRCUzAzWEQgkgli9ayk4NmcpJoJN8m0WgNRPi/BFFmdHWOtOOgwZnWQEQ8nwGTTwcDhMK6WsaY -cAgnAxsJjAA+TwWUOF4BLWMsRoqHpvkMMLGH3LmWR5aAKo/8iKE6/7WQqpCdlmka91xH6NsSEgRi -KM7VHBGcG1II/xdOTt+WQdAyo6vDZLRyEcAYkciBTE7fdoIkmub7tgTQ1mnxsbqZhvB/EC0jrSDo 
-J6EwyK5g5FhdUGACbmls820JMEjExeEigDEiyXZxBJMGYoLRTVgMArZiACN/9EDdK0OaPBQoGP1T -UFMte3w4BYHLQ8YHo2tZKUISbnWzUB9OuwwhMkzU0DJGP7h/c3MlIpaeIlvLyrAB1pj4OJ4WjS6G -ynA4ViPMgac2RnulQnmwY3TA2lwssVmoWsZw2g0lqsBg9IRWJtgW6YSLiKWaxUUAR1IVsmOACFgf -zTkWBGkaM1W6+zA9UPcpebE5ntpxD834NKymk1DlkbVskaLKkH+N/9HcgigjUYCijESxeX2bgpNw -SRQkCZdEcfqeiQJ8fZuiseZOI5ITKOkHhzgah9ayD40VaAemc9AJ3I8Lm66HVwH6R1z+MFSuy8LE -oLL1CIxINEH821CCCPo5QKLR7q5IstWdAMvcrFBTrw/UUKQoDm4OBepEHZQBygQCPvV3gPf+GKzA -4ipYnJQ2/r6LAB4hWhCmDYFAgLwetgbOkHFxIA69EWosxMBWacJhwiuU0JMnS9YU4RSRMBrX6P/S -6Eq8YghcY7dKBUgVsUKRRJ9bauAUfO4olKwINDd1hMqz8m2TjkorYKGQ1flZAQuF37Zp0jRVeByr -K0CQMUk46JJ3R7u7qhXMCi0z1/z5KFg0yUNacCYG2LIw6SpbbONY3ZOHjA+FFhFLtYzbKGg0N8FD -WR9yCtW4GsfbLOtFDzRqgWN1RSASQdOyjnTgSTTrSdlCEQ7ke+QU5lETjC7wXyUTx7RsguJYXRWB -t9gKMoK3vUKbNFUoCDoBiNNCyyAmHTGwuQTQxYawLxAQ1+LgeZSUF6ODFqkHiIBKITF2DiAqEoZL -NjAGIJcFR2myYDlQQEqP//keEKXbadha5uoORhK53pJvCD+jNaZlkVGHdHfDNtjhx2vQKD05zoDh -YbDQshFCiXAhUhAakDeyYJ+rZduC2X7ixRHQv/O5H8Pm5aARjV4TnNEhk5NGhQ9Vy1DvWN1RqXtp -d+HAY2AkhHcMRwSQg9G1zEOem5uQOdjah20WaojAYHMbTtszxCYYjK52nJZtRAME20ODBRLRcEQs -TR3+oUIWBFp2nhrOzdEPF1X3h9lVm8hod7ekOSBSUR1IUy1bFwgl3xBAnNuxuhsIquwGTssiB578 -kJ7UAU3qIoBX5TqgH49QFyUcTFyq8yiYhAtVyxQYGOGNuFxGIY3RMwukzdWyg4jIN/pqswAJ3M01 -nTZoWxoCLk6wVQOblnkaQMr3qCSETiWG2qAgYOhSJYOjZSGGDnFRgQkeURm5UA8phDkSnVvLQGpW -t0MRflvM+2iuQAB8SF1dVEHAjtWFQBIKtEkLvS8CwbIho91dA690SEvqQJqqHy3LnByrW4b82yA4 -DEsOPYkG53+ZxffImceDQgVHlMFXGFzRwohwTbIF6kYSWi9I10VE3rBASkEFTG04BI647MKhdaJl -XYXcA/XEbJmSQLD3qdJdFAxFcC7Mw79totosGYmlwMCP8kEEpsG1WTIahXMuHL5hyExoUiVnhFQx -G6ZwHmL7SHDEvBDX4xZAsC6mcPsTmcCEEzptENAyRsdwwoWKO40J5vAFUQ+XDfqAQNRACRZYv6Sj -KEggFNZ9ZbYF1rKMqU04TFGQWHAPHG4QwZgcDepWKGI5TVfRWploAuaLYtm6HaEg0HQB6r0+hoRW -hkBxBCfcCxE7NJwwaaplmu5UmBYjQndxLL8QvNayM8S/zeagwWLG1BhfBBsgcCg1g81EILv0NFH6 -KBKy0yh8ZAfjHKuLwaFpgzuMQ5VpYDSFPn1IBk0IzkqaZkxtdWEXzuZCgR1SIavCwFM51KxmDqFp -KA62CM4VYERwbla4tAYaOsKI4NyLEHb3ngSeTFfQ4OAD/m3cboUH/NsQWgkE24MohNjzn6xuUASC 
-ZUcoIQYtWfTq8ooAOSX/bddg9BASvDEXJeaVUh8yBPy6i3YWIt4qX3dNfxHQsoj/FFYQ9DM4KFm0 -RzPQ0BtFQnKriew6BLGHLHlQFDzyefq2beLBuhEO/7ZtlBgfnBXFv42DrN2F7NB40xP/tsmEiI64 -wMVBAzlVus+pNoVDgjlRfCUZUZAsEYmCQ4ltCs+jmyggDAcRhWkBJFFoIEoShUnCJVFoWWzz0Lmi -TDYpxnyJOBiaXGl9WNfjKEEXiR2OtxOCEHUHETt019EC62I0tPIxdEpqvBy2dtcrgTSbTcTbMuCp -FLFJ2A+7Bcr4gX8bZOH0bfeBf9tFiDg098C/RukOFEBEvkSjjcp8vUakM3CJV+OV0QwkRI7ADJeh -Y1ChGPi3ddiAZusF/m3nAscL/NsiD6lvuwv86xY6MCGTJwsqb8lsEv82D5Q1Gw1xKoCIPeQITOLf -dkMrBg3ZiI0uLY/hIRwboZVrWeWTEMkYgg0nkjEaOFJ0DDIflip0EWhxJUY0UGCJ5AmJf9tkTyK5 -kW6MCM5lEDC+TSfwb9MKCaoE/m1ex6LCMEfo27oE/m24MlFhDEjyUXxDhSUJ/Nu4rZVK4CILB+MD -/m16M+HgW9DgYG61W5KDFEQhFDjg3yYwgQm1DIOoBKO0AoLbfB/LI0sKPvVzwi4ClE/LKBDI6j4s -LBhcOKaSZoMY8G9LFZ+BglYBBOsaNERQmwgCgoaWjOrDpIB3d0JUeeSNwrt7FjhocGTz7j4Y3ELB -ojlGBOdOXOpDbmRGVzeZELsrWXFQefIydfdPvFQac0ToLu5EEiSgQGhwp8OBbGKaJLNBGBGcC1kI -P812wuQPw/MArkSNv7FU+N8OIjrnckBSYBV4QJgFTQEnazBdav8tI7B2BaUJzIJm59NBeXhLmooO -UokCTRJy6AaXYnSJwSajbqQyR2kKfyY0hU0EAgGHVoUKGCRCMiJ0F+VLmptw2mmqQG2623DgVTbN -xDewKf5Hc7ADBFNkp+kq8lCxVMu2yUGaRiAIIu5E7JbupiSE90Oem5tJMNhcykRCczGUcmDbJ8xE -8ZFwSRSq2rFQtIBbG/JFy0INm02vigZNh6bwoIutIFL4wPExGpVAJVgjPQ5WOH0Y/6O5gdNBTTsJ -jeYuvpaRQg0prqY6BEPtLHhqCvkRaSpy9PB6VKzNxRhgNrfgoQm20kQrKwogNk5RGpEUPsrocO4G -hisW6XQaWFoPIbrxsBwsKLTsoJsFqTbhURMmxDKeJoKS8jIQkRYSmR25LDRYI6Q0wQ9Gkmuhg0Yr -i8JLhInY4YcrUs6AM21Anmpz3DecXhNcNIEAcnAGPK4VRMQmGHolOig6JjbB0LLLQYtzMROYRwQ2 -gQgoJPyH8tt4XKneaIOqU5iQy3UaBw2bwuNSSyFGWYCgSi/aI1IkuMw8QgUxiJao0zJJB11YxZZ8 -OUODUAEJFdtoSOMM8S8CyqUWAW4cNBjTYAr/dwu0DFRTHISSokLTq/LIGsNVeWQwVXmYdIoKFSqP -DD4WFhrjQsTgArP0ArMmHMIPnHiwJBMPlkZPpUgJ1Fp2lhy6VAq/zRyNEuMdJcYLGSXGCwuFsBAs -FH4j01qJ4FxQUykRnAvuCM4FUeJ4RyaI1xQsigSKJUNPoaZg0VqRQDFIoFi2c2sD1CCBYlFoCha9 -higWLfNM/IbWMQ+2eGCeid/QmNLQBtiiPbAFpaE9ubNmcmfNQCyPbWUsJtSHTu5IoEyYjDJhOC0U -h4NNIbLDppBl/VYtm/jWkBFCVO/1bVqGai3TmJKTAoLD/rBupmFg8Qh9W+gigB+PkCOUaYA5QjCP -9kLFUkUFYTEyEFaxA2+CFSR4kaI4js5mIVEQKHSGg4Lhaakp5YZiqtS9NM7D5t7WZqGeThsVWCgQ 
-cPEDhXJgExUkeA8KAo6nT2kYckUIcWJ0hI7Z3AnEZuEQ2S9RIwVx8bNxu5AHURC8zsrnX6buahlH -GYRWKImiX0gCCtIKJVGMIEoSxYIoI1HgAQMBxep9NEdq2Dx5a6Q2evNkeEGZengVxL65yh7yc10M -So1RJ/l905IV6dDdw4HRWjZBbdBT50DW5UDNgax70jKTCQIxTSYcFhiphYhRCxGDC8y6C6YIXrgZ -B02XcdCAGQcNBh+si540ekJPpYkH6wpMPFg3d9yAQPZSz9JZChVMWjaChWAhg64pWLQBaqApWDRF -waIfCRSLAepgbAoWbXBXkkV7YJ498RsxD/bAPBAD7HFwlEbDAFs82gPjxvDbOt/KyVrWsKwkybdh -EqfFaXFa4WYLFyIqOX0aCE3GQYM1KjlpFpOT1kBoJCctMyWn78xk8ukIZT6OUApmsAZNjwtFIOLm -C+pYqmW5qwjE0kkjbxQ0mlsyOPBEJwZGQtgb4QIVkTnYGqNz4mbxENllgwUScfHMQ54aURC0uFTn -ocDACDW6WagOp52mWvYQEfkGo2NKRCw1RU4NIOXjeCLLgadq2YMRwbmrjYMpFG6WTN8izgpptFky -I8/IyCx4OgyIXxlSBVWBSDUfzNoVjEobhoyWeVYDy3N4qTUSCjaR1mSHxMKTOROFJm/Eied2VBTU -lR4beYGBDlhXVHDh8gZSH/KAmtJWEyaDi5cJk8HTpqbCT4UwYfLkZMLkBzb1FBV+KQpDKClKa9nC -hEOcmqikU0h0VRFChWhmAAEAAABDEgAAGCAWjkjFgsFYD6QG8AMUAAN7WipEODosKpAIhLE4FIph -IAZiEEVxFEKIKWWUqaJxABBnxtfHzOuGtGyr8+s0kq1jJs/82QMlTZogJ/LkpKUzr0liwDRMkfv/ -vCT3t1ZiWu4RX0jr2Z6CBUvoTHarDgb52Wp50Yl34s5KI2ruidPfKWVy7VsTis0MBijy15OhdAzr -xqZaX6sWA+Pv3pSOi/ITxkFupEYzjtQj/ODAKoGJP3bu5FXzk46YYoAswI9w7LX1xAV6B0DjcSN1 -Qw5IFfc60hwNwcfFJ57BXMttAIvzzCPph4DPEUNQAz8KgjWiC9gA4mtSBAFVe5GOaZG6jiwx8GkI -XrZFs/1DBS6stN5LsJHXzHOsZO9Ty3JogOQ0Xls10KGYRz7eCu5ZB9wxpFpZHNVQixnaH/npEgBh -QxalIY7HG+JxepgDc0n96uMZi9WyEwcnwHvkusSlz8A8PtY2mvDaKYz5C8iPhH2ywtBq6hCyGyy/ -SpBMZ//3m/RNjREzQZwSRv4XF7eYIqpE4fA+Iskfl0SBwl/CghXHXYSXOQm7rYzj8g== - - - YIkZAa6Ex9o46gaedtP30ocKDDomvS6dZqsXfL15o3oBzPfmi2QOtv+IndvWCrxpVQHwKb0sEtY8 -0+sGT6sN+b1eLwFh/bb7zcRJVtmFDSEA6dNd+ILyPjbSyi7FJTAgJSBtMHAWRUK//FUYDPDX3i8g -D2HK03osbgJ5JNR4KgQVl7AH9f8xLoq6lOxR98SZz45dMki2euE46ONpJCNMDgfKLAgYH5k/h+3G -yF0G/n5ihsxPRc4y/TlZTQn8+il/U35PSfXVhlIZdXm6EMKUDt+PLsHd+PPtIjptCGm+0e1ivU4w -XuWpQ7YT++MxyV3l/wmiF0capM9NaKU2dC8B5Y5J1zFLFYZZcWWrINs/baLh0Mn8q74ku5jfUdrD -RTqin+T9qGZkZjk4ELhIsUAwxuewpmEXU5gvY8zHYk6jqH/t+RqJpb/rT3glmJAk5/AGbKyHR0KN -LT7FHA//oNPrIoWQdk3CsH27amy/heOxEsu1UtfkRPJGhsfv2DLsUxsQzvKuzGKl1CXm9N25Db+C 
-izcUHfbY+rzD3EvEDAzXjKnYckYwjLCb+gF1hMJ9Ys4IdrKlAMsbv1lKVDdlsHytklfnpmpY8r/I -JyVon6GtnnLH/PTJK7N/zzB3xo6lnDnvxYOJC/ieesmL36yC3BXued5l5h6JagqNDZ747hASPd1H -lEGU+1wKu+LJWkTsMoja9laj4snAk7J/H6kR8eS1OfEAr2PwXM25rprgIJ4qKz6ph4GgeIr0cS7e -WW7Et7cAdnbCgeJJHvGZ3ab0iHgyXGpuI5sNIp4gR+bGZw2XUTxZny8jRmvEWqqG3gMZ8+x5SLwq -5uaKrq0VipgESZSxwoksI21dF2DO1yZgurs7ndNy5f7hRHyXVzRzsFAUfKeRsbVLnojMfM17Hu3v -NEc5Fioz0F3pp1plc9lIuVd1KSDd0EJt9iWrRTTUq+BSgLlt4RG3iW3wHeN1ZGLbMREZU9SEsBf3 -AiAFsrROHZN4RcxadOR4dq3zg/LZ65tY/CX/MZrNOtV+od4i8lNL3mXF0kkUAZpztNg2T9XRNbtx -mqv1JG3pvs9zQSKYwI5DApycjQrGJlJNEqmO71P2wwt0dK/gZZ0OSkVDbBB2eMbk+5fRVPHqw7jP -wOpKWpvXxCEkKZGwaQ13nhLA6dbXK7m1hhs61HpPvy2EUo0mZbEaFJQA8EI6GM/LCJZKipeF/kTp -vCIQSuFLQPt6Qw6w3BkMpN8DOp9DOHJB6/ubikNlQwtfr4Y10SxBR0epCDYIWeaGMdfXufgCl4uL -r0UsHGWf4pJHWdQ0RK40hCndc0s2sdTMuo2nByt2hthSwVW2m+LPv0iyVPwdMvhRnOuPp+gCwRpP -eeA7Kxoap3awT0nk/001l30zY0ABtRSGIrfwzN7jKQbFozvWtwzPmnEwcP1DdssLbHYFILsphbz0 -eFLQhIXeaTwFOQivLMLn+4RVNp7eaj+M0dMt/Ou0h6gp8Z1syDHCnweZTFj/2AmAZ/PNp5b7VUih -KYROZrOGTE7vTzgQs4rc2oiAd796rQ3JtgdccNsLlm7yGlAGx5Sc+VpJghRG3R/JQCHGQpOV/HRu -MLcpDPwXs5gu8/YuyxhlFDEGa0irQOM+GtZ3O88DLsPpM89Yyk8oHEHXL2pMpOjQRxB7JLMoo70k -YtZpzR9N6lY0u3qHGOM3c57qbESs4N2TCCOsbM8fzBVCBny2Fgl2DTPqyi28aH8ewwT3Gm24aYYU -TldX0jUqjgtgzrFDKen/hBpHVkWvbbFzmbuFIA5loltzCZcdk79BcENQV4LvpKsQcpUo8x3Tb6e8 -8aF0iQ3rVYv7w0pdXJoCEs2Utyc4w3e9QU8E3g0DJV+Wsxet43+jQRbvQD0nkm93yLwXdWSCX48e -UUMt0hiVaEAnrc5juA/AXdJ02cz88vqWwhvmFaZqB55RBPmnBjeGWSuhuQNqZ+tYXvqW74WfI1MV -e57yP57upb/mXUl9C5Dpk/KUvJABpZ4OwISQlw3CtOiE5UWR04YbLTEpyc4Kf+aBU9ic5CcXAvBn -Qe4jCkgg0/PFJxYV/Bj9VYiPbRltwPYLtW09BKdBh5xcxoN+XeZ2CmPiacV1tmnrJDociCZO+xyT -dDp9q9yeacJ7xP4GjJ8mtx9Ht4YWamYMELSnOraWRbPdS+wmayUhm6r9195ji+MCJRdti+xPnkWD -7p7qDltVxko0tj5G3x+QEE19WDtb6HE9PFdiS9W2YWFws5RDp73Wp6iv0y5ITsUXa25pVYVtB44n -7aJYkNTymDWJHLggInMxWATuS8L9iDCOkRgexHovk1Dr+i3VFFul0jHQ/ot7JHH+lJP3nlRGAoQA -CDs1zbEb5btBUDsiXQEuMCLtaVjnSX0QorMMy9L3v6GCld9y0WSBf33cNWQMggc48zCoj6C8qY3F 
-46ZYOjsJnhqITgssqpb9WSRagOh3UbcZgokNVSudM4H6F+dTqmGSrbnpiE8RTt/+Y/N98WXeOtpC -/k9AbpKkEa88A1cDJ0L1L+IJWNo/mz3Tis3cdHUhApwFO4J/vcI2fWKKw6WBzNKI2p4xb4u93krA -6F+LybhKb5T6F3vBv2vCziWqvMeHf7FmSbZiZQCoMCL3qCz6V9DRL5bs/3cw1GEBIoRvs5uwvwqQ -VC5IjtfK/5SRhX9Vgax4Ye3H6d8uS0Nh+lHNq0RL6x7vrmFLtuJffUYoHdO/QqasJoR/gRQxEwwQ -RLXGMnaAf5nWnc8Xmr+NFpg3FJA7eCvSB/1btr72lJEyVvYk8O+NopSlx/9ySKerpQsQi3QMJuXI -4NJtToiJCDzVla2o5o2oJhWG4PpyW+mzNBKzZEmldo4iyOLGsYamd1nESm10ZjrnpK5kUbT4ZyD/ -30GzTmnOAldmdP2OI4FWVFEQQSc2DAPxe8UjAaLRhS4Z33EAQtuF5Negz8LGtKbiT01SWhSNEWhC -W6KwGGZxNvZJtXjGPhpjxX9FhWQ+c4u+uDiwkQ/xMVVJnyXWRrzKVDMNqPImaAsDQqb9ugJCw7dX -JQKZqnvsGDqpRbyk21JhcGT8pno8EEyTvZBYyZ1OtHMKx8lXkTKBY00W+sd8pOFdLjWXj9xaXump -bqY1IxzRmnz5m8L/JCK1hjOXGjFqDd1I4/kCjqODQraBbKhOFcJeimos9+uGwqrlurSP/iRY500a -eqFNS/7cpKNCrSrk2KWyDaSVnhtmOvSJU0TJGJFTblePcpagRqBxEgVfqEVkVjWA1YKyagLiu3gh -qjFMovSNc0ejbw0THJCs3BEP6TGovA0sED/H9D4Q0E0GSEWQbMv1fEt7tZBYQmB98P3ogJd3fsLA -mRQckvGAnQOpN8vyP3vkU1Op91KvINzFFCPU603isVfbQ7103PKskwbQfg8mPnN2DVjQUvpFPXLc -LGTpo9z/2jzUqy/dHTbIlU3oCfWGw6luyzGXkXrbkgVJdQPRpBs3AAoIqYmmh/elXoT35kHVoTNi -Bba0HypO4y4Ac4OB2mvccIq0JN0Y4lKQRqr6tsREAnUCgyV30r4QLdNc9Ukc7Igz1xR3RZiu5Uhz -4j0uhjDb9aJKsU67DKZBOpHKizacdXEkps/68BxLVmzgIr/IBhtFGwQvg/BQIoLGFoKu0qZC9d+Y -UaLwYOvCJeHLsJlU24mZXKXsZ0P52XUV47vF0IDYqUcpFc9d8VcXO9aBUK8VmCxvAICWBWZ9BH+0 -lPQXkbMcNRAfJy3NeNP+U3VjRog4jZRRzBropBSaZH1ADJziTFLhGUAa/xIiLiBNKWZTRbgbFcvI -VoiJMVvepshsgSuCL3HU5kSdLlT0omqvVJGkCtrCGLVSgGG7esiY5MtFrO8EUY/FHrT4fmnfDFgS -Y1Ai3H/U7h8KDCAo9wt47f8CKu6kVdaSIdAJJfiPvAQ0o9c3fZT2MYtC11VFYLl9t6n/6HWYzZzM -Ilr19vTSRi1A341snK/eDO0INqcKg68S0vPP1Vuo32GXUfUGqhHt+6QVuepF6CYqAIE8JlRVvX+E -tnXmpFkaAqc2NtmLFYO5sMKA8hfXExr47LVymY0DlQtgb9XrBeR615/I6+odbEfsA525RtX7vNmF -TVdvYBFZ+kG2ABNScKOjLal667i6be90aouXFTWUdwS/mch48jx/z0Bj6jSbcBbzWh0qyXvvdb5u -K2bVB6ayX+i2fYQ8KIAgunvY5Kh82pYFyZ241oQzHEf9bq5LdcDZdTnEvtfvDZ9dDXoYhrqZ8Bwz -eDu/Sb8o4kkIw7NjvD2nAT9BOpVASavIz0/CrBsGigDSWp8iVGw1utAl/K33+YggllEJSuvFYoRe 
-2rZJE92PRMrI0OVfS6TWWU90OKiCVN6KSlmkahlVwonbAtgF4OHL197Azs4DzB6lFpCkID+lLYnJ -IwZAEjCkpF5o4DRHQkHRW9F/CBJqEYYZRkF0lLh8DQSLGhg2QDLoXay9zu56wbdKx4fKCvZgWYID -ESgDwKlfhX1oCVbGppWaj9PoUzmG/uYGft3fTcBqRwxnUecM5Fn4vXDqLJ2blqPuHu7e+d2dOVbs -UM8c+l3+RwJEasqD0MBRjNL/okHQ8xbx+5ug3v/SFhcKEKxVlIS6KQRSypCi46Q+yvrxB353f1aj -Ns7SM/NA3137uvXe3MPdjHcNOOP+F8S97y4r/6Yv/iIrSTU/ToJ3l7Ec6Z62kwDHnjicYQ+yf+3i -8AmSpgFbSH8SCgbQR/Lu6d0dRLLNWRe/jd7dkX631AB9MeSqio89T313O5IFxQMmGJNpXbwbvUw/ -TdK1kX9UGO/SaFd1yvy0vbsJ0Ca/Y50ET0pRFCjCaampZpVGnZ+6s0TAM/k/U8bV3eP97xGlAjqO -GxhSv+NFCXGw/zhbnCtw/xhTOPiRTUBgprH3Ifa3Fc/FN1YR7WVWl47rQ4eZRfCtdUNbBvct751+ -LTtb0VoFp5wkT88x3AtSqSXU8DOvTBI9WZM7Yzw4H7QwBJ2P4/HMpb7l+++Q5T3rwNhN5UZziXaO -dAuu+42g+kpNRKJkmLlPBj3MUTe+yr0sEi1wP6RAVC2uS61Wnr0bQX9nja8yxPrQE7ZgLskbdPjD -/t2NIU6OcebMKl9MLCuFUdHaP0aZRp3qIdHrvm8ScJ91H23sDXQTBGMVCd1A7zwwwT+/rGFFl9Nb -roFOFORbkraZMRd0Bqgjh+GAHSxM2b7o51PG8WVkC/crKDLrmCyjXDaB4xsHz8/Ep0+WNo1vHKBw -E3ZvgY21H6usjbuB9QeUFq1yB5XXDYYq+Kw4T3293dWZmeV1gs3UhPvmcFUrsVmjAXmFlyueVTFz -awPkvbz3nv2uzeGA9GyCDg2Ck/LeJSnt4IWJMtVhgVW4rM3apOWtWhjYxbE/BzWg0OCKao/qeijJ -eOymgUhCjEH9TFTg72iI7iB78XX8FNFdXmcFaab4bZxOaOaNL3AHave22pJ474mT2g== - - - fmqg5A3CaqhAKWd6WBnUDux6g2k+TsUmhHSnEsOD3G2mvDligW+m53QFPRxYFJcjpElAVm6PLTYC -SZmz+ZtyjDZi9xNLW7T4VFPBoRGUM6ihvFVwG41lbmd5OJSph/zb/xbXXr7S4oGeSaRqy6H3l2HB -1xyxS4xQDdmgavvzRO7XcEUN/URH94fL+20WrPCyvBD6ejIqKsBkEu7eaK3JlpkeLj5T22uf0V7F -rRmY34quHo2h+MXX0asRhhldbmpadItSXWOYWUfXYkwKSk56dO99lQhHYd+8biq2z9F9dNIbj65Z -3wftqzhCBatpRmnuwBqQNj95dFX0MrFXdLESNoMXjN0DnuJXUjT5TuBwMG+5YWyQqUfbMjzJPW4d -HzAjKp4HVEImq4iYBy87ijGGieyxVEfEaIrfy9PvQ1GfHALF5OgNHCW7C27Q4WtSEzMuaCn5WPu9 -ImG++HZhSyB7X5vl99ZCxFJ7emYRKg5G8o5lp8MhxIvW3FfFcK6pRWyivKa6CyOPht/LXQQkDYUt -NOivsvfcrEE+rR6XjGdp3pNiakCuH9uXmX/FMCUs/3mP2mUupCQJNExp0PRwtVrdIiSsAomUHyTS -cillM32Gtspu6JBjDSgLhEjKJmDSW4y59z5s1d8ZAB5dsTDldzV9YnQwdHsQoqgj5NrfejM2Js0p -EReO/GtBZt5aq6F4lPt8XBJToLG0gsqUVevFEpbxODFmJH1KnURi60xHyjXbtKSbYi/MEPXKFEQq 
-WdyLRcM14ukoKE10Dg4ezhzRe/iDKjqREfWXj14Vba6ZrWSzQ4mQnokCViwckR9BCO6MZ+qJZb+a -VYOIIDNugWVwNx8pavBB616KnFh7Vtv8ZXY3NtPlPR2ndN0yTDfkglGzS1elS1XpnZsh3kn65sQ8 -FnJNKqUL96yYZbpVTXINeao5Sb7NdI+FKokWYW8wY1WtTPeyZsH0kXTwO57pBhe3vAa/aazBdK/d -s/YOAQexZf+UW3umW761DVttgv/8weyKK4/LI3QMcnmBoBtTc2/2aaAU1Pmxq/8pKuPlVAC7C3hl -rLk3s0cm15L8QA3fkQUTGbwyODss09Mk4hwqgweJ4r6ZgYSX7nLVDeX9CFU7sDWOpadbfJyyHUAW -ubkXqaV3aHaSmamMOn1yRl2uK72fl51iS2W4tpAgzNYv45ACW7kkZZbcrVyqeLoZS12GKlniFePX -9vpKop6ia6nOxq4auyJdiWoGTDmxl1a31VNsXMylgZtBL8ALonvPsqRYPMxNBsD8038UA+szAvn4 -jZSjixIMYGeXBaZ9gnHrmtcpVbIHL29fi0viuWVok9Q8EozuNq2fayB+gpJmJHg0kFsyEMBP2ZSj -w64Ua9KYmYnsA0oxR+CLC2YVzOp7Crq5BKWyiwKG/V0p04wVgfXPJPdVStLYs8Hs0+8xlUu2Q8fO -GHcNnUG4TX3g1Evwc6N2mXeKXBKiC13skRwF/UqKix6sScRyUtTgjpOnEKNuOnV7aXNlKN+GtFPF -G11aqVfxNkHsN6cEAvgPGbfqK8OaQC/mqNXTyAC+LuaTHbdXj+l3LH76X4wqzGnWyS4gc0wCqp8/ -FeJ1/iIrcnFO90D6MYoyHSqnon1863Ec14til64pcxn+FJv+C6dxKLHtfOZWCjEUVicFJBlWdm8K -SKc9vNSQAJ4rvyinicFK9eNyXU9GgXDDuyKmHzt5PwYBZDu45QaIkZNOl8VRBKE4IaoLfiSwEhdh -4nF9P/iue0RscBFoPxx/NGUK73Puyp7wrzUgHyIh/Wu0WRzWw/9/j3O4Es2n+ZYEvwUsPzOxXJN/ -W7mZ5n1Km870owj9oGZYADpwmkjKDbYm5p+l7HNKU+l3+ZxROlT4+bjKWOb8P9lL64NFqO9DWuIt -6Bu/jJlQAqo9i3N47/5b3ID6iqnJLZmNKk9U48jLTqXKqzEGQuJpF8i7QNEs010j4y+RuygVg5J4 -1/0GnkffjFlDvnoI2knpANVMZ1dIM8JE27vj1c2gIO8CzY7byj05R4PO4AP25qiNK8ZXsuC9B09g -aXBjaKnWOr3fLGCAi8/pZvIfV/mjMrZMK5FJci/XyLrdqfHtHGAQgfqqumfiLxELuYFkIcqR/xgw -iuO4AeBkvabbvL5+dcMhAOiI4kHqs7JBIJqQvsAZbQiw28tN8hatFSvV0L+ZFgB/Wy1RfMhyaOu2 -HHWxId2SWT3g3LrNqWMHY+98nLsosNtM4jyZMEn/y0Kj+0Sy8XzkW13zAghHZsoJgzMT7F5GDlM1 -6faa0tDrtggoRai7wNJjEGkJdhGrT55yiobez+Jtx2QFUqmYDK2fOKLC0wkYamJiu0D9sIr0UpSO -SGRBWDBQM+Y70BsoLBGgR1OjNJdEu1CqG0L1Su0D8zch/DdXKG6F5pRBx9Voo/FWqfylZQKbjiUg -fSzbMsKo6jVkkf2glqgtp91kheRpGWrVWeyL6hHStAogi5h3ntgryP787Kuv9UFdIZYDnFjR9t0Q -qllE8oJQIxRvYS/guh6mTB1SN6/Cr3de3sWfMteXiPqeJn7XQPhDQk0i6msR1MKbYxno2B5SikEz -oHKbiMX5Q2ix4Cmcj/wfcU5YlH2ATh4OOpLfecRHLGOwh6sJpwIyPoj8qAX5omnWF9gJy1hL+5YH 
-IsYVPqtNVpnsjodLk2XjcXzdWkTOMsoerrneFXg/vgrm9sPgaPzV96Xw8a/MLsenub5HZOfT/OFF -a98PULzNkTgpPiImIW9oafV+bqguPSoMNQjcXvZhgHEiZ5UxvJdwCxN23FAZCASbSOLBMqTwpkZd -9n/y/4BhBwSz1FqyS3yVL7QoT60g0qO/XEn8W/4NEPF1iuT1rijvlA3vqlqsED6uZtiEiZSBc+0v -PE844sNr5QAbLiS0ZJW/PKAW2hywnG4Zpw6rJpAYqX9NmRZemqv5T0eRBvCq+Wj/A5GAANV82RJe -MQNVgwCG6+aLruYLh0dwAsrijcmKc24bmk3SZusXggg0dwXI4lIkWc376Ev+wnYXJ5LIBrz7PnrN -4coczy0qtZxAqpsqlABGorbcMuJkNH/uyQbuiyU/J5iscSNZ4+qm5l+xErYw6YD9VpR9g4pEPnFy -qNbYMbxPcoKFAUmSUXjUbPIDJTuTqVl5F9+8cZP+qXrGLU2du88xKvq7rM7HK+ZY1wBzZa4cZ3I1 -rlxkrrQQL8Z5d5O3WMav8SYVFbI9U6CW7A3Ny+G7270D4W7AdnwDTz1/ezhD9DV2k4Fts4C7OVRP -oh6OcezqalxFheP8mTV1Fe3NhQAPb4X1kxW1gvb9CUkCCU+W1wIXNrOUyrpnzByP1xFT+K0YDh1W -YduFP0F+fnmm4EqlBqsHAnTK2zDFZSxZ4XrmLyVJ+FbmmAZZ3pKdpjQpCY0KRmudprINhNgJqM0K -0fmBDb/Uqu9+FlL52I78YMyAcMZhP1K43zjiBFcft6iovLxP/6MUB5nhWmuuH3IQLqMPBmde+ntC -dFpW+TBJP2hpRPy7/BXu4lHhp/OUNzr5JhLQllXuE+gTx3h7ZX6po3Wcm8p2lfzmc6mzSPJMdvJM -waTUzPwTZYBalXVAPnUBK5v/gVJYtEhmFb28ZwPo5VvxE8x8J/AlYx1LWwMdvt6cJZRjdfS8qYsI -aKHSacHCwbO+W4MA246vkgg4vzzZMrKeLSJAuV22u3Y3hYxjlSvQBGiqxr7m4dc9iKy4gxCCfX75 -6WEHyXyFOEkYg48hGRswjQsJm2sTU3w3HBRxVzAwyyN2Y3qDzR9WxooLGvo3ettf9kuHn2GyBF5w -QMUxsosW3Zi36zLolmrwfSaYOISweXsuc6aap5ghJvjwwzlDZg/tTV3wXVmOISxjMgMX2ZgszyDb -OSijXmZHkDvfCy0ONjdqskB4kpV0iwnIYEHUFS2oDBEXQ+V53SEGD2nIalpMNHrHbYdWA63ZVMbI -vFrBpwvYkwrW5j6Vl0aXE4a3m5MyzsAGamsJ7S6yM8ObjFqMTPeTidyZC5VekkCmB3Z+uVChzmA7 -wlgnhqJjbZqyamkfggrNTKhjfFulFHNTr2EgHZScUseLHHRcjXV4/TkQ+KVADTWCzxa4nrHaOG3x -iVxJdpZ+GDBuyTlUljdrzoY/x4lRVkJj1+emA06Lxgx+0MGHv71dCTBL2alXX4kLMso0xNAMxlW4 -Qf3Z/c7SVc1L+A7db+lhe2Err3dnOEE9zbT3lMZR6PhnWak8n+XgyRz8IYYQiRrpqi9L/FUMFRxk -oGI9NuWZNM5MmwIewAuQoMZtkm70s0zhMAq2Qc5o8hRcZi/fry5jHSK3luECL8l8pVzskl9dRg86 -knmScWfKTspCEPmzVRKi+3NHyJsDkt6v/t1rivyQOOB6E+IwfT4oZjPkEr/AJDuopU/kLk5nj0Og -J4pdWDg535KcPYxnZgNdCszKyUMMKT0BnrdDQARzgpXaUZwONukOVw6AMTreM6SXZzVRDBsqtjm8 -4/aV1zV0kycIKZjIGAh5hrekVsQuab6STQnPIm4MtotFkin5vQelEcFlCO2UNhkfAiWI1pmzhpuH 
-D2rdTCwH6wQaXAwwK2b+MiSoMeQlzgqSHFUOP5LKKC7JTBpZ0GBCPslLgjKfltCgggDfiNWn037A -9i06tZRIZUzKHt7Dm9ad+bYhv8Tk0nrb162eertGBgERGb2L/fpQ8ajtw018qzryUisVZUdpk532 -v+bOcxTikj3GncnQdk+NOCLmeXv+Hyt+oNNEODHq380H+SPJXPwBrPcT9YLit+pZZD20TWosVjtL -ZKDFNuj3i/QQbRv3W4fpPL7Qka4aJvLN8daODKkTDJ8RBp4xFj6GgSCWUKDULKyj/Ag05SRti0fs -qTstNRDpZmx5CI82XEeNmod60EOnu9h4hK9mtHMO+kTtQIKLGhEDXUUUDoFmvFKzmw3JmlhD14wf -hUviJxcTbjJCwFiICGA6HVf+awOhBY+GiMX/d+jCR64Idd9XFwKxPgRwpIYfBhdvokRUhtRmcuE2 -AVsutCVhrkhX1nEB/JOJNYTUVik662mWSV4BPGvlYSjwjdjOZrTZaHv5IEfhfaEnhmDwC/0YBU1S -iIChrprLXNCk4YfsUAwCXHJkWTzzHp0B0KMyRxq2A8NeEURCPBKqf5ACOfGQLPTniM9jCpRWZA+6 -WYClTV1ubyUAzbS3OH2U7OQ1nsOX0KOTSSKP9qE4mNYq3erZoehbkHEGAQySbdvCH4K0cB2Jt1Il -8ol2JvyD1NVVt41o10NI05XZB04VkBCfM9NaC+5Tc6/Znp22Xqt09E7Syoe76ZhrrMZku9Rm1Wuu -TqAilX0NrCFmtX7ZOMxGinugcMv+gCo0k9sPNk77eG/ryTje2+asU/8Y1rY8vQhGPDk03rEmx+A2 -hhPLmZuWNbdhnb+QcJYfFhCcQwr5JvVAdvSd5PU56MXauJWKVyq4Q4RElNBxLY2Cyg== - - - 9MwweE+bpvhOlgye160AKBSE4JVpzWUNI/g6pwLaRmu41ooGUg/GGoUbufuWFT9wp5FOSezp43VQ -pgboYlmIUvbMSOZ9b6xBSsdpc3IS4VNJEEPZdJCacKDN/qit5OGsVP0vb+6qI1AhWfAAYXB7fBet -Z/mc4DycZvgtOu93VrLMKLrH0jU22hv61QmE6X/NmxbVs7bP982d+d5Qnkofv58j0CfUpq070iRs -nhf1UwAKS6/TXECpkq0VC6AIx7/xW43Ew+xSussjXH1ILRVElXDATF5lYPleA92o4aZXceuf40d0 -m3QmC9+XnIGCQjPxTVTlA+F001tcq+/ec6Rcofo3iQs97rJeX0ok/JDEBK5cJQn4hijgfy9zkBbT -ZxH+lyOI/62GhHEFVSziSaMRHS+zM5TUSBZ4Akt6DTL5C60WOsVFRNMRGj244sr3ieOzdMXkli62 -8heeF669wnpU5rR6OqBZn9vvOiq2a4naLeSlMpLkIhTGst89u05C17Ln2/Zxkc7JhPYu8KOf41ih -7Mkf+6Buk0y7c1p9nesddF9+YhJzefhPnsoo6Qt/HFNNps26VutInJJ++okmz2R/Il89tpIo4CKD -sxJIrEjiql5CEgojdVqgNwwWaMj897Ghj16dREIqQjbVg2rSPVS/eFfQawqEQzjQL+aICVDfbjbW -BG4kWCG1pwl8i/TUcgV6LpaPFmkfBahpsl+TDRMJTQbyV4xXCvKG4vQsfRuBSU00G0uHpNzCOZWL -/2pd7j5X+XXgPRQF1WEKIFjSv7FI9ALok1TVtd3YfRO1nfvVTJvT0ZovssIF2AenqGLYh6QayABX -yxFa0GAXT3UQt6vcwrbAPEoNOeFBTCL26x3L4NMVDeiNUp3Ydp2qMFIEgEgc/YUrO79Ifl820A9m -1MOIXh2HP+MXH9YN2xmVwo3Zm3tqGTwwYM/AEOd7QMCSE/IXF5wNy5S7xfPMlbH3bi22bsKHg9jk 
-x+KJhJVIwm16eMAc2eFDST1oPV2vksNTfIgFqifZ84Ch+7VSCNFD5Y/F30Gi8MjF43+D6pJKifwM -ySIgvoN/iRgMfzJ8q00RxQyiaVUJhHdpRgnaUH1Z88VSPDPLAZSACdotbqQwCA3VSGouDovmABPv -wP/dNKBJBRdK/TOzIhA/ZktBeeE/vKvxYrCE5S39jPUVD9EDj4ae2+pP34500L5XklOA1gfIrUOH -EcG+qZ62W6wFES5TdmP7u/Uss51uutjuBRz2lj8oGGb4QJmoktpptoAYhi8tVaF+VaZ8icI6UKaK -pgwHgTLKou3O4G+S8QDjuTHAGfbJuPPIKqv+UScKnpDkGpic4XnIyOrvS1q7+82qeA2fPxPqO+BE -NQbHLkPOd+JgAJNWMGQr7odzOYrj4K+cWN02iKdZpSmZjiZyxUOjP6fAmKxuLENlWTlbfHsRDfE9 -qvEvUQLW8Hb/IP3U5sJSKaX8j5rvBy3CCAuZv40F5cpapC0zZ7fLSG8oWGYK+bYfXx1r9ZKqfs1d -3ndWD8TfAeDnbYtnhRqNOxgQh0k1N6gm+FFwgYymcsbtKJcpyJeAjPuPh42ZFwD71xjr5RWa3Ufk -ILg4W8aoaG8FwSVB5nS8JsXaMzD/yk54C3HPLR83T+2cGaOgX+rjao3MfUIyiF19rMjltK5aHpJj -L+2SoSA9YXOkTlSfZVmQwOX4ncZbdrMhzUYzMHovWsajBOIgaE2oVCSzZWiZGarE24q8NkL3n62Q -BPZbgCOKEwXYwWmKlwmV7Io16AQYaAgYYYHNFvZFVdrzlgHYAG8AgJN/heB+9FUM/akODC4JL9fm -NrCZj3FZN2ZfNwtRc2F4JNlgntCTSaChlqJp+hOBKFnzXi9LdTnhIrMDLQUr8uo8BjAbmy24Bkja -21mL6IPm827tpYqLTFXhn6hJl2eN8AtiyDUpFV98GOap2rHTOz7Sq1P0yNjQo4q5n1/kOWHC4AFw -Do8AB2MYxIvmuXuYzmDXMy7ROokhRyRpwJ92OPsQvsDhgT6Cl6TgBWBLSDp0vC7Ne9OVL4qwNxDc -szcNm7c4f2au2oYNrh2OFBBCP6ChiLjCMox7B0DxYCZ4nCYVU5OSTdlmuX0ILOcgndwMUNtr5Xkv -oC6xQF8WyUbRkGgXe/ZK5QiS4W/oKQNbkCJPRmeW9bIYRWAI6M46xi9l1hER6Qah+x3Z1pYYuQv8 -3MCjAc0VYhgpQtjg6E7aaZXYD5HxwsmBYEwbZWXTy6sOvhX8OBvV70t9aZbIlFIJfljkp+4KWVkY -qDpGXPk6PlHxvHLfJkC7WIAvp8TXEWIyoCxnTVmhr63XYjifhHdZLNiBWVrYbr5reDItfulXClSH -tM4KPRrygmn92woE25Aw2XLZawbT4GwdcWpiDs4SUn9kV7UnwKGVRL07pywhr6EKhWs3SVJsHfkQ -ccTHIzu0MjN/DGOHvATSwfmTQiQqgsDzDZ4K2hnWKZikaw+Ga8pYIvTYqCef41fgACRcv651kfZv -7zv/xxtYmBCUU3cMFAjZ1gvWzJ9s2mKUTjajwshp3SwzDgc4ebnkuupy5QHnJX6kLQDkWp6oNEu3 -0CiAXHT4QUXRVUFSxdV0mPv0e4fkCxtDwSGnY534c1DCMUdM9onPKCvuY3TTb6AJwjYSR5yfBe2U -AtlUG+ffZ0OmlgaJdF2EUY2R5FlVs2KV4a1i3oBuBwDHspcgVTeWuWy4g2fZFM65nZC0aMF9D/Be -XlKKVHG93JUADgsOyOAMtJ6/3HBxdjC8V21Peytt4LKR4aswNVx8r0ZdckN8OI61Kkw4OKgjxQKk -i5H5VYXogn+DebhC4ppDxWjtqZHBEtLjWCGyDSu3ra7lDabWNQAEL0aDz3QuMRWEepJ4/jbbWS5S 
-D1U7GAaBI6HSBGLro02vRvO49Zuh6Dmft2np2xQEK2doscK50SVm+I6j3CoBO3xnIubPmB/Jt2E5 -XquFlQGxiKBYSKZpdKL8LSeg17p29EXPFQoxBDIRPyHyK10f+aeHYqz90snv0AgGj6i8ONqnp4zB -vnTpEZws1fN/NgCTjpPGLntV4DIknApc0Wwywqiw75eLRoqjgRk397tROML7K186kdw6L94ecgrP -nKBCBZETFLy9W3CURfXynO/xwcfT7GBOoan7HQHJ3CCzCH864dSNV/ZjqRsB6gSw+DZegeRa/w2g -217/PoHcYIDrZ1TD678aBDB8YcVZwo46n2zdZaNOXcQL6H5JcdASyj5daCuYJwFZXBjsi+yA/U+J -t6g4RlVNHNVSNIdVXNbWQY6yQjBJ0Y/iWqL8mTE0k9C7MBprtHSRZo12oR/YDYC+XxxAef4gE4Hb -piWxreM6CEWbmHE6wKyix1EVgY30x+GvcKqRhHrG9S45/2T0klwa29LeBq87EQT0gn83Uu/i6AEN -VlFeJOwG4E1Mxp9sbI+fMNaOq49RyblbkEmhfoC5+BBTdDfIygOKrrX+SNGE1o8ckER6Px4yV5Iy -F11uF9zSGnuSSEUsjoQKgJESsdczRf3mxwMtpLB75ONAicfxGF4HLQ2HEnZe0dWwao5MEMb4N2s1 -pnD4Tdzgv1H1lZWZeoX+0Anzxte7UUazRkGSJQfF1Sr6Oi7TvZcdhFmDxRLFnyvBzHumeyrhUptX -iG3N/4nUTiWhMVzBuPsDU2r+mbJVd0wyma5OTZQH9ZmqYb9tNpupZovdW9p7jOvlLX6Y5AC62z7G -9KQMPFV9BWFk/EY1/Dk2/Zrp64ILife5B57VVoDamCFuYrf6kpaJLQHn49Ccx27m6UwGthTUDWws -Peo/zS64EZ6WZf8D7GzomuNrB8O3+SUjeL3uJ7A+BpjTY4di38ZFQgDRogE+PPL9Y2cACOLWJdLu -agktIEFb7AiVQeILJVINPfJbBUEoEx6xEk8pInAI0kuG58ZYncc16JDWUyFLlk3/QgQ5Mb5RNKL7 -u8k2avLL+xuSCfGKmTsKJo3OBq/eTmnYGx50/ihUlXcqXKgJpGe4NEgL4gLKj2sbXYjJynH+ilLM -i1w9mYJ+ncxnDQ1gxu+QRWnB0MPS8Ag7MKFbKAPqk1zRDENVUXQk4Em8oblY88Nb9YQSzB4jJds4 -085NUrP64g0mQq/PqUBI4IMDYbjKLnEdhPH0GaFiVkauwjS4DMaZ7cyDNZNRwX2Ne9YKK5yxRd+n -P32pR2G+gAYq2PiH4TMQu4dBybjAHuleOrFMPt8ZlJRRaSqS2XBYvOUJ5nDIHlhF9Hp53s2qer+p -NGFDhGsmfJJofbim2QmMWfWhK47PO33sTziVM7XMtn3lBTW6Nzt4c4dUDP/Qzp3cXewMwSHTck5X -c4ml4OixpCDD9Cja2ZC4yA7bOJsNSKrAsISMyuC3fe7Y40LeqFxCKSPGTQ+aYKgM0UoYATA7MgkL -agIVBqHTjfVpO6cDYa48OfOVVRJ6FjnBcxifOoDQNEUuei1hgNdr4WJd9jRedDyyQWnOoC4sbR3l -hOtW3GTtxBgZOzz/pQ6RQ+TWaa6sBXqG+YNhtWaUdxf26EP2cwYtvIlSLbPrzMxqRqqpRFkwhoSn -W6ox8rRrE/z450zV+8kK0Mq5qdxBgvwrBHCr2V3kL6S6cMS3FswRejnmPUNI797PPyqPZRJOo+hK -Q4qhyUlgxJZEFn3J+jpXgjHmJAcRsI8GyAOe++4QxLOKQDtNEgRWTEpkF0OhWui3qbNmb0rauz4O -68fVG3fM9OIDOuds8zgXioRixSSCbS3YlsOlB6gWrsSWMrUIwmKyarVRaKHuo6B4GvKOME8t97vR 
-Ieg2xUEvTeGIBV4qRNlkRvp0G5jvXxl8/+T6jbt9u7gdvjhlBq/454fKYVIlrvPQPmneY3YRNuH0 -E/SR6g1mrmqh67mMtQPbkB5309LfDaZs3adGMzGXY2ewTeKSnh9eGicHs6G0OnOgsY8qKPU3bjOI -6GBb5OhEkyiaiNmdwQWkuQsOA/pwWJ9VufViP20PomkYqRQ5LjRHVtTmKGqp7gr2D4IITHQpAx65 -fDZJOHdN6oVcOBaXvH/qrVLj3ZKztfOUmtRfA5/LhIBTxXH7yh2+K5mW0Onofc2RMMymkEPYYbJK -qcPNXtNmMw7jy3MyKdwnGtrqeiGc2yPfIMDEWRCXWeKAQ8dZtobKJZA8/GELVBcDoQQh1EvyTidD -wD79PTec6z/8f5vrbD0IDJ+RdkJx+f7JO/Q2XtT6n9amaVdJtHpY0v5yad+502rSBSAn2DRw9Uas -h5wMuCHbaJgk+C5CHDGej0ucDPSuNiDOBSpWEN//WqRp0KqLSGiQ9e1oAyXGe1MrDZm6Jxtnnp5R -VJ+zsEgnln/KKkuyEREiLXzMDKNXzZb60l5pP96QZCtLsiJaojf2uz3E7A1ca593AurQ02ZvbQhh -0rdBCaU5Baqwjl9yDdscSRuim47caCWoWf7dPeiDUkm60/M+cgjdZq2MNIbokRVsaA== - - - AIg/YSit0Z0IViQIxpxO4PTiswG6wxbKSV4dGhz0D95law2uAA/NgIhv4lL2siarE0O0SQAyuMcc -HnU+fVUgnGfg5maSigT2oxEHUnVM4LiLNkzEEoxGL6bVGaPntplhGfmG6JnYFbeh1go0CuSyVE4J -eggr7m+N/M79MBwDbVRZ1n6QBkLNvTnFwmPW4GSM/hkPwkqw7cCEu6TmF20O6DYxXYRrvC3iLu0s -nJMmiHHVKIWQFNqCP3RjEnAoiRv23Jx9dLs+ovdDM2qkRYtKVZBDAglLM/ij/VgGYeLcIPM21UDw -NR0pq9gbji/mzTi7Pw5mWAz13g1g/ujfnYdz4pBaB3UmwpZ+Baktu3zAzLmZUUg32WaDvHEVhwXO -5SgviWwQhcCRw8TgSRygMKwqLJB24NkQGjbORZcmFuU0BvEC0hIv1MvB1HnVrN3jKVJjph2yThQ5 -CwJEAK4Dl3PK3LXrwAnTyUY2rztj0z/DSNBKfqU9aoVF9uGOQB4m9Cld6mckqkRR6EtC7bW/NpEI -zgkJs3W2MIUmcrNr+PwE9eyVyWQycoNtgARYFGj7jEN8xo0cTd8/TQAtBgQQsJPBoFDCmyTECov7 -kZpgJgdVQURCc9gtpy1UJ6VRNVmr2PBT8JSwB4KDfPtLqvE39bGCzyNckXKChXTtbahVGTzLhlBa -u8qQQ9N+1GXchs7snDUN0aA9DUx18jCiB1OhY8GhZ7bbLUkBXNEGV9MnpywYSigxpQ/tAMSuzoHm -ofh0ICociRxPBOe5QnyUu4eCKGB8vp9ondMtw6sjWZj6fEY3K5eciJQKcYeyTAEoKoUIo6tbMa1r -Igsihng8u9DENmeoharphdSC6bUuZCfLOBCjpEBmwujioJmCaB/zas+dtwGwJC0tnLO/qTPtZLkK -JFmKV322KfQ0Wbx+5C94AhJM6l8onXF8nDtRpowaaGz4GW8ZRoPGEkXzpk4/vAAxg6FPaWM1HIbd -QAYmK7yHRsVIWeDplCfNyt7pfePtiESrcE6MXWyQNtzH71CKMQxuHsufUyAJG26kX1uPA5joIfzE -0xjU+gSA5OP6x4dGFJzQkYCzOtgVgo6dkBWL2RoLawEzhDzbC9pOyXm5LwlGJxNt3eQgAXP5O95h -H934//f5sM4gtEUO+9a4Udd/OYV1KqcLx1Ctic3WDCoaYviIvwpA7ArGcB3LmDtmG9194GMjx/bK 
-6WLoVpgMBZGBkZmqfJRpWssev23E+Wo9T1ZOzudTvuFxSVCl7+GkgywdYvDUtrcjLWb1o0zntSaD -1M2bPviSYaZJ50ng8LsMi59MscgG8nK56pEArxd5lp1XGiTMXjohbIy1o6wWi5GIx/6NzqTZ9COa -IVwc86hIgi22iEClJzrza1YIIDH4udOmsykCxlQvVWhS+0D7RHck8gmSlGEgEzNYpNVEowB+74/u -D+ka54tJ0tfeQiulndl/AbTUESoWpLI3SC2pjWgnbz+5nAPt+7Ne4mez2qSNqIkRraYE3uvYHXVU -49XLueqhx+p7wiL00UfLwTOUcB0QM2eymFiLzpFcAkQ62lrNZsfsvouQzBJmtYDTMrimeEKD884C -OjJ+kUqCRoZwvfYyhHFap+CjNslTAUwqiZ1m0GC+E2mBrRlfWm3IN1ez4Cd7TrtlPJQumR3EuCeq -Fa55NrRwT64ZyV2NlHlJNXdscuNSPbtPuCWCgKDfIjlCqiG05Meo+fUNPidLAiWaeR889Q3m+z4X -eYtCoXkRuJbMdmKs2za2kY6eEFptyev3OE91oC4vjlVZZ4DQqnwu+GJVbIaVXBrsugKuEndeWZQg -UaJd+AvUtFXlKS7wek1G7nSTcHgX5xRGLj7VpY35orCg65B0FWPb5ghWnqlrJda2choJtfFKl/Re -4X1GKKmXb6vsX9IPF/tVhRjjLjP9ehe6RUjMB2vquRxaLx9ikvisw88dCp15AsfYNgh7FMaimDRD -0Q/Poyj1rLViQIkTgebQsFCasT1uCFBPEBTkoAje5JESzV4JBMswQ2iFZyUsRM3+DztDXZuu6C6q -GJ91IokQtVGvznK7S8z5h6QaxFoaDnz3+0S2hb/Bvpos2kz1ximkl351A2jkYlAFCFGr7Ea+HU3e -pvMKUfIf8obYjdVFbdpquxTs90Jx8o+p+EoOAOH828bamYx/cfHz+VU5rhI+oNjCyf/dTSvzl7sM -5B/Dr/0mxws+AafnAV9C7WuVOR5j0o8pnXJIcEjH/B1j4+mFh+NaPQca1wQoLbo7nwJqRgqN8b/1 -JHEln53rboY6deGUIHoUKMRPK9aziZxrbW9NwaQdD4665VcpFklRrnEe7me1gecG97fnhi4/8T+9 -ItsRuJMK8zxsv0NJ1wbKO9MjZoOKuWUta3vH4cMSDIxDaSlOEuiZ3J2noYjeoojzS46XmWE2W9Vq -Yh55TbofgxcaHNoFVStQwpaGVCJGoTTwRBDRcAbRycX20uAyVKxPC0uZ3evwb+zd6nEgrQP4KcGF -E+zqYSiBxPEhbZ9D73QY16+jXINhJsbMXItsOo4d9fPZj0pP09Ue7FChPal4ECVEZQddYz+kKUCD -A6PFKeg9qHAOWgYD7MsGfIAfYjtKIFgMKbRinN0VRna2efAJN55vYSGeV6xdb4x4yDbp1ekVswV7 -fITY/uf0cane9AtubEvsqJhJTW+/Fa3e+CJhb5SfRAY6iBXOQYr4ZEjaoxJBYJ0h3xIW6c0L4YD9 -xhaE4sJCrtBfJgnPT5HH8ETBkneBZ3PYU72oFuJUHeYCMVnkpdBDUU2WovK/awi+h0tEwsNhLQ8I -3lcCJrNmJppsIb3n6WdGbInlj2CY4FCUNgxJoZCCdw2f5Kaj4pl6SXVmPTvMdQbBrXaYTTcN7s2c -Wf02sOXtAuoEsspizx45kJWaGamXcfBqyNnWVKKejqJ6kgop/RH6QAMCm32DkHucGyNWwpvjU8xe -RdRcDxbyM4aiBbcevdaeZLemTeb/yoVc7N+3QKjl7VYESAVg1Qb+cqa0+70bT6I3oLnSOh5sgBHX -wwee8S1vGumZsypXaItbeXdO1QN0LnwwPScg5qzkMM+ef6p3CNPC8f1UsvfiVrsXRBPRp0SJ4p0J 
-dYq2e/zRw0spo+UOCxd3BX37gwqRHYUZ+bCgi/S9NMgQq78zDT6jJVVY7WvAEq4wLGyPrpNYAXJI -qHFYkvo/J/K7d2nl5fVss8pYtRBVJn6QzHgvUDVVE655CtVjWVaV0DrHjbQzOyVAGfa4zoenVHZJ -vd4D3zPsqXgWakmHRRMtd2xnzWi8cs84mIDWnXpn7HnR2asllQX4D/Idoy6tnk6OOgVUTAQuILMr -zpoppQhpegCwnkkLQcMYSLjWp6rUn7kgLGWJ3qwWGrjxBRY/yMvJjrDDS16K1JoCOw00PDl+QTrN -aIKJYHnGV/0BEyagE2ZnEovEKpzqo1m+g2zgFwffdwqJzHloqEBB2UcHnu5BglmtwopyCJS445qf -97TWetuaAgCaAR/WMqEzfQhsHS6EA+DmiF9O5WfTxQJXQwkFgf56GK8vv30cd9n05rzJwd2Ue63M -XIv5iTKGCFR6/hHoQH0fiVMKinbz7Qm/M/n5d4mBGKhmV0d7nmgM+t+HBBJ2sw9o8kohAuX+faF7 -+kufS2/ssQJriWBQV1EfHgiQdTLP3MbRJRDeD314PVX34vAgh9lxoWL2XfEgj2Eu2g6aEO2QD4vp -RqtectAxZwcgBINBrJ3IjTHFhozNjDWrxp9dxS8D8wnYcnCjteHOvcoNaLApvecrZZBmDhkUfcBm -cPST99uC6ItwZy2zF+SclJaKKKX62YGyYodN514ijspyzALq8T467DByjYbn4VT7FWBLWbgS6aj/ -4k+p7YKlFn71+oKnik5JJ9banpzjUPbHYEdtAbs/KpHknPKZse5ih8vjwj71f+niUBefCVmvTASf -Gr2XrO5jPxKPezwlRfjZPiW5jE9rNZ4gQuOtDZNg5rRirlPBSOjc02fWLXfg9VMf+dqIDOpP9eUY -Vp5U9rGArE7YOoU36Qxi/n7+z76BgkxtaHr1nkfglgzF/0XORZemsSgBvJHlPHTaA2WJW3PGMm7U -WsWTiy8VeY+NtpnJO6wr0K9SZGdz34hEkibh2gq8GTeiDz7BiXBeTEBld9hNmXYjHoMgpD4Dgl2G -tzR7JWQiTWUUnSroI6s0zYtF1cjo+ToiSfyU4C4+9YrY9Ybjk0jGQMsUrtc6hhS7g2RtxHCuv5I9 -NyraxOACejaj1oyclBBM+DzoFileIEQ8ZY9gCEDwQkgLljb8pesQhgazeuAz9JOkHXA0VFmwgKZZ -0GRBPONfFzC4eKYvV33OYckJ57ZEjXYZDQgx4JIB2Fzm98jRbul6AdrqUl41iSAdTTmcXHORYnTQ -E8JKJLYwrl1pjLiaZVx0RJ1xdwoHLZhMcJvGPqxdmWS6c8dnyDwHMQzIlQIjMHpgkt3JTB74Jtgw -vhNniO0Sy2CeGBXZwW2dZmm42IhTcnQ9m8zJQ0ocTcpwA4rfeSQjfmD1j8UkqXT6/GTrwOhgux3m -Ue0Rg0dYYCgtvcNAIEbVQO94Z4sUpSYtj6KfHbCwbWlp/DSvacQa0wSAQaxj1VTGnjop+Hqr8v9j -VSiyjQwumlUYsLSyFq8WE7BJpNmg6KM0R7IXhWLAWxRftIiRO4SJlk9fml2mnv4IpIYs/VRo70E/ -gTMtEuv6sgMPmT5kHQhSQYmfJkOEnoM25cN4FnV5x4pS7gr9vwg+iar40A9HXoPYWDItThQCMC1Z -bjQtz0dtau3W3tGLcCHQQuJOrCE3iHYJ7GFcT+hlC8tMm9Ofo7iJyAAwXQ5HypFjDVHC5OaMOnGI -6pCWEzuYEsdO7/kpJMay2WucQrJaFGnk4aW4/xE71pHMKG5hLCOuAEAMTfpfQ10RzULOQeIjIPhv -Sud830HjK8WisQg9VUx8+AjRGhRiSZ3wYySE2Im4+UCaCY/GSQcFFk37BoAdp2rZrKH8xhn5YbSw 
-1560Rv8afRtFKMUlOTxW9MsqzmNZS/e0AntaMcv+FXn5sz4a5q+XtvS7I7USSWkgVcX9wMcUOqjS -U0AWz/lW3YS77ZFWS7W1gCTVHiZnjuACQ/cpwvpypEkFxnDmDSnmYyHcKdL1bZ1oifKUu4peVEkc -dGpdoEo6/LkiQXIl0fHwux6fdc41wj+79ySwZv67aTIhCIwsnUGYYLo6IoaGYLnlbVNFqbmJT46C -/eYrCDYLsHZ6rQbE9WJo1oeQACLxl4Bcqv5Gfv/Ilwtp8fYrtDfEBIl10CYYy1Dq3R1tMv6463ZP -HCIVtjZAKoA78IRVbgoC29KN2xq4Z/ACONw6P4u72vk2xZPnQl+x/ZHO2Q92QR89Oa8sEGjx0AqL -dsFIFFFDEtYzFktR/7OLBKT0cFtJjOQMiX7s/d1L0qusAayv9ckjojBD42H3YCnKpw== - - - Sdc1Z6pxZbplV0U0ksSmjZFkZj6w5kctGPcVEqLIz4vgKt8++Xb4UEfPkS4S8w8KgnxiKhr75lz6 -hNrTZocT5oPY+vB4HQww+PxfD0ZeIMd05jx+P/8cfL/AtsdBUYkCVwPIIakZu3wzJqfD9QPoUNV9 -omSqP96nlRumpj3bfsazEwUAJIzmjItiMocGGSGcnhtOzQMsrSKjM1AxE8qvicJ+gpPvIwXYYcF3 -rUUvMITgMs0HYkixDs12HUYReHgGCgRn8cgKjey65TXExksKCKo0sDGdlPmzYnZHCujPvVtBbBWx -WhjVkz7YnDTjiXNvnuU6H7yuI78I4WR0JiwHC4p+BdW4BdDzd2nl7P7CSKqjeafDtqbvNQ3pOCqF -ZAnoQnPk21JqHPYSy5pJbGTChUiuz68b6epL/hU2SE5NmIhxDqAsCA6VF9zcA28yt2J4QNMtx6ag -dz861UWlvyfAcwqbF+frK83o/YsoOrd0Z5xV7OtYF7OIOPmsa6VmIX744+z9xj5A4ku1vLazv+cP -Ivcib/pRop3FrZRmovWfZx0VupTmJGzgeYpP4IoyHxbmcDkRniBxtgAh3moEfGNBqXwFQ13INAvJ -o7wreisg4g2SsrdWW+9UwTvEHLHIg9mgPcL78DXOVR2Sx29XJ+SKzkeKw/TjY/j/rCR2P/RMrxmE -XPFrfqnzAjqDkv4DbW8qth/QEyWd6W7RbIJMGKR1gd4tRfz/CvsJF5r+RWs8aQuNuGjir0QHb78T -Egc0Jwn1Npofb3SXXBVZOi4hVOmD/5bvjqUjwxhHBAeqVsayoBECfe6QGH4lGQulUu/V5DgUk3xM -2KvMt4nfEiSFgmKjtm1Oj0nCwXIO02LcL4oil0hiYzIj12tBZRhgg/LkCB6C8aCPoaY3RJomxOkR -hMw1GOBNXQY3xnz/vplfHGkyAz9zhwTRxCIaDAIRn2npDWhFwUgsXxEbfiT4Ez7aDXMYxswD5Z84 -xPfnVSi/DGO3Ng6Ilunwgf37lu9SNZVR3EDw2BJjSb0YQXP7swVHDnQONkOnyG/lJQFiYXg3vsSM -t9wh7iJECIlDP6xiGONwAsuEN+ASJAnuWgzeRiUBvJLIcA2LG/u9U0W+GESNJ+WyttBJtC22mc2h -hTbIPHm9dsVoIYk2wg0C9KDKFKzuQnqG6WegpcV+NaUFr9FaEqWmMBR2QjM4yf5OCp4nonEqMM5S -DCQdK8ky7t+7P32WEOHhAQ7Vn/VYcYoSJSgUlcm1Lqvz9D2mvPf3h6z3BOJMqSrPTZ82sYRinCPs -TzT/RDQ8UqRPKI6g0AvXPqkfLXItIeQ+nr+vTAFLOTl08jer59CxCn5OT7CspIQ1feRL8lBSap1Q -8hGxAkmsR0TPmRs3oz9m28CiUYozfjEgbsZCi30hxCBFx0ByMJncTQecTnGk+V1IIeZKA/o6E3TA 
-2XXYDamaN4DixkjTsD8F/aRriUVrSt0M4y7dWAkDimgPCQaQby4BxHWjqfynaCcCRsKh894D2tOZ -vXWs9nTZdJyjm99wkrfJARrhpZRbmIrqbRQ7dGcmELkj0iDKaHWeQW1HpNx3wLh12Gcnbeue1dBX -Z5ZUpw57l2Mxm07OaNAhKq2RBCwELnRBrShLokJRP8TEI30VVFxjRRF6Y4vplnQHhakAMlGPoe8O -ljcPmuDAQu8w9Iu1Ex8EaRdDVdLULHiqn1PpCOitWklgY4llq6Uhgmo+wRgG7L8ORhIWwhIUQFnm -1/zGVk6AejsajPsfTX8wkSjVxT7vruuqtKSnfQlXB9lB89M/wZk+UV43QuaCHsB5GCFP4EZ6uY19 -2gmOQTIlJ0JiDn9SEc+YB7amEqWXKSo2ilMGCn+gwgMiYnjInIUui8FY1JC1rEkLJkFMHGExSPBx -2T062BPhQZRGur0VDRDVGhoHlTmnaeoNJ3VaFOnZxPxhlJB2x6e1qOGRze+klaYgSZtf0XvVQVzk -3WDGvSTuSQKaIHjEKsWv6ryTmz90hYMGHTjdTKC+Y7+3NIVb/sRXIlGa5Nk/uPmJaj7UIrT0NPra -k/emYiDyNWMTeos9/3tqXLSeD6MR61IsFTAjggFNwJnMmhecYHeEq0UFF6ktAZA33OQ/yBD87Hkh -xyD64J5+otW1HP6weZUIrzqywX2HOCWtKxwhiI/MgJpvskrk0dfVqmOJ3f2xxXgg8c/P3dL4KMoo -dMh7c8/Ei4g891LU0K1UNazui99KJjAC5UStGH4Ukz6Ga6BfBMIDnN+g5AlxS9DhSjkKSCtv9DUW -QKxxiHqwy2alYRPQvMdALCI1pGFDRbWWDrmaekO7d+up869KpLMoCOPGY8806yKXvpkuCeYrk4Xe -36PRhXM0OdiryUBwXK8xZcEY3D7ogYnmp4SwRM+3WibjBcAvUWxweqN9DwnGPI2WcLb+yPrbweP0 -EpntIhE0OALKHIaEse3ipofix7VAWAwgi4m8MkLQQjAwp6QbtryY3YVPGyOJe42JaTNPBaaKluoF -cJs5CAcgntgEuk7pfQirfSqzsIEwU/EarWCZmmIgI7R7kcv5UQ6ofarOnKEItl3cs5jz5FywlfZQ -udbTkopZ8a3RnDorJvDzpC9IGLsRD0U5qHodOlwLHdRpsK5+H+bK6za0HR+k+xhdjAlhHR+CjjT2 -wMfasO7I+2rDkSgAHA/cXZzKGp0ltKU8/nDEiwQGVCxvmqIcD+f2q9h3SChkKKmc3dsn98SAbIy4 -e+oAlbKYgfzYQ7bnGG2zP5ByIv1kdv79CG93laCRY7ubT+HJNKzPlDbzmZBHi0aIjKkE6DbWgkIi -gBo1TFfpGzwvnS8fWcOPM6WsB+luLXGsXxVlecagEBOe+mBEld34aQZ4z2TqHHsUtsrr1umGK3vq -o1xvM6Y8QYHtAJXsoEthcQ9HlkOlvIjWJ5Nr0yARCTwqVWvsv1auA+6OmHkWXPxD/smvzGgNGCxA -UXYEwfTIJTqlQRPkXOOqMBSjQpn9igRKC3d4JNWfmFg3H6tvEQkywtoTxwgkANoKhgJUihgqlfvD -0EEbbA5QQjEGxShL+eeFUhM5iixHvlACB5Pn8seUfs3wrJMPMFhVSFvJbZh6wJ4q9pFJHehkv4vT -lr8HUOhceWukqkfdRuw2hnr5+P2zvBBqIdMKI4rsEkClwqLW7BY3yaoOqjcK9LQ8TOC4jmBVFW8K -4130Ec/UEgAMJDx8HvAIO+m7BtJhfW1XdM5IWgRMFVfZ4+A2DUE9qN1yFSd/8pzIRBl7gCZHqOcd -D5dvTDU8NSJfHWAAOmWkEyywyHQDfEtukQOjdcwiMsnYQ397K3DMUZzbzMxM6f9vtVx5mzDqD/rs 
-oP+CA0oBQwEpARQWEI+VVhAdOjoQ7TLYrBrjA1PdQDE0XeNjQXotYmSSOzgPjN6hyZmQgPCzYAA+ -YQh5C1KpTGhIDiYDAFhgq+S9XlpsrXDoFV9D4w8Ol8qMaLiQ/tVRAB3iAUPTfR+FiI5JQF9xbCoJ -yqaBhR5GLw0YT4WIUzEQAA74XgHaPQVaqspBSwRxA4zQijLhgJtupXGQoCCgEyyKFluj+pWVg6mW -6KTkS1aXVOqFwUC1PAwRkkVvAUYj81rUoha12IAJtahFGAoWegERSkXIEKEvA5YyLJ8RN7HQk0EE -K3h1ELEqnxOlA5pkJrb3MOH2Espk+wW7PQONLMiE7R0uQBXPBIUTTh4mp+6zp4jN4SWJnPwmnCDu -8s57cZzK9NBEJm/wyBgNvfNe35lo0TM29MZEQkpCuOACXYtUBTpEihQ8oK8sj4MMqMVOooK4F4/x -Jo+ToOpxkgIafbWoHldVf/lRabu86CLjPSzLV87J8g8gy1tUj5OS0PIWK1TG9qS/CGBAAdpeARW6 -lQ31ePbF4OEaYAidd1cRZcWC3b6ietxcUWg6DhPAL0AnTnjy/s+e5ERCZKJ6XMRdJm5CE5l+Uz3u -Mzb03myqx/WCC9xIEbg5yIC+bQg8JER6gEQFkSj3QCK0D+KPCFKrIa5FLXrGhlqEORBIoRYzMKGH -QQwjOABpKloDQvqJARz3i6Vsj8DBcJOhE7MU3SMjZXnOwVy5JJ4WG+Sqz9VFTlyGK8XyFqHFEQEH -xLvDyK92/br4OLwDIqmPW7tWcIesXUNCWBIeN2ppRAEkXTvuinMFBACqx5kMbFjRooAPABbotTIg -BtGkWFwkVggZw4CCdRSIhlhHOUB9G/vpgKHvk8KALBmfZr1VNpuNcdPs0jG9Pym235NS6rhnz9tv -JyZ+llqftD6+7l3l/XjCuOut0369tent6Ve613ebM82NK5ZzRur758ftVlKffr/mnLOkz8mqJ/aq -jDrbfJQtZJYHT0bz6S6VrGMrk22eKURTJuusa5bh9yzfrDNHtS6aFlGty8g9egtgD4pE1xkGnsns -gF2nugUX6JGNCHRuUz3OM5AQ+kMCipzj9eeaRJhqdw+eFiX1up74gNnrh9ph6vbhgNmLQCS1a+4i -YvlHWD0OsoKlWiGsHidHpVSXLhYTLXatPBxCIXH8I8VpaWqjq9YV6wg0ZB5GLSgR08UhoKJTOR2w -LJhQxcepHAAwQyVLY14wNCb1fGN2odRDhjYbjc/AgmSiIAMoBtKDPhupkzH6DGsUEcO5aJqmxZSq -5FKAQQCWpV4YMVjqpcpSqpIrFStlqQQlmCq+UqwCpVdFJJI5WXrf/au8NP+kTZ3mWjPFt9u2XxtZ -1PtaWSnG2XZfp3h+fvm07f1qvTqNrIydxg/jOS3GP2WmOD+uM/9LjCu+Nkv78YQzpX6pZ/vT86WS -euS+X1o7srL8jWnjt9VvlZZ6+7Wy/9psb1btnf/1pdOn895Zsc/vxvjKG1lNa/wkzTLta2dmL812 -9pTZPzduKudXa/HENU/v27W69J7ZZvm2b2fP+N5JP+fIyuj1p57b1pmvzS1n/DKbrzf+Obt9tt/+ -nJs6ttjbccVTZo8nOqvFb2/t/4J+qBJklLQMzcgIQAAIKAACCQKEojiMozjERAhSwT0SQNBZDgQ5 -DGSIMwgBAggAEIhAAAAgAAAwciUAyBHvySPUjy7WRcR4Iwi5AlCNPZAJxXE9a4nCeNU7ilHqdDM6 -T1qV4E8hAXUt9uxBbA5c43cophVraa1iLrGYUDMVwufuNOMLuzOi92NzY0QrM+NnQcZEFwJI+D0I -gQ784p9iDs5loGm1a3d07PwcsKNqas9jDCWUxIP6RLxLFPaJeofDjiPsELvfvYJDakiMyrMRN5WP 
-4ioTbZdOYV8lSzCUd1VBrkl6oObMGu7DRaBIofClR9g2Vxd/k/TQEtWLLlyYW54hgZD24oTT6/Ur -ANLZ6lGUDubE5jHnapvSScu14Jg3wCcoePMYdDG54mj0T2dpOhk5qL+CHYsBFweghAgCMI0FbvyY -T8ozKOkw0in6oqrplaGM6Mf5yEyHlhm0RKJigiHpDI2U2mB7iN+fmhOnol4krHpEmQ== - - - M2jmo1/8YZAxAhmN3fJwcBUjq57tsRqCSpAVurSOIF65EluPj62AuVfYBz4NEktU37VwwSv4ngpz -6MTcATYNwlaMCUoXJHqDO1nMS2GEvvrTWx2GIcuvpMW0q7tmoPMP4NsPRsiGPA7+u3OB4ayrZODI -8o7EO7GqzEjUgIe15wh5R8PQeFcDWQBzeKE/D/fF8WIp8QMT/KbYAMI6lTIRbv7ic2kQZHGewfLp -q2gqykj/h5GiwDEcxagZUAxQoH1t0gQQi4KPrPaLBlKwzZUnf6RLvPqE0gc+Ope0CiByzmW3HeUK -ughKCmQrkDRlF6P8+ll8K4lmCgUXDNRTn4D8fzmfMJ4qBZE1tZTkF0kSnedAgM7ePvvhiJFN0djN -N6f8iSnRrcPEp5alAmIrFWTJXxJsrepXRP4QLSu3mmAIZE3nLrT1xPCgZtNlVNu2S61uXoIUKlhN -iKuwuNcv+qVpU9YTiL/fsKZ3VTfShNn8nHFEJPoRr3YjJMYkkxSm/TC6ZLvxm9OCa0dxTZGCcWcN -fJHnaF+l3NxmW+sZJBbHLYTh9/m4OtrXcMRoe6A1/jOSkcNmGSzxpBkN/eaDqSR1M/UlCSiAZPgW -+dwJCdDzsMBU4eBNFlEcDODjEJZU8e49XTs9G4VYLehxp9xD4RPHsN5mwqaUaq4/9Vrgpn1BCSRj -0GP3rJVKlWysNKvDAT5uJJQJHMUieYWGBE48CQhEDv9Ii12rS6VzKBJs1EBQQvrmt6OjdLk/MhDz -nX3PlV2FCBE1AVXLmZktUXqn4qAXEOOVopebec8uOSQpVqUmRIwDkDXHmPIS+Aah3RztaB5jUoLu -fVZoc9QQOTBVHe04QzuRx2Jk40hMvwnHHve0O65w8msopkvZcVuPG4AEVL7jJd22yFf+XeH2YUiA -azteHJVB0YsKYSO2eLnjPG6kado6HCABV+54yRKpU2N3O85Bnf7AWGjpAivOaGfH3QhoVer1+LYA -0Bd6xprsuKfHdcgavdvxb1ePm/njJHcc1x1IU4L08JyYeLPjI0xJyqyPHXcjVlN5VgLcoXqcICNV -oO44FVIO+aOF7LitxxXoJlSkU49/f8dnBNEZLEp/Iu94NEAfApF0tTve7gKmfOPOKTve6fGwaxy3 -44JztziN8TeLiM6MaBWBO16d4USPB2769o4LmfbrcQPBWGzHDfRb1OMq6BHpjtswNpxGft1qIdCO -K3v8yJOD0NDjNmTHvT2un/rLjtd7PHAen3XHOTWQ2+NEZ2ZSdrwlubTUT/MD7riJ6Q84TK/17h1v -LhsDOJHRFHvqjTGAICNKPc5pjKH2OKyunl34/mMMcMjo9DhPjSFjDHPI8OhxK0J2ljteOcTyDt30 -bYxhCxmSHjeRcjXGAIKMSI9zCEHFO25K2ZryMIeUFQ+FR2lHrLmb6Z0RFnUL9tWQtCrWQ7UQhEW+ -DKsVWZ8TlPeL1BKfocaQhTYoEXXu7f/5R82Fe+mPIhQhlu8+7KMFKYnBoSSwrljGTS7GhWXa7rSH -suQQSchVZbz4yjCUDMU8ObVbcRiDJYw3pHZICGaHHPBm+eZvVrrqLnmdh6oaM7QSXhkTwZx2pWl4 -pfWVXjNpqzMFr9xvRvDK55OCV2p2ZcKrg6tqpVxQoL54k9o+Xs2aiSWH4NXNrmgPr6oHJtWuyIFX 
-bDrGff4iu7JxvHqWvtiV+fHqL8aMXQE1Gelw7+4BVTLw7C6tqIRx31VRexWzE2cxlzEP8/l7Bfyt -/l+8BTQWSQCndE5VuZXBa2LphDto9JbiqPs22d/4SQ8L+zFZ3Z9+wMrUaJT0ZJIiFvgdx8df+UmI -+QeEl+B94G5eWIkwJiGcOokrAsMigWBDzGBhl9bPN8MEQHUiYJEwma7C/kOYEoSAtlQZJOVAZwGk -ysG8YVzK+TyYwYicqrI/8g0= - - - diff --git a/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json deleted file mode 100755 index fe1d2df1a2..0000000000 --- a/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json +++ /dev/null 
@@ -1,122 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the Anomali integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n**[Anomali Files (This Page)](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020)** \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about 
indicators of type **file** ingested from the Anomali integration, showing statistics and general information about all relevant indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":33,\"i\":\"1bd7687a-adf0-44f3-8901-c6b12861d90d\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"1bd7687a-adf0-44f3-8901-c6b12861d90d\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-87bddc0a-425f-4285-8f79-be027a93a959\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"87bddc0a-425f-4285-8f79-be027a93a959\":{\"columnOrder\":[\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\"],\"columns\":{\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"Active\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\",\"layerId\":\"87bddc0a-425f-4285-8f79-be027a93a959\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6d74f2e2-daf7-4179-9f87-0543253de626\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"6d74f2e2-daf7-4179-9f87-0543253de626\",\"title\":\"Active Files [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\":{\"columnOrder\":[\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\"],\"columns\":{\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: * and not anomali.threatstream.state: \\\"active\\\"\"},\"isBucketed\":false,\"label\":\"Inactive\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\",\"layerId\":\"f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e20ccd15-7449-492d-be61-a474d10cfabb\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e20ccd15-7449-492d-be61-a474d10cfabb\",\"title\":\"Inactive Files [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b287f02e-afeb-44ac-86c3-d1e3146c9f20\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b287f02e-afeb-44ac-86c3-d1e3146c9f20\":{\"columnOrder\":[\"35782be6-2bf2-4270-a8d7-4398103dac80\"],\"columns\":{\"35782be6-2bf2-4270-a8d7-4398103dac80\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"35782be6-2bf2-4270-a8d7-4398103dac80\",\"layerId\":\"b287f02e-afeb-44ac-86c3-d1e3146c9f20\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"bc2edce5-01f9-4e47-9b52-1a1dad6958c0\",\"w\":7,\"x\":19,\"y\":0},\"panelIndex\":\"bc2edce5-01f9-4e47-9b52-1a1dad6958c0\",\"title\":\"Unique SHA256 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-fcf982ec-ba1f-473d-b92a-691b1cdadf7b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fcf982ec-ba1f-473d-b92a-691b1cdadf7b\":{\"columnOrder\":[\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\"],\"columns\":{\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
SHA512\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha512\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\",\"layerId\":\"fcf982ec-ba1f-473d-b92a-691b1cdadf7b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"07ba9d35-2423-4793-9eed-997e86d1d1ac\",\"w\":7,\"x\":26,\"y\":0},\"panelIndex\":\"07ba9d35-2423-4793-9eed-997e86d1d1ac\",\"title\":\"Unique SHA512 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e11a6974-ae88-479e-9fca-8615b7f454da\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e11a6974-ae88-479e-9fca-8615b7f454da\":{\"columnOrder\":[\"3475c1c7-964f-44a2-a554-d7ff067446e9\"],\"columns\":{\"3475c1c7-964f-44a2-a554-d7ff067446e9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"3475c1c7-964f-44a2-a554-d7ff067446e9\",\"layerId\":\"e11a6974-ae88-479e-9fca-8615b7f454da\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c3e37351-081e-4e18-b134-2e51bae9b53a\",\"w\":7,\"x\":33,\"y\":0},\"panelIndex\":\"c3e37351-081e-4e18-b134-2e51bae9b53a\",\"title\":\"Unique MD5 [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-be91741d-d94d-404f-9549-a0b96c92d2d0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"be91741d-d94d-404f-9549-a0b96c92d2d0\":{\"columnOrder\":[\"074c9303-a56e-4db0-bddb-461819a9504c\"],\"columns\":{\"074c9303-a56e-4db0-bddb-461819a9504c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"074c9303-a56e-4db0-bddb-461819a9504c\",\"layerId\":\"be91741d-d94d-404f-9549-a0b96c92d2d0\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"848432ac-28c9-4b18-b504-ac2cdbaa20c9\",\"w\":7,\"x\":40,\"y\":0},\"panelIndex\":\"848432ac-28c9-4b18-b504-ac2cdbaa20c9\",\"title\":\"Unique SHA1 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"08036a92-d500-4966-98ca-feff7f9ecb36\":{\"columnOrder\":[\"99f24050-c517-46ff-85b1-f3ceea4c9e15\",\"67920793-58db-49b6-aca9-273945fffbce\"],\"columns\":{\"67920793-58db-49b6-aca9-273945fffbce\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"99f24050-c517-46ff-85b1-f3ceea4c9e15\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.confidence\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"67920793-58db-49b6-aca9-273945fffbce\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.confidence\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"99f24050-c517-46ff-85b1-f3ceea4c9e15\"],\"layerId\":\"08036a92-d500-4966-98ca-feff7f9ecb36\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"67920793-58db-49b6-aca9-273945fffbce\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":25,\"i\":\"664c2738-9f69-401c-af55-42f50aabb9c5\",\"w\":16,\"x\":7,\"y\":8},\"panelIndex\":\"664c2738-9f69-401c-af55-42f50aabb9c5\",\"title\":\"Confidence Levels [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0e4aff17-8462-40ed-a84b-8de853628b96\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-014a03d0-3a35-4aad-bd2d-d8380365070b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"014a03d0-3a35-4aad-bd2d-d8380365070b\":{\"columnOrder\":[\"5e92fb09-af89-494a-b0a1-736b4cebc269\",\"5731c84c-3f1e-410a-8638-212b04df7d78\"],\"columns\":{\"5731c84c-3f1e-410a-8638-212b04df7d78\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Last Seen\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.last_seen\"},\"5e92fb09-af89-494a-b0a1-736b4cebc269\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}},\"0e4aff17-8462-40ed-a84b-8de853628b96\":{\"columnOrder\":[\"4ff561b6-7ec6-433e-8023-572ef88eab9d\",\"2d0d9d07-5f5d-42a0-97ba-03899f504862\"],\"columns\":{\"2d0d9d07-5f5d-42a0-97ba-03899f504862\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"First 
Seen\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.first_seen\"},\"4ff561b6-7ec6-433e-8023-572ef88eab9d\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2d0d9d07-5f5d-42a0-97ba-03899f504862\"],\"layerId\":\"0e4aff17-8462-40ed-a84b-8de853628b96\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4ff561b6-7ec6-433e-8023-572ef88eab9d\"},{\"accessors\":[\"5731c84c-3f1e-410a-8638-212b04df7d78\"],\"layerId\":\"014a03d0-3a35-4aad-bd2d-d8380365070b\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"5e92fb09-af89-494a-b0a1-736b4cebc269\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":25,\"i\":\"c9a937ea-517a-40b0-aba5-75d2611ae760\",\"w\":24,\"x\":23,\"y\":8},\"panelIndex\":\"c9a937ea-517a-40b0-aba5-75d2611ae760\",\"title\":\"Indicators First and Last Seen [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Anomali] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d74f2e2-daf7-4179-9f87-0543253de626:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d74f2e2-daf7-4179-9f87-0543253de626:indexpattern-datasource-layer-87bddc0a-425f-4285-8f79-be027a93a959", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e20ccd15-7449-492d-be61-a474d10cfabb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e20ccd15-7449-492d-be61-a474d10cfabb:indexpattern-datasource-layer-f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bc2edce5-01f9-4e47-9b52-1a1dad6958c0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bc2edce5-01f9-4e47-9b52-1a1dad6958c0:indexpattern-datasource-layer-b287f02e-afeb-44ac-86c3-d1e3146c9f20", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07ba9d35-2423-4793-9eed-997e86d1d1ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07ba9d35-2423-4793-9eed-997e86d1d1ac:indexpattern-datasource-layer-fcf982ec-ba1f-473d-b92a-691b1cdadf7b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c3e37351-081e-4e18-b134-2e51bae9b53a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c3e37351-081e-4e18-b134-2e51bae9b53a:indexpattern-datasource-layer-e11a6974-ae88-479e-9fca-8615b7f454da", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "848432ac-28c9-4b18-b504-ac2cdbaa20c9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "848432ac-28c9-4b18-b504-ac2cdbaa20c9:indexpattern-datasource-layer-be91741d-d94d-404f-9549-a0b96c92d2d0", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "664c2738-9f69-401c-af55-42f50aabb9c5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "664c2738-9f69-401c-af55-42f50aabb9c5:indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-layer-0e4aff17-8462-40ed-a84b-8de853628b96", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-layer-014a03d0-3a35-4aad-bd2d-d8380365070b", - "type": "index-pattern" - }, - { - "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json deleted file mode 100755 index b16bc08354..0000000000 --- a/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the Anomali integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n**[Anomali URLs (This Page)](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020)** \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about 
indicators of type **URL** ingested from the Anomali integration, showing statistics and general information about all relevant indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":37,\"i\":\"b7e43e7b-9f77-4c99-a68c-a2e0588a1746\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"b7e43e7b-9f77-4c99-a68c-a2e0588a1746\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c5d7e866-9673-4d61-8420-73f253f3708b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c5d7e866-9673-4d61-8420-73f253f3708b\":{\"columnOrder\":[\"e4aa603a-7867-4b27-b806-99152d2fef81\"],\"columns\":{\"e4aa603a-7867-4b27-b806-99152d2fef81\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4aa603a-7867-4b27-b806-99152d2fef81\",\"layerId\":\"c5d7e866-9673-4d61-8420-73f253f3708b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"88ee89f5-502e-44aa-93ef-fc1af8684fe0\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"88ee89f5-502e-44aa-93ef-fc1af8684fe0\",\"title\":\"Unique Domains [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cc619527-1f00-4919-a5a3-512d90ac0452\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cc619527-1f00-4919-a5a3-512d90ac0452\":{\"columnOrder\":[\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\"],\"columns\":{\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"URL's Active\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\",\"layerId\":\"cc619527-1f00-4919-a5a3-512d90ac0452\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e928abaa-186a-4917-bc20-a749527acb18\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e928abaa-186a-4917-bc20-a749527acb18\",\"title\":\"URLs Active [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a37deb72-83d2-485b-8b8c-a3351feba020\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a37deb72-83d2-485b-8b8c-a3351feba020\":{\"columnOrder\":[\"02535cee-7d24-463b-963b-90c38a8269d8\"],\"columns\":{\"02535cee-7d24-463b-963b-90c38a8269d8\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: * and not anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"URL's Inactive\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"02535cee-7d24-463b-963b-90c38a8269d8\",\"layerId\":\"a37deb72-83d2-485b-8b8c-a3351feba020\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"a8d31131-9e82-46c9-99e4-c9f9c050ee9c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"a8d31131-9e82-46c9-99e4-c9f9c050ee9c\",\"title\":\"URLs Inactive [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\":{\"columnOrder\":[\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\"],\"columns\":{\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Providers\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\",\"layerId\":\"66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"49b4bbf6-4445-495e-aa36-35ff50877eae\",\"w\":6,\"x\":25,\"y\":0},\"panelIndex\":\"49b4bbf6-4445-495e-aa36-35ff50877eae\",\"title\":\"Provider Count [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f119e9a6-4546-4496-8a01-4476e87cf3bc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f119e9a6-4546-4496-8a01-4476e87cf3bc\":{\"columnOrder\":[\"eb218bc5-0828-4ca9-90c8-05de914ecec6\",\"066e1f1c-655e-495e-8cf2-37bf61f81fba\"],\"columns\":{\"066e1f1c-655e-495e-8cf2-37bf61f81fba\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"eb218bc5-0828-4ca9-90c8-05de914ecec6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"066e1f1c-655e-495e-8cf2-37bf61f81fba\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"eb218bc5-0828-4ca9-90c8-05de914ecec6\"],\"layerId\":\"f119e9a6-4546-4496-8a01-4476e87cf3bc\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"066e1f1c-655e-495e-8cf2-37bf61f81fba\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":23,\"i\":\"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f\",\"title\":\"Top Countries [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3c97e09-a95d-4baa-8552-2b0c252d995c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3c97e09-a95d-4baa-8552-2b0c252d995c\":{\"columnOrder\":[\"cfb90886-11d3-471e-97be-01378e9d5105\",\"2486505b-3319-4955-9bd6-d035d9631f7d\"],\"columns\":{\"2486505b-3319-4955-9bd6-d035d9631f7d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cfb90886-11d3-471e-97be-01378e9d5105\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2486505b-3319-4955-9bd6-d035d9631f7d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"cfb90886-11d3-471e-97be-01378e9d5105\",\"isTransposed\":false},{\"columnId\":\"2486505b-3319-4955-9bd6-d035d9631f7d\",\"isTransposed\":false}],\"layerId\":\"a3c97e09-a95d-4baa-8552-2b0c252d995c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":29,\"i\":\"a3f75519-9e37-4548-b60c-e340d1c5f8f7\",\"w\":24,\"x\":7,\"y\":8},\"panelIndex\":\"a3f75519-9e37-4548-b60c-e340d1c5f8f7\",\"title\":\"Most Popular Domains [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\":{\"columnOrder\":[\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\",\"a527fe96-066a-448e-91c8-348993d78b91\"],\"columns\":{\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a527fe96-066a-448e-91c8-348993d78b91\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"},\"a527fe96-066a-448e-91c8-348993d78b91\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\"],\"layerId\":\"4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"a527fe96-066a-448e-91c8-348993d78b91\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"92c66617-cd3f-4a06-8534-52fe3c968559\",\"w\":17,\"x\":31,\"y\":23},\"panelIndex\":\"92c66617-cd3f-4a06-8534-52fe3c968559\",\"title\":\"URL Schemes [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Logs Anomali] URL", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "88ee89f5-502e-44aa-93ef-fc1af8684fe0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "88ee89f5-502e-44aa-93ef-fc1af8684fe0:indexpattern-datasource-layer-c5d7e866-9673-4d61-8420-73f253f3708b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e928abaa-186a-4917-bc20-a749527acb18:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e928abaa-186a-4917-bc20-a749527acb18:indexpattern-datasource-layer-cc619527-1f00-4919-a5a3-512d90ac0452", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8d31131-9e82-46c9-99e4-c9f9c050ee9c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8d31131-9e82-46c9-99e4-c9f9c050ee9c:indexpattern-datasource-layer-a37deb72-83d2-485b-8b8c-a3351feba020", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "49b4bbf6-4445-495e-aa36-35ff50877eae:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "49b4bbf6-4445-495e-aa36-35ff50877eae:indexpattern-datasource-layer-66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f:indexpattern-datasource-layer-f119e9a6-4546-4496-8a01-4476e87cf3bc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3f75519-9e37-4548-b60c-e340d1c5f8f7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3f75519-9e37-4548-b60c-e340d1c5f8f7:indexpattern-datasource-layer-a3c97e09-a95d-4baa-8552-2b0c252d995c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "92c66617-cd3f-4a06-8534-52fe3c968559:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "92c66617-cd3f-4a06-8534-52fe3c968559:indexpattern-datasource-layer-4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564", - "type": "index-pattern" - }, - { - "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json deleted file mode 100755 index 660c2e9511..0000000000 --- a/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about other types of indicators from the Anomali integration like email and IP", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":true,\"params\":[\"url\",\"file\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"threat.indicator.type\":\"url\"}},{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n**[Anomali Other Indicators (This 
Page)](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)**\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about all other indicators except file and URL ingested from the Anomali integration, showing statistics and general information about all relevant indicators. This includes email, IP and domain type indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":43,\"i\":\"7c3b21d7-cfe8-41c2-89c8-bdb5a78fe47a\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"7c3b21d7-cfe8-41c2-89c8-bdb5a78fe47a\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dfdae375-629d-49ad-b37a-66d77c3f38b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dfdae375-629d-49ad-b37a-66d77c3f38b7\":{\"columnOrder\":[\"a160b4d5-ef36-4886-844b-159030642324\"],\"columns\":{\"a160b4d5-ef36-4886-844b-159030642324\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique IP's\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"a160b4d5-ef36-4886-844b-159030642324\",\"layerId\":\"dfdae375-629d-49ad-b37a-66d77c3f38b7\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"4cd050c7-caea-4c60-a581-955f0f5f9c49\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"4cd050c7-caea-4c60-a581-955f0f5f9c49\",\"title\":\"Unique IPs [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ae2be882-73dd-463a-9a1d-1660c611d292\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ae2be882-73dd-463a-9a1d-1660c611d292\":{\"columnOrder\":[\"5773f11c-f2d6-4467-81c2-1be0325c7ace\"],\"columns\":{\"5773f11c-f2d6-4467-81c2-1be0325c7ace\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Emails\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"5773f11c-f2d6-4467-81c2-1be0325c7ace\",\"layerId\":\"ae2be882-73dd-463a-9a1d-1660c611d292\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"f3d04a3a-0bfa-4460-af54-08fea317756c\",\"w\":7,\"x\":13,\"y\":0},\"panelIndex\":\"f3d04a3a-0bfa-4460-af54-08fea317756c\",\"title\":\"Unique Emails [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\":{\"columnOrder\":[\"a2682d1f-8a12-4033-8444-185f7bce5d97\"],\"columns\":{\"a2682d1f-8a12-4033-8444-185f7bce5d97\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"a2682d1f-8a12-4033-8444-185f7bce5d97\",\"layerId\":\"7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"054ec96d-8e77-425c-9d79-adbfd3f7e28b\",\"w\":7,\"x\":20,\"y\":0},\"panelIndex\":\"054ec96d-8e77-425c-9d79-adbfd3f7e28b\",\"title\":\"Unique Domains [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f5c8665b-d765-481a-8006-206fa0718a58\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f5c8665b-d765-481a-8006-206fa0718a58\":{\"columnOrder\":[\"2ef98406-f729-4988-b927-615a2071b945\",\"f3d622d5-c221-49b4-bf80-33543307c23d\"],\"columns\":{\"2ef98406-f729-4988-b927-615a2071b945\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.marking.tlp\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f3d622d5-c221-49b4-bf80-33543307c23d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.marking.tlp\"},\"f3d622d5-c221-49b4-bf80-33543307c23d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"TLP 
Tags\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"2ef98406-f729-4988-b927-615a2071b945\"],\"layerId\":\"f5c8665b-d765-481a-8006-206fa0718a58\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"f3d622d5-c221-49b4-bf80-33543307c23d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":28,\"i\":\"ef8f1c25-a119-45e8-84d1-0968bb60a9b6\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"ef8f1c25-a119-45e8-84d1-0968bb60a9b6\",\"title\":\"TLP Categorization [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df7a4f5f-e882-4b90-adca-edf9d34f5acb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df7a4f5f-e882-4b90-adca-edf9d34f5acb\":{\"columnOrder\":[\"b69cdc62-7d44-4073-a64b-b09d6da41622\",\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\"],\"columns\":{\"b69cdc62-7d44-4073-a64b-b09d6da41622\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"},\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceF
ield\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b69cdc62-7d44-4073-a64b-b09d6da41622\",\"isTransposed\":false},{\"columnId\":\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\",\"isTransposed\":false}],\"layerId\":\"df7a4f5f-e882-4b90-adca-edf9d34f5acb\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":21,\"i\":\"80ea5d9f-04de-4c10-a120-32318c3088c1\",\"w\":20,\"x\":7,\"y\":7},\"panelIndex\":\"80ea5d9f-04de-4c10-a120-32318c3088c1\",\"title\":\"Most Popular Domains [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3209cf18-1f83-44fd-aff3-336fb07d35b1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3209cf18-1f83-44fd-aff3-336fb07d35b1\":{\"columnOrder\":[\"a90ded97-4816-4a10-a653-51bad5dee996\",\"26f57b1d-7680-4439-9a32-ee0c5c441c37\"],\"columns\":{\"26f57b1d-7680-4439-9a32-ee0c5c441c37\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"a90ded97-4816-4a10-a653-51bad5dee996\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"IP 
Addresses\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"26f57b1d-7680-4439-9a32-ee0c5c441c37\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"a90ded97-4816-4a10-a653-51bad5dee996\",\"isTransposed\":false},{\"columnId\":\"26f57b1d-7680-4439-9a32-ee0c5c441c37\",\"isTransposed\":false}],\"layerId\":\"3209cf18-1f83-44fd-aff3-336fb07d35b1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6840366-ab4f-4029-8e25-c887353b566f\",\"w\":20,\"x\":7,\"y\":28},\"panelIndex\":\"d6840366-ab4f-4029-8e25-c887353b566f\",\"title\":\"Most Popular IPs [Logs Anomali\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-75accf45-7e81-45d7-b901-f488f7634041\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"75accf45-7e81-45d7-b901-f488f7634041\":{\"columnOrder\":[\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\",\"abff64f2-5712-4582-aaf8-79f1b9d9d421\"],\"columns\":{\"abff64f2-5712-4582-aaf8-79f1b9d9d421\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Email 
Addresses\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"abff64f2-5712-4582-aaf8-79f1b9d9d421\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\",\"isTransposed\":false},{\"columnId\":\"abff64f2-5712-4582-aaf8-79f1b9d9d421\",\"isTransposed\":false}],\"layerId\":\"75accf45-7e81-45d7-b901-f488f7634041\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6811183d-2ca1-4f18-8dc7-225ff757f9bf\",\"w\":21,\"x\":27,\"y\":28},\"panelIndex\":\"6811183d-2ca1-4f18-8dc7-225ff757f9bf\",\"title\":\"Unique Email Addresses [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Anomali] Other Indicators", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4cd050c7-caea-4c60-a581-955f0f5f9c49:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4cd050c7-caea-4c60-a581-955f0f5f9c49:indexpattern-datasource-layer-dfdae375-629d-49ad-b37a-66d77c3f38b7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f3d04a3a-0bfa-4460-af54-08fea317756c:indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "f3d04a3a-0bfa-4460-af54-08fea317756c:indexpattern-datasource-layer-ae2be882-73dd-463a-9a1d-1660c611d292", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "054ec96d-8e77-425c-9d79-adbfd3f7e28b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "054ec96d-8e77-425c-9d79-adbfd3f7e28b:indexpattern-datasource-layer-7e5894b7-2ce6-439b-81b7-18cd6acdc0dd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ef8f1c25-a119-45e8-84d1-0968bb60a9b6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ef8f1c25-a119-45e8-84d1-0968bb60a9b6:indexpattern-datasource-layer-f5c8665b-d765-481a-8006-206fa0718a58", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "80ea5d9f-04de-4c10-a120-32318c3088c1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "80ea5d9f-04de-4c10-a120-32318c3088c1:indexpattern-datasource-layer-df7a4f5f-e882-4b90-adca-edf9d34f5acb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6840366-ab4f-4029-8e25-c887353b566f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6840366-ab4f-4029-8e25-c887353b566f:indexpattern-datasource-layer-3209cf18-1f83-44fd-aff3-336fb07d35b1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6811183d-2ca1-4f18-8dc7-225ff757f9bf:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6811183d-2ca1-4f18-8dc7-225ff757f9bf:indexpattern-datasource-layer-75accf45-7e81-45d7-b901-f488f7634041", - "type": "index-pattern" - }, - { - "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json b/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json deleted file mode 100755 index 71442c0ccd..0000000000 --- a/packages/ti_anomali/1.3.3/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the Anomali integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[Anomali Overview (This Page)](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf)** \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the 
Anomali integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Anomali. \\n\\nIt shows how many parts has been enabled (Limo and ThreatStream), the ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from Anomali.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":38,\"i\":\"12dc83c2-c8cf-4583-88b5-48761c63a1f7\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"12dc83c2-c8cf-4583-88b5-48761c63a1f7\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1636972155400\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_0_index_pattern\",\"label\":\"Feed Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1636972320770\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1636972345166\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_2_index_pattern\",\"label\":\"Indicator 
Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":true},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"d0d28809-695c-4190-9b91-b62c60dff1fe\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"d0d28809-695c-4190-9b91-b62c60dff1fe\",\"title\":\"Feed and Indicator Selector [Logs Anomali]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c28e58ec-5377-460f-9d19-81c5b0655d84\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c28e58ec-5377-460f-9d19-81c5b0655d84\":{\"columnOrder\":[\"747a0b3c-a82b-4c1f-823e-3337619e6117\"],\"columns\":{\"747a0b3c-a82b-4c1f-823e-3337619e6117\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"747a0b3c-a82b-4c1f-823e-3337619e6117\",\"layerId\":\"c28e58ec-5377-460f-9d19-81c5b0655d84\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"444bedab-0363-4e0c-81e3-d8e370ae3aec\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"444bedab-0363-4e0c-81e3-d8e370ae3aec\",\"title\":\"Total Datastreams [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-78c9288e-227b-4cff-979b-d89a75ece8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"78c9288e-227b-4cff-979b-d89a75ece8e7\":{\"columnOrder\":[\"ec9f1c6f-2142-4695-af89-30d613260474\",\"a8876e88-a694-49b6-8117-6a949ecc994a\"],\"columns\":{\"a8876e88-a694-49b6-8117-6a949ecc994a\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"ec9f1c6f-2142-4695-af89-30d613260474\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a8876e88-a694-49b6-8117-6a949ecc994a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"a8876e88-a694-49b6-8117-6a949ecc994a\"],\"layerId\":\"78c9288e-227b-4cff-979b-d89a75ece8e7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"ec9f1c6f-2142-4695-af89-30d613260474\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"5809310f-2beb-446c-8b5d-c84f44c041b3\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"5809310f-2beb-446c-8b5d-c84f44c041b3\",\"title\":\"Total Indicators per Provider [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7fdc4f94-7863-4914-b99d-982d353a54ba\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7fdc4f94-7863-4914-b99d-982d353a54ba\":{\"columnOrder\":[\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\",\"0116942e-4077-43f5-9dc8-297c469d18d3\"],\"columns\":{\"0116942e-4077-43f5-9dc8-297c469d18d3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0116942e-4077-43f5-9dc8-297c469d18d3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\"],\"layerId\":\"7fdc4f94-7863-4914-b99d-982d353a54ba\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"0116942e-4077-43f5-9dc8-297c469d18d3\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"2c98de99-50a0-4a21-86f5-005f80dab887\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"2c98de99-50a0-4a21-86f5-005f80dab887\",\"title\":\"Total Indicators per Datastream [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a531c764-6567-4a71-8bf7-c30e0f146526\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a531c764-6567-4a71-8bf7-c30e0f146526\":{\"columnOrder\":[\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\"],\"columns\":{\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\",\"layerId\":\"a531c764-6567-4a71-8bf7-c30e0f146526\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89\",\"title\":\"Total Indicators [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8304fb06-3af2-4279-9b88-b3f18324c042\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8304fb06-3af2-4279-9b88-b3f18324c042\":{\"columnOrder\":[\"645fb806-bad6-4c07-b65c-1e5eb559cc06\",\"b9f443d8-7811-4d09-9339-135a3a850ca3\",\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\"],\"columns\":{\"645fb806-bad6-4c07-b65c-1e5eb559cc06\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b9f443d8-7811-4d09-9339-135a3a850ca3\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\"],\"layerId\":\"8304fb06-3af2-4279-9b88-b3f18324c042\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"645fb806-bad6-4c07-b65c-1e5eb559cc06\",\"xAccessor\":\"b9f443d8-7811-4d09-9339-135a3a850ca3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aea6ddeb-b045-4372-bfe4-5eb52cd394db\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aea6ddeb-b045-4372-bfe4-5eb52cd394db\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Anomali] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_0_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*",
- "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_1_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_2_index_pattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "444bedab-0363-4e0c-81e3-d8e370ae3aec:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "444bedab-0363-4e0c-81e3-d8e370ae3aec:indexpattern-datasource-layer-c28e58ec-5377-460f-9d19-81c5b0655d84",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5809310f-2beb-446c-8b5d-c84f44c041b3:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5809310f-2beb-446c-8b5d-c84f44c041b3:indexpattern-datasource-layer-78c9288e-227b-4cff-979b-d89a75ece8e7",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "2c98de99-50a0-4a21-86f5-005f80dab887:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "2c98de99-50a0-4a21-86f5-005f80dab887:indexpattern-datasource-layer-7fdc4f94-7863-4914-b99d-982d353a54ba",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89:indexpattern-datasource-layer-a531c764-6567-4a71-8bf7-c30e0f146526",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "aea6ddeb-b045-4372-bfe4-5eb52cd394db:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "aea6ddeb-b045-4372-bfe4-5eb52cd394db:indexpattern-datasource-layer-8304fb06-3af2-4279-9b88-b3f18324c042",
- "type": "index-pattern"
- },
- {
- "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf",
- "name":
"tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.3.3/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json b/packages/ti_anomali/1.3.3/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json
deleted file mode 100755
index 89444d8b1a..0000000000
--- a/packages/ti_anomali/1.3.3/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "attributes": {
- "color": "#6092C0",
- "description": "",
- "name": "Anomali"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag"
-}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.3.3/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_anomali/1.3.3/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json
deleted file mode 100755
index ef4b8a7fd0..0000000000
--- a/packages/ti_anomali/1.3.3/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "attributes": {
- "color": "#6092C0",
- "description": "",
- "name": "Threat Intelligence"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag"
-}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.3.3/manifest.yml b/packages/ti_anomali/1.3.3/manifest.yml
deleted file mode 100755
index 19b7a6e02b..0000000000
--- a/packages/ti_anomali/1.3.3/manifest.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: ti_anomali
-title: Anomali
-version: 1.3.3
-release: ga
-description: Ingest threat intelligence indicators from Anomali with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: ^8.0.0
-icons:
- - src: /img/anomali.svg
- title: Anomali
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: ti_anomali
- title: Anomali
- description: Ingest threat intelligence indicators from Anomali with Elastic Agent.
- inputs:
- - type: httpjson
- title: "Ingest threat intelligence indicators from the Anomali Limo API."
- description: "Ingest threat intelligence indicators from the Anomali Limo API."
- - type: http_endpoint
- title: "Ingest threat intelligence indicators from Anomali Threatstream."
- description: "Ingest threat intelligence indicators from Anomali Threatstream."
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/ti_misp/1.4.1/changelog.yml b/packages/ti_misp/1.4.1/changelog.yml
deleted file mode 100755
index 5af3b27dcf..0000000000
--- a/packages/ti_misp/1.4.1/changelog.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-# newer versions go on top
-- version: "1.4.1"
- changes:
- - description: update readme to include link to MISP documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3168
-- version: "1.4.0"
- changes:
- - description: Fix pagination looping forever
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3446
-- version: "1.3.1"
- changes:
- - description: Update package descriptions
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3398
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2781
-- version: "1.2.2"
- changes:
- - description: Add mapping for event.created
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3042
-- version: "1.2.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2448
-- version: "1.1.0"
- changes:
- - description: Adds dashboards and threat.feed ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2485
-- version: "1.0.2"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.0.1"
- changes:
- - description: Bump minimum version
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2063
-- version: "1.0.0"
- changes:
- - description: Initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1946
diff --git a/packages/ti_misp/1.4.1/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_misp/1.4.1/data_stream/threat/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 8172ba39f7..0000000000
--- a/packages/ti_misp/1.4.1/data_stream/threat/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,75 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "POST"
-
-{{#if url}}
-request.url: {{url}}/events/restSearch
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-request.body:
-{{#if filters}}
- {{filters}}
-{{/if}}
-request.transforms:
-{{#if api_token}}
-- set:
- target: header.Authorization
- value: {{api_token}}
-{{/if}}
-- set:
- target: body.page
- value: 1
-- set:
- target: body.limit
- value: 10
-- set:
- target: body.returnFormat
- value: json
-- set:
- target: body.timestamp
- value: '[[.cursor.timestamp]]'
- default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "UnixDate" ]]'
-
-response.split:
- target: body.response
- split:
- target: body.Event.Attribute
- ignore_empty_value: true
- keep_parent: true
- split:
- target: body.Event.Object
- keep_parent: true
- split:
- target: body.Event.Object.Attribute
- keep_parent: true
-response.request_body_on_pagination: true
-response.pagination:
-- set:
- target: body.page
- value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]'
- fail_on_template_error: true
-cursor:
- timestamp:
- value: '[[.last_event.Event.timestamp]]'
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/ti_misp/1.4.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_misp/1.4.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ce9f44b3b4..0000000000
--- a/packages/ti_misp/1.4.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,385 +0,0 @@ ---- -description: Pipeline for parsing MISP Threat Intel -processors: - #################### - # Event ECS fields # - #################### - - set: - field: ecs.version - value: "8.2.0" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - ###################### - # General ECS fields # - ###################### - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.Event.Attribute.uuid - - json.Event.Object.Attribute.uuid - target_field: "_id" - ignore_missing: true - - rename: - field: json.Event - target_field: misp - ignore_missing: true - - set: - field: threat.indicator.provider - value: misp - if: ctx.misp?.Orgc?.local != 'false' - - set: - field: threat.indicator.provider - value: "{{misp.Orgc.name}}" - if: ctx.misp?.Orgc?.local == 'false' - ignore_empty_value: true - - # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - - remove: - field: - - misp.ShadowAttribute - - misp.RelatedEvent - - misp.Galaxy - - misp.Attribute.Galaxy - - misp.Attribute.ShadowAttribute - - misp.EventReport - - misp.Object.Attribute.Galaxy - - misp.Object.Attribute.ShadowAttribute - ignore_missing: true - - remove: - field: - - misp.Attribute - ignore_missing: true - if: ctx.misp?.Attribute.size() == 0 - - remove: - field: - - misp.Object - ignore_missing: true - if: ctx.misp?.Object.size() == 0 - - date: - field: misp.timestamp - formats: - - UNIX - ignore_failure: true - - rename: - field: misp.Attribute - target_field: misp.attribute - ignore_missing: true - - rename: - field: misp.Object - target_field: misp.object - ignore_missing: true - - rename: - field: misp.object.Attribute - target_field: misp.object.attribute - ignore_missing: true - - rename: - field: misp.Orgc - target_field: 
misp.orgc - ignore_missing: true - - rename: - field: misp.Org - target_field: misp.org - ignore_missing: true - - rename: - field: misp.Tag - target_field: misp.tag - ignore_missing: true - - # # Dance around issue of not being able to split the document into two. - # # Make the Object.Attribute field primary if it exists, but keep the - # # outer Attribute as context. - - rename: - field: misp.attribute - target_field: misp.context.attribute - ignore_missing: true - if: ctx.misp?.object != null - - rename: - field: misp.object.attribute - target_field: misp.attribute - ignore_missing: true - if: ctx.misp?.object != null - - ##################### - # Threat ECS Fields # - ##################### - - set: - field: threat.feed.name - value: "MISP" - - rename: - field: misp.attribute.first_seen - target_field: threat.indicator.first_seen - ignore_missing: true - - rename: - field: misp.attribute.last_seen - target_field: threat.indicator.last_seen - ignore_missing: true - - convert: - field: misp.analysis - type: long - target_field: threat.indicator.scanner_stats - ignore_missing: true - - convert: - field: misp.threat_level_id - type: long - ignore_missing: true - - ## File/Hash indicator operations - - set: - field: threat.indicator.type - value: file - if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))" - - rename: - field: misp.attribute.value - target_field: "threat.indicator.file.hash.{{misp.attribute.type}}" - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')" - - rename: - field: misp.attribute.value - target_field: threat.indicator.file.name - ignore_missing: true - if: 
"ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'" - - grok: - field: misp.attribute.type - patterns: - - "%{WORD}\\|%{WORD:_tmp.hashtype}" - ignore_missing: true - if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') - - grok: - field: misp.attribute.value - patterns: - - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" - ignore_missing: true - if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') - - set: - field: threat.indicator.file.hash.{{_tmp.hashtype}} - value: "{{_tmp.hashvalue}}" - if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" - - ## URL/URI indicator operations - - set: - field: threat.indicator.type - value: url - if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)" - - uri_parts: - field: misp.attribute.value - target_field: threat.indicator.url - keep_original: true - remove_if_successful: true - if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri' - - set: - field: threat.indicator.url.full - value: "{{{threat.indicator.url.original}}}" - ignore_empty_value: true - if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'" - - ## Regkey indicator operations - - set: - field: threat.indicator.type - value: windows-registry-key - if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')" - - rename: - field: misp.attribute.value - target_field: threat.indicator.registry.key - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'" - - grok: - field: misp.attribute.value - patterns: - - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}" - ignore_missing: true - if: "ctx.misp?.attribute?.type == 
'regkey|value'" - - ## AS indicator operations - - set: - field: threat.indicator.type - value: autonomous-system - if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'" - - convert: - field: misp.attribute.value - type: long - target_field: threat.indicator.as.number - ignore_missing: true - if: ctx.threat?.indicator?.type == 'autonomous-system' - - ## Domain/IP/Port indicator operations - - set: - field: threat.indicator.type - value: domain-name - if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || ctx.misp?.attribute?.type.startsWith('domain'))" - - set: - field: threat.indicator.type - value: ipv4-addr - if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - - rename: - field: misp.attribute.value - target_field: threat.indicator.url.domain - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null" - - rename: - field: misp.attribute.value - target_field: threat.indicator.ip - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - - grok: - field: misp.attribute.value - patterns: - - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}" - ignore_missing: true - if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null - - grok: - field: misp.attribute.value - patterns: - - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}" - ignore_missing: true - if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" - - ## Email indicator operations - # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. 
- - set: - field: threat.indicator.type - value: email-addr - if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" - - set: - field: threat.indicator.type - value: email-message - if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" - - rename: - field: misp.attribute.value - target_field: threat.indicator.email.address - ignore_missing: true - if: ctx.threat?.indicator?.type == 'email-addr' - - rename: - field: misp.event_creator_email - target_field: user.email - ignore_missing: true - - append: - field: user.roles - value: "reporting_user" - if: ctx?.user?.email != null - - ## MAC Address indicator operations - - set: - field: threat.indicator.type - value: mac-addr - if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)" - - rename: - field: misp.attribute.value - target_field: threat.indicator.mac - ignore_missing: true - if: ctx.threat?.indicator?.type == 'mac-addr' - - ################### - # Tags ECS fields # - ################### - # Stripping special characters from tags - - script: - lang: painless - if: ctx.misp?.tag != null - source: | - def tags = ctx.misp.tag.stream() - .map(t -> t.name.replace('\\', '').replace('"', '')) - .collect(Collectors.toList()); - def tlpTags = tags.stream() - .filter(t -> t.startsWith('tlp:')) - .map(t -> t.replace('tlp:', '')) - .collect(Collectors.toList()); - - ctx.tags = tags; - ctx.threat.indicator.marking = [ 'tlp': tlpTags ]; - - # Setting indicator type to unknown if it does not match anything - - set: - field: threat.indicator.type - value: unknown - if: ctx.threat?.indicator?.type == null - - ################# - # Convert types # - ################# - - convert: - field: misp.attribute.distribution - type: long - ignore_missing: true - - convert: - field: misp.context.attribute.distribution - type: long - 
ignore_missing: true - - convert: - field: threat.indicator.port - type: long - ignore_missing: true - - convert: - field: misp.attribute_count - type: long - ignore_missing: true - - ###################### - # Cleanup processors # - ###################### - - script: - lang: painless - if: ctx?.misp != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - - remove: - field: - - misp.attribute.value - ignore_missing: true - if: ctx.threat?.indicator?.type != 'unknown' - - remove: - field: - # This removes a number of fields that may be wanted in the future when - # misp.attribute and misp.object.attribute can - # be separated. At the root of .object are fields that mirror fields at - # the root of misp. - - misp.object - ignore_missing: true - - remove: - field: - - misp.Attribute.timestamp - - misp.timestamp - - misp.tag - - misp.org - - misp.analysis - - _tmp - - json - ignore_missing: true - -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_misp/1.4.1/data_stream/threat/fields/agent.yml b/packages/ti_misp/1.4.1/data_stream/threat/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/ti_misp/1.4.1/data_stream/threat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/ti_misp/1.4.1/data_stream/threat/fields/base-fields.yml b/packages/ti_misp/1.4.1/data_stream/threat/fields/base-fields.yml
deleted file mode 100755
index ad1000cb9b..0000000000
--- a/packages/ti_misp/1.4.1/data_stream/threat/fields/base-fields.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_misp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_misp.threat
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: MISP
-- name: threat.feed.dashboard_id
- type: constant_keyword
- description: Dashboard ID used for Kibana CTI UI
- value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_misp/1.4.1/data_stream/threat/fields/beats.yml b/packages/ti_misp/1.4.1/data_stream/threat/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_misp/1.4.1/data_stream/threat/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_misp/1.4.1/data_stream/threat/fields/ecs.yml b/packages/ti_misp/1.4.1/data_stream/threat/fields/ecs.yml
deleted file mode 100755
index e6dcb70141..0000000000
--- a/packages/ti_misp/1.4.1/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,188 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - type: keyword -- name: threat.feed.name - type: keyword -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: Count of AV/EDR vendors that successfully detected malicious file or URL. - name: threat.indicator.scanner_stats - type: long -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
- multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: threat.indicator.url.query - type: keyword -- description: Identifies a threat indicator as an email address (irrespective of direction). - name: threat.indicator.email.address - type: keyword -- description: The name of the indicator's provider. 
- name: threat.indicator.provider
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: threat.indicator.as.number
- type: long
-- description: MD5 hash.
- name: threat.indicator.file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: threat.indicator.file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: |-
- Traffic Light Protocol sharing markings.
- Recommended values are:
- * WHITE
- * GREEN
- * AMBER
- * RED
- name: threat.indicator.marking.tlp
- type: keyword
-- description: Identifies a threat indicator as a port number (irrespective of direction).
- name: threat.indicator.port
- type: long
-- description: Hive-relative path of keys.
- name: threat.indicator.registry.key
- type: keyword
-- description: Name of the value written.
- name: threat.indicator.registry.value
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: threat.indicator.file.size
- type: long
-- description: File type (file, dir, or symlink).
- name: threat.indicator.file.type
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: threat.indicator.file.name
- type: keyword
diff --git a/packages/ti_misp/1.4.1/data_stream/threat/fields/fields.yml b/packages/ti_misp/1.4.1/data_stream/threat/fields/fields.yml
deleted file mode 100755
index 133826511b..0000000000
--- a/packages/ti_misp/1.4.1/data_stream/threat/fields/fields.yml
+++ /dev/null
@@ -1,291 +0,0 @@ -- name: misp - type: group - description: > - Fields for MISP indicators - - fields: - - name: id - type: keyword - description: > - Attribute ID. - - - name: orgc_id - type: keyword - description: > - Organization Community ID of the event. - - - name: org_id - type: keyword - description: > - Organization ID of the event. - - - name: threat_level_id - type: long - description: > - Threat level from 5 to 1, where 1 is the most critical. - - - name: info - type: keyword - description: > - Additional text or information related to the event. - - - name: published - type: boolean - description: > - When the event was published. - - - name: uuid - type: keyword - description: > - The UUID of the event object. - - - name: date - type: date - description: > - The date of when the event object was created. - - - name: attribute_count - type: long - description: > - How many attributes are included in a single event object. - - - name: timestamp - type: date - description: > - The timestamp of when the event object was created. - - - name: distribution - type: keyword - description: > - Distribution type related to MISP. - - - name: proposal_email_lock - type: boolean - description: > - Settings configured on MISP for email lock on this event object. - - - name: locked - type: boolean - description: > - If the current MISP event object is locked or not. - - - name: publish_timestamp - type: date - description: > - At what time the event object was published - - - name: sharing_group_id - type: keyword - description: > - The ID of the grouped events or sources of the event. - - - name: disable_correlation - type: boolean - description: > - If correlation is disabled on the MISP event object. - - - name: extends_uuid - type: keyword - description: > - The UUID of the event object it might extend. - - - name: org.id - type: keyword - description: > - The organization ID related to the event object. 
- - - name: org.name - type: keyword - description: > - The organization name related to the event object. - - - name: org.uuid - type: keyword - description: > - The UUID of the organization related to the event object. - - - name: org.local - type: boolean - description: > - If the event object is local or from a remote source. - - - name: orgc.id - type: keyword - description: > - The Organization Community ID in which the event object was reported from. - - - name: orgc.name - type: keyword - description: > - The Organization Community name in which the event object was reported from. - - - name: orgc.uuid - type: keyword - description: > - The Organization Community UUID in which the event object was reported from. - - - name: orgc.local - type: boolean - description: > - If the Organization Community was local or synced from a remote source. - - - name: attribute.id - type: keyword - description: > - The ID of the attribute related to the event object. - - - name: attribute.type - type: keyword - description: > - The type of the attribute related to the event object. For example email, ipv4, sha1 and such. - - - name: attribute.category - type: keyword - description: > - The category of the attribute related to the event object. For example "Network Activity". - - - name: attribute.to_ids - type: boolean - description: > - If the attribute should be automatically synced with an IDS. - - - name: attribute.uuid - type: keyword - description: > - The UUID of the attribute related to the event. - - - name: attribute.event_id - type: keyword - description: > - The local event ID of the attribute related to the event. - - - name: attribute.distribution - type: long - description: > - How the attribute has been distributed, represented by integer numbers. - - - name: attribute.timestamp - type: date - description: > - The timestamp in which the attribute was attached to the event object. 
- - - name: attribute.comment - type: keyword - description: > - Comments made to the attribute itself. - - - name: attribute.sharing_group_id - type: keyword - description: > - The group ID of the sharing group related to the specific attribute. - - - name: attribute.deleted - type: boolean - description: > - If the attribute has been removed from the event object. - - - name: attribute.disable_correlation - type: boolean - description: > - If correlation has been enabled on the attribute related to the event object. - - - name: attribute.object_id - type: keyword - description: > - The ID of the Object in which the attribute is attached. - - - name: attribute.object_relation - type: keyword - description: > - The type of relation the attribute has with the event object itself. - - - name: attribute.value - type: keyword - description: > - The value of the attribute, depending on the type like "url, sha1, email-src". - - - name: context.attribute.id - type: keyword - description: > - The ID of the secondary attribute related to the event object. - - - name: context.attribute.type - type: keyword - description: > - The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. - - - name: context.attribute.category - type: keyword - description: > - The category of the secondary attribute related to the event object. For example "Network Activity". - - - name: context.attribute.to_ids - type: boolean - description: > - If the secondary attribute should be automatically synced with an IDS. - - - name: context.attribute.uuid - type: keyword - description: > - The UUID of the secondary attribute related to the event. - - - name: context.attribute.event_id - type: keyword - description: > - The local event ID of the secondary attribute related to the event. - - - name: context.attribute.distribution - type: long - description: > - How the secondary attribute has been distributed, represented by integer numbers. 
- - - name: context.attribute.timestamp - type: date - description: > - The timestamp in which the secondary attribute was attached to the event object. - - - name: context.attribute.comment - type: keyword - description: > - Comments made to the secondary attribute itself. - - - name: context.attribute.sharing_group_id - type: keyword - description: > - The group ID of the sharing group related to the specific secondary attribute. - - - name: context.attribute.deleted - type: boolean - description: > - If the secondary attribute has been removed from the event object. - - - name: context.attribute.disable_correlation - type: boolean - description: > - If correlation has been enabled on the secondary attribute related to the event object. - - - name: context.attribute.object_id - type: keyword - description: > - The ID of the Object in which the secondary attribute is attached. - - - name: context.attribute.object_relation - type: keyword - description: > - The type of relation the secondary attribute has with the event object itself. - - - name: context.attribute.value - type: keyword - description: > - The value of the attribute, depending on the type like "url, sha1, email-src". - - - name: context.attribute.first_seen - type: keyword - description: > - The first time the indicator was seen. - - - name: context.attribute.last_seen - type: keyword - description: > - The last time the indicator was seen. - diff --git a/packages/ti_misp/1.4.1/data_stream/threat/manifest.yml b/packages/ti_misp/1.4.1/data_stream/threat/manifest.yml deleted file mode 100755 index 353de39766..0000000000 --- a/packages/ti_misp/1.4.1/data_stream/threat/manifest.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -type: logs -title: MISP -streams: - - input: httpjson - vars: - - name: url - type: text - title: MISP URL - multi: false - required: true - show_user: true - default: https://mispserver.com - description: The URL or hostname of the MISP instance. - - name: api_token - type: password - title: MISP API Token - multi: false - required: true - show_user: true - description: The API token used to access the MISP instance. - - name: initial_interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 120h - description: How far back to look for indicators the first time the agent is started. - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: false - default: 30s - - name: filters - type: yaml - title: MISP API Filters - multi: false - required: false - show_user: false - default: | - #type: - # OR: - # - ip-src - # - ip-dst - #tags: - # NOT: - # - tlp-red - description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported. 
- - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 10m - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - default: | - #verification_mode: none - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - misp-threat - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: MISP - description: Collect indicators from the MISP API diff --git a/packages/ti_misp/1.4.1/data_stream/threat/sample_event.json b/packages/ti_misp/1.4.1/data_stream/threat/sample_event.json deleted file mode 100755 index 2f0271242c..0000000000 --- a/packages/ti_misp/1.4.1/data_stream/threat/sample_event.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "@timestamp": "2014-10-06T07:12:57.000Z", - "agent": { - "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da", - "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_misp.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:58:54.124Z", - "dataset": "ti_misp.threat", - "ingested": "2022-04-11T08:58:55Z", - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-
10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "1462454963", - "to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" - }, - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": "3", - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - }, - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "1610622316", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "tags": [ - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "green" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } - } - } -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.1/docs/README.md b/packages/ti_misp/1.4.1/docs/README.md deleted file mode 100755 index e0d38ac70f..0000000000 
--- a/packages/ti_misp/1.4.1/docs/README.md
+++ /dev/null
@@ -1,259 +0,0 @@ -# MISP Integration - -The MISP integration uses the [REST API from the running MISP instance](https://www.circl.lu/doc/misp/automation/#automation-api) to retrieve indicators and Threat Intelligence. - -## Logs - -### Threat - -The MISP integration configuration allows to set the polling interval, how far back it -should look initially, and optionally any filters used to filter the results. - -The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| misp.attribute.category | The category of the attribute related to the event object. 
For example "Network Activity". | keyword | -| misp.attribute.comment | Comments made to the attribute itself. | keyword | -| misp.attribute.deleted | If the attribute has been removed from the event object. | boolean | -| misp.attribute.disable_correlation | If correlation has been enabled on the attribute related to the event object. | boolean | -| misp.attribute.distribution | How the attribute has been distributed, represented by integer numbers. | long | -| misp.attribute.event_id | The local event ID of the attribute related to the event. | keyword | -| misp.attribute.id | The ID of the attribute related to the event object. | keyword | -| misp.attribute.object_id | The ID of the Object in which the attribute is attached. | keyword | -| misp.attribute.object_relation | The type of relation the attribute has with the event object itself. | keyword | -| misp.attribute.sharing_group_id | The group ID of the sharing group related to the specific attribute. | keyword | -| misp.attribute.timestamp | The timestamp in which the attribute was attached to the event object. | date | -| misp.attribute.to_ids | If the attribute should be automatically synced with an IDS. | boolean | -| misp.attribute.type | The type of the attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | -| misp.attribute.uuid | The UUID of the attribute related to the event. | keyword | -| misp.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | -| misp.attribute_count | How many attributes are included in a single event object. | long | -| misp.context.attribute.category | The category of the secondary attribute related to the event object. For example "Network Activity". | keyword | -| misp.context.attribute.comment | Comments made to the secondary attribute itself. | keyword | -| misp.context.attribute.deleted | If the secondary attribute has been removed from the event object. 
| boolean | -| misp.context.attribute.disable_correlation | If correlation has been enabled on the secondary attribute related to the event object. | boolean | -| misp.context.attribute.distribution | How the secondary attribute has been distributed, represented by integer numbers. | long | -| misp.context.attribute.event_id | The local event ID of the secondary attribute related to the event. | keyword | -| misp.context.attribute.first_seen | The first time the indicator was seen. | keyword | -| misp.context.attribute.id | The ID of the secondary attribute related to the event object. | keyword | -| misp.context.attribute.last_seen | The last time the indicator was seen. | keyword | -| misp.context.attribute.object_id | The ID of the Object in which the secondary attribute is attached. | keyword | -| misp.context.attribute.object_relation | The type of relation the secondary attribute has with the event object itself. | keyword | -| misp.context.attribute.sharing_group_id | The group ID of the sharing group related to the specific secondary attribute. | keyword | -| misp.context.attribute.timestamp | The timestamp in which the secondary attribute was attached to the event object. | date | -| misp.context.attribute.to_ids | If the secondary attribute should be automatically synced with an IDS. | boolean | -| misp.context.attribute.type | The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | -| misp.context.attribute.uuid | The UUID of the secondary attribute related to the event. | keyword | -| misp.context.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | -| misp.date | The date of when the event object was created. | date | -| misp.disable_correlation | If correlation is disabled on the MISP event object. | boolean | -| misp.distribution | Distribution type related to MISP. 
| keyword | -| misp.extends_uuid | The UUID of the event object it might extend. | keyword | -| misp.id | Attribute ID. | keyword | -| misp.info | Additional text or information related to the event. | keyword | -| misp.locked | If the current MISP event object is locked or not. | boolean | -| misp.org.id | The organization ID related to the event object. | keyword | -| misp.org.local | If the event object is local or from a remote source. | boolean | -| misp.org.name | The organization name related to the event object. | keyword | -| misp.org.uuid | The UUID of the organization related to the event object. | keyword | -| misp.org_id | Organization ID of the event. | keyword | -| misp.orgc.id | The Organization Community ID in which the event object was reported from. | keyword | -| misp.orgc.local | If the Organization Community was local or synced from a remote source. | boolean | -| misp.orgc.name | The Organization Community name in which the event object was reported from. | keyword | -| misp.orgc.uuid | The Organization Community UUID in which the event object was reported from. | keyword | -| misp.orgc_id | Organization Community ID of the event. | keyword | -| misp.proposal_email_lock | Settings configured on MISP for email lock on this event object. | boolean | -| misp.publish_timestamp | At what time the event object was published | date | -| misp.published | When the event was published. | boolean | -| misp.sharing_group_id | The ID of the grouped events or sources of the event. | keyword | -| misp.threat_level_id | Threat level from 5 to 1, where 1 is the most critical. | long | -| misp.timestamp | The timestamp of when the event object was created. | date | -| misp.uuid | The UUID of the event object. | keyword | -| tags | List of keywords used to tag each event. 
| keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | | keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | -| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.registry.key | Hive-relative path of keys. | keyword | -| threat.indicator.registry.value | Name of the value written. | keyword | -| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. 
| long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.email | User email address. | keyword | -| user.roles | Array of user roles at the time of the event. | keyword | - - -An example event for `threat` looks as following: - -```json -{ - "@timestamp": "2014-10-06T07:12:57.000Z", - "agent": { - "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da", - "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_misp.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:58:54.124Z", - "dataset": "ti_misp.threat", - "ingested": "2022-04-11T08:58:55Z", - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network 
activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "1462454963", - 
"to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" - }, - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": "3", - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - }, - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "1610622316", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "tags": [ - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "green" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } - } - } -} -``` \ No newline at end of file diff --git a/packages/ti_misp/1.4.1/img/misp.svg b/packages/ti_misp/1.4.1/img/misp.svg deleted file mode 100755 index 076530aa25..0000000000 --- a/packages/ti_misp/1.4.1/img/misp.svg +++ /dev/null @@ -1,158 +0,0 @@ - - - - diff --git a/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json deleted file mode 100755 index bd8d5dbf01..0000000000 --- a/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n**[MISP Files (This Page)](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877)** \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - 
"type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json deleted file mode 100755 index a9987e5bf9..0000000000 --- a/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n**[MISP URLs (This Page)](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877)** \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] URLs", - "version": 1 - }, - 
"coreMigrationVersion": "8.0.0", - "id": "ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json deleted file mode 100755 index e60f8f871b..0000000000 --- a/packages/ti_misp/1.4.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"ti_misp.threat\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[MISP Overview (This Page)](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294)** \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the MISP integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from MISP. 
\\n\\nIt shows ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from MISP.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":36,\"i\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1641204819355\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1641204843291\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"w\":26,\"x\":7,\"y\":0},\"panelIndex\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"title\":\"Indicator Selector [Logs 
MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d87f35ee-570a-488b-b618-6ada39b49df4\":{\"columnOrder\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\",\"d0f21543-9576-400e-aeca-babc5407d3a7\"],\"columns\":{\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"d0f21543-9576-400e-aeca-babc5407d3a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\"],\"layerId\":\"d87f35ee-570a-488b-b618-6ada39b49df4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":22,\"i\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"title\":\"Total Indicators per type [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0491a750-3050-47a9-bb99-c45984d3d28c\":{\"columnOrder\":[\"fb93835d-e6a1-49b4-8911-ae15b081da8a\"],\"columns\":{\"fb93835d-e6a1-49b4-8911-ae15b081da8a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fb93835d-e6a1-49b4-8911-ae15b081da8a\",\"layerId\":\"0491a750-3050-47a9-bb99-c45984d3d28c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"title\":\"Total Indicators [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\":{\"columnOrder\":[\"16691165-3643-4658-bfc8-4bba834f2789\",\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"columns\":{\"16691165-3643-4658-bfc8-4bba834f2789\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3e085a0a-8386-4f64-a629-44ae27b18878\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"},\"3e085a0a-8386-4f64-a629-44ae27b18878\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"layerId\":\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"16691165-3643-4658-bfc8-4bba834f2789\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":true,\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"w\":20,\"x\":13,\"y\":8},\"panelIndex\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"title\":\"Total Indicators per Provider [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],
\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"w\":41,\"x\":7,\"y\":22},\"panelIndex\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"title\":\"Indicators ingested [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.4.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json deleted file mode 100755 index b202c82473..0000000000 --- a/packages/ti_misp/1.4.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "", - "name": "MISP" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.1/manifest.yml b/packages/ti_misp/1.4.1/manifest.yml deleted file mode 100755 index e1d4f3c01c..0000000000 --- a/packages/ti_misp/1.4.1/manifest.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -name: ti_misp -title: MISP -version: 1.4.1 -release: ga -description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -conditions: - kibana.version: ^8.0.0 -icons: - - src: /img/misp.svg - title: MISP - size: 216x216 - type: image/svg+xml -policy_templates: - - name: ti_misp - title: MISP - description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. - inputs: - - type: httpjson - title: "Ingest threat intelligence indicators from MISP platform with Elastic Agent." - description: "Ingest threat intelligence indicators from MISP platform with Elastic Agent." -owner: - github: elastic/security-external-integrations diff --git a/packages/ti_otx/1.3.2/changelog.yml b/packages/ti_otx/1.3.2/changelog.yml deleted file mode 100755 index a7b3ce1610..0000000000 --- a/packages/ti_otx/1.3.2/changelog.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -# newer versions go on top -- version: "1.3.2" - changes: - - description: Update readme file to add documentation link - type: enhancement - link: https://github.com/elastic/integrations/pull/3171 -- version: "1.3.1" - changes: - - description: Update package descriptions - type: enhancement - link: https://github.com/elastic/integrations/pull/3398 -- version: "1.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2781 -- version: "1.2.2" - changes: - - description: Add field mapping for event.created - type: enhancement - link: https://github.com/elastic/integrations/pull/3042 -- version: "1.2.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.2.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2449 -- version: "1.1.0" - changes: - - description: Adding threat.feed fields and dashboards - type: enhancement - link: https://github.com/elastic/integrations/pull/2540 -- version: "1.0.3" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.0.2" - changes: - - description: Bump minimum version - type: enhancement - link: https://github.com/elastic/integrations/pull/2063 -- version: "1.0.1" - changes: - - description: Update title and description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 -- version: "1.0.0" - changes: - - description: Initial release - type: enhancement - link: https://github.com/elastic/integrations/pull/1873 diff --git a/packages/ti_otx/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_otx/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs deleted file mode 100755 index cc8d4550c6..0000000000 
--- a/packages/ti_otx/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,60 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -{{#if url}} -request.url: {{url}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -request.transforms: -- set: - target: header.Content-Type - value: application/json -{{#if api_token }} -- set: - target: header.X-OTX-API-KEY - value: {{ api_token }} -{{/if}} -{{#if types}} -- set: - target: url.params.types - value: {{ types }} -{{/if}} -- set: - target: url.params.modified_since - value: '[[.cursor.timestamp]]' - default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "RFC3339" ]]' - -response.split: - target: body.results - -response.pagination: -- set: - target: url.value - value: '[[ .last_response.body.next ]]' -cursor: - timestamp: - value: '[[ formatDate (now (parseDuration "-{{ lookback_range }}")) "RFC3339" ]]' - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/ti_otx/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_otx/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8ce807b239..0000000000 --- a/packages/ti_otx/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,169 +0,0 @@ ---- -description: Pipeline for parsing Abuse.ch URL Threat Intel -processors: - #################### - # Event ECS fields # - #################### - - set: - field: ecs.version - value: "8.2.0" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - ###################### - # General ECS fields # - ###################### - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: otx - - fingerprint: - fields: - - otx.id - target_field: "_id" - - ##################### - # Threat ECS Fields # - ##################### - ## File indicator operations - - set: - field: threat.indicator.type - value: file - if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'" - - rename: - field: otx.indicator - target_field: threat.indicator.file.hash.md5 - ignore_missing: true - if: "ctx.otx?.type == 'FileHash-MD5'" - - rename: - field: otx.indicator - target_field: threat.indicator.file.hash.sha1 - ignore_missing: true - if: "ctx.otx?.type == 'FileHash-SHA1'" - - rename: - field: otx.indicator - target_field: threat.indicator.file.hash.sha256 - ignore_missing: true - if: "ctx.otx?.type == 'FileHash-SHA256'" - - rename: - field: otx.indicator - target_field: threat.indicator.file.hash.pehash - ignore_missing: true - if: "ctx.otx?.type == 'FileHash-PEHASH'" - - rename: - field: otx.indicator - target_field: threat.indicator.file.hash.imphash - ignore_missing: true - if: "ctx.otx?.type == 'FileHash-IMPHASH'" - - ## IP indicator operations - - set: - field: threat.indicator.type - value: ipv4-addr - if: ctx.otx?.type == 'IPv4' - - set: - field: threat.indicator.type - value: ipv6-addr - if: ctx.otx?.type == 'IPv6' - - rename: - field: otx.indicator - target_field: threat.indicator.ip - ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 
'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - - ## URL indicator operations - - set: - field: threat.indicator.type - value: url - if: "ctx.threat?.indicator?.type == null && ['URL', 'URI'].contains(ctx.otx?.type)" - - uri_parts: - field: otx.indicator - target_field: threat.indicator.url - keep_original: true - remove_if_successful: true - if: ctx.threat?.indicator?.type == 'url' - - set: - field: threat.indicator.url.full - value: "{{{threat.indicator.url.original}}}" - ignore_empty_value: true - if: "ctx.otx?.type == 'URL'" - - ## Email indicator operations - - set: - field: threat.indicator.type - value: email-addr - if: ctx.otx?.type == 'email' - - rename: - field: otx.indicator - target_field: threat.indicator.email.address - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'email-addr'" - - ## Domain indicator operations - - set: - field: threat.indicator.type - value: domain-name - if: "ctx.threat?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.otx?.type)" - - rename: - field: otx.indicator - target_field: threat.indicator.url.domain - ignore_missing: true - if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null" - - ###################### - # Cleanup processors # - ###################### - - set: - field: threat.indicator.type - value: unknown - if: ctx.threat?.indicator?.type == null - - script: - lang: painless - if: ctx.otx != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - remove: - field: - - otx.content - ignore_missing: true - if: ctx.otx?.content == "" - - remove: - field: - - otx.type - - otx.id - - message - ignore_missing: 
true - if: ctx.threat?.indicator?.type != null -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_otx/1.3.2/data_stream/threat/fields/agent.yml b/packages/ti_otx/1.3.2/data_stream/threat/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/ti_otx/1.3.2/data_stream/threat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/ti_otx/1.3.2/data_stream/threat/fields/base-fields.yml b/packages/ti_otx/1.3.2/data_stream/threat/fields/base-fields.yml deleted file mode 100755 index 5b27b27cf8..0000000000 --- a/packages/ti_otx/1.3.2/data_stream/threat/fields/base-fields.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: ti_otx -- name: threat.feed.name - type: constant_keyword - description: Display friendly feed name - value: Alienvault OTX -- name: threat.feed.dashboard_id - type: constant_keyword - description: Dashboard ID used for Kibana CTI UI - value: ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b -- name: event.dataset - type: constant_keyword - description: Event dataset - value: ti_otx.threat -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/ti_otx/1.3.2/data_stream/threat/fields/beats.yml b/packages/ti_otx/1.3.2/data_stream/threat/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/ti_otx/1.3.2/data_stream/threat/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_otx/1.3.2/data_stream/threat/fields/ecs.yml b/packages/ti_otx/1.3.2/data_stream/threat/fields/ecs.yml deleted file mode 100755 index b1e87e820e..0000000000 --- a/packages/ti_otx/1.3.2/data_stream/threat/fields/ecs.yml +++ /dev/null 
@@ -1,153 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Error message. - name: error.message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Identifies a threat indicator as an email address (irrespective of direction). - name: threat.indicator.email.address - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. 
- The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: threat.indicator.url.query - type: keyword -- description: File type (file, dir, or symlink). - name: threat.indicator.file.type - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: |- - A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. - name: threat.indicator.file.pe.imphash - type: keyword -- description: The file's pehash, if available. - name: threat.indicator.file.hash.pehash - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword diff --git a/packages/ti_otx/1.3.2/data_stream/threat/fields/fields.yml b/packages/ti_otx/1.3.2/data_stream/threat/fields/fields.yml deleted file mode 100755 index ee3a603aad..0000000000 --- a/packages/ti_otx/1.3.2/data_stream/threat/fields/fields.yml +++ /dev/null @@ -1,36 +0,0 @@ -- name: otx - type: group - description: > - Fields for OTX Threat Intel - - fields: - - name: id - type: keyword - description: > - The ID of the indicator. - - - name: indicator - type: keyword - description: > - The value of the indicator, for example if the type is domain, this would be the value. - - - name: description - type: keyword - description: > - A description of the indicator. - - - name: title - type: keyword - description: > - Title describing the indicator. - - - name: content - type: keyword - description: > - Extra text or descriptive content related to the indicator. - - - name: type - type: keyword - description: > - The indicator type, can for example be "domain, email, FileHash-SHA256". - diff --git a/packages/ti_otx/1.3.2/data_stream/threat/manifest.yml b/packages/ti_otx/1.3.2/data_stream/threat/manifest.yml deleted file mode 100755 index 4bfd942d44..0000000000 --- a/packages/ti_otx/1.3.2/data_stream/threat/manifest.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -type: logs -title: Alienvault OTX logs -streams: - - input: httpjson - vars: - - name: url - type: text - title: Alienvault OTX API endpoint - multi: false - required: true - show_user: false - default: https://otx.alienvault.com/api/v1/indicators/export - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: false - default: 30s - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 5m - - name: api_token - type: text - title: API Token - multi: false - required: true - show_user: true - description: The Alienvault OTX API token - - name: first_interval - type: text - title: First Interval - multi: false - required: true - show_user: false - description: Configures how far back in time the agent should retrieve data from the API in hours. - default: 400h - - name: lookback_range - type: text - title: Lookback Range - multi: false - required: true - show_user: false - description: How many hours to look back for each request, should not be smaller than the interval (default 5m). 
- default: 1h - - name: types - type: text - title: Filter on indicator types - multi: false - required: false - show_user: false - description: "A comma separated list of indicator types to retrieve, example: 'domain,IPv4,hostname,url,FileHash-SHA256'" - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - otx-threat - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: Alienvault OTX logs - description: Collect Alienvault OTX logs diff --git a/packages/ti_otx/1.3.2/data_stream/threat/sample_event.json b/packages/ti_otx/1.3.2/data_stream/threat/sample_event.json deleted file mode 100755 index 131bc083ed..0000000000 --- a/packages/ti_otx/1.3.2/data_stream/threat/sample_event.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "@timestamp": "2022-04-11T09:14:18.594Z", - "agent": { - "ephemeral_id": "26518763-fc35-4393-a414-ab320e780eee", - "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_otx.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T09:14:18.594Z", - "dataset": "ti_otx.threat", - "ingested": "2022-04-11T09:14:19Z", - "kind": "enrichment", - "original": "{\"content\":\"\",\"description\":null,\"id\":1251,\"indicator\":\"info.3000uc.com\",\"title\":null,\"type\":\"hostname\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "otx": {}, - "tags": [ - "preserve_original_event", - "forwarded", - "otx-threat" - ], - "threat": { - "indicator": { - "type": "domain-name", - "url": { - "domain": "info.3000uc.com" - } - } - } -} \ No newline at end of file diff --git a/packages/ti_otx/1.3.2/docs/README.md b/packages/ti_otx/1.3.2/docs/README.md deleted file mode 100755 index 1b6e88b3ab..0000000000 --- a/packages/ti_otx/1.3.2/docs/README.md +++ /dev/null 
@@ -1,153 +0,0 @@ -# Alienvault OTX Integration - -This integration is for [Alienvault OTX](https://otx.alienvault.com/api). It retrieves indicators for all pulses subscribed to a specific user account on OTX - -## Configuration - -To use this package, it is required to have an account on [Alienvault OTX](https://otx.alienvault.com/). Once an account has been created, and at least 1 pulse has been subscribed to, the API key can be retrieved from your [user profile dashboard](https://otx.alienvault.com/api). In the top right corner there should be an OTX KEY. - -## Logs - -### Threat - -Retrieves all the related indicators over time, related to your pulse subscriptions on OTX. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. 
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| otx.content | Extra text or descriptive content related to the indicator. | keyword | -| otx.description | A description of the indicator. | keyword | -| otx.id | The ID of the indicator. | keyword | -| otx.indicator | The value of the indicator, for example if the type is domain, this would be the value. | keyword | -| otx.title | Title describing the indicator. | keyword | -| otx.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.pehash | The file's pehash, if available. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.provider | The name of the indicator's provider. 
| keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". 
| wildcard | -| threat.indicator.url.port | Port of the request, such as 443. | long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | - - -An example event for `threat` looks as following: - -```json -{ - "@timestamp": "2022-04-11T09:14:18.594Z", - "agent": { - "ephemeral_id": "26518763-fc35-4393-a414-ab320e780eee", - "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_otx.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T09:14:18.594Z", - "dataset": "ti_otx.threat", - "ingested": "2022-04-11T09:14:19Z", - "kind": "enrichment", - "original": "{\"content\":\"\",\"description\":null,\"id\":1251,\"indicator\":\"info.3000uc.com\",\"title\":null,\"type\":\"hostname\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "otx": {}, - "tags": [ - "preserve_original_event", - "forwarded", - "otx-threat" - ], - "threat": { - "indicator": { - "type": "domain-name", - "url": { - "domain": "info.3000uc.com" - } - } - } -} -``` diff --git a/packages/ti_otx/1.3.2/img/otx.svg b/packages/ti_otx/1.3.2/img/otx.svg deleted file mode 100755 index ac96edd1d8..0000000000 --- a/packages/ti_otx/1.3.2/img/otx.svg +++ /dev/null 
@@ -1 +0,0 @@ -AV-Corporate-Logo \ No newline at end of file diff --git a/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json deleted file mode 100755 index 57b0284421..0000000000 --- a/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the Alienvault OTX integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[OTX Overview (This Page)](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b)** \\n[OTX Files](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b) \\n[OTX URLs](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b) \\n\\n[Integrations Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the Alienvault OTX integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Alienvault OTX. 
\\n\\nThe ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from Alienvault OTX.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":31,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs 
OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":29,\"x\":7,\"y\":7},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"title\":\"Total Indicators per Datastream [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":23},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":13,\"y\":23},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs OTX] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", - "type": "index-pattern" - }, - { - "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", - "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json deleted file mode 100755 index 07df8ecd9e..0000000000 --- a/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the Alienvault OTX integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[OTX Overview](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b) \\n**[OTX Files (This Page)](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b)** \\n[OTX URLs](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":35,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":22,\"y\":0},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":13,\"y\":8},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"b8c9d8e0-3bb8-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"118b51de-bd55-4ed6-b916-c939ad73b2c3\":{\"columnOrder\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\",\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\"],\"columns\":{\"1ada77b6-5741-44ff-a00d-4653fca22f84\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top Countries\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Countries\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\"],\"layerId\":\"118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Top Countries [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"w\":20,\"x\":7,\"y\":16},\"panelIndex\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"title\":\"Top Countries [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":27,\"y\":16},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs OTX] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", - "type": "index-pattern" - }, - { - "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", - "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json deleted file mode 100755 index d6094d2b40..0000000000 --- a/packages/ti_otx/1.3.2/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the Alienvault OTX integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[OTX Overview](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b) \\n[OTX Files](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b) \\n**[OTX URLs (This Page)](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b)** \\n\\n[Integrations Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs OTX] URLs", - "version": 1 - }, - 
"coreMigrationVersion": "8.0.0", - "id": "ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, 
- { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", - "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_otx/1.3.2/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.3.2/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json deleted file mode 100755 index 31f9238c67..0000000000 --- a/packages/ti_otx/1.3.2/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "", - "name": "OTX" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_otx/1.3.2/manifest.yml b/packages/ti_otx/1.3.2/manifest.yml deleted file mode 100755 index 112cdbecbe..0000000000 --- a/packages/ti_otx/1.3.2/manifest.yml +++ /dev/null 
@@ -1,26 +0,0 @@
-name: ti_otx
-title: AlienVault OTX
-version: 1.3.2
-release: ga
-description: Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: ^8.0.0
-icons:
- - src: /img/otx.svg
- title: Alienvault OTX
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: ti_otx
- title: Alienvault OTX
- description: Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent.
- inputs:
- - type: httpjson
- title: "Ingest threat intelligence indicators from Alienvault OTX via API"
- description: "Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent."
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/ti_recordedfuture/1.0.1/changelog.yml b/packages/ti_recordedfuture/1.0.1/changelog.yml
deleted file mode 100755
index ab79eef5cb..0000000000
--- a/packages/ti_recordedfuture/1.0.1/changelog.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-# newer versions go on top
-- version: "1.0.1"
- changes:
- - description: update readme added link to recorded future API documentation
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3172
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.1.3"
- changes:
- - description: Update package descriptions
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3398
-- version: "0.1.2"
- changes:
- - description: Add field mapping for event.created
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3042
-- version: "0.1.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.1.0"
- changes:
- - description: Initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2757
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_recordedfuture/1.0.1/data_stream/threat/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 1e7156ac8c..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,33 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-
-{{#if custom_url}}
-request.url: "{{ custom_url }}"
-{{else}}
-request.url: "{{ endpoint }}/{{ entity }}/risklist?format=csv/splunk&gzip=false&list={{ list }}"
-{{/if}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-request.transforms:
-{{#if api_token}}
-- set:
- target: header.X-RFToken
- value: {{ api_token }}
-{{/if}}
-response.decode_as: text/csv
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/agent/stream/logfile.yml.hbs b/packages/ti_recordedfuture/1.0.1/data_stream/threat/agent/stream/logfile.yml.hbs
deleted file mode 100755
index f2c693bdde..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
- - add_locale: ~
\ No newline at end of file
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml b/packages/ti_recordedfuture/1.0.1/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml
deleted file mode 100755
index 86c06b7a1d..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-description: Pipeline to decode CSV risklists from Recorded Future threat intel.
-processors:
- - csv:
- field: event.original
- target_fields:
- - _tmp_.col0
- - _tmp_.col1
- - _tmp_.col2
- - _tmp_.col3
- - _tmp_.col4
- - drop:
- description: 'Drops the CSV header line.'
- if: 'ctx._tmp_.col0 == "Name"'
-
-# This supports the default CSV risklists:
-# 4-column for url, domain and IPs.
-# 5-column for hash.
- - script:
- description: Maps the CSV entries to fields.
- lang: painless
- params:
- default:
- col0: Name
- col1: Risk
- col2: RiskString
- col3: EvidenceDetails
- hash:
- col0: Name
- col1: Algorithm
- col2: Risk
- col3: RiskString
- col4: EvidenceDetails
- source: >
- def cols = params[ ctx._tmp_.col4 == null? "default" : "hash" ];
- def src = ctx._tmp_;
- def dst = new HashMap();
- for (entry in cols.entrySet()) {
- dst[entry.getValue()] = src[entry.getKey()];
- }
- ctx['json'] = dst;
- - remove:
- field: _tmp_
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_recordedfuture/1.0.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2c2ec01047..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,212 +0,0 @@
----
-description: Pipeline for parsing Recorded Future threat intel.
-processors:
-#
-# Set basic ECS fields.
-#
- - set:
- field: ecs.version
- value: "8.0"
- - set:
- field: event.dataset
- value: "ti_recordedfuture.threat"
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: event.category
- value: threat
- - set:
- field: event.type
- value: indicator
- - set:
- field: threat.feed.name
- value: "Recorded Future"
-#
-# TODO: Add dashboard
-#
-# - set:
-# field: threat.feed.dashboard_id
-# value: "recordedfuture-96fe1e60-4261-11ec-b7be-d3026acdf1cf"
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
-
-#
-# Decode event.original as JSON if it starts with the "{" character.
-# This is the common case when events are ingested from the API, as httpjson
-# transforms the CSV to a JSON message.
-#
- - json:
- field: event.original
- target_field: json
- if: 'ctx.event?.original != null && ctx.event.original.startsWith("{")'
- on_failure:
- - fail:
- message: "Failed decoding message field as JSON: {{{ _ingest.on_failure_message }}}"
-
-#
-# Decode event.original as CSV when the above processor didn't execute.
-# This is used when ingesting CSV lines from a file.
-#
- - pipeline:
- name: '{{ IngestPipeline "decode_csv" }}'
- if: 'ctx.json == null'
- on_failure:
- - fail:
- message: "Failed decoding message field as CSV: {{{ _ingest.on_failure_message }}}"
-
-#
-# Decode EvidenceDetails column as JSON.
-#
- - json:
- field: json.EvidenceDetails
- target_field: _temp_.EvidenceDetails
- ignore_failure: true
-
- - rename:
- field: _temp_.EvidenceDetails.EvidenceDetails
- target_field: json.evidence_details
- ignore_missing: true
-
-#
-# Hash indicators (threat.indicator.type=file)
-# As risklist indicators don't have a "type" field, it's necessary
-# to detect the kind of indicator in the Name field.
-#
-# An indicator is of type `hash` when the Algorithm field is present.
-#
- - set:
- field: threat.indicator.type
- value: file
- if: 'ctx.json.Algorithm != null'
- - script:
- lang: painless
- description: >
- Map file hashes.
- if: "ctx.json.Algorithm != null"
- params:
- MD5: md5
- SHA-1: sha1
- SHA-256: sha256
- SHA-384: sha384
- SHA-512: sha512
- source: >-
- def key = params[ctx.json.Algorithm];
- if (key == null) {
- throw new Exception("Unsupported hash algorithm '" + ctx.json.Algorithm + "'");
- }
- def hashes = [key:ctx.json.Name];
- ctx["_hashes"] = hashes;
- on_failure:
- - append:
- field: error.message
- value: "Failed to map fileHashes field: {{{ _ingest.on_failure_message }}}"
- - rename:
- field: _hashes
- target_field: threat.indicator.file.hash
- ignore_missing: true
-
-#
-# IP indicators (threat.indicator.type=ipvN-addr)
-#
-# An indicator is of type `ip` if Name is a valid IP address.
-#
- - convert:
- field: json.Name
- target_field: threat.indicator.ip
- type: ip
- ignore_failure: true
- if: 'ctx.threat?.indicator?.type == null'
- - set:
- field: threat.indicator.type
- value: ipv4-addr
- if: 'ctx.threat?.indicator?.ip != null && !ctx.threat.indicator.ip.contains(":")'
- - set:
- field: threat.indicator.type
- value: ipv6-addr
- if: 'ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(":")'
-
-#
-# URL indicators (threat.indicator.type=url)
-# An indicator is of type `url` if Name contains a slash character.
-#
- - set:
- field: threat.indicator.type
- value: url
- if: 'ctx.threat?.indicator?.type == null && ctx.json.Name.contains("/")'
- uri_parts:
- field: json.Name
- target_field: threat.indicator.url
- keep_original: true
- if: 'ctx.threat?.indicator?.type == "url"'
-#
-# Domain indicators (threat.indicator.type=domain)
-# This is a catch-all type.
-#
- - set:
- field: threat.indicator.type
- value: domain-name
- if: 'ctx.threat?.indicator?.type == null'
- - set:
- field: threat.indicator.url.domain
- value: '{{{ json.Name }}}'
- ignore_empty_value: true
- if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null'
-
-#
-# Normalize Risk
-#
- - convert:
- field: json.Risk
- target_field: event.risk_score
- ignore_missing: true
- type: float
- on_failure:
- - append:
- field: error.message
- value: "Risk score `{{{ json.Risk }}}` cannot be converted to float: {{{ _ingest.on_failure_message }}}"
-
-#
-# Fingerprint event: _id = hash(dataset + indicator type + indicator value)
-#
- - fingerprint:
- fields:
- - event.dataset
- - threat.indicator.type
- - json.Name
- target_field: "_id"
-
-#
-# Save fields without an ECS mapping under `recordedfuture`.
-#
- - rename:
- field: json.RiskString
- target_field: json.risk_string
- ignore_missing: true
- - rename:
- field: json
- target_field: recordedfuture
-
-#
-# Cleanup
-#
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - recordedfuture.Algorithm
- - recordedfuture.EvidenceDetails
- - recordedfuture.Name
- - recordedfuture.Risk
- - _temp_
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/agent.yml b/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/base-fields.yml b/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/base-fields.yml
deleted file mode 100755
index 1fbc652b8a..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/base-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_recordedfuture
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_recordedfuture.threat
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: Recorded Future
-#
-# TODO: Add dashboard
-#
-#- name: threat.feed.dashboard_id
-# type: constant_keyword
-# description: Dashboard ID used for Kibana CTI UI
-# value: recordedfuture-96fe1e60-4261-11ec-b7be-d3026acdf1cf
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/beats.yml b/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/ecs.yml b/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/ecs.yml
deleted file mode 100755
index 1a807ca505..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,191 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: threat.indicator.url.query - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: SHA512 hash. - name: threat.indicator.file.hash.sha512 - type: keyword -- description: Identifies a threat indicator as an email address (irrespective of direction). - name: threat.indicator.email.address - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword -- description: |- - Traffic Light Protocol sharing markings. - Recommended values are: - * WHITE - * GREEN - * AMBER - * RED - name: threat.indicator.marking.tlp - type: keyword -- description: |- - Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. - Expected values are: - * Not Specified - * None - * Low - * Medium - * High - name: threat.indicator.confidence - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: threat.indicator.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.as.organization.name - type: keyword -- description: Longitude and latitude. - name: threat.indicator.geo.location.lat - type: geo_point -- description: Longitude and latitude. - name: threat.indicator.geo.location.lon - type: geo_point -- description: Country ISO code. - name: threat.indicator.geo.country_iso_code - type: keyword 
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/fields.yml b/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/fields.yml deleted file mode 100755 index a81fd75d00..0000000000 --- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/fields/fields.yml +++ /dev/null @@ -1,21 +0,0 @@ -- name: recordedfuture - type: group - description: > - Fields for Recorded Future Threat Intel - - fields: - - name: evidence_details - type: flattened - description: > - List of sightings used as evidence for this indicator. - - - name: name - type: keyword - description: > - Indicator value. - - - name: risk_string - type: keyword - description: > - Details of risk rules observed. - diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/manifest.yml b/packages/ti_recordedfuture/1.0.1/data_stream/threat/manifest.yml deleted file mode 100755 index dfc711d668..0000000000 --- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/manifest.yml +++ /dev/null 
@@ -1,125 +0,0 @@
-type: logs
-title: Recorded Future
-streams:
- - input: logfile
- enabled: false
- template_path: logfile.yml.hbs
- title: Recorded Future CSV file
- description: Reads indicators from a Recorded Future CSV file.
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - recordedfuture
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Recorded Future risklist
- description: Receives indicators from Recorded Future risklist endpoints.
- vars:
- - name: entity
- type: text
- title: Entity
- description: The type of entity to fetch. One of domain, hash, ip or url.
- multi: false
- required: true
- show_user: true
- default: domain
- - name: list
- type: text
- title: List
- description: List to fetch for the given entity.
- default: default
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval between risklist downloads.
- description: Use Go Duration syntax (eg. 1h)
- default: "1h"
- multi: false
- required: true
- show_user: true
- - name: api_token
- type: text
- title: API Token
- description: Recorded Future API Token (RF_TOKEN).
- multi: false
- required: true
- show_user: true
- - name: custom_url
- type: url
- title: Custom URL
- description: URL to download a custom Fusion File.
- multi: false
- required: false
- show_user: false
- - name: endpoint
- type: url
- title: API Endpoint
- description: Base API URL.
- multi: false
- required: true
- show_user: false
- default: https://api.recordedfuture.com/v2
- - name: proxy_url
- type: url
- title: Proxy URL
- description: Optional proxy server to use.
- multi: false
- required: false
- show_user: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - recordedfuture
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/ti_recordedfuture/1.0.1/data_stream/threat/sample_event.json b/packages/ti_recordedfuture/1.0.1/data_stream/threat/sample_event.json
deleted file mode 100755
index b26841f9b8..0000000000
--- a/packages/ti_recordedfuture/1.0.1/data_stream/threat/sample_event.json
+++ /dev/null
@@ -1,110 +0,0 @@ -{ - "@timestamp": "2022-04-11T09:21:48.260Z", - "agent": { - "ephemeral_id": "b69c55be-abc6-4a16-900f-986a2cc693a0", - "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_recordedfuture.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0" - }, - "elastic_agent": { - "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "dataset": "ti_recordedfuture.threat", - "ingested": "2022-04-11T09:21:49Z", - "kind": "enrichment", - "risk_score": 87, - "timezone": "+00:00", - "type": "indicator" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/rf_url_default.csv" - }, - "offset": 45 - }, - "recordedfuture": { - "evidence_details": [ - { - "Criticality": 1, - "CriticalityLabel": "Unusual", - "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. 
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "Ctq", - "idn:fook.news", - "idn:urdupresss.com", - "POs2u-", - "idn:apple.news", - "idn:cryptoinfoos.com.ng", - "g9rk5F", - "idn:thewindowsupdate.com", - "idn:nationalcybersecuritynews.today", - "gBDK5G", - "idn:microsoft.com", - "idn:techsecuritenews.com", - "idn:mblogs.info", - "J6UzbO", - "idn:viralamo.com", - "idn:sellorbuyhomefast.com", - "idn:crazyboy.tech", - "idn:times24h.com", - "idn:buzzfeeg.com", - "idn:dsmenders.com", - "WroSbs", - "idn:vzonetvgh.com" - ], - "Timestamp": "2021-07-20T00:00:00.000Z" - }, - { - "Criticality": 3, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-07-10T00:00:00.000Z" - } - ], - "risk_string": "2/24" - }, - "tags": [ - "forwarded", - "recordedfuture" - ], - "threat": { - "feed": { - "name": "Recorded Future" - }, - "indicator": { - "type": "url", - "url": { - "domain": "144.34.179.162", - "original": "http://144.34.179.162/a", - "path": "/a", - "scheme": "http" - } - } - } -} \ No newline at end of file diff --git a/packages/ti_recordedfuture/1.0.1/docs/README.md b/packages/ti_recordedfuture/1.0.1/docs/README.md deleted file mode 100755 index 9bb11ff6fd..0000000000 --- a/packages/ti_recordedfuture/1.0.1/docs/README.md +++ /dev/null 
@@ -1,215 +0,0 @@ -# Recorded Future Integration - -The Recorded Future integration fetches _risklists_ from the [Recorded Future API](https://api.recordedfuture.com/index.html). -It supports `domain`, `hash`, `ip` and `url` entities. - -In order to use it you need to define the `entity` and `list` to fetch. Check with -Recorded Future for the available lists for each entity. To fetch indicators -from multiple entities, it's necessary to define one integration for each. - -Alternatively, it's also possible to use the integration to fetch custom Fusion files -by supplying the URL to the CSV file as the _Custom_ _URL_ configuration option. - -An example event for `threat` looks as following: - -```json -{ - "@timestamp": "2022-04-11T09:21:48.260Z", - "agent": { - "ephemeral_id": "b69c55be-abc6-4a16-900f-986a2cc693a0", - "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_recordedfuture.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0" - }, - "elastic_agent": { - "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "dataset": "ti_recordedfuture.threat", - "ingested": "2022-04-11T09:21:49Z", - "kind": "enrichment", - "risk_score": 87, - "timezone": "+00:00", - "type": "indicator" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/rf_url_default.csv" - }, - "offset": 45 - }, - "recordedfuture": { - "evidence_details": [ - { - "Criticality": 1, - "CriticalityLabel": "Unusual", - "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. 
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", - "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", - "Sources": [ - "Ctq", - "idn:fook.news", - "idn:urdupresss.com", - "POs2u-", - "idn:apple.news", - "idn:cryptoinfoos.com.ng", - "g9rk5F", - "idn:thewindowsupdate.com", - "idn:nationalcybersecuritynews.today", - "gBDK5G", - "idn:microsoft.com", - "idn:techsecuritenews.com", - "idn:mblogs.info", - "J6UzbO", - "idn:viralamo.com", - "idn:sellorbuyhomefast.com", - "idn:crazyboy.tech", - "idn:times24h.com", - "idn:buzzfeeg.com", - "idn:dsmenders.com", - "WroSbs", - "idn:vzonetvgh.com" - ], - "Timestamp": "2021-07-20T00:00:00.000Z" - }, - { - "Criticality": 3, - "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", - "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", - "Sources": [ - "VKz42X" - ], - "Timestamp": "2021-07-10T00:00:00.000Z" - } - ], - "risk_string": "2/24" - }, - "tags": [ - "forwarded", - "recordedfuture" - ], - "threat": { - "feed": { - "name": "Recorded Future" - }, - "indicator": { - "type": "url", - "url": { - "domain": "144.34.179.162", - "original": "http://144.34.179.162/a", - "path": "/a", - "scheme": "http" - } - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| recordedfuture.evidence_details | List of sightings used as evidence for this indicator. | flattened | -| recordedfuture.name | Indicator value. | keyword | -| recordedfuture.risk_string | Details of risk rules observed. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point | -| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. 
| long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | - diff --git a/packages/ti_recordedfuture/1.0.1/img/logo.svg b/packages/ti_recordedfuture/1.0.1/img/logo.svg deleted file mode 100755 index 9bb0517562..0000000000 --- a/packages/ti_recordedfuture/1.0.1/img/logo.svg +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - - - - - - - diff --git a/packages/ti_recordedfuture/1.0.1/manifest.yml b/packages/ti_recordedfuture/1.0.1/manifest.yml deleted file mode 100755 index 8be12cdaf1..0000000000 --- a/packages/ti_recordedfuture/1.0.1/manifest.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: ti_recordedfuture -title: Recorded Future -version: 1.0.1 -release: ga -description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -conditions: - kibana.version: ^8.0.0 -icons: - - src: /img/logo.svg - title: Recorded Future - size: 216x216 - type: image/svg+xml -policy_templates: - - name: ti_recordedfuture - title: Recorded Future - description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent. - inputs: - - type: httpjson - title: "Collect threat intelligence from Recorded Future risklists API." - description: "Use RecordedFuture API to fetch a risklist" - - type: logfile - title: "Collect threat intelligence from CSV file." - description: "Load indicators from a CSV file" -owner: - github: elastic/security-external-integrations 
diff --git a/packages/ti_threatq/1.3.2/changelog.yml b/packages/ti_threatq/1.3.2/changelog.yml deleted file mode 100755 index 3c1f51c5a1..0000000000 --- a/packages/ti_threatq/1.3.2/changelog.yml +++ /dev/null @@ -1,51 +0,0 @@ -# newer versions go on top -- version: "1.3.2" - changes: - - description: update readme to include link to threatQ documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3173 -- version: "1.3.1" - changes: - - description: Update package descriptions - type: enhancement - link: https://github.com/elastic/integrations/pull/3398 -- version: "1.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2781 -- version: "1.2.2" - changes: - - description: Add event.created field mapping - type: enhancement - link: https://github.com/elastic/integrations/pull/3042 -- version: "1.2.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.2.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2450 -- version: "1.1.0" - changes: - - description: Add threat.feed ECS fields and dashboard - type: enhancement - link: https://github.com/elastic/integrations/pull/2543 -- version: "1.0.2" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.0.1" - changes: - - description: Bumping minimum version - type: enhancement - link: https://github.com/elastic/integrations/pull/2063 -- version: "1.0.0" - changes: - - description: Initial release - type: enhancement - link: https://github.com/elastic/integrations/pull/1946 
diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_threatq/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs deleted file mode 100755 index f03799a9c9..0000000000 --- a/packages/ti_threatq/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,56 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -auth.oauth2: - client.id: {{client_id}} - client.secret: {{client_secret}} - token_url: {{token_url}} - -request.url: {{host}}/api/indicators/query/hash/{{data_collection_id}} - -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} - -request.transforms: -- set: - target: url.params.sort - value: updated_at -- set: - target: url.params.limit - value: 100 -- set: - target: url.params.cursorMark - value: '[[.cursor.cursor_mark]]' - default: "*" -cursor: - cursor_mark: - ignore_empty_value: true - value: '[[.last_response.body.nextCursorMark]]' -response.request_body_on_pagination: true - -response.split: - target: body.data - fail_on_template_error: true - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_threatq/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7b3718fcaa..0000000000 --- a/packages/ti_threatq/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,341 +0,0 @@ ---- -description: Pipeline for parsing ThreatQ Threat Intel -processors: - #################### - # Event ECS fields # - #################### - - set: - field: ecs.version - value: "8.2.0" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - ############### - # Parse dates # - ############### - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - fingerprint: - fields: - - json.id - - json.indicator_id - target_field: "_id" - ignore_missing: true - - date: - target_field: "@timestamp" - field: "json.updated_at" - formats: - - "yyyy-MM-dd HH:mm:ss" - if: "ctx.json.updated_at != null" - ignore_failure: true - - date: - target_field: "threatq.created_at" - field: "json.created_at" - formats: - - "yyyy-MM-dd HH:mm:ss" - if: "ctx.json.created_at != null" - ignore_failure: true - - date: - target_field: "threatq.expires_at" - field: "json.expires_at" - formats: - - "yyyy-MM-dd HH:mm:ss" - if: "ctx.json.expires_at != null" - ignore_failure: true - - date: - target_field: "threatq.expires_calculated_at" - field: "json.expires_calculated_at" - formats: - - "yyyy-MM-dd HH:mm:ss" - if: "ctx.json.expires_calculated_at != null" - ignore_failure: true - - date: - target_field: "threatq.published_at" - field: "json.published_at" - formats: - - "yyyy-MM-dd HH:mm:ss" - if: "ctx.json.published_at != null" - ignore_failure: true - - ##################### - # Threat ECS Fields # - ##################### - - rename: - field: json.type.name - target_field: threat.indicator.type - ignore_missing: true - - rename: - field: json.description - target_field: threat.indicator.description - ignore_missing: true - - script: - lang: painless - if: ctx.json?.score != null - description: > - Normalize confidence level. 
- source: > - def value = ctx.json.score; - if (value <= 0.0 || value > 100.0) { - ctx.threat.indicator.confidence = "None"; - return; - } - if (value >= 1.0 && value <= 29.0) { - ctx.threat.indicator.confidence = "Low"; - return; - } - if (value >= 30.0 && value <= 69.0) { - ctx.threat.indicator.confidence = "Med"; - return; - } - if (value >= 70 && value <= 100) { - ctx.threat.indicator.confidence = "High"; - return; - } - - rename: - field: json.status.name - target_field: threatq.status - ignore_missing: true - - rename: - field: json.value - target_field: threatq.indicator_value - ignore_missing: true - - ######################################### - # Map indicator types and values to ECS # - ######################################### - - # Indicator type: Email Address - - set: - field: threat.indicator.email.address - copy_from: threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" - ignore_empty_value: true - - set: - field: threat.indicator.type - value: email-addr - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'" - - # Indicator type: FQDN - - set: - field: threat.indicator.domain - copy_from: threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" - ignore_empty_value: true - - set: - field: threat.indicator.type - value: domain-name - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'" - - # Indicator type: IP Address - - set: - field: threat.indicator.ip - copy_from: threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" - ignore_empty_value: true - - - set: - field: threat.indicator.type - value: ipv4-addr - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'" - - # Indicator type: IPv6 Address - - set: - field: threat.indicator.domain - copy_from: 
threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" - ignore_empty_value: true - - set: - field: threat.indicator.type - value: ipv6-addr - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'" - - # Indicator type: MD5 - - set: - field: threat.indicator.file.hash.md5 - copy_from: threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" - ignore_empty_value: true - - set: - field: threat.indicator.type - value: file - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'" - - # Indicator type: SHA-1 - - set: - field: threat.indicator.file.hash.sha1 - copy_from: threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" - ignore_empty_value: true - - set: - field: threat.indicator.type - value: file - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'" - - # Indicator type: SHA-256 - - set: - field: threat.indicator.file.hash.sha256 - copy_from: threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" - ignore_empty_value: true - - set: - field: threat.indicator.type - value: file - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'" - - # Indicator type: SHA-512 - - set: - field: threat.indicator.file.hash.sha512 - copy_from: threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" - ignore_empty_value: true - - set: - field: threat.indicator.type - value: file - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'" - - # Indicator type: URL - - uri_parts: - field: threatq.indicator_value - target_field: threat.indicator.url - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL' && 
ctx.threatq?.indicator_value != null" - remove_if_successful: true - - set: - field: threat.indicator.type - value: url - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL'" - - # Indicator type: x509 Serial - - set: - field: threat.indicator.x509.serial_number - copy_from: threatq.indicator_value - if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'x509 Serial'" - ignore_empty_value: true - - ################################### - # Map indicator providers and TLP # - ################################### - - script: - if: "ctx.json?.sources != null && ctx.json?.sources instanceof List && ctx.json?.sources.size() > 0" - lang: painless - description: "Extract TLP and providers from source" - source: |- - def providers = new ArrayList(); - def tlps = new ArrayList(); - for (source in ctx.json.sources) { - if (source == null) { - return; - } - if (source.containsKey("provider") && source["provider"] != null) { - providers.add(source["provider"]); - } - if (source.containsKey("tlp_name") && source["tlp_name"] != null) { - tlps.add(source["tlp_name"]); - } - } - if (tlps.size() > 0) { - if (ctx.threat.indicator.marking == null) { - ctx.threat.indicator.marking = new HashMap(); - } - ctx.threat.indicator.marking.tlp = tlps; - } - if (providers.size() > 0) { - if (ctx.threat.indicator.provider == null) { - ctx.threat.indicator.provider = new HashMap(); - } - ctx.threat.indicator.provider = providers; - } - - ############################ - # Map indicator attributes # - ############################ - - foreach: - description: Change attribute names to lowercase - field: json.attributes - ignore_missing: true - processor: - lowercase: - field: "_ingest._value.name" - - foreach: - description: Replaces spaces with underscore in attribute names - field: json.attributes - ignore_missing: true - processor: - gsub: - field: "_ingest._value.name" - pattern: " " - replacement: "_" - - foreach: - description: Append attributes - 
field: json.attributes - ignore_missing: true - processor: - append: - field: threatq.attributes.{{{ _ingest._value.name }}} - value: "{{{ _ingest._value.value }}}" - - ############################# - # Map indicator adversaries # - ############################# - - foreach: - field: json.adversaries - ignore_missing: true - processor: - append: - field: threatq.adversaries - value: "{{{ _ingest._value.name }}}" - - ###################### - # Cleanup processors # - ###################### - # Setting indicator type to unknown if it does not match anything - - set: - field: threat.indicator.type - value: unknown - if: ctx.threat?.indicator?.type == null - - script: - lang: painless - if: ctx.threat != null - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - } - handleMap(ctx); - - # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event - - remove: - field: - - json - - message - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/fields/agent.yml b/packages/ti_threatq/1.3.2/data_stream/threat/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/ti_threatq/1.3.2/data_stream/threat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/fields/base-fields.yml b/packages/ti_threatq/1.3.2/data_stream/threat/fields/base-fields.yml
deleted file mode 100755
index 701a58f151..0000000000
--- a/packages/ti_threatq/1.3.2/data_stream/threat/fields/base-fields.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_threatq
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: ThreatQuotient
-- name: threat.feed.dashboard_id
- type: constant_keyword
- description: Dashboard ID used for Kibana CTI UI
- value: ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_threatq.threat
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/fields/beats.yml b/packages/ti_threatq/1.3.2/data_stream/threat/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_threatq/1.3.2/data_stream/threat/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/fields/ecs.yml b/packages/ti_threatq/1.3.2/data_stream/threat/fields/ecs.yml
deleted file mode 100755
index fc1ccd5f4a..0000000000
--- a/packages/ti_threatq/1.3.2/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,172 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- name: threat.feed.name - type: keyword -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Describes the type of action conducted by the threat. - name: threat.indicator.description - type: keyword -- description: |- - Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. - Expected values are: - * Not Specified - * None - * Low - * Medium - * High - name: threat.indicator.confidence - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
- name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
- name: threat.indicator.url.query - type: keyword -- description: Identifies a threat indicator as an email address (irrespective of direction). - name: threat.indicator.email.address - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: SHA512 hash. - name: threat.indicator.file.hash.sha512 - type: keyword -- description: |- - Traffic Light Protocol sharing markings. - Recommended values are: - * WHITE - * GREEN - * AMBER - * RED - name: threat.indicator.marking.tlp - type: keyword diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/fields/fields.yml b/packages/ti_threatq/1.3.2/data_stream/threat/fields/fields.yml deleted file mode 100755 index d22e23df8b..0000000000 --- a/packages/ti_threatq/1.3.2/data_stream/threat/fields/fields.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -- name: threatq - type: group - description: > - Fields for ThreatQ indicators - - fields: - - name: updated_at - type: date - description: > - Last modification time - - - name: created_at - type: date - description: > - Object creation time - - - name: expires_at - type: date - description: > - Expiration time - - - name: expires_calculated_at - type: date - description: > - Expiration calculation time - - - name: published_at - type: date - description: > - Object publication time - - - name: status - type: keyword - description: > - Object status within the Threat Library - - - name: indicator_value - type: keyword - description: > - Original indicator value - - - name: adversaries - type: keyword - description: > - Adversaries that are linked to the object - - - name: attributes - type: flattened - description: > - These provide additional context about an object - diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/manifest.yml b/packages/ti_threatq/1.3.2/data_stream/threat/manifest.yml deleted file mode 100755 index 060ab47162..0000000000 --- a/packages/ti_threatq/1.3.2/data_stream/threat/manifest.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -type: logs -title: ThreatQ -streams: - - input: httpjson - vars: - - name: host - type: text - title: ThreatQ hostname - multi: false - required: true - show_user: true - default: https://threatqexample.com - description: The hostname of the ThreatQ instance. - - name: client_id - type: text - title: ThreatQ Oauth2 Client ID - multi: false - required: true - show_user: true - description: The Client ID used to access the ThreatQ instance. - - name: client_secret - type: password - title: ThreatQ Oauth2 Client Secret - multi: false - required: true - show_user: true - description: The Client ID used to access the ThreatQ instance. - - name: token_url - type: text - title: ThreatQ Oauth2 Token URL - multi: false - required: true - show_user: true - description: The Token URL used for Oauth2 Authentication. - default: https://threatqexample.com/api/token - - name: data_collection_id - type: text - title: ThreatQ Collection ID - multi: false - required: true - show_user: true - description: The ID of the collection to retrieve data from. 
- - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: false - default: 30s - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 10m - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - default: | - #verification_mode: none - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - threatq-threat - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: ThreatQuotient - description: Collect indicators from the ThreatQuotient API diff --git a/packages/ti_threatq/1.3.2/data_stream/threat/sample_event.json b/packages/ti_threatq/1.3.2/data_stream/threat/sample_event.json deleted file mode 100755 index b55645b939..0000000000 --- a/packages/ti_threatq/1.3.2/data_stream/threat/sample_event.json +++ /dev/null 
@@ -1,66 +0,0 @@
-{
- "@timestamp": "2021-10-01T18:36:03.000Z",
- "agent": {
- "ephemeral_id": "12c946b4-2bf4-4d07-8aec-d28310ed16c8",
- "id": "394964aa-5974-455c-bea7-5c0b89b470bd",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "ti_threatq.threat",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "394964aa-5974-455c-bea7-5c0b89b470bd",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "created": "2022-04-11T09:27:35.244Z",
- "dataset": "ti_threatq.threat",
- "ingested": "2022-04-11T09:27:36Z",
- "kind": "enrichment",
- "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":5,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893068,\"indicator_id\":106767,\"name\":\"Contact\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca\"},{\"attribute_id\":9,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893069,\"indicator_id\":106767,\"name\":\"Router Port\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"9000\"},{\"attribute_id\":6,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893070,\"indicator_id\":106767,\"name\":\"Flags\",\"touched_at\":\"2021-10-02 18:36:08\",\"updated_at\":\"2021-10-02 18:36:08\",\"value\":\"ERDV\"}],\"class\":\"network\",\"created_at\":\"2021-10-01 18:36:03\",\"expires_calculated_at\":\"2021-10-23 18:40:17\",\"hash\":\"69beef49fdbd1f54eef3cab324c7b6cf\",\"id\":106767,\"published_at\":\"2021-10-01 18:36:03\",\"score\":0,\"sources\":[{\"created_at\":\"2021-10-01 18:36:06\",\"creator_source_id\":12,\"id\":3699669,\"indicator_id\":106767,\"indicator_status_id\":1,\"indicator_type_id\":15,\"name\":\"www.dan.me.uk Tor Node List\",\"published_at\":\"2021-10-01 
18:36:06\",\"reference_id\":37,\"source_id\":12,\"source_type\":\"connectors\",\"updated_at\":\"2021-10-24 18:36:10\"}],\"status\":{\"description\":\"Poses a threat and is being exported to detection tools.\",\"id\":1,\"name\":\"Active\"},\"status_id\":1,\"touched_at\":\"2021-10-24 18:36:10\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2021-10-01 18:36:03\",\"value\":\"107.189.1.90\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "threatq-threat" - ], - "threat": { - "indicator": { - "confidence": "None", - "ip": "107.189.1.90", - "type": "ipv4-addr" - } - }, - "threatq": { - "attributes": { - "contact": [ - "email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca" - ], - "flags": [ - "ERDV" - ], - "router_port": [ - "9000" - ] - }, - "created_at": "2021-10-01T18:36:03.000Z", - "expires_calculated_at": "2021-10-23T18:40:17.000Z", - "indicator_value": "107.189.1.90", - "published_at": "2021-10-01T18:36:03.000Z", - "status": "Active" - } -} \ No newline at end of file diff --git a/packages/ti_threatq/1.3.2/docs/README.md b/packages/ti_threatq/1.3.2/docs/README.md deleted file mode 100755 index 9b1b660c60..0000000000 --- a/packages/ti_threatq/1.3.2/docs/README.md +++ /dev/null 
@@ -1,172 +0,0 @@ -# ThreatQuotient Integration - -The ThreatQuotient integration uses the available [ThreatQuotient](https://www.threatq.com/integrations/) REST API to retrieve indicators and Threat Intelligence. - -## Logs - -### Threat - -The ThreatQ integration requires you to set a valid URL, combination of Oauth2 credentials and the ID of the collection to retrieve -indicators from. -By default the indicators will be collected every 1 minute, and deduplication is handled by the API itself. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Path to the log file. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| tags | List of keywords used to tag each event.
| keyword |
-| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
-| threat.feed.name | | keyword |
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword |
-| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword |
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword |
-| threat.indicator.provider | The name of the indicator's provider. | keyword |
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
-| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
-| threat.indicator.url.port | Port of the request, such as 443. | long |
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string.
The `exists` query can be used to differentiate between the two cases. | keyword |
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| threatq.adversaries | Adversaries that are linked to the object | keyword |
-| threatq.attributes | These provide additional context about an object | flattened |
-| threatq.created_at | Object creation time | date |
-| threatq.expires_at | Expiration time | date |
-| threatq.expires_calculated_at | Expiration calculation time | date |
-| threatq.indicator_value | Original indicator value | keyword |
-| threatq.published_at | Object publication time | date |
-| threatq.status | Object status within the Threat Library | keyword |
-| threatq.updated_at | Last modification time | date |
-
-
-An example event for `threat` looks as following:
-
-```json
-{
- "@timestamp": "2021-10-01T18:36:03.000Z",
- "agent": {
- "ephemeral_id": "12c946b4-2bf4-4d07-8aec-d28310ed16c8",
- "id": "394964aa-5974-455c-bea7-5c0b89b470bd",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "ti_threatq.threat",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "394964aa-5974-455c-bea7-5c0b89b470bd",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "created": "2022-04-11T09:27:35.244Z",
- "dataset": "ti_threatq.threat",
- "ingested": "2022-04-11T09:27:36Z",
- "kind": "enrichment",
- "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":5,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893068,\"indicator_id\":106767,\"name\":\"Contact\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca\"},{\"attribute_id\":9,\"created_at\":\"2021-10-01
18:36:06\",\"id\":4893069,\"indicator_id\":106767,\"name\":\"Router Port\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"9000\"},{\"attribute_id\":6,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893070,\"indicator_id\":106767,\"name\":\"Flags\",\"touched_at\":\"2021-10-02 18:36:08\",\"updated_at\":\"2021-10-02 18:36:08\",\"value\":\"ERDV\"}],\"class\":\"network\",\"created_at\":\"2021-10-01 18:36:03\",\"expires_calculated_at\":\"2021-10-23 18:40:17\",\"hash\":\"69beef49fdbd1f54eef3cab324c7b6cf\",\"id\":106767,\"published_at\":\"2021-10-01 18:36:03\",\"score\":0,\"sources\":[{\"created_at\":\"2021-10-01 18:36:06\",\"creator_source_id\":12,\"id\":3699669,\"indicator_id\":106767,\"indicator_status_id\":1,\"indicator_type_id\":15,\"name\":\"www.dan.me.uk Tor Node List\",\"published_at\":\"2021-10-01 18:36:06\",\"reference_id\":37,\"source_id\":12,\"source_type\":\"connectors\",\"updated_at\":\"2021-10-24 18:36:10\"}],\"status\":{\"description\":\"Poses a threat and is being exported to detection tools.\",\"id\":1,\"name\":\"Active\"},\"status_id\":1,\"touched_at\":\"2021-10-24 18:36:10\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2021-10-01 18:36:03\",\"value\":\"107.189.1.90\"}",
- "type": "indicator"
- },
- "input": {
- "type": "httpjson"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "threatq-threat"
- ],
- "threat": {
- "indicator": {
- "confidence": "None",
- "ip": "107.189.1.90",
- "type": "ipv4-addr"
- }
- },
- "threatq": {
- "attributes": {
- "contact": [
- "email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca"
- ],
- "flags": [
- "ERDV"
- ],
- "router_port": [
- "9000"
- ]
- },
- "created_at": "2021-10-01T18:36:03.000Z",
- "expires_calculated_at": "2021-10-23T18:40:17.000Z",
- "indicator_value": "107.189.1.90",
- "published_at": "2021-10-01T18:36:03.000Z",
- "status": "Active"
- }
-}
-```
\ No newline at end of file
diff --git a/packages/ti_threatq/1.3.2/img/threatq.svg b/packages/ti_threatq/1.3.2/img/threatq.svg
deleted file mode 100755
index 0da7d32522..0000000000
--- a/packages/ti_threatq/1.3.2/img/threatq.svg
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
-
\ No newline at end of file
diff --git a/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json
deleted file mode 100755
index f4adcae2b5..0000000000
--- a/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json
+++ /dev/null
@@ -1,112 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the ThreatQ integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[ThreatQ Overview (This Page)](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848)** \\n[ThreatQ Files](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848) \\n[ThreatQ URLs](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848) \\n\\n[Integrations Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the ThreatQ integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from ThreatQ. 
\\n\\nIt shows the ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from ThreatQ.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"data_stream.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"title\":\"Total Indicators per Datastream [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs ThreatQ] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": 
"ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", - "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json deleted file mode 100755 index 0fa3fc0ee3..0000000000 --- a/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the ThreatQ integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[ThreatQ Overview](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848) \\n**[ThreatQ Files (This Page)](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848)** \\n[ThreatQ URLs](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":26,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":32,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":19,\"x\":7,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":26,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs ThreatQ] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", - "type": "index-pattern" - }, - { - "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", - "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json deleted file mode 100755 index 1b50c92265..0000000000 --- a/packages/ti_threatq/1.3.2/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the ThreatQ integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[ThreatQ Overview ](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848) \\n[ThreatQ Files](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848) \\n**[ThreatQ URLs (This Page)](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848)** \\n\\n[Integrations Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs ThreatQ] URLs", - "version": 1 
- }, - "coreMigrationVersion": "8.0.0", - "id": "ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", - "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_threatq/1.3.2/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.3.2/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json deleted file mode 100755 index be8a15d6e9..0000000000 --- a/packages/ti_threatq/1.3.2/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "", - "name": "ThreatQ" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_threatq/1.3.2/manifest.yml b/packages/ti_threatq/1.3.2/manifest.yml deleted file mode 100755 index f54be7abeb..0000000000 --- a/packages/ti_threatq/1.3.2/manifest.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -name: ti_threatq -title: ThreatQuotient -version: 1.3.2 -release: ga -description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -conditions: - kibana.version: ^8.0.0 -icons: - - src: /img/threatq.svg - title: ThreatQuotient - size: 600x600 - type: image/svg+xml -policy_templates: - - name: ti_threatq - title: ThreatQuotient - description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent. - inputs: - - type: httpjson - title: "Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent." - description: "Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent." -owner: - github: elastic/security-external-integrations diff --git a/packages/zeek/2.1.0/changelog.yml b/packages/zeek/2.1.0/changelog.yml deleted file mode 100755 index fde5da0043..0000000000 --- a/packages/zeek/2.1.0/changelog.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -# newer versions go on top -- version: "2.1.0" - changes: - - description: Add JA3/JA3S parsing & fix certificate data parsing; hash, not valid before/after timestamps - type: enhancement - link: https://github.com/elastic/integrations/pull/3440 -- version: "2.0.0" - changes: - - description: Migrate map visualisation from tile_map to map object - type: bugfix - link: https://github.com/elastic/integrations/pull/3263 -- version: "1.9.0" - changes: - - description: Add `message` field to `zeek.syslog` datastream - type: enhancement - link: https://github.com/elastic/integrations/pull/3264 - - description: Fix field definition for `zeek.syslog.msg` - type: bugfix - link: https://github.com/elastic/integrations/pull/3264 -- version: "1.8.0" - changes: - - description: Make sure field values are valid for ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3243 -- version: "1.7.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2781 -- version: "1.6.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "1.6.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2452 -- version: "1.5.4" - changes: - - description: Remove redundant event.ingested from Zeek pipelines. - type: bugfix - link: https://github.com/elastic/integrations/pull/2503 -- version: "1.5.3" - changes: - - description: Ignore URI parse failures in zeek.http data. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2501 -- version: "1.5.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "1.5.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "1.5.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2263 -- version: "1.4.3" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2078 -- version: "1.4.2" - changes: - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1992 -- version: "1.4.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1861 -- version: "1.4.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1682 -- version: "1.3.0" - changes: - - description: Add Sigature and NTP data streams - type: enhancement - link: https://github.com/elastic/integrations/pull/1515 -- version: "1.2.2" - changes: - - description: Convert to generated ECS fields - type: enhancement - link: https://github.com/elastic/integrations/pull/1512 -- version: '1.2.1' - changes: - - description: update to ECS 1.11.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1426 -- version: "1.2.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "1.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "1.0.0" - 
changes: - - description: make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/1217 - - description: Set "event.module" and "event.dataset" - type: enhancement - link: https://github.com/elastic/integrations/pull/1217 -- version: "0.8.4" - changes: - - description: Add support for Splunk authorization tokens - type: enhancement - link: https://github.com/elastic/integrations/pull/1147 -- version: "0.8.3" - changes: - - description: Fix Third Party Api ingest pipeline - type: bugfix - link: https://github.com/elastic/integrations/pull/1201 -- version: "0.8.2" - changes: - - description: Use `wildcard` field type. - type: enhancement - link: https://github.com/elastic/integrations/pull/1164 -- version: "0.8.1" - changes: - - description: Add support for ISO8601 timestamps - type: enhancement - link: https://github.com/elastic/integrations/pull/1118 -- version: "0.8.0" - changes: - - description: Update to ECS 1.10.0, adding processor fields and replacing default tags from . to - between words. - type: enhancement - link: https://github.com/elastic/integrations/pull/1109 -- version: "0.7.4" - changes: - - description: Add system test for httpjson Splunk input. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1108 -- version: "0.7.3" - changes: - - description: Make event.original optional - type: enhancement - link: https://github.com/elastic/integrations/pull/992 -- version: "0.7.2" - changes: - - description: adding back 0.7.0 changes - type: bugfix - link: https://github.com/elastic/integrations/pull/986 -- version: "0.7.1" - changes: - - description: rolling back to 0.6.0 changes for compatibility with 7.12 - type: bugfix - link: https://github.com/elastic/package-storage/pull/1273 -- version: "0.7.0" - changes: - - description: moving edge processing to ingest pipeline - type: enhancement - link: https://github.com/elastic/integrations/pull/895 -- version: "0.6.1" - changes: - - description: update to ECS 1.9.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/831 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement - link: https://github.com/elastic/integrations/pull/245 diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/capture_loss/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/capture_loss/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/capture_loss/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/capture_loss/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/capture_loss/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 64ee568df7..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-description: Pipeline for normalizing Zeek capture_loss.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- target_field: zeek.capture_loss
- field: _temp_
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: ecs.version
- value: '8.2.0'
- - date:
- field: zeek.capture_loss.ts
- formats:
- - UNIX
- - ISO8601
- - set:
- field: event.kind
- value: metric
- - set:
- field: event.type
- value: info
- - convert:
- field: zeek.percent_lost
- type: long
- ignore_missing: true
- - remove:
- field:
- - zeek.capture_loss.ts
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/capture_loss/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/fields/agent.yml b/packages/zeek/2.1.0/data_stream/capture_loss/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/capture_loss/fields/base-fields.yml
deleted file mode 100755
index 9c7832bd78..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.capture_loss
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/fields/beats.yml b/packages/zeek/2.1.0/data_stream/capture_loss/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/capture_loss/fields/ecs.yml
deleted file mode 100755
index 8c599c7649..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/fields/ecs.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled.
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/fields/fields.yml b/packages/zeek/2.1.0/data_stream/capture_loss/fields/fields.yml
deleted file mode 100755
index 54671c4d12..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/fields/fields.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- name: zeek.capture_loss
- type: group
- fields:
- - name: ts_delta
- type: integer
- description: |
- The time delay between this measurement and the last.
- - name: peer
- type: keyword
- description: |
- In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
- - name: gaps
- type: integer
- description: |
- Number of missed ACKs from the previous measurement interval.
- - name: acks
- type: integer
- description: |
- Total number of ACKs seen in the previous measurement interval.
- - name: percent_lost
- type: double
- description: |
- Percentage of ACKs seen where the data being ACKed wasn't seen.
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/capture_loss/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/capture_loss/manifest.yml b/packages/zeek/2.1.0/data_stream/capture_loss/manifest.yml
deleted file mode 100755
index 5f66ef81d2..0000000000
--- a/packages/zeek/2.1.0/data_stream/capture_loss/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-type: logs
-title: Zeek capture_loss logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of capture loss log file
- multi: true
- required: true
- show_user: true
- default:
- - capture_loss.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - zeek-capture-loss
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek capture_loss.log
- description: Collect Zeek capture_loss logs
- - input: httpjson
- title: Zeek capture_loss logs via Splunk Enterprise REST API
- description: Collect Zeek capture_loss logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg.
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"capture_loss-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-capture-loss
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.1.0/data_stream/connection/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/connection/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/connection/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/connection/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/connection/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/connection/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index bba287f088..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,339 +0,0 @@
----
-description: Pipeline for normalizing Zeek conn.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.connection
- ignore_failure: true
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: ecs.version
- value: '8.2.0'
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: network
- - dot_expander:
- path: zeek.connection
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.connection
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.connection
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.connection
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.connection.duration
- target_field: temp.duration
- ignore_missing: true
- - rename:
- field: zeek.connection.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.connection.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.connection.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.connection.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.connection.proto
- target_field: network.transport
- ignore_missing: true
- - rename:
- field: zeek.connection.service
- target_field: network.protocol
- ignore_missing: true
- - rename:
- field: zeek.connection.uid
- target_field: zeek.session_id
- ignore_missing: true
- - rename:
- field: zeek.connection.orig_ip_bytes
- target_field:
source.bytes
- ignore_missing: true
- - rename:
- field: zeek.connection.resp_ip_bytes
- target_field: destination.bytes
- ignore_missing: true
- - rename:
- field: zeek.connection.orig_pkts
- target_field: source.packets
- ignore_missing: true
- - rename:
- field: zeek.connection.resp_pkts
- target_field: destination.packets
- ignore_missing: true
- - rename:
- field: zeek.connection.conn_state
- target_field: zeek.connection.state
- ignore_missing: true
- - rename:
- field: zeek.connection.orig_l2_addr
- target_field: source.mac
- ignore_missing: true
- - rename:
- field: zeek.connection.resp_l2_addr
- target_field: destination.mac
- ignore_missing: true
- - rename:
- field: source.port
- target_field: zeek.connection.icmp.type
- ignore_missing: true
- if: 'ctx?.network?.transport == "icmp"'
- - rename:
- field: destination.port
- target_field: zeek.connection.icmp.code
- ignore_missing: true
- if: 'ctx?.network?.transport == "icmp"'
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - community_id:
- if: 'ctx?.network?.transport != "icmp"'
- - community_id:
- icmp_type: zeek.connection.icmp.type
- icmp_code: zeek.connection.icmp.code
- if: 'ctx?.network?.transport == "icmp"'
- - date:
- field: zeek.connection.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.connection.ts
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - script:
- source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale)
- params:
- scale: 1000000000
- if: ctx.temp?.duration != null
- - append:
- field: tags
- value:
- - local_orig
- if: ctx?.zeek?.connection?.local_orig != null
- allow_duplicates: false
- - append:
- field: tags
- value:
- - local_resp
- if: ctx?.zeek?.connection?.local_resp != null
- allow_duplicates: false
- - append:
- field: related.ip
- value:
"{{source.ip}}"
- if: ctx?.source?.ip != null
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: ctx?.destination?.ip != null
- allow_duplicates: false
- - script:
- source: ctx.network.packets = ctx.source.packets + ctx.destination.packets
- ignore_failure: true
- - script:
- source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes
- ignore_failure: true
- - script:
- source: |-
- if (ctx?.zeek?.connection?.local_orig == null ||
- ctx?.zeek?.connection?.local_resp == null) {
- return;
- }
- if (ctx.zeek.connection.local_orig == true &&
- ctx.zeek.connection.local_resp == true) {
- ctx.network.direction = "internal";
- return;
- }
- if (ctx.zeek.connection.local_orig == true &&
- ctx.zeek.connection.local_resp == false) {
- ctx.network.direction = "outbound";
- return;
- }
- if (ctx.zeek.connection.local_orig == false &&
- ctx.zeek.connection.local_resp == true) {
- ctx.network.direction = "inbound";
- return;
- }
- if (ctx.zeek.connection.local_orig == false &&
- ctx.zeek.connection.local_resp == false) {
- ctx.network.direction = "external";
- return;
- }
- - geoip:
- field: destination.ip
- target_field: destination.geo
- if: ctx?.destination?.ip != null
- - geoip:
- field: source.ip
- target_field: source.geo
- if: ctx?.source?.ip != null
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field:
destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - script:
- params:
- S0:
- conn_str: "Connection attempt seen, no reply."
- types:
- - connection
- - start
- S1:
- conn_str: "Connection established, not terminated."
- types:
- - connection
- - start
- SF:
- conn_str: "Normal establishment and termination."
- types:
- - connection
- - start
- - end
- REJ:
- conn_str: "Connection attempt rejected."
- types:
- - connection
- - start
- - denied
- S2:
- conn_str: "Connection established and close attempt by originator seen (but no reply from responder)."
- types:
- - connection
- - info
- S3:
- conn_str: "Connection established and close attempt by responder seen (but no reply from originator)."
- types:
- - connection
- - info
- RSTO:
- conn_str: "Connection established, originator aborted (sent a RST)."
- types:
- - connection
- - info
- RSTR:
- conn_str: "Responder sent a RST."
- types:
- - connection
- - info
- RSTOS0:
- conn_str: "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder."
- types:
- - connection
- - info
- RSTRH:
- conn_str: "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator."
- types:
- - connection
- - info
- SH:
- conn_str: "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)."
- types:
- - connection
- - info
- SHR:
- conn_str: "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator."
- types:
- - connection
- - info
- OTH:
- conn_str: "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)."
- types:
- - connection
- - info
- source: >-
- if (ctx?.zeek?.connection?.state == null) {
- return;
- }
- if (params.containsKey(ctx.zeek.connection.state)) {
- ctx.zeek.connection.state_message = params[ctx.zeek.connection.state]["conn_str"];
- ctx.event.type = params[ctx.zeek.connection.state]["types"];
- }
- - remove:
- field:
- - zeek.connection.id
- - zeek.connection.orig_bytes
- - zeek.connection.resp_bytes
- - zeek.connection.tunnel_parents
- - message
- - json
- - temp
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/connection/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/connection/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/connection/fields/agent.yml b/packages/zeek/2.1.0/data_stream/connection/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/connection/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/connection/fields/base-fields.yml
deleted file mode 100755
index 9790a9113a..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.connection
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/connection/fields/beats.yml b/packages/zeek/2.1.0/data_stream/connection/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/connection/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/connection/fields/ecs.yml
deleted file mode 100755
index 23a0cc73e2..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/fields/ecs.yml
+++ /dev/null
@@ -1,212 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- MAC address of the destination.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
- In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. 
- name: host.ip - type: ip -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/connection/fields/fields.yml b/packages/zeek/2.1.0/data_stream/connection/fields/fields.yml deleted file mode 100755 index 648f871d9d..0000000000 --- a/packages/zeek/2.1.0/data_stream/connection/fields/fields.yml +++ /dev/null @@ -1,46 +0,0 @@ -- name: zeek.connection - type: group - fields: - - name: local_orig - type: boolean - description: | - Indicates whether the session is originated locally. - - name: local_resp - type: boolean - description: | - Indicates whether the session is responded locally. - - name: missed_bytes - type: long - description: | - Missed bytes for the session. - - name: state - type: keyword - description: | - Code indicating the state of the session. - - name: state_message - type: keyword - description: | - The state of the session. - - name: icmp - type: group - fields: - - name: type - type: integer - description: | - ICMP message type. - - name: code - type: integer - description: | - ICMP message code. - - name: history - type: keyword - description: | - Flags indicating the history of the session. - - name: vlan - type: integer - description: | - VLAN identifier. - - name: inner_vlan - type: integer - description: | - VLAN identifier. diff --git a/packages/zeek/2.1.0/data_stream/connection/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/connection/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/connection/fields/package-fields.yml +++ /dev/null 
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/connection/manifest.yml b/packages/zeek/2.1.0/data_stream/connection/manifest.yml
deleted file mode 100755
index 05f23885b6..0000000000
--- a/packages/zeek/2.1.0/data_stream/connection/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek connection logs -streams: - - input: logfile - template_path: log.yml.hbs - title: Zeek conn.log - description: Collect Zeek connection logs - vars: - - name: filenames - type: text - title: Filename of connection log - multi: true - required: true - show_user: true - default: - - conn.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-connection - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: httpjson - title: Zeek connection logs via Splunk Enterprise REST API - description: Collect Zeek connection logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"conn-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-connection - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/dce_rpc/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/dce_rpc/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/dce_rpc/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 23954cb743..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,169 +0,0 @@ ---- -description: Pipeline for normalizing Zeek dce_rpc.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.dce_rpc - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: dce_rpc - - dot_expander: - path: zeek.dce_rpc - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.dce_rpc - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.dce_rpc - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.dce_rpc - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.dce_rpc.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.dce_rpc.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.dce_rpc.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.dce_rpc.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.dce_rpc.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address 
!= null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - date: - field: zeek.dce_rpc.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.dce_rpc.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - set: - field: event.action - copy_from: zeek.dce_rpc.operation - if: "ctx?.zeek?.dce_rpc?.operation != null" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.dce_rpc.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/agent.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/fields/base-fields.yml
deleted file mode 100755
index 3a568c3f53..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.dce_rpc
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/beats.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/fields/ecs.yml
deleted file mode 100755
index c76a44ad66..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/ecs.yml
+++ /dev/null
@@ -1,170 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
- The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. 
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/fields.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/fields/fields.yml
deleted file mode 100755
index e0741e5456..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/fields.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: zeek.dce_rpc
- type: group
- fields:
- - name: rtt
- type: integer
- description: |
- Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
- - name: named_pipe
- type: keyword
- description: |
- Remote pipe name.
- - name: endpoint
- type: keyword
- description: |
- Endpoint name looked up from the uuid.
- - name: operation
- type: keyword
- description: |
- Operation seen in the call.
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/dce_rpc/manifest.yml b/packages/zeek/2.1.0/data_stream/dce_rpc/manifest.yml
deleted file mode 100755
index 557f87bc91..0000000000
--- a/packages/zeek/2.1.0/data_stream/dce_rpc/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek dce_rpc logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of dce_rpc log file - multi: true - required: true - show_user: true - default: - - dce_rpc.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-dce-rpc - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek dce_rpc.log - description: Collect Zeek dce_rpc logs - - input: httpjson - title: Zeek dce_rpc logs via Splunk Enterprise REST API - description: Collect Zeek dce_rpc logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"dce_rpc-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-dce-rpc - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/dhcp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/dhcp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index a12f9a5875..0000000000 --- a/packages/zeek/2.1.0/data_stream/dhcp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,64 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-
diff --git a/packages/zeek/2.1.0/data_stream/dhcp/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/dhcp/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/dhcp/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/dhcp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/dhcp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ab1f20f072..0000000000
--- a/packages/zeek/2.1.0/data_stream/dhcp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,187 +0,0 @@ ---- -description: Pipeline for normalizing Zeek dhcp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.dhcp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: event.kind - value: event - - set: - field: network.transport - value: udp - - set: - field: network.protocol - value: dhcp - - rename: - field: zeek.dhcp.uids - target_field: zeek.session_id - ignore_missing: true - - rename: - field: zeek.dhcp.assigned_addr - target_field: zeek.dhcp.address.assigned - ignore_missing: true - - rename: - field: zeek.dhcp.client_addr - target_field: zeek.dhcp.address.client - ignore_missing: true - - rename: - field: zeek.dhcp.mac - target_field: zeek.dhcp.address.mac - ignore_missing: true - - rename: - field: zeek.dhcp.requested_addr - target_field: zeek.dhcp.address.requested - ignore_missing: true - - rename: - field: zeek.dhcp.server_addr - target_field: zeek.dhcp.address.server - ignore_missing: true - - rename: - field: zeek.dhcp.host_name - target_field: zeek.dhcp.hostname - ignore_missing: true - - rename: - field: zeek.dhcp.client_message - target_field: zeek.dhcp.msg.client - ignore_missing: true - - rename: - field: zeek.dhcp.server_message - target_field: zeek.dhcp.msg.server - ignore_missing: true - - rename: - field: zeek.dhcp.msg_types - target_field: 
zeek.dhcp.msg.types - ignore_missing: true - - rename: - field: zeek.dhcp.msg_orig - target_field: zeek.dhcp.msg.origin - ignore_missing: true - - rename: - field: zeek.dhcp.client_software - target_field: zeek.dhcp.software.client - ignore_missing: true - - rename: - field: zeek.dhcp.server_software - target_field: zeek.dhcp.software.server - ignore_missing: true - - rename: - field: zeek.dhcp.circuit_id - target_field: zeek.dhcp.id.circuit - ignore_missing: true - - rename: - field: zeek.dhcp.agent_remote_id - target_field: zeek.dhcp.id.remote_agent - ignore_missing: true - - rename: - field: zeek.dhcp.subscriber_id - target_field: zeek.dhcp.id.subscriber - ignore_missing: true - - rename: - field: zeek.dhcp.client_port - target_field: source.port - ignore_missing: true - - rename: - field: zeek.dhcp.server_port - target_field: destination.port - ignore_missing: true - - set: - field: network.name - copy_from: zeek.dhcp.domain - if: ctx?.zeek?.dhcp?.domain != null - - set: - field: source.port - value: 68 - if: ctx?.source?.port == null - - set: - field: destination.port - value: 67 - if: ctx?.destination?.port == null - - set: - field: source.address - copy_from: zeek.dhcp.address.client - ignore_empty_value: true - - set: - field: client.address - copy_from: zeek.dhcp.address.client - ignore_empty_value: true - - set: - field: source.ip - copy_from: zeek.dhcp.address.client - ignore_empty_value: true - - set: - field: destination.address - copy_from: zeek.dhcp.address.server - ignore_empty_value: true - - set: - field: destination.ip - copy_from: zeek.dhcp.address.server - ignore_empty_value: true - - set: - field: server.address - copy_from: zeek.dhcp.address.server - ignore_empty_value: true - - date: - field: zeek.dhcp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.dhcp.ts - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != 
null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/dhcp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/dhcp/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/dhcp/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >- error in third party api pipeline: error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/dhcp/fields/agent.yml b/packages/zeek/2.1.0/data_stream/dhcp/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/dhcp/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/dhcp/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/dhcp/fields/base-fields.yml
deleted file mode 100755
index 82a42a99d3..0000000000
--- a/packages/zeek/2.1.0/data_stream/dhcp/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.dhcp
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/dhcp/fields/beats.yml b/packages/zeek/2.1.0/data_stream/dhcp/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/dhcp/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/dhcp/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/dhcp/fields/ecs.yml
deleted file mode 100755
index c3f6ced865..0000000000
--- a/packages/zeek/2.1.0/data_stream/dhcp/fields/ecs.yml
+++ /dev/null
@@ -1,98 +0,0 @@ -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: Name given by operators to sections of their network. - name: network.name - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.1.0/data_stream/dhcp/fields/fields.yml b/packages/zeek/2.1.0/data_stream/dhcp/fields/fields.yml
deleted file mode 100755
index f095974165..0000000000
--- a/packages/zeek/2.1.0/data_stream/dhcp/fields/fields.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: zeek.dhcp - type: group - fields: - - name: domain - type: keyword - description: | - Domain given by the server in option 15. - - name: duration - type: double - description: | - Duration of the DHCP session representing the time from the first - message to the last, in seconds. - - name: hostname - type: keyword - description: | - Name given by client in Hostname option 12. - - name: client_fqdn - type: keyword - description: | - FQDN given by client in Client FQDN option 81. - - name: lease_time - type: integer - description: | - IP address lease interval in seconds. - - name: address - type: group - fields: - - name: assigned - type: ip - description: | - IP address assigned by the server. - - name: client - type: ip - description: | - IP address of the client. If a transaction is only a client sending - INFORM messages then there is no lease information exchanged so this - is helpful to know who sent the messages. Getting an address in this - field does require that the client sources at least one DHCP message - using a non-broadcast address. - - name: mac - type: keyword - description: | - Client's hardware address. - - name: requested - type: ip - description: | - IP address requested by the client. - - name: server - type: ip - description: | - IP address of the DHCP server. - - name: msg - type: group - fields: - - name: types - type: keyword - description: | - List of DHCP message types seen in this exchange. - - name: origin - type: ip - description: | - (present if policy/protocols/dhcp/msg-orig.bro is loaded) - The address that originated each message from the msg.types field. - - name: client - type: keyword - description: | - Message typically accompanied with a DHCP_DECLINE so the client can - tell the server why it rejected an address. - - name: server - type: keyword - description: | - Message typically accompanied with a DHCP_NAK to let the client know - why it rejected the request. 
- - name: software - type: group - fields: - - name: client - type: keyword - description: | - (present if policy/protocols/dhcp/software.bro is loaded) - Software reported by the client in the vendor_class option. - - name: server - type: keyword - description: | - (present if policy/protocols/dhcp/software.bro is loaded) - Software reported by the client in the vendor_class option. - - name: id - type: group - fields: - - name: circuit - type: keyword - description: | - (present if policy/protocols/dhcp/sub-opts.bro is loaded) - Added by DHCP relay agents which terminate switched or permanent - circuits. It encodes an agent-local identifier of the circuit from - which a DHCP client-to-server packet was received. Typically it - should represent a router or switch interface number. - - name: remote_agent - type: keyword - description: | - (present if policy/protocols/dhcp/sub-opts.bro is loaded) - A globally unique identifier added by relay agents to identify the - remote host end of the circuit. - - name: subscriber - type: keyword - description: | - (present if policy/protocols/dhcp/sub-opts.bro is loaded) - The subscriber ID is a value independent of the physical network - configuration so that a customer's DHCP configuration can be given - to them correctly no matter where they are physically connected. diff --git a/packages/zeek/2.1.0/data_stream/dhcp/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/dhcp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/dhcp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/dhcp/manifest.yml b/packages/zeek/2.1.0/data_stream/dhcp/manifest.yml deleted file mode 100755 index f99de0f155..0000000000 --- a/packages/zeek/2.1.0/data_stream/dhcp/manifest.yml +++ /dev/null 
@@ -1,51 +0,0 @@
-type: logs
-title: Zeek dhcp logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of dhcp log file
- multi: true
- required: true
- show_user: true
- default:
- - dhcp.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - zeek-dhcp
- template_path: log.yml.hbs
- title: Zeek dhcp.log
- description: Collect Zeek dhcp logs
- - input: httpjson
- title: Zeek dhcp logs via Splunk Enterprise REST API
- description: Collect Zeek dhcp logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"dhcp-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-dhcp
diff --git a/packages/zeek/2.1.0/data_stream/dnp3/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/dnp3/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.1.0/data_stream/dnp3/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/dnp3/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/dnp3/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/dnp3/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/dnp3/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/dnp3/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index cee9af148c..0000000000
--- a/packages/zeek/2.1.0/data_stream/dnp3/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,188 +0,0 @@ ---- -description: Pipeline for normalizing Zeek dnp3.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.dnp3 - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: dnp3 - - dot_expander: - path: zeek.dnp3 - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.dnp3 - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.dnp3 - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.dnp3 - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.dnp3.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.dnp3.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.dnp3.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.dnp3.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.dnp3.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: 
destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.dnp3.fc_request - target_field: zeek.dnp3.function.request - ignore_missing: true - - rename: - field: zeek.dnp3.fc_reply - target_field: zeek.dnp3.function.reply - ignore_missing: true - - rename: - field: zeek.dnp3.iin - target_field: zeek.dnp3.id - ignore_missing: true - - date: - field: zeek.dnp3.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.dnp3.ts - - set: - field: event.action - copy_from: zeek.dnp3.function.request - if: "ctx?.zeek?.dnp3?.function?.request != null" - - set: - field: event.action - copy_from: zeek.dnp3.function.reply - if: "ctx?.zeek?.dnp3?.function?.reply != null" - - lowercase: - field: event.action - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.dnp3.id - 
ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/dnp3/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/dnp3/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/dnp3/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/dnp3/fields/agent.yml b/packages/zeek/2.1.0/data_stream/dnp3/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/dnp3/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/dnp3/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/dnp3/fields/base-fields.yml
deleted file mode 100755
index 5b952e8fd0..0000000000
--- a/packages/zeek/2.1.0/data_stream/dnp3/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.dnp3
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/dnp3/fields/beats.yml b/packages/zeek/2.1.0/data_stream/dnp3/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/dnp3/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/dnp3/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/dnp3/fields/ecs.yml
deleted file mode 100755
index c76a44ad66..0000000000
--- a/packages/zeek/2.1.0/data_stream/dnp3/fields/ecs.yml
+++ /dev/null
@@ -1,170 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
- The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. 
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.1.0/data_stream/dnp3/fields/fields.yml b/packages/zeek/2.1.0/data_stream/dnp3/fields/fields.yml
deleted file mode 100755
index bddbd099d0..0000000000
--- a/packages/zeek/2.1.0/data_stream/dnp3/fields/fields.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-- name: zeek.dnp3
- type: group
- fields:
- - name: function
- type: group
- fields:
- - name: request
- type: keyword
- description: |
- The name of the function message in the request.
- - name: reply
- type: keyword
- description: |
- The name of the function message in the reply.
- - name: id
- type: integer
- description: |
- The response's internal indication number.
diff --git a/packages/zeek/2.1.0/data_stream/dnp3/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/dnp3/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/dnp3/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/dnp3/manifest.yml b/packages/zeek/2.1.0/data_stream/dnp3/manifest.yml
deleted file mode 100755
index 58fc30a926..0000000000
--- a/packages/zeek/2.1.0/data_stream/dnp3/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek dnp3 logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of dnp3 log file - multi: true - required: true - show_user: true - default: - - dnp3.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-dnp3 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek dnp3.log - description: Collect Zeek dnp3 logs - - input: httpjson - title: Zeek dnp3 logs via Splunk Enterprise REST API - description: Collect Zeek dnp3 logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"dnp3-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-dnp3 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/dns/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/dns/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/dns/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/dns/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/dns/agent/stream/log.yml.hbs
deleted file mode 100755
index 30e7049925..0000000000
--- a/packages/zeek/2.1.0/data_stream/dns/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/zeek/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index b644e01321..0000000000
--- a/packages/zeek/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,304 +0,0 @@ ---- -description: Pipeline for Filebeat Zeek dns.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.dns - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.protocol - value: dns - - dot_expander: - path: zeek.dns - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.dns - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.dns - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.dns - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.dns.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.dns.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.dns.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.dns.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.dns.uid - target_field: zeek.session_id - ignore_missing: true - - rename: - field: zeek.dns.proto - target_field: network.transport - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - ignore_empty_value: true - - set: - field: source.ip - copy_from: source.address - ignore_empty_value: true - - set: - 
field: destination.ip - copy_from: destination.address - ignore_empty_value: true - - append: - field: dns.header_flags - value: AA - if: ctx?.zeek?.dns?.AA == true - - append: - field: dns.header_flags - value: TC - if: ctx?.zeek?.dns?.TC == true - - append: - field: dns.header_flags - value: RD - if: ctx?.zeek?.dns?.RD == true - - append: - field: dns.header_flags - value: RA - if: ctx?.zeek?.dns?.RA == true - - set: - field: dns.question.class - value: IN - if: ctx?.zeek?.dns?.qclass == 1 - - set: - field: dns.question.class - value: CH - if: ctx?.zeek?.dns?.qclass == 3 - - set: - field: dns.question.class - value: HS - if: ctx?.zeek?.dns?.qclass == 4 - - set: - field: dns.question.class - value: NONE - if: ctx?.zeek?.dns?.qclass == 254 - - set: - field: dns.question.class - value: ANY - if: ctx?.zeek?.dns?.qclass == 255 - - set: - field: dns.type - value: answer - if: ctx?.zeek?.dns?.rcode_name != null - - set: - field: dns.type - value: query - if: ctx?.dns?.type == null - - script: - lang: painless - source: >- - ctx.event.duration = ctx.zeek.dns.rtt * 1000000000L; - if: "ctx?.zeek?.dns?.rtt != null" - - script: - lang: painless - source: >- - def answers = ctx.zeek.dns.answers; - def ttls = ctx.zeek.dns.TTLs; - if (answers.isEmpty() || ttls.isEmpty() || answers.length != ttls.length) { - return; - } - def lst = new ArrayList(); - for (def i = 0; i < answers.length; i++) { - lst.add([ - "data": answers[i], - "ttl": (int)ttls[i] - ]) - } - if (ctx?.dns == null) { - ctx.dns = new HashMap(); - } - ctx.dns.answers = lst; - if: "ctx?.zeek?.dns?.answers != null && ctx?.zeek?.dns?.TTLs != null" - - foreach: - field: dns.answers - processor: - convert: - field: _ingest._value.data - target_field: _ingest._value.tmpip - type: ip - ignore_failure: true - ignore_missing: true - if: 'ctx?.dns?.answers != null && !ctx?.dns?.answers.isEmpty()' - - script: - lang: painless - source: >- - def answers = ctx.dns.answers; - def iplist = new ArrayList(); - for (def i = 0; i < 
ctx.dns.answers.length; i++) { - if (answers[i].containsKey("tmpip")) { - iplist.add(answers[i].tmpip); - answers[i].remove("tmpip"); - } - } - ctx.dns.resolved_ip = iplist; - if: 'ctx?.dns?.answers != null && !ctx?.dns?.answers.isEmpty()' - - set: - field: event.outcome - value: success - if: ctx?.dns?.rcode == 0 - - set: - field: event.outcome - value: success - if: ctx?.event?.outcome == null - - convert: - field: zeek.dns.trans_id - type: string - ignore_missing: true - - set: - field: dns.id - copy_from: zeek.dns.trans_id - ignore_empty_value: true - - set: - field: dns.question.type - copy_from: zeek.dns.qtype_name - ignore_empty_value: true - - set: - field: dns.response_code - copy_from: zeek.dns.rcode_name - ignore_empty_value: true - - registered_domain: - field: zeek.dns.query - target_field: dns.question - ignore_missing: true - - rename: - field: dns.question.domain - target_field: dns.question.name - ignore_missing: true - - date: - field: zeek.dns.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.dns.ts - - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.address != null - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - rename: - field: message - target_field: event.original - ignore_missing: true - if: ctx?.event?.original == null - - remove: - field: - - zeek.dns.Z - - zeek.dns.auth - - zeek.dns.addl - - zeek.dns.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/dns/fields/agent.yml b/packages/zeek/2.1.0/data_stream/dns/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/dns/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index 6997ee2f12..0000000000
--- a/packages/zeek/2.1.0/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.dns
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/dns/fields/beats.yml b/packages/zeek/2.1.0/data_stream/dns/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/dns/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/dns/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index 250b086104..0000000000
--- a/packages/zeek/2.1.0/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,253 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. 
Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. - name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. 
Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. 
- If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. 
- name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
- doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
- The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. 
- name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/dns/fields/fields.yml b/packages/zeek/2.1.0/data_stream/dns/fields/fields.yml deleted file mode 100755 index 18bc9c08d0..0000000000 --- a/packages/zeek/2.1.0/data_stream/dns/fields/fields.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -- name: zeek.dns - type: group - fields: - - name: trans_id - type: keyword - description: | - DNS transaction identifier. - - name: rtt - type: double - description: | - Round trip time for the query and response. - - name: query - type: keyword - description: | - The domain name that is the subject of the DNS query. - - name: qclass - type: long - description: | - The QCLASS value specifying the class of the query. - - name: qclass_name - type: keyword - description: | - A descriptive name for the class of the query. - - name: qtype - type: long - description: | - A QTYPE value specifying the type of the query. - - name: qtype_name - type: keyword - description: | - A descriptive name for the type of the query. - - name: rcode - type: long - description: | - The response code value in DNS response messages. - - name: rcode_name - type: keyword - description: | - A descriptive name for the response code value. - - name: AA - type: boolean - description: | - The Authoritative Answer bit for response messages specifies that the responding - name server is an authority for the domain name in the question section. - - name: TC - type: boolean - description: | - The Truncation bit specifies that the message was truncated. - - name: RD - type: boolean - description: | - The Recursion Desired bit in a request message indicates that the client - wants recursive service for this query. - - name: RA - type: boolean - description: | - The Recursion Available bit in a response message indicates that the name - server supports recursive queries. - - name: answers - type: keyword - description: | - The set of resource descriptions in the query answer. - - name: TTLs - type: double - description: | - The caching intervals of the associated RRs described by the answers field. - - name: rejected - type: boolean - description: | - Indicates whether the DNS query was rejected by the server. 
- - name: total_answers - type: integer - description: | - The total number of resource records in the reply. - - name: total_replies - type: integer - description: | - The total number of resource records in the reply message. - - name: saw_query - type: boolean - description: | - Whether the full DNS query has been seen. - - name: saw_reply - type: boolean - description: | - Whether the full DNS reply has been seen. diff --git a/packages/zeek/2.1.0/data_stream/dns/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/dns/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/dns/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/dns/manifest.yml b/packages/zeek/2.1.0/data_stream/dns/manifest.yml deleted file mode 100755 index cfb0e18a57..0000000000 --- a/packages/zeek/2.1.0/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek dns logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of dns log file - multi: true - required: true - show_user: true - default: - - dns.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek dns.log - description: Collect Zeek dns logs - - input: httpjson - title: Zeek dns logs via Splunk Enterprise REST API - description: Collect Zeek dns logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"dns-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/dpd/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/dpd/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/dpd/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/dpd/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.1.0/data_stream/dpd/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/dpd/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7b6b01f0cf..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,162 +0,0 @@ ---- -description: Pipeline for normalizing Zeek dpd.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.dpd - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: info - - dot_expander: - path: zeek.dpd - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.dpd - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.dpd - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.dpd - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.dpd.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.dpd.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.dpd.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.dpd.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.dpd.proto - target_field: network.transport - ignore_missing: true - - rename: - field: zeek.dpd.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - date: - field: zeek.dpd.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.dpd.ts - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.dpd.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/dpd/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/dpd/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/dpd/fields/agent.yml b/packages/zeek/2.1.0/data_stream/dpd/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/dpd/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/dpd/fields/base-fields.yml deleted file mode 100755 index a1358e73f5..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.dpd -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/dpd/fields/beats.yml b/packages/zeek/2.1.0/data_stream/dpd/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/dpd/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/dpd/fields/ecs.yml deleted file mode 100755 index 0820676083..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/fields/ecs.yml +++ /dev/null 
@@ -1,154 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/dpd/fields/fields.yml b/packages/zeek/2.1.0/data_stream/dpd/fields/fields.yml deleted file mode 100755 index 7365fbb1cc..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/fields/fields.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -- name: zeek.dpd - type: group - fields: - - name: analyzer - type: keyword - description: | - The analyzer that generated the violation. - - name: failure_reason - type: keyword - description: | - The textual reason for the analysis failure. - - name: packet_segment - type: keyword - description: | - (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) - A chunk of the payload that most likely resulted in the protocol violation. diff --git a/packages/zeek/2.1.0/data_stream/dpd/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/dpd/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/dpd/manifest.yml b/packages/zeek/2.1.0/data_stream/dpd/manifest.yml deleted file mode 100755 index 7f39a5fbc1..0000000000 --- a/packages/zeek/2.1.0/data_stream/dpd/manifest.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -type: logs -title: Zeek dpd logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of the dpd log file - multi: true - required: true - show_user: true - default: - - dpd.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-dpd - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek dpd.log - description: Collect Zeek dpd logs - - input: httpjson - title: Zeek dpd logs via Splunk Enterprise REST API - description: Collect Zeek dpd logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"dpd-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-dpd - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/zeek/2.1.0/data_stream/files/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/files/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/files/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/files/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.1.0/data_stream/files/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/files/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ab428a1072..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,137 +0,0 @@ ---- -description: Pipeline for normalizing Zeek files.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.files - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: file - - append: - field: event.type - value: info - - rename: - field: zeek.files.conn_uids - target_field: zeek.files.session_ids - ignore_missing: true - - set: - field: file.mime_type - copy_from: zeek.files.mime_type - if: ctx?.zeek?.files?.mime_type != null - - rename: - field: zeek.files.filename - target_field: file.name - ignore_missing: true - - rename: - field: zeek.files.total_bytes - target_field: file.size - ignore_missing: true - - set: - field: file.hash.md5 - copy_from: zeek.files.md5 - if: ctx?.zeek?.files?.md5 != null - - set: - field: file.hash.sha1 - copy_from: zeek.files.sha1 - if: ctx?.zeek?.files?.sha1 != null - - set: - field: file.hash.sha256 - copy_from: zeek.files.sha256 - if: ctx?.zeek?.files?.sha256 != null - - date: - field: zeek.files.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.files.ts - - script: - lang: painless - source: ctx.zeek.session_id = ctx.zeek.files.session_ids[0]; - if: ctx.zeek.files.session_ids != null - ignore_failure: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - foreach: - field: zeek.files.tx_hosts - processor: - append: - field: related.ip - value: "{{_ingest._value}}" - ignore_missing: true - - script: - 
lang: painless - source: ctx.zeek.files.tx_host = ctx.zeek.files.tx_hosts[0]; ctx.zeek.files.remove('tx_hosts'); - ignore_failure: true - - set: - field: server.ip - copy_from: zeek.files.tx_host - if: "ctx?.zeek?.files?.tx_host != null" - - foreach: - field: zeek.files.rx_hosts - processor: - append: - field: related.ip - value: "{{_ingest._value}}" - ignore_missing: true - - script: - lang: painless - source: ctx.zeek.files.rx_host = ctx.zeek.files.rx_hosts[0]; ctx.zeek.files.remove('rx_hosts'); - ignore_failure: true - - set: - field: client.ip - value: "{{zeek.files.rx_host}}" - if: "ctx?.zeek?.files?.rx_host != null" - - append: - field: related.hash - value: "{{file.hash.md5}}" - if: "ctx?.file?.hash?.md5 != null" - allow_duplicates: false - - append: - field: related.hash - value: "{{file.hash.sha1}}" - if: "ctx?.file?.hash?.sha1 != null" - allow_duplicates: false - - append: - field: related.hash - value: "{{file.hash.sha256}}" - if: "ctx?.file?.hash?.sha256 != null" - allow_duplicates: false - - remove: - field: - - zeek.files.x509 - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/files/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/files/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/files/fields/agent.yml b/packages/zeek/2.1.0/data_stream/files/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/files/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/files/fields/base-fields.yml deleted file mode 100755 index 48206e9d51..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.files -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/files/fields/beats.yml b/packages/zeek/2.1.0/data_stream/files/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/files/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/files/fields/ecs.yml deleted file mode 100755 index 87f2fe9e79..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/fields/ecs.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - type: ip -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip diff --git a/packages/zeek/2.1.0/data_stream/files/fields/fields.yml b/packages/zeek/2.1.0/data_stream/files/fields/fields.yml deleted file mode 100755 index e7d400751c..0000000000 --- a/packages/zeek/2.1.0/data_stream/files/fields/fields.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -- name: zeek.files - type: group - fields: - - name: fuid - type: keyword - description: | - A file unique identifier. - - name: tx_host - type: ip - description: | - The host that transferred the file. - - name: rx_host - type: ip - description: | - The host that received the file. - - name: session_ids - type: keyword - description: | - The sessions that have this file. - - name: source - type: keyword - description: | - An identification of the source of the file data. E.g. it may be a network protocol - over which it was transferred, or a local file path which was read, or some other - input source. - - name: depth - type: long - description: | - A value to represent the depth of this file in relation to its source. In SMTP, it - is the depth of the MIME attachment on the message. In HTTP, it is the depth of the - request within the TCP connection. - - name: analyzers - type: keyword - description: | - A set of analysis types done during the file analysis. - - name: mime_type - type: keyword - description: | - Mime type of the file. - - name: filename - type: keyword - description: | - Name of the file if available. - - name: local_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the data - originated from the local network or not. - - name: is_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the file is - being sent by the originator of the connection or the responder. - - name: duration - type: double - description: | - The duration the file was analyzed for. Not the duration of the session. - - name: seen_bytes - type: long - description: | - Number of bytes provided to the file analysis engine for the file. - - name: total_bytes - type: long - description: | - Total number of bytes that are supposed to comprise the full file. 
- - name: missing_bytes - type: long - description: | - The number of bytes in the file stream that were completely missed during the process - of analysis. - - name: overflow_bytes - type: long - description: | - The number of bytes in the file stream that were not delivered to stream file analyzers. - This could be overlapping bytes or bytes that couldn't be reassembled. - - name: timedout - type: boolean - description: | - Whether the file analysis timed out at least once for the file. - - name: parent_fuid - type: keyword - description: | - Identifier associated with a container file from which this one was extracted as part of - the file analysis. - - name: md5 - type: keyword - description: | - An MD5 digest of the file contents. - - name: sha1 - type: keyword - description: | - A SHA1 digest of the file contents. - - name: sha256 - type: keyword - description: | - A SHA256 digest of the file contents. - - name: extracted - type: keyword - description: | - Local filename of extracted file. - - name: extracted_cutoff - type: boolean - description: | - Indicate whether the file being extracted was cut off hence not extracted completely. - - name: extracted_size - type: long - description: | - The number of bytes extracted to disk. - - name: entropy - type: double - description: | - The information density of the contents of the file.
diff --git a/packages/zeek/2.1.0/data_stream/files/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/files/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/files/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/files/manifest.yml b/packages/zeek/2.1.0/data_stream/files/manifest.yml
deleted file mode 100755
index b87633f651..0000000000
--- a/packages/zeek/2.1.0/data_stream/files/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek files logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of the files log file - multi: true - required: true - show_user: true - default: - - files.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-files - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek files.log - description: Collect Zeek files logs - - input: httpjson - title: Zeek files logs via Splunk Enterprise REST API - description: Collect Zeek files logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"files-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-files - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.1.0/data_stream/ftp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/ftp/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/ftp/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/ftp/agent/stream/log.yml.hbs
deleted file mode 100755
index 30e7049925..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}}
\ No newline at end of file
diff --git a/packages/zeek/2.1.0/data_stream/ftp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/ftp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index d9c6c67abe..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,233 +0,0 @@ ---- -description: Pipeline for normalizing Zeek ftp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ftp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: ftp - - dot_expander: - path: zeek.ftp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ftp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ftp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ftp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ftp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ftp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - 
copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: user.name - copy_from: zeek.ftp.user - if: ctx?.zeek?.ftp?.user != null - - set: - field: event.action - copy_from: zeek.ftp.command - if: ctx?.zeek?.ftp?.command != null - - rename: - field: zeek.ftp.file_size - target_field: file.size - ignore_missing: true - - rename: - field: zeek.ftp.mime_type - target_field: file.mime_type - ignore_missing: true - - rename: - field: zeek.ftp.fuid - target_field: zeek.ftp.file.uid - ignore_missing: true - - rename: - field: zeek.ftp.reply_code - target_field: zeek.ftp.reply.code - ignore_missing: true - - rename: - field: zeek.ftp.reply_msg - target_field: zeek.ftp.reply.msg - ignore_missing: true - - dot_expander: - path: zeek.ftp - field: data_channel.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: data_channel.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: data_channel.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ftp - field: data_channel.resp_p - ignore_failure: true - - rename: - field: zeek.ftp.data_channel.orig_h - target_field: zeek.ftp.data_channel.originating_host - ignore_missing: true - - rename: - field: zeek.ftp.data_channel.orig_p - target_field: zeek.ftp.data_channel.originating_port - ignore_missing: true - - rename: - field: zeek.ftp.data_channel.resp_h - target_field: zeek.ftp.data_channel.response_host - ignore_missing: true - - rename: - field: zeek.ftp.data_channel.resp_p - target_field: zeek.ftp.data_channel.response_port - ignore_missing: true - - date: - field: zeek.ftp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.ftp.ts - - dot_expander: - field: data_channel.passive - path: zeek.ftp - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: 
- field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.ftp.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/ftp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/ftp/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/ftp/fields/agent.yml b/packages/zeek/2.1.0/data_stream/ftp/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/ftp/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/ftp/fields/base-fields.yml
deleted file mode 100755
index 96d39c2748..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.ftp -- name: '@timestamp' - type: date - description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/ftp/fields/beats.yml b/packages/zeek/2.1.0/data_stream/ftp/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/ftp/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/ftp/fields/ecs.yml
deleted file mode 100755
index 34fd3ef10a..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/fields/ecs.yml
+++ /dev/null
@@ -1,181 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. 
- name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. 
- level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/ftp/fields/fields.yml b/packages/zeek/2.1.0/data_stream/ftp/fields/fields.yml
deleted file mode 100755
index ca17231e59..0000000000
--- a/packages/zeek/2.1.0/data_stream/ftp/fields/fields.yml
+++ /dev/null
@@ -1,101 +0,0 @@ -- name: zeek.ftp - type: group - fields: - - name: user - type: keyword - description: | - User name for the current FTP session. - - name: password - type: keyword - description: | - Password for the current FTP session if captured. - - name: command - type: keyword - description: | - Command given by the client. - - name: arg - type: keyword - description: | - Argument for the command if one is given. - - name: file - type: group - fields: - - name: size - type: long - description: | - Size of the file if the command indicates a file transfer. - - name: mime_type - type: keyword - description: | - Sniffed mime type of file. - - name: fuid - type: keyword - description: | - (present if base/protocols/ftp/files.bro is loaded) - File unique ID. - - name: reply - type: group - fields: - - name: code - type: integer - description: | - Reply code from the server in response to the command. - - name: msg - type: keyword - description: | - Reply message from the server in response to the command. - - name: data_channel - type: group - fields: - - name: passive - type: boolean - description: | - Whether PASV mode is toggled for control channel. - - name: originating_host - type: ip - description: | - The host that will be initiating the data connection. - - name: response_host - type: ip - description: | - The host that will be accepting the data connection. - - name: response_port - type: integer - description: | - The port at which the acceptor is listening for the data connection. - - name: cwd - type: keyword - description: | - Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. - - name: cmdarg - type: group - fields: - - name: cmd - type: keyword - description: | - Command. - - name: arg - type: keyword - description: | - Argument for the command if one was given. 
- - name: seq - type: integer - description: | - Counter to track how many commands have been executed. - - name: pending_commands - type: integer - description: | - Queue for commands that have been sent but not yet responded to are tracked here. - - name: passive - type: boolean - description: | - Indicates if the session is in active or passive mode. - - name: capture_password - type: boolean - description: | - Determines if the password will be captured for this request. - - name: last_auth_requested - type: keyword - description: | - present if base/protocols/ftp/gridftp.bro is loaded. - Last authentication/security mechanism that was used. diff --git a/packages/zeek/2.1.0/data_stream/ftp/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/ftp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/ftp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/ftp/manifest.yml b/packages/zeek/2.1.0/data_stream/ftp/manifest.yml deleted file mode 100755 index 3b1974cbb3..0000000000 --- a/packages/zeek/2.1.0/data_stream/ftp/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek ftp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of ftp log file - multi: true - required: true - show_user: true - default: - - ftp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-ftp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek ftp.log - description: Collect Zeek ftp logs - - input: httpjson - title: Zeek ftp logs via Splunk Enterprise REST API - description: Collect Zeek ftp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ftp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ftp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/http/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/http/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/http/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/http/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 6890b37b9d..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,251 +0,0 @@ ---- -description: Pipeline for normalizing Zeek http.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.http - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.category - value: web - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - dot_expander: - path: zeek.http - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.http - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.http - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.http - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.http.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.http.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.http.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.http.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.http.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: 
destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.http.method - target_field: http.request.method - ignore_missing: true - - rename: - field: zeek.http.referrer - target_field: http.request.referrer - ignore_missing: true - - rename: - field: zeek.http.status_code - target_field: http.response.status_code - ignore_missing: true - - rename: - field: zeek.http.version - target_field: http.version - ignore_missing: true - - rename: - field: zeek.http.request_body_len - target_field: http.request.body.bytes - ignore_missing: true - - rename: - field: zeek.http.response_body_len - target_field: http.response.body.bytes - ignore_missing: true - - uri_parts: - if: ctx?.zeek?.http?.uri != null - field: zeek.http.uri - on_failure: - - set: - field: url.original - copy_from: zeek.http.uri - ignore_failure: true - - append: - field: tags - value: _zeek_http_url_parse_failure - - remove: - field: zeek.http.uri - ignore_missing: true - - remove: - field: url.domain - ignore_missing: true - if: "ctx?.url?.domain == null || ctx?.url?.domain.isEmpty()" - - remove: - field: url.scheme - ignore_missing: true - if: "ctx?.url?.scheme == null || ctx?.url?.scheme.isEmpty()" - - rename: - field: zeek.http.host - target_field: url.domain - ignore_missing: true - - rename: - field: zeek.http.username - target_field: url.username - ignore_missing: true - - rename: - field: zeek.http.password - target_field: url.password - ignore_missing: true - - rename: - field: zeek.http.user_agent - target_field: user_agent.original - ignore_missing: true - - set: - field: event.action - copy_from: http.request.method - if: ctx?.http?.request?.method != null - - set: - field: user.name - copy_from: url.username - if: ctx?.url?.username != null - - date: - field: zeek.http.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.http.ts - - geoip: - field: destination.ip - target_field: destination.geo - - geoip: - field: source.ip - 
target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_missing: true - - set: - field: event.outcome - value: success - if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400" - - set: - field: event.outcome - value: failure - if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{url.username}}" - if: "ctx?.url?.username != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.http.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.1.0/data_stream/http/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/http/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/http/fields/agent.yml b/packages/zeek/2.1.0/data_stream/http/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/http/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/http/fields/base-fields.yml deleted file mode 100755 index 4d1ce81520..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.http -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/http/fields/beats.yml b/packages/zeek/2.1.0/data_stream/http/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/http/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/http/fields/ecs.yml deleted file mode 100755 index 12831d2d82..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/fields/ecs.yml +++ /dev/null 
@@ -1,262 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. 
- name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Username of the request. - name: url.username - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: user_agent.os.family - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system kernel version as a raw string. - name: user_agent.os.kernel - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system platform (such centos, ubuntu, windows). 
- name: user_agent.os.platform - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/http/fields/fields.yml b/packages/zeek/2.1.0/data_stream/http/fields/fields.yml deleted file mode 100755 index f264ff0db9..0000000000 --- a/packages/zeek/2.1.0/data_stream/http/fields/fields.yml +++ /dev/null 
@@ -1,82 +0,0 @@
-- name: zeek.http
- type: group
- fields:
- - name: trans_depth
- type: integer
- description: |
- Represents the pipelined depth into the connection of this request/response transaction.
- - name: status_msg
- type: keyword
- description: |
- Status message returned by the server.
- - name: info_code
- type: integer
- description: |
- Last seen 1xx informational reply code returned by the server.
- - name: info_msg
- type: keyword
- description: |
- Last seen 1xx informational reply message returned by the server.
- - name: tags
- type: keyword
- description: |
- A set of indicators of various attributes discovered and related to a particular
- request/response pair.
- - name: password
- type: keyword
- description: |
- Password if basic-auth is performed for the request.
- - name: captured_password
- type: boolean
- description: |
- Determines if the password will be captured for this request.
- - name: proxied
- type: keyword
- description: |
- All of the headers that may indicate if the HTTP request was proxied.
- - name: range_request
- type: boolean
- description: |
- Indicates if this request can assume 206 partial content in response.
- - name: client_header_names
- type: keyword
- description: |
- The vector of HTTP header names sent by the client. No header values
- are included here, just the header names.
- - name: server_header_names
- type: keyword
- description: |
- The vector of HTTP header names sent by the server. No header values
- are included here, just the header names.
- - name: orig_fuids
- type: keyword
- description: |
- An ordered vector of file unique IDs from the originator.
- - name: orig_mime_types
- type: keyword
- description: |
- An ordered vector of mime types from the originator.
- - name: orig_filenames
- type: keyword
- description: |
- An ordered vector of filenames from the originator.
- - name: resp_fuids
- type: keyword
- description: |
- An ordered vector of file unique IDs from the responder.
- - name: resp_mime_types
- type: keyword
- description: |
- An ordered vector of mime types from the responder.
- - name: resp_filenames
- type: keyword
- description: |
- An ordered vector of filenames from the responder.
- - name: orig_mime_depth
- type: integer
- description: |
- Current number of MIME entities in the HTTP request message body.
- - name: resp_mime_depth
- type: integer
- description: |
- Current number of MIME entities in the HTTP response message body.
diff --git a/packages/zeek/2.1.0/data_stream/http/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/http/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/http/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/http/manifest.yml b/packages/zeek/2.1.0/data_stream/http/manifest.yml
deleted file mode 100755
index 6fae84056f..0000000000
--- a/packages/zeek/2.1.0/data_stream/http/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-type: logs
-title: Zeek http logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of http log file
- multi: true
- required: true
- show_user: true
- default:
- - http.log
- name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - zeek-http
- name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek http.log
- description: Collect Zeek http logs
- - input: httpjson
- title: Zeek http logs via Splunk Enterprise REST API
- description: Collect Zeek http logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg. 10s)
- show_user: true
- required: true
- default: 10s
- name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"http-*\""
- name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-http
- name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.1.0/data_stream/intel/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/intel/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/intel/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/intel/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/intel/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/intel/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 9b6de052b2..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,217 +0,0 @@
----
-description: Pipeline for normalizing Zeek intel.log.
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.intel
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: ecs.version
- value: '8.2.0'
- - append:
- field: event.category
- value: threat
- - append:
- field: event.type
- value: indicator
- - dot_expander:
- path: zeek.intel
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.intel.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.intel.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.intel.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.intel.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.intel.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - dot_expander:
- path: zeek.intel
- field: seen.indicator
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: seen.indicator_type
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: seen.host
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: seen.where
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: seen.node
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: seen.conn
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: seen.uid
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: seen.f
- ignore_failure: true
- - dot_expander:
- path: zeek.intel
- field: seen.fuid
- ignore_failure: true
- - date:
- field: zeek.intel.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.intel.ts
- # IP Geolocation Lookup
- - geoip:
- if: ctx.source?.geo == null
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- properties:
- - city_name
- - continent_name
- - country_iso_code
- - country_name
- - location
- - region_iso_code
- - region_name
- - geoip:
- if: ctx.destination?.geo == null
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- properties:
- - city_name
- - continent_name
- - country_iso_code
- - country_name
- - location
- - region_iso_code
- - region_name
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: "related.ip"
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: "related.ip"
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- if: ctx?.event?.original == null
- - remove:
- field:
- - zeek.intel.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/intel/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/intel/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/intel/fields/agent.yml b/packages/zeek/2.1.0/data_stream/intel/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.1.0/data_stream/intel/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/intel/fields/base-fields.yml
deleted file mode 100755
index 9a9df3515f..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.intel
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/intel/fields/beats.yml b/packages/zeek/2.1.0/data_stream/intel/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/intel/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/intel/fields/ecs.yml
deleted file mode 100755
index 59d54363af..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/fields/ecs.yml
+++ /dev/null
@@ -1,147 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.1.0/data_stream/intel/fields/fields.yml b/packages/zeek/2.1.0/data_stream/intel/fields/fields.yml
deleted file mode 100755
index 2d513fe45e..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/fields/fields.yml
+++ /dev/null
@@ -1,62 +0,0 @@
-- name: zeek.intel
- type: group
- fields:
- - name: seen
- type: group
- fields:
- - name: indicator
- type: keyword
- description: |
- The intelligence indicator.
- - name: indicator_type
- type: keyword
- description: |
- The type of data the indicator represents.
- - name: host
- type: keyword
- description: |
- If the indicator type was Intel::ADDR, then this field will be present.
- - name: conn
- type: keyword
- description: |
- If the data was discovered within a connection, the connection record should go here to give context to the data.
- - name: where
- type: keyword
- description: |
- Where the data was discovered.
- - name: node
- type: keyword
- description: |
- The name of the node where the match was discovered.
- - name: uid
- type: keyword
- description: |
- If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
- - name: f
- type: object
- description: |
- If the data was discovered within a file, the file record should go here to provide context to the data.
- - name: fuid
- type: keyword
- description: |
- If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
- - name: matched
- type: keyword
- description: |
- Event to represent a match in the intelligence data from data that was seen.
- - name: sources
- type: keyword
- description: |
- Sources which supplied data for this match.
- - name: fuid
- type: keyword
- description: |
- If a file was associated with this intelligence hit, this is the uid for the file.
- - name: file_mime_type
- type: keyword
- description: |
- A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
- - name: file_desc
- type: keyword
- description: |
- Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
diff --git a/packages/zeek/2.1.0/data_stream/intel/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/intel/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/intel/manifest.yml b/packages/zeek/2.1.0/data_stream/intel/manifest.yml
deleted file mode 100755
index 723e99f395..0000000000
--- a/packages/zeek/2.1.0/data_stream/intel/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek intel logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of intel log file - multi: true - required: true - show_user: true - default: - - intel.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-intel - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek intel.log - description: Collect Zeek intel logs - - input: httpjson - title: Zeek intel logs via Splunk Enterprise REST API - description: Collect Zeek intel logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"intel-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-intel - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/irc/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/irc/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/irc/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/irc/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/irc/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/irc/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7dab55e064..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,190 +0,0 @@ ---- -description: Pipeline for normalizing Zeek irc.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.irc - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: irc - - dot_expander: - path: zeek.irc - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.irc - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.irc - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.irc - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.irc.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.irc.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.irc.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.irc.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.irc.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - 
copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.irc.dcc_file_name - target_field: file.name - ignore_missing: true - - rename: - field: zeek.irc.dcc_mime_type - target_field: file.mime_type - ignore_missing: true - - rename: - field: zeek.irc.dcc.file.size - target_field: file.size - ignore_missing: true - - rename: - field: zeek.irc.user - target_field: user.name - ignore_missing: true - - set: - field: event.action - copy_from: zeek.irc.command - if: ctx?.zeek?.irc?.command != null - - date: - field: zeek.irc.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.irc.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - - geoip: - field: source.ip - target_field: source.geo - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.irc.id - ignore_missing: true - - 
remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/irc/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/irc/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/irc/fields/agent.yml b/packages/zeek/2.1.0/data_stream/irc/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/irc/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/irc/fields/base-fields.yml deleted file mode 100755 index 97d9860af0..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.irc -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/irc/fields/beats.yml b/packages/zeek/2.1.0/data_stream/irc/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/irc/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/irc/fields/ecs.yml deleted file mode 100755 index 7ee7c8a99a..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/fields/ecs.yml +++ /dev/null 
@@ -1,184 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". 
- name: file.size - type: long -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. 
- name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/irc/fields/fields.yml b/packages/zeek/2.1.0/data_stream/irc/fields/fields.yml deleted file mode 100755 index 532e0f8620..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/fields/fields.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -- name: zeek.irc - type: group - fields: - - name: nick - type: keyword - description: | - Nickname given for the connection. - - name: user - type: keyword - description: | - Username given for the connection. - - name: command - type: keyword - description: | - Command given by the client. - - name: value - type: keyword - description: | - Value for the command given by the client. - - name: addl - type: keyword - description: | - Any additional data for the command. - - name: dcc - type: group - fields: - - name: file - type: group - fields: - - name: name - type: keyword - description: | - Present if base/protocols/irc/dcc-send.bro is loaded. - DCC filename requested. - - name: size - type: long - description: | - Present if base/protocols/irc/dcc-send.bro is loaded. - Size of the DCC transfer as indicated by the sender. - - name: mime_type - type: keyword - description: | - present if base/protocols/irc/dcc-send.bro is loaded. - Sniffed mime type of the file. - - name: fuid - type: keyword - description: | - present if base/protocols/irc/files.bro is loaded. - File unique ID. diff --git a/packages/zeek/2.1.0/data_stream/irc/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/irc/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/irc/manifest.yml b/packages/zeek/2.1.0/data_stream/irc/manifest.yml deleted file mode 100755 index 42e693551e..0000000000 --- a/packages/zeek/2.1.0/data_stream/irc/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek irc logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of irc log file - multi: true - required: true - show_user: true - default: - - irc.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-irc - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek irc.log - description: Collect Zeek irc logs - - input: httpjson - title: Zeek irc logs via Splunk Enterprise REST API - description: Collect Zeek irc logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"irc-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-irc - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/kerberos/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/kerberos/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/kerberos/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/kerberos/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 6833fe5a21..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,364 +0,0 @@ ---- -description: Pipeline for normalizing Zeek kerberos.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.kerberos - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: ["network", "authentication"] - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - append: - field: event.type - value: access - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: kerberos - - dot_expander: - path: zeek.kerberos - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.kerberos.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.kerberos.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.kerberos.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.kerberos.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.kerberos.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: 
source.address - if: ctx?.source?.address != null - - set: - field: client.address - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: server.address - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.action - copy_from: zeek.kerberos.request_type - if: ctx?.zeek?.kerberos?.request_type != null - - rename: - field: zeek.kerberos.till - target_field: zeek.kerberos.valid.until - ignore_missing: true - - rename: - field: zeek.kerberos.from - target_field: zeek.kerberos.valid.from - ignore_missing: true - - rename: - field: zeek.kerberos.error_code - target_field: zeek.kerberos.error.code - ignore_missing: true - - rename: - field: zeek.kerberos.error_msg - target_field: zeek.kerberos.error.msg - ignore_missing: true - - dot_expander: - path: zeek.kerberos - field: cert.client - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.client_subject - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.client_fuid - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.server - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.server_subject - ignore_failure: true - - dot_expander: - path: zeek.kerberos - field: cert.server_fuid - ignore_failure: true - - rename: - field: zeek.kerberos.cert.client - target_field: zeek.kerberos.cert.client.value - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client_subject - target_field: zeek.kerberos.cert.client.subject - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client_fuid - target_field: zeek.kerberos.cert.client.fuid - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server - target_field: zeek.kerberos.cert.server.value - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server_subject - target_field: 
zeek.kerberos.cert.server.subject - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server_fuid - target_field: zeek.kerberos.cert.server.fuid - ignore_missing: true - - rename: - field: zeek.kerberos.auth_ticket - target_field: zeek.kerberos.ticket.auth - ignore_missing: true - - rename: - field: zeek.kerberos.new_ticket - target_field: zeek.kerberos.ticket.new - ignore_missing: true - - dissect: - field: zeek.kerberos.client - pattern: "%{user.name}/%{user.domain}" - ignore_missing: true - if: ctx?.zeek?.kerberos?.client.contains('/') - - date: - field: zeek.kerberos.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.kerberos.ts - - script: - source: "ctx.zeek.kerberos.valid.days = Math.round( (ctx.zeek.kerberos.valid.until - ctx.zeek.kerberos.valid.from) / 86400 )" - if: "ctx.zeek.kerberos.valid?.from != null && ctx.zeek.kerberos.valid?.until != null" - - date: - field: zeek.kerberos.valid.until - target_field: zeek.kerberos.valid.until - formats: - - UNIX - - ISO8601 - if: ctx.zeek.kerberos.valid?.until != null - - date: - field: zeek.kerberos.valid.from - target_field: zeek.kerberos.valid.from - formats: - - UNIX - - ISO8601 - if: ctx.zeek.kerberos.valid?.from != null - - set: - field: event.outcome - value: success - if: "ctx?.zeek?.kerberos?.success == true" - - set: - field: event.outcome - value: failure - if: "ctx?.zeek?.kerberos?.success == false" - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - 
rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - gsub: - field: zeek.kerberos.cert.client.subject - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.kerberos.cert.client.subject - field_split: "," - value_split: "=" - target_field: zeek.kerberos.cert.client.kv_sub - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.C - target_field: tls.client.x509.subject.country - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.CN - target_field: tls.client.x509.subject.common_name - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.L - target_field: tls.client.x509.subject.locality - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.O - target_field: tls.client.x509.subject.organization - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.OU - target_field: tls.client.x509.subject.organizational_unit - ignore_missing: true - - rename: - field: zeek.kerberos.cert.client.kv_sub.ST - target_field: tls.client.x509.subject.state_or_province - ignore_missing: true - - remove: - field: zeek.kerberos.cert.client.kv_sub - ignore_missing: true - - gsub: - field: zeek.kerberos.cert.server.subject - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.kerberos.cert.server.subject 
- field_split: "," - value_split: "=" - target_field: zeek.kerberos.cert.server.kv_sub - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.C - target_field: tls.server.x509.subject.country - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.CN - target_field: tls.server.x509.subject.common_name - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.L - target_field: tls.server.x509.subject.locality - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.O - target_field: tls.server.x509.subject.organization - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.OU - target_field: tls.server.x509.subject.organizational_unit - ignore_missing: true - - rename: - field: zeek.kerberos.cert.server.kv_sub.ST - target_field: tls.server.x509.subject.state_or_province - ignore_missing: true - - remove: - field: zeek.kerberos.cert.server.kv_sub - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - message - - json - - zeek.kerberos.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/kerberos/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/kerberos/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/kerberos/fields/agent.yml b/packages/zeek/2.1.0/data_stream/kerberos/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/kerberos/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/kerberos/fields/base-fields.yml deleted file mode 100755 index bb4e2c75f5..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.kerberos -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/kerberos/fields/beats.yml b/packages/zeek/2.1.0/data_stream/kerberos/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/kerberos/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/kerberos/fields/ecs.yml deleted file mode 100755 index 33685f85fb..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/fields/ecs.yml +++ /dev/null 
@@ -1,232 +0,0 @@ -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. 
- name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. 
- name: related.user - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of common names (CN) of subject. - name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/kerberos/fields/fields.yml b/packages/zeek/2.1.0/data_stream/kerberos/fields/fields.yml deleted file mode 100755 index 7f5d5fcbb6..0000000000 
--- a/packages/zeek/2.1.0/data_stream/kerberos/fields/fields.yml +++ /dev/null @@ -1,101 +0,0 @@ -- name: zeek.kerberos - type: group - fields: - - name: request_type - type: keyword - description: | - Request type - Authentication Service (AS) or Ticket Granting Service (TGS). - - name: client - type: keyword - description: | - Client name. - - name: service - type: keyword - description: | - Service name. - - name: success - type: boolean - description: | - Request result. - - name: error - type: group - fields: - - name: code - type: integer - description: | - Error code. - - name: msg - type: keyword - description: | - Error message. - - name: valid - type: group - fields: - - name: from - type: date - description: | - Ticket valid from. - - name: until - type: date - description: | - Ticket valid until. - - name: days - type: integer - description: | - Number of days the ticket is valid for. - - name: cipher - type: keyword - description: | - Ticket encryption type. - - name: forwardable - type: boolean - description: | - Forwardable ticket requested. - - name: renewable - type: boolean - description: | - Renewable ticket requested. - - name: ticket - type: group - fields: - - name: auth - type: keyword - description: | - Hash of ticket used to authorize request/transaction. - - name: new - type: keyword - description: | - Hash of ticket returned by the KDC. - - name: cert - type: group - fields: - - name: client - type: group - fields: - - name: value - type: keyword - description: | - Client certificate. - - name: fuid - type: keyword - description: | - File unique ID of client cert. - - name: subject - type: keyword - description: | - Subject of client certificate. - - name: server - type: group - fields: - - name: value - type: keyword - description: | - Server certificate. - - name: fuid - type: keyword - description: | - File unique ID of server certificate. - - name: subject - type: keyword - description: | - Subject of server certificate. 
diff --git a/packages/zeek/2.1.0/data_stream/kerberos/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/kerberos/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/kerberos/manifest.yml b/packages/zeek/2.1.0/data_stream/kerberos/manifest.yml deleted file mode 100755 index 8de52255d5..0000000000 --- a/packages/zeek/2.1.0/data_stream/kerberos/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek kerberos logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of kerberos log file - multi: true - required: true - show_user: true - default: - - kerberos.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-kerberos - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek kerberos.log - description: Collect Zeek kerberos logs - - input: httpjson - title: Zeek kerberos logs via Splunk Enterprise REST API - description: Collect Zeek kerberos logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"kerberos-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-kerberos - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/modbus/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/modbus/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/modbus/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/modbus/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/modbus/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/modbus/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index eadf639295..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,180 +0,0 @@ ---- -description: Pipeline for normalizing Zeek modbus.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.modbus - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: modbus - - dot_expander: - path: zeek.modbus - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.modbus - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.modbus - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.modbus - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.modbus.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.modbus.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.modbus.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.modbus.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.modbus.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - rename: - field: zeek.modbus.func - target_field: zeek.modbus.function - ignore_missing: true - - set: - field: event.action - 
copy_from: zeek.modbus.function - if: ctx?.source?.address != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.outcome - value: failure - if: ctx?.zeek?.modbus?.exception != null - - set: - field: event.outcome - value: success - if: ctx?.event?.outcome == null - - date: - field: zeek.modbus.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.modbus.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.modbus.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true 
-on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/modbus/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/modbus/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/modbus/fields/agent.yml b/packages/zeek/2.1.0/data_stream/modbus/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/modbus/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/modbus/fields/base-fields.yml deleted file mode 100755 index 6f2c2ac706..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.modbus -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/modbus/fields/beats.yml b/packages/zeek/2.1.0/data_stream/modbus/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/modbus/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/modbus/fields/ecs.yml deleted file mode 100755 index afd3e125fc..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/fields/ecs.yml +++ /dev/null 
@@ -1,172 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/modbus/fields/fields.yml b/packages/zeek/2.1.0/data_stream/modbus/fields/fields.yml deleted file mode 100755 index 220bd043d7..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/fields/fields.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: zeek.modbus - type: group - fields: - - name: function - type: keyword - description: | - The name of the function message that was sent. - - name: exception - type: keyword - description: | - The exception if the response was a failure. - - name: track_address - type: integer - description: | - Present if policy/protocols/modbus/track-memmap.bro is loaded. - Modbus track address. 
diff --git a/packages/zeek/2.1.0/data_stream/modbus/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/modbus/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/modbus/manifest.yml b/packages/zeek/2.1.0/data_stream/modbus/manifest.yml deleted file mode 100755 index eb770cf866..0000000000 --- a/packages/zeek/2.1.0/data_stream/modbus/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek modbus logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of modbus log file - multi: true - required: true - show_user: true - default: - - modbus.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-modbus - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek modbus.log - description: Collect Zeek modbus logs - - input: httpjson - title: Zeek modbus logs via Splunk Enterprise REST API - description: Collect Zeek modbus logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"modbus-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-modbus - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/mysql/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/mysql/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/mysql/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/mysql/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/mysql/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/mysql/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 73cc853ac0..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,203 +0,0 @@
----
-description: Pipeline for normalizing Zeek mysql.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.mysql
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.2.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.category
- value: database
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: protocol
- - set:
- field: network.transport
- value: tcp
- - set:
- field: network.protocol
- value: mysql
- - dot_expander:
- path: zeek.mysql
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.mysql
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.mysql
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.mysql
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.mysql.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.mysql.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.mysql.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.mysql.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.mysql.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - set:
- field: event.action
- copy_from: zeek.mysql.cmd
- if: ctx?.zeek?.mysql?.cmd != null
- - set:
- field: event.outcome
- value: success
- if: ctx?.zeek?.mysql?.success == true
- - set:
- field: event.outcome
- value: failure
- if: ctx?.event?.outcome == null
- - date:
- field: zeek.mysql.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.mysql.ts
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: event.type
- value: access
- if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')"
- - append:
- field: event.type
- value: change
- if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'init_db' || ctx.zeek.mysql.cmd == 'change_user' || ctx.zeek.mysql.cmd == 'set_option' ||
ctx.zeek.mysql.cmd == 'drop_db' || ctx.zeek.mysql.cmd == 'create_db' || ctx.zeek.mysql.cmd == 'process_kill' || ctx.zeek.mysql.cmd == 'delayed_insert')"
- - append:
- field: event.type
- value: info
- if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd != 'init_db' && ctx.zeek.mysql.cmd != 'change_user' && ctx.zeek.mysql.cmd != 'set_option' && ctx.zeek.mysql.cmd != 'drop_db' && ctx.zeek.mysql.cmd != 'create_db' && ctx.zeek.mysql.cmd != 'process_kill' && ctx.zeek.mysql.cmd != 'delayed_insert' && ctx.zeek.mysql.cmd != 'connect' && ctx.zeek.mysql.cmd != 'connect_out'"
- - append:
- field: event.type
- value: start
- if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect'"
- - append:
- field: event.type
- value: end
- if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect_out'"
- - append:
- field: event.category
- value: session
- if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')"
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.mysql.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/mysql/fields/agent.yml b/packages/zeek/2.1.0/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.1.0/data_stream/mysql/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/mysql/fields/base-fields.yml
deleted file mode 100755
index abbb37d349..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.mysql
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/mysql/fields/beats.yml b/packages/zeek/2.1.0/data_stream/mysql/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/mysql/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/mysql/fields/ecs.yml
deleted file mode 100755
index afd3e125fc..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/fields/ecs.yml
+++ /dev/null
@@ -1,172 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/zeek/2.1.0/data_stream/mysql/fields/fields.yml b/packages/zeek/2.1.0/data_stream/mysql/fields/fields.yml
deleted file mode 100755
index 475a41bb53..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/fields/fields.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- name: zeek.mysql
- type: group
- fields:
- - name: cmd
- type: keyword
- description: |
- The command that was issued.
- - name: arg
- type: keyword
- description: |
- The argument issued to the command.
- - name: success
- type: boolean
- description: |
- Whether the command succeeded.
- - name: rows
- type: integer
- description: |
- The number of affected rows, if any.
- - name: response
- type: keyword
- description: |
- Server message, if any.
diff --git a/packages/zeek/2.1.0/data_stream/mysql/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/mysql/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/mysql/manifest.yml b/packages/zeek/2.1.0/data_stream/mysql/manifest.yml
deleted file mode 100755
index 9acee92a44..0000000000
--- a/packages/zeek/2.1.0/data_stream/mysql/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-type: logs
-title: Zeek mysql logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of mysql log file
- multi: true
- required: true
- show_user: true
- default:
- - mysql.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - zeek-mysql
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek mysql.log
- description: Collect Zeek mysql logs
- - input: httpjson
- title: Zeek mysql logs via Splunk Enterprise REST API
- description: Collect Zeek mysql logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg.
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"mysql-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-mysql
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.1.0/data_stream/notice/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/notice/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.1.0/data_stream/notice/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/notice/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/notice/agent/stream/log.yml.hbs
deleted file mode 100755
index 30e7049925..0000000000
--- a/packages/zeek/2.1.0/data_stream/notice/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/zeek/2.1.0/data_stream/notice/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/notice/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 0e1ff118bd..0000000000
--- a/packages/zeek/2.1.0/data_stream/notice/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,272 +0,0 @@ ---- -description: Pipeline for normalizing Zeek notice.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.notice - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: alert - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: intrusion_detection - - append: - field: event.type - value: info - - dot_expander: - path: zeek.notice - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.notice - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.notice - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.notice - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.notice.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.notice.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.notice.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.notice.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.notice.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - rename: - field: zeek.notice.src - target_field: source.address - ignore_missing: true - if: ctx?.source?.address == null - - remove: - field: zeek.notice.src - ignore_missing: true - if: ctx?.zeek?.notice?.src == ctx?.source?.address - - rename: - field: zeek.notice.dst - 
target_field: destination.address - ignore_missing: true - if: ctx?.destination?.address == null - - remove: - field: zeek.notice.dst - ignore_missing: true - if: ctx?.zeek?.notice?.dst == ctx?.destination?.address - - rename: - field: zeek.notice.p - target_field: destination.port - ignore_missing: true - if: ctx?.destination?.port == null - - remove: - field: zeek.notice.p - ignore_missing: true - if: ctx?.zeek?.notice?.p == ctx?.destination?.port - - rename: - field: zeek.notice.conn - target_field: zeek.notice.connnection_id - ignore_missing: true - - rename: - field: zeek.notice.iconn - target_field: zeek.notice.icmp_id - ignore_missing: true - - rename: - field: zeek.notice.proto - target_field: network.transport - ignore_missing: true - - dot_expander: - path: zeek.notice - field: f.id - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.parent_id - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.source - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.is_orig - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.seen_bytes - ignore_failure: true - - dot_expander: - path: zeek.notice - field: f.total_bytes - ignore_failure: true - - rename: - field: zeek.notice.f.id - target_field: zeek.notice.file.id - ignore_missing: true - - rename: - field: zeek.notice.f.parent_id - target_field: zeek.notice.file.parent_id - ignore_missing: true - - rename: - field: zeek.notice.f.source - target_field: zeek.notice.file.source - ignore_missing: true - - rename: - field: zeek.notice.f.is_orig - target_field: zeek.notice.file.is_orig - ignore_missing: true - - rename: - field: zeek.notice.f.seen_bytes - target_field: zeek.notice.file.seen_bytes - ignore_missing: true - - rename: - field: zeek.notice.f.total_bytes - target_field: zeek.notice.file.total_bytes - ignore_missing: true - - rename: - field: zeek.notice.file_mime_type - target_field: zeek.notice.file.mime_type - ignore_missing: true - 
- set: - field: file.size - copy_from: zeek.notice.file.total_bytes - if: ctx?.zeek?.notice?.file?.total_bytes != null - - set: - field: file.mime_type - copy_from: zeek.notice.file.mime_type - if: ctx?.zeek?.notice?.file?.mime_type != null - - set: - field: rule.name - copy_from: zeek.notice.note - if: ctx?.zeek?.notice?.note != null - - set: - field: rule.description - copy_from: zeek.notice.msg - if: ctx?.zeek?.notice?.msg != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - date: - field: zeek.notice.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.notice.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: event.type - value: allowed - if: "ctx?.zeek?.notice?.dropped == false" 
- - append: - field: event.type - value: denied - if: "ctx?.zeek?.notice?.dropped == true" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.notice.action - - zeek.notice.remote_location - - zeek.notice.f - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/notice/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/notice/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/notice/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} 
diff --git a/packages/zeek/2.1.0/data_stream/notice/fields/agent.yml b/packages/zeek/2.1.0/data_stream/notice/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/notice/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/notice/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/notice/fields/base-fields.yml deleted file mode 100755 index 0ac336f28c..0000000000 --- a/packages/zeek/2.1.0/data_stream/notice/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.notice -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/notice/fields/beats.yml b/packages/zeek/2.1.0/data_stream/notice/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/notice/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/notice/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/notice/fields/ecs.yml deleted file mode 100755 index fa38ceedee..0000000000 --- a/packages/zeek/2.1.0/data_stream/notice/fields/ecs.yml +++ /dev/null 
@@ -1,168 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. 
- name: network.community_id - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. 
- name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/notice/fields/fields.yml b/packages/zeek/2.1.0/data_stream/notice/fields/fields.yml deleted file mode 100755 index 52e50fa4da..0000000000 --- a/packages/zeek/2.1.0/data_stream/notice/fields/fields.yml +++ /dev/null 
@@ -1,107 +0,0 @@ -- name: zeek.notice - type: group - fields: - - name: connection_id - type: keyword - description: | - Identifier of the related connection session. - - name: icmp_id - type: keyword - description: | - Identifier of the related ICMP session. - - name: file.id - type: keyword - description: | - An identifier associated with a single file that is related to this notice. - - name: file.parent_id - type: keyword - description: | - Identifier associated with a container file from which this one was extracted. - - name: file.source - type: keyword - description: | - An identification of the source of the file data. E.g. it may be a network protocol - over which it was transferred, or a local file path which was read, or some other - input source. - - name: file.mime_type - type: keyword - description: | - A mime type if the notice is related to a file. - - name: file.is_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the file is - being sent by the originator of the connection or the responder. - - name: file.seen_bytes - type: long - description: | - Number of bytes provided to the file analysis engine for the file. - - name: ffile.total_bytes - type: long - description: | - Total number of bytes that are supposed to comprise the full file. - - name: file.missing_bytes - type: long - description: | - The number of bytes in the file stream that were completely missed during the process - of analysis. - - name: file.overflow_bytes - type: long - description: | - The number of bytes in the file stream that were not delivered to stream file analyzers. - This could be overlapping bytes or bytes that couldn't be reassembled. - - name: fuid - type: keyword - description: | - A file unique ID if this notice is related to a file. - - name: note - type: keyword - description: | - The type of the notice. - - name: msg - type: keyword - description: | - The human readable message for the notice. 
- - name: sub - type: keyword - description: | - The human readable sub-message. - - name: "n" - type: long - description: | - Associated count, or a status code. - - name: peer_name - type: keyword - description: | - Name of remote peer that raised this notice. - - name: peer_descr - type: text - description: | - Textual description for the peer that raised this notice. - - name: actions - type: keyword - description: | - The actions which have been applied to this notice. - - name: email_body_sections - type: text - description: | - By adding chunks of text into this element, other scripts can expand on notices - that are being emailed. - - name: email_delay_tokens - type: keyword - description: | - Adding a string token to this set will cause the built-in emailing functionality - to delay sending the email either the token has been removed or the email - has been delayed for the specified time duration. - - name: identifier - type: keyword - description: | - This field is provided when a notice is generated for the purpose of deduplicating notices. - - name: suppress_for - type: double - description: | - This field indicates the length of time that this unique notice should be suppressed. - - name: dropped - type: boolean - description: | - Indicate if the source IP address was dropped and denied network access. diff --git a/packages/zeek/2.1.0/data_stream/notice/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/notice/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/notice/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/notice/manifest.yml b/packages/zeek/2.1.0/data_stream/notice/manifest.yml deleted file mode 100755 index 230a456c4b..0000000000 
--- a/packages/zeek/2.1.0/data_stream/notice/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek notice logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of notice log file - multi: true - required: true - show_user: true - default: - - notice.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-notice - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek notice.log - description: Collect Zeek notice logs - - input: httpjson - title: Zeek notice logs via Splunk Enterprise REST API - description: Collect Zeek notice logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"notice-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-notice - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/ntlm/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/ntlm/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/ntlm/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/ntlm/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/ntlm/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/ntlm/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index f9a9308341..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,206 +0,0 @@ ---- -description: Pipeline for normalizing Zeek ntlm.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ntlm - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.category - value: authentication - - append: - field: event.type - value: connection - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: ntlm - - dot_expander: - path: zeek.ntlm - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ntlm - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ntlm - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ntlm - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ntlm.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ntlm.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ntlm.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ntlm.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ntlm.uid - target_field: zeek.session_id - ignore_missing: true - - rename: - field: zeek.ntlm.domainname - target_field: zeek.ntlm.domain - ignore_missing: true - - rename: - field: zeek.ntlm.server_dns_computer_name - target_field: zeek.ntlm.server.name.dns - 
ignore_missing: true - - rename: - field: zeek.ntlm.server_nb_computer_name - target_field: zeek.ntlm.server.name.netbios - ignore_missing: true - - rename: - field: zeek.ntlm.server_tree_name - target_field: zeek.ntlm.server.name.tree - ignore_missing: true - - set: - field: user.name - copy_from: zeek.ntlm.username - if: ctx?.zeek?.ntlm?.username != null - - set: - field: user.domain - copy_from: zeek.ntlm.domain - if: ctx?.zeek?.ntlm?.domain != null - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.outcome - value: success - if: ctx?.zeek?.ntlm?.success == true - - set: - field: event.outcome - value: failure - if: ctx?.zeek?.ntlm?.success == false - - date: - field: zeek.ntlm.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.ntlm.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: 
source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - community_id: - target_field: network.community_id - - remove: - field: - - message - - json - - zeek.ntlm.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/ntlm/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/ntlm/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/ntlm/fields/agent.yml b/packages/zeek/2.1.0/data_stream/ntlm/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/ntlm/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/ntlm/fields/base-fields.yml deleted file mode 100755 index c337a76049..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.ntlm -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/ntlm/fields/beats.yml b/packages/zeek/2.1.0/data_stream/ntlm/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/ntlm/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/ntlm/fields/ecs.yml deleted file mode 100755 index d8445a6053..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/fields/ecs.yml +++ /dev/null 
@@ -1,187 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/ntlm/fields/fields.yml b/packages/zeek/2.1.0/data_stream/ntlm/fields/fields.yml deleted file mode 100755 index 42c05921af..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/fields/fields.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -- name: zeek.ntlm - type: group - fields: - - name: domain - type: keyword - description: | - Domain name given by the client. - - name: hostname - type: keyword - description: | - Hostname given by the client. - - name: success - type: boolean - description: | - Indicate whether or not the authentication was successful. - - name: username - type: keyword - description: | - Username given by the client. - - name: server - type: group - fields: - - name: name - type: group - fields: - - name: dns - type: keyword - description: | - DNS name given by the server in a CHALLENGE. - - name: netbios - type: keyword - description: | - NetBIOS name given by the server in a CHALLENGE. - - name: tree - type: keyword - description: | - Tree name given by the server in a CHALLENGE. diff --git a/packages/zeek/2.1.0/data_stream/ntlm/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/ntlm/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/ntlm/manifest.yml b/packages/zeek/2.1.0/data_stream/ntlm/manifest.yml deleted file mode 100755 index 38c3afa8a3..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntlm/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek ntlm logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of ntlm log file - multi: true - required: true - show_user: true - default: - - ntlm.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-ntlm - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek ntlm.log - description: Collect Zeek ntlm logs - - input: httpjson - title: Zeek ntlm logs via Splunk Enterprise REST API - description: Collect Zeek ntlm logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ntlm-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ntlm - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/ntp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/ntp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/ntp/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/ntp/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 4c4b978b5f..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,193 +0,0 @@ ---- -description: Pipeline for normalizing Zeek conn.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ntp - ignore_failure: true - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.2.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - append: - field: event.type - value: - - connection - - protocol - - info - allow_duplicates: false - - dot_expander: - path: zeek.ntp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ntp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ntp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ntp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ntp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ntp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ntp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ntp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ntp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: network.transport - value: udp - - set: - field: network.protocol - value: ntp - - set: - field: network.type - value: ipv4 - 
if: ctx.source?.ip.contains('.') - - set: - field: network.type - value: ipv6 - if: ctx.source?.ip.contains(':') - - community_id: - ignore_missing: true - - date: - field: zeek.ntp.ts - formats: - - UNIX - - ISO8601 - - date: - field: zeek.ntp.ref_time - target_field: zeek.ntp.ref_time - formats: - - UNIX - - date: - field: zeek.ntp.org_time - target_field: zeek.ntp.org_time - formats: - - UNIX - - date: - field: zeek.ntp.rec_time - target_field: zeek.ntp.rec_time - formats: - - UNIX - - date: - field: zeek.ntp.xmt_time - target_field: zeek.ntp.xmt_time - formats: - - UNIX - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: - - zeek.ntp.id - - zeek.ntp.ts - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/ntp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/ntp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/ntp/fields/agent.yml b/packages/zeek/2.1.0/data_stream/ntp/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/ntp/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/ntp/fields/base-fields.yml deleted file mode 100755 index 048a36b4f4..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.ntp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/ntp/fields/beats.yml b/packages/zeek/2.1.0/data_stream/ntp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/ntp/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/ntp/fields/ecs.yml deleted file mode 100755 index bae87bb48f..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/fields/ecs.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
- In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. 
- name: host.ip - type: ip -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. 
- name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/ntp/fields/fields.yml b/packages/zeek/2.1.0/data_stream/ntp/fields/fields.yml deleted file mode 100755 index 022ae5dc50..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/fields/fields.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -- name: zeek.ntp - type: group - default_field: false - description: > - Fields exported by the Zeek NTP log. - - fields: - - name: version - type: integer - description: > - The NTP version number (1, 2, 3, 4). - - - name: mode - type: integer - description: > - The NTP mode being used. - - - name: stratum - type: integer - description: > - The stratum (primary server, secondary server, etc.). - - - name: poll - type: double - description: > - The maximum interval between successive messages in seconds. - - - name: precision - type: double - description: > - The precision of the system clock in seconds. - - - name: root_delay - type: double - description: > - Total round-trip delay to the reference clock in seconds. - - - name: root_disp - type: double - description: > - Total dispersion to the reference clock in seconds. - - - name: ref_id - type: keyword - description: > - For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4). - - - name: ref_time - type: date - description: > - Time when the system clock was last set or correct. - - - name: org_time - type: date - description: > - Time at the client when the request departed for the NTP server. - - - name: rec_time - type: date - description: > - Time at the server when the request arrived from the NTP client. - - - name: xmt_time - type: date - description: > - Time at the server when the response departed for the NTP client. - - - name: num_exts - type: integer - description: >- - Number of extension fields (which are not currently parsed). 
diff --git a/packages/zeek/2.1.0/data_stream/ntp/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/ntp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/ntp/manifest.yml b/packages/zeek/2.1.0/data_stream/ntp/manifest.yml deleted file mode 100755 index 59b3e3bae5..0000000000 --- a/packages/zeek/2.1.0/data_stream/ntp/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek ntp logs -streams: - - input: logfile - template_path: log.yml.hbs - title: Zeek conn.log - description: Collect Zeek ntp logs - vars: - - name: filenames - type: text - title: Filename of ntp log - multi: true - required: true - show_user: true - default: - - ntp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-ntp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: httpjson - title: Zeek ntp logs via Splunk Enterprise REST API - description: Collect Zeek ntp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ntp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ntp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/ocsp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/ocsp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/ocsp/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/ocsp/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.1.0/data_stream/ocsp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/ocsp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a3623d5064..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,119 +0,0 @@ ---- -description: Pipeline for normalizing Zeek ocsp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ocsp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - set: - field: network.transport - value: tcp - - rename: - field: zeek.ocsp.id - target_field: zeek.ocsp.file_id - ignore_missing: true - - rename: - field: zeek.ocsp.hashAlgorithm - target_field: zeek.ocsp.hash.algorithm - ignore_missing: true - - rename: - field: zeek.ocsp.issuerNameHash - target_field: zeek.ocsp.hash.issuer.name - ignore_missing: true - - rename: - field: zeek.ocsp.issuerKeyHash - target_field: zeek.ocsp.hash.issuer.key - ignore_missing: true - - rename: - field: zeek.ocsp.serialNumber - target_field: zeek.ocsp.serial_number - ignore_missing: true - - rename: - field: zeek.ocsp.certStatus - target_field: zeek.ocsp.status - ignore_missing: true - - rename: - field: zeek.ocsp.revoketime - target_field: zeek.ocsp.revoke.date - ignore_missing: true - - rename: - field: zeek.ocsp.revokereason - target_field: zeek.ocsp.revoke.reason - ignore_missing: true - - rename: - field: zeek.ocsp.thisUpdate - target_field: zeek.ocsp.update.this - ignore_missing: true - - rename: - field: zeek.ocsp.nextUpdate - target_field: zeek.ocsp.update.next - ignore_missing: true - - date: - field: zeek.ocsp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.ocsp.ts - - date: - field: zeek.ocsp.revoke.date - target_field: zeek.ocsp.revoke.date - formats: - - UNIX - - 
ISO8601 - if: ctx.zeek.ocsp.revoke?.date != null - - date: - field: zeek.ocsp.update.this - target_field: zeek.ocsp.update.this - formats: - - UNIX - - ISO8601 - if: ctx.zeek.ocsp.update?.this != null - - date: - field: zeek.ocsp.update.next - target_field: zeek.ocsp.update.next - formats: - - UNIX - - ISO8601 - if: ctx.zeek.ocsp.update?.next != null - - append: - field: related.hash - value: "{{zeek.ocsp.issuerNameHash}}" - if: "ctx?.zeek?.ocsp?.issuerNameHash != null" - allow_duplicates: false - - append: - field: related.hash - value: "{{zeek.ocsp.issuerKeyHash}}" - if: "ctx?.zeek?.ocsp?.issuerKeyHash != null" - allow_duplicates: false - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/ocsp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/ocsp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/ocsp/fields/agent.yml b/packages/zeek/2.1.0/data_stream/ocsp/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/ocsp/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/ocsp/fields/base-fields.yml deleted file mode 100755 index 488e62b186..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.ocsp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/ocsp/fields/beats.yml b/packages/zeek/2.1.0/data_stream/ocsp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/ocsp/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/ocsp/fields/ecs.yml deleted file mode 100755 index b5595b4ff6..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/fields/ecs.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/ocsp/fields/fields.yml b/packages/zeek/2.1.0/data_stream/ocsp/fields/fields.yml deleted file mode 100755 index f2be6d1ba8..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/fields/fields.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -- name: zeek.ocsp - type: group - fields: - - name: file_id - type: keyword - description: | - File id of the OCSP reply. - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: | - Hash algorithm used to generate issuerNameHash and issuerKeyHash. - - name: issuer - type: group - fields: - - name: name - type: keyword - description: | - Hash of the issuer's distingueshed name. - - name: key - type: keyword - description: | - Hash of the issuer's public key. - - name: serial_number - type: keyword - description: | - Serial number of the affected certificate. - - name: status - type: keyword - description: | - Status of the affected certificate. - - name: revoke - type: group - fields: - - name: date - type: date - description: | - Time at which the certificate was revoked. - - name: reason - type: keyword - description: | - Reason for which the certificate was revoked. - - name: update - type: group - fields: - - name: this - type: date - description: | - The time at which the status being shows is known to have been correct. - - name: next - type: date - description: | - The latest time at which new information about the status of the certificate will be available. diff --git a/packages/zeek/2.1.0/data_stream/ocsp/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/ocsp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/ocsp/manifest.yml b/packages/zeek/2.1.0/data_stream/ocsp/manifest.yml deleted file mode 100755 index 1066b168a8..0000000000 --- a/packages/zeek/2.1.0/data_stream/ocsp/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek ocsp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of ocsp log file - multi: true - required: true - show_user: true - default: - - ocsp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-ocsp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek ocsp.log - description: Collect Zeek ocsp logs - - input: httpjson - title: Zeek ocsp logs via Splunk Enterprise REST API - description: Collect Zeek ocsp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ocsp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ocsp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/pe/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/pe/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/pe/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/pe/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/pe/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/pe/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index d088ca43e6..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -description: Pipeline for normalizing Zeek pe.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.pe - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: file - - append: - field: event.type - value: info - - rename: - field: zeek.pe.compile_ts - target_field: zeek.pe.compile_time - ignore_missing: true - - date: - field: zeek.pe.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.pe.ts - - date: - field: zeek.pe.compile_time - target_field: zeek.pe.compile_time - formats: - - UNIX - - ISO8601 - if: ctx.zeek.pe.compile_time != null - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/pe/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/pe/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/pe/fields/agent.yml b/packages/zeek/2.1.0/data_stream/pe/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/pe/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/pe/fields/base-fields.yml deleted file mode 100755 index 98af311efa..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.pe -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/pe/fields/beats.yml b/packages/zeek/2.1.0/data_stream/pe/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/pe/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/pe/fields/ecs.yml deleted file mode 100755 index 151f229510..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/fields/ecs.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip diff --git a/packages/zeek/2.1.0/data_stream/pe/fields/fields.yml b/packages/zeek/2.1.0/data_stream/pe/fields/fields.yml deleted file mode 100755 index f4d50fff0f..0000000000 --- a/packages/zeek/2.1.0/data_stream/pe/fields/fields.yml +++ /dev/null 
@@ -1,71 +0,0 @@
-- name: zeek.pe
- type: group
- fields:
- - name: client
- type: keyword
- description: |
- The client's version string.
- - name: id
- type: keyword
- description: |
- File id of this portable executable file.
- - name: machine
- type: keyword
- description: |
- The target machine that the file was compiled for.
- - name: compile_time
- type: date
- description: |
- The time that the file was created at.
- - name: os
- type: keyword
- description: |
- The required operating system.
- - name: subsystem
- type: keyword
- description: |
- The subsystem that is required to run this file.
- - name: is_exe
- type: boolean
- description: |
- Is the file an executable, or just an object file?
- - name: is_64bit
- type: boolean
- description: |
- Is the file a 64-bit executable?
- - name: uses_aslr
- type: boolean
- description: |
- Does the file support Address Space Layout Randomization?
- - name: uses_dep
- type: boolean
- description: |
- Does the file support Data Execution Prevention?
- - name: uses_code_integrity
- type: boolean
- description: |
- Does the file enforce code integrity checks?
- - name: uses_seh
- type: boolean
- description: |
- Does the file use structured exception handing?
- - name: has_import_table
- type: boolean
- description: |
- Does the file have an import table?
- - name: has_export_table
- type: boolean
- description: |
- Does the file have an export table?
- - name: has_cert_table
- type: boolean
- description: |
- Does the file have an attribute certificate table?
- - name: has_debug_data
- type: boolean
- description: |
- Does the file have a debug table?
- - name: section_names
- type: keyword
- description: |
- The names of the sections, in order.
diff --git a/packages/zeek/2.1.0/data_stream/pe/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/pe/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/pe/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/pe/manifest.yml b/packages/zeek/2.1.0/data_stream/pe/manifest.yml
deleted file mode 100755
index 7387997eba..0000000000
--- a/packages/zeek/2.1.0/data_stream/pe/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek pe logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of pe log file - multi: true - required: true - show_user: true - default: - - pe.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-pe - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek pe.log - description: Collect Zeek pe logs - - input: httpjson - title: Zeek pe logs via Splunk Enterprise REST API - description: Collect Zeek pe logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"pe-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-pe - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/radius/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/radius/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/radius/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/radius/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/radius/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/radius/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/radius/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/radius/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 68bc5af8ec..0000000000
--- a/packages/zeek/2.1.0/data_stream/radius/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,180 +0,0 @@ ---- -description: Pipeline for normalizing Zeek radius.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.radius - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.category - value: authentication - - append: - field: event.type - value: connection - - append: - field: event.type - value: info - - set: - field: network.transport - value: udp - - set: - field: network.protocol - value: radius - - dot_expander: - path: zeek.radius - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.radius - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.radius - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.radius - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.radius.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.radius.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.radius.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.radius.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.radius.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address 
!= null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: user.name - copy_from: zeek.radius.username - if: ctx?.zeek?.radius?.username != null - - set: - field: event.outcome - copy_from: zeek.radius.result - if: ctx?.zeek?.radius?.result != null - - date: - field: zeek.radius.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.radius.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.radius.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true 
-on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/radius/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/radius/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/radius/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/radius/fields/agent.yml b/packages/zeek/2.1.0/data_stream/radius/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/radius/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/radius/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/radius/fields/base-fields.yml
deleted file mode 100755
index a9e14f26e2..0000000000
--- a/packages/zeek/2.1.0/data_stream/radius/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.radius
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/radius/fields/beats.yml b/packages/zeek/2.1.0/data_stream/radius/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/radius/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/radius/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/radius/fields/ecs.yml
deleted file mode 100755
index 526ce749c4..0000000000
--- a/packages/zeek/2.1.0/data_stream/radius/fields/ecs.yml
+++ /dev/null
@@ -1,176 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. 
- name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/radius/fields/fields.yml b/packages/zeek/2.1.0/data_stream/radius/fields/fields.yml deleted file mode 100755 index bb2cfd38d0..0000000000 --- a/packages/zeek/2.1.0/data_stream/radius/fields/fields.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- name: zeek.radius - type: group - fields: - - name: username - type: keyword - description: | - The username, if present. - - name: mac - type: keyword - description: | - MAC address, if present. - - name: framed_addr - type: ip - description: | - The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. - - name: remote_ip - type: ip - description: | - Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. - - name: connect_info - type: keyword - description: | - Connect info, if present. - - name: reply_msg - type: keyword - description: | - Reply message from the server challenge. This is frequently shown to the user authenticating. - - name: result - type: keyword - description: | - Successful or failed authentication. - - name: ttl - type: integer - description: | - The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. - - name: logged - type: boolean - description: | - Whether this has already been logged and can be ignored. diff --git a/packages/zeek/2.1.0/data_stream/radius/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/radius/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/radius/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/radius/manifest.yml b/packages/zeek/2.1.0/data_stream/radius/manifest.yml deleted file mode 100755 index 5ca5cd766b..0000000000 --- a/packages/zeek/2.1.0/data_stream/radius/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek radius logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of radius log file - multi: true - required: true - show_user: true - default: - - radius.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-radius - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek radius.log - description: Collect Zeek radius logs - - input: httpjson - title: Zeek radius logs via Splunk Enterprise REST API - description: Collect Zeek radius logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"radius-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-radius - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/rdp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/rdp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 27d1775b51..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.1.0/data_stream/rdp/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/rdp/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/rdp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/rdp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 0b9239802b..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,213 +0,0 @@ ---- -description: Pipeline for normalizing Zeek rdp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.rdp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: protocol - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: rdp - - dot_expander: - path: zeek.rdp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.rdp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.rdp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.rdp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.rdp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.rdp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.rdp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.rdp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.rdp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.rdp.client_build - target_field: zeek.rdp.client.build - ignore_missing: true - - rename: - field: zeek.rdp.client_name - target_field: zeek.rdp.client.name - ignore_missing: true - - rename: - field: zeek.rdp.client_dig_product_id - target_field: zeek.rdp.client.product_id - ignore_missing: true - - rename: - field: zeek.rdp.desktop_width - target_field: zeek.rdp.desktop.width - ignore_missing: true - - rename: - field: zeek.rdp.desktop_height - target_field: zeek.rdp.desktop.height - ignore_missing: true - - rename: - field: zeek.rdp.requested_color_depth - target_field: zeek.rdp.desktop.color_depth - ignore_missing: true - - rename: - field: zeek.rdp.cert_type - target_field: zeek.rdp.cert.type - ignore_missing: true - - rename: - field: zeek.rdp.cert_count - target_field: zeek.rdp.cert.count - ignore_missing: true - - rename: - field: zeek.rdp.cert_permanent - target_field: zeek.rdp.cert.permanent - ignore_missing: true - - rename: - field: zeek.rdp.encryption_level - target_field: zeek.rdp.encryption.level - ignore_missing: true - - rename: - field: zeek.rdp.encryption_method - target_field: zeek.rdp.encryption.method - ignore_missing: true - - date: - field: zeek.rdp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.rdp.ts - - convert: - field: zeek.rdp.ssl - target_field: tls.established - type: boolean - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - 
ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.rdp.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/rdp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/rdp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/rdp/fields/agent.yml b/packages/zeek/2.1.0/data_stream/rdp/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/rdp/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/rdp/fields/base-fields.yml deleted file mode 100755 index 4fae2e698d..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.rdp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/rdp/fields/beats.yml b/packages/zeek/2.1.0/data_stream/rdp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/rdp/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/rdp/fields/ecs.yml deleted file mode 100755 index dfe713f5b7..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/fields/ecs.yml +++ /dev/null 
@@ -1,162 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean 
diff --git a/packages/zeek/2.1.0/data_stream/rdp/fields/fields.yml b/packages/zeek/2.1.0/data_stream/rdp/fields/fields.yml deleted file mode 100755 index 379d00eb00..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/fields/fields.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -- name: zeek.rdp - type: group - fields: - - name: cookie - type: keyword - description: | - Cookie value used by the client machine. This is typically a username. - - name: result - type: keyword - description: | - Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. - - name: security_protocol - type: keyword - description: | - Security protocol chosen by the server. - - name: keyboard_layout - type: keyword - description: | - Keyboard layout (language) of the client machine. - - name: client - type: group - fields: - - name: build - type: keyword - description: | - RDP client version used by the client machine. - - name: client_name - type: keyword - description: | - Name of the client machine. - - name: product_id - type: keyword - description: | - Product ID of the client machine. - - name: desktop - type: group - fields: - - name: width - type: integer - description: | - Desktop width of the client machine. - - name: height - type: integer - description: | - Desktop height of the client machine. - - name: color_depth - type: keyword - description: | - The color depth requested by the client in the high_color_depth field. - - name: cert - type: group - fields: - - name: type - type: keyword - description: | - If the connection is being encrypted with native RDP encryption, this is the type of cert being used. - - name: count - type: integer - description: | - The number of certs seen. X.509 can transfer an entire certificate chain. - - name: permanent - type: boolean - description: | - Indicates if the provided certificate or certificate chain is permanent or temporary. - - name: encryption - type: group - fields: - - name: level - type: keyword - description: | - Encryption level of the connection. - - name: method - type: keyword - description: | - Encryption method of the connection. 
- - name: done - type: boolean - description: | - Track status of logging RDP connections. - - name: ssl - type: boolean - description: | - (present if policy/protocols/rdp/indicate_ssl.bro is loaded) - Flag the connection if it was seen over SSL. diff --git a/packages/zeek/2.1.0/data_stream/rdp/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/rdp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/rdp/manifest.yml b/packages/zeek/2.1.0/data_stream/rdp/manifest.yml deleted file mode 100755 index ba3f66a0e5..0000000000 --- a/packages/zeek/2.1.0/data_stream/rdp/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek rdp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of rdp log file - multi: true - required: true - show_user: true - default: - - rdp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-rdp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek rdp.log - description: Collect Zeek rdp logs - - input: httpjson - title: Zeek rdp logs via Splunk Enterprise REST API - description: Collect Zeek rdp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"rdp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-rdp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/rfb/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/rfb/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/rfb/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/rfb/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/rfb/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/rfb/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index d4a4066919..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,188 +0,0 @@ ---- -description: Pipeline for normalizing Zeek rfb.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.rfb - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: info - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: rfb - - dot_expander: - path: zeek.rfb - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.rfb - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.rfb - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.rfb - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.rfb.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.rfb.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.rfb.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.rfb.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.rfb.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.rfb.client_major_version - target_field: zeek.rfb.version.client.major - ignore_missing: true - - rename: - field: zeek.rfb.client_minor_version - target_field: zeek.rfb.version.client.minor - ignore_missing: true - - rename: - field: zeek.rfb.server_major_version - target_field: zeek.rfb.version.server.major - ignore_missing: true - - rename: - field: zeek.rfb.server_minor_version - target_field: zeek.rfb.version.server.minor - ignore_missing: true - - rename: - field: zeek.rfb.auth - target_field: zeek.rfb.auth.success - ignore_missing: true - - rename: - field: zeek.rfb.authentication_method - target_field: zeek.rfb.auth.method - ignore_missing: true - - date: - field: zeek.rfb.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.rfb.ts - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - 
community_id: - target_field: network.community_id - - remove: - field: - - zeek.rfb.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/rfb/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/rfb/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/rfb/fields/agent.yml b/packages/zeek/2.1.0/data_stream/rfb/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/rfb/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/rfb/fields/base-fields.yml deleted file mode 100755 index 0908f5c5ed..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.rfb -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/rfb/fields/beats.yml b/packages/zeek/2.1.0/data_stream/rfb/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/rfb/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/rfb/fields/ecs.yml deleted file mode 100755 index 414138039f..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/fields/ecs.yml +++ /dev/null 
@@ -1,159 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long 
diff --git a/packages/zeek/2.1.0/data_stream/rfb/fields/fields.yml b/packages/zeek/2.1.0/data_stream/rfb/fields/fields.yml deleted file mode 100755 index 77fe1df108..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/fields/fields.yml +++ /dev/null @@ -1,55 +0,0 @@ -- name: zeek.rfb - type: group - fields: - - name: version - type: group - fields: - - name: client - type: group - fields: - - name: major - type: keyword - description: | - Major version of the client. - - name: minor - type: keyword - description: | - Minor version of the client. - - name: server - type: group - fields: - - name: major - type: keyword - description: | - Major version of the server. - - name: minor - type: keyword - description: | - Minor version of the server. - - name: auth - type: group - fields: - - name: success - type: boolean - description: | - Whether or not authentication was successful. - - name: method - type: keyword - description: | - Identifier of authentication method used. - - name: share_flag - type: boolean - description: | - Whether the client has an exclusive or a shared session. - - name: desktop_name - type: keyword - description: | - Name of the screen that is being shared. - - name: width - type: integer - description: | - Width of the screen that is being shared. - - name: height - type: integer - description: | - Height of the screen that is being shared. diff --git a/packages/zeek/2.1.0/data_stream/rfb/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/rfb/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/rfb/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/rfb/manifest.yml b/packages/zeek/2.1.0/data_stream/rfb/manifest.yml deleted file mode 100755 index dc620d9e21..0000000000 
--- a/packages/zeek/2.1.0/data_stream/rfb/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek rfb logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of rfb log file - multi: true - required: true - show_user: true - default: - - rfb.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-rfb - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek rfb.log - description: Collect Zeek rfb logs - - input: httpjson - title: Zeek rfb logs via Splunk Enterprise REST API - description: Collect Zeek rfb logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"rfb-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-rfb - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/signature/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/signature/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/signature/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/signature/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/signature/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/signature/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 496fef9987..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,149 +0,0 @@ ---- -description: Pipeline for normalizing Zeek conn.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.signature - ignore_failure: true - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: ecs.version - value: '8.2.0' - - set: - field: event.kind - value: alert - - set: - field: event.category - value: network - - rename: - field: zeek.signature.src_addr - target_field: source.address - ignore_missing: true - - rename: - field: zeek.signature.src_port - target_field: source.port - ignore_missing: true - - rename: - field: zeek.signature.dst_addr - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.signature.dst_port - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.signature.uid - target_field: zeek.session_id - ignore_missing: true - - rename: - field: zeek.signature.sig_id - target_field: rule.id - ignore_missing: true - - rename: - field: zeek.signature.event_msg - target_field: rule.description - ignore_missing: true - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - date: - field: zeek.signature.ts - formats: - - UNIX - - ISO8601 - - set: - field: event.id - copy_from: zeek.session_id - if: ctx.zeek.session_id != null - - set: - field: network.type - value: ipv4 - if: ctx.source?.ip.contains('.') - - set: - field: network.type - value: ipv6 - if: ctx.source?.ip.contains(':') - - append: - 
field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: - - zeek.signature.ts - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/signature/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/signature/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/signature/fields/agent.yml b/packages/zeek/2.1.0/data_stream/signature/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/signature/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/signature/fields/base-fields.yml deleted file mode 100755 index a1d0bd61fd..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.signature -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/signature/fields/beats.yml b/packages/zeek/2.1.0/data_stream/signature/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/signature/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/signature/fields/ecs.yml deleted file mode 100755 index 033b7629f2..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/fields/ecs.yml +++ /dev/null 
@@ -1,221 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
- In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. 
- name: host.ip - type: ip -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Total packets transferred in both directions. - If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. 
- name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/signature/fields/fields.yml b/packages/zeek/2.1.0/data_stream/signature/fields/fields.yml deleted file mode 100755 index 6b3043bf65..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/fields/fields.yml +++ /dev/null @@ -1,36 +0,0 @@ -- name: zeek.signature - type: group - default_field: false - description: > - Fields exported by the Zeek Signature log. - - fields: - - name: note - type: keyword - description: > - Notice associated with signature event. - - - name: sig_id - type: keyword - description: > - The name of the signature that matched. - - - name: event_msg - type: keyword - description: > - A more descriptive message of the signature-matching event. - - - name: sub_msg - type: keyword - description: > - Extracted payload data or extra message. - - - name: sig_count - type: integer - description: > - Number of sigs, usually from summary count. - - - name: host_count - type: integer - description: >- - Number of hosts, from a summary count. 
diff --git a/packages/zeek/2.1.0/data_stream/signature/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/signature/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/signature/manifest.yml b/packages/zeek/2.1.0/data_stream/signature/manifest.yml deleted file mode 100755 index 355c10e5a0..0000000000 --- a/packages/zeek/2.1.0/data_stream/signature/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek signature logs -streams: - - input: logfile - template_path: log.yml.hbs - title: Zeek signature.log - description: Collect Zeek signature logs - vars: - - name: filenames - type: text - title: Filename of signature log - multi: true - required: true - show_user: true - default: - - signature.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-signature - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: httpjson - title: Zeek signature logs via Splunk Enterprise REST API - description: Collect Zeek signature logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"signature-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-signature - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/sip/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/sip/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/sip/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/sip/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/sip/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/sip/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 5715594d2b..0000000000 --- a/packages/zeek/2.1.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,240 +0,0 @@
----
-description: Pipeline for normalizing Zeek sip.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.sip
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.2.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: protocol
- - set:
- field: network.transport
- value: udp
- - set:
- field: network.protocol
- value: sip
- - dot_expander:
- path: zeek.sip
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.sip
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.sip
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.sip
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.sip.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.sip.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.sip.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.sip.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.sip.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx.zeek.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if:
ctx?.destination?.address != null
- - rename:
- field: zeek.sip.trans_depth
- target_field: zeek.sip.transaction_depth
- ignore_missing: true
- - rename:
- field: zeek.sip.method
- target_field: zeek.sip.sequence.method
- ignore_missing: true
- - rename:
- field: zeek.sip.request_from
- target_field: zeek.sip.request.from
- ignore_missing: true
- - rename:
- field: zeek.sip.request_to
- target_field: zeek.sip.request.to
- ignore_missing: true
- - rename:
- field: zeek.sip.request_path
- target_field: zeek.sip.request.path
- ignore_missing: true
- - rename:
- field: zeek.sip.request_body_len
- target_field: zeek.sip.request.body_length
- ignore_missing: true
- - rename:
- field: zeek.sip.response_from
- target_field: zeek.sip.response.from
- ignore_missing: true
- - rename:
- field: zeek.sip.response_to
- target_field: zeek.sip.response.to
- ignore_missing: true
- - rename:
- field: zeek.sip.response_path
- target_field: zeek.sip.response.path
- ignore_missing: true
- - rename:
- field: zeek.sip.response_body_len
- target_field: zeek.sip.response.body_length
- ignore_missing: true
- - rename:
- field: zeek.sip.status_code
- target_field: zeek.sip.status.code
- ignore_missing: true
- - rename:
- field: zeek.sip.status_msg
- target_field: zeek.sip.status.msg
- ignore_missing: true
- - set:
- field: event.action
- copy_from: zeek.sip.sequence.method
- if: ctx?.zeek?.sip?.sequence?.method != null
- - set:
- field: url.full
- copy_from: zeek.sip.uri
- if: ctx?.zeek?.sip?.uri != null
- - date:
- field: zeek.sip.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.sip.ts
- - grok:
- field: zeek.sip.seq
- patterns:
- - "%{NUMBER:zeek.sip.sequence.number}"
- ignore_missing: true
- - remove:
- field: zeek.sip.seq
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
-
target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - append:
- field: event.type
- value: error
- if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code >= 400"
- - set:
- field: event.outcome
- value: failure
- if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code >= 400"
- - set:
- field: event.outcome
- value: success
- if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code < 400"
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.sip.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/sip/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/sip/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/sip/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/sip/fields/agent.yml b/packages/zeek/2.1.0/data_stream/sip/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/sip/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.1.0/data_stream/sip/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/sip/fields/base-fields.yml
deleted file mode 100755
index 7e5ed093a6..0000000000
--- a/packages/zeek/2.1.0/data_stream/sip/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.sip
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/sip/fields/beats.yml b/packages/zeek/2.1.0/data_stream/sip/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/sip/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/sip/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/sip/fields/ecs.yml
deleted file mode 100755
index eb4b63287e..0000000000
--- a/packages/zeek/2.1.0/data_stream/sip/fields/ecs.yml
+++ /dev/null
@@ -1,178 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: destination.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: destination.geo.name
- type: keyword
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Host ip addresses.
- name: host.ip
- type: ip
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.full
- type: wildcard
diff --git a/packages/zeek/2.1.0/data_stream/sip/fields/fields.yml b/packages/zeek/2.1.0/data_stream/sip/fields/fields.yml
deleted file mode 100755
index 399f7a09b1..0000000000
--- a/packages/zeek/2.1.0/data_stream/sip/fields/fields.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-- name: zeek.sip
- type: group
- fields:
- - name: transaction_depth
- type: integer
- description: |
- Represents the pipelined depth into the connection of this request/response transaction.
- - name: sequence
- type: group
- fields:
- - name: method
- type: keyword
- description: |
- Verb used in the SIP request (INVITE, REGISTER etc.).
- - name: number
- type: keyword
- description: |
- Contents of the CSeq: header from the client.
- - name: uri
- type: keyword
- description: |
- URI used in the request.
- - name: date
- type: keyword
- description: |
- Contents of the Date: header from the client.
- - name: request
- type: group
- fields:
- - name: from
- type: keyword
- description: |
- Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
- - name: to
- type: keyword
- description: |
- Contents of the To: header.
- - name: path
- type: keyword
- description: |
- The client message transmission path, as extracted from the headers.
- - name: body_length
- type: long
- description: |
- Contents of the Content-Length: header from the client.
- - name: response
- type: group
- fields:
- - name: from
- type: keyword
- description: |
- Contents of the response
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
- - name: to
- type: keyword
- description: |
- Contents of the response To: header.
- - name: path
- type: keyword
- description: |
- The server message transmission path, as extracted from the headers.
- - name: body_length
- type: long
- description: |
- Contents of the Content-Length: header from the server.
- - name: reply_to
- type: keyword
- description: |
- Contents of the Reply-To: header.
- - name: call_id
- type: keyword
- description: |
- Contents of the Call-ID: header from the client.
- - name: subject
- type: keyword
- description: |
- Contents of the Subject: header from the client.
- - name: user_agent
- type: keyword
- description: |
- Contents of the User-Agent: header from the client.
- - name: status
- type: group
- fields:
- - name: code
- type: integer
- description: |
- Status code returned by the server.
- - name: msg
- type: keyword
- description: |
- Status message returned by the server.
- - name: warning
- type: keyword
- description: |
- Contents of the Warning: header.
- - name: content_type
- type: keyword
- description: |
- Contents of the Content-Type: header from the server.
diff --git a/packages/zeek/2.1.0/data_stream/sip/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/sip/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/sip/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/sip/manifest.yml b/packages/zeek/2.1.0/data_stream/sip/manifest.yml
deleted file mode 100755
index 010396ae00..0000000000
--- a/packages/zeek/2.1.0/data_stream/sip/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-type: logs
-title: Zeek sip logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of sip log file
- multi: true
- required: true
- show_user: true
- default:
- - sip.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - zeek-sip
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: log.yml.hbs
- title: Zeek sip.log
- description: Collect Zeek sip logs
- - input: httpjson
- title: Zeek sip logs via Splunk Enterprise REST API
- description: Collect Zeek sip logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg.
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"sip-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-sip
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/smb_cmd/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/smb_cmd/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 95e997eaaf..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,290 +0,0 @@
----
-description: Pipeline for normalizing Zeek smb_cmd.log
-processors:
- - rename:
- field: message
- target_field: event.original
- - json:
- field: event.original
- target_field: _temp_
- - pipeline:
- if: ctx?._temp_?.result != null
- name: '{{ IngestPipeline "third-party" }}'
- - drop:
- description: Drop if no timestamp (invalid json)
- if: 'ctx?._temp_?.ts == null'
- - rename:
- field: _temp_
- target_field: zeek.smb_cmd
-
-# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- - set:
- field: event.created
- copy_from: "@timestamp"
- - set:
- field: event.kind
- value: event
- - set:
- field: ecs.version
- value: '8.2.0'
- - append:
- field: event.category
- value: network
- - append:
- field: event.type
- value: connection
- - append:
- field: event.type
- value: protocol
- - set:
- field: network.transport
- value: tcp
- - set:
- field: network.protocol
- value: smb
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.ts
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.id.resp_p
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.size
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.times.modified
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.times.accessed
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.times.created
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.times.changed
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.uid
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.action
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.name
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: referenced_file.path
- ignore_failure: true
- - remove:
- field:
- - zeek.smb_cmd.referenced_file.ts
- - zeek.smb_cmd.referenced_file.id.orig_p
- - zeek.smb_cmd.referenced_file.id.resp_p
- - zeek.smb_cmd.referenced_file.size
- - zeek.smb_cmd.referenced_file.times.modified
- - zeek.smb_cmd.referenced_file.times.accessed
- - zeek.smb_cmd.referenced_file.times.created
- - zeek.smb_cmd.referenced_file.times.changed
- ignore_missing: true
- - remove:
- field:
- - zeek.smb_cmd.referenced_file.uid
- - zeek.smb_cmd.referenced_file.id.orig_h
- - zeek.smb_cmd.referenced_file.id.resp_h
- ignore_missing: true
- if: ctx?.zeek?.smb_cmd?.referenced_file?.action == null
- - dot_expander:
- path: zeek.smb_cmd
- field: id.orig_p
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: id.orig_h
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: id.resp_h
- ignore_failure: true
- - dot_expander:
- path: zeek.smb_cmd
- field: id.resp_p
- ignore_failure: true
- - rename:
- field: zeek.smb_cmd.id.orig_h
- target_field: source.address
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.id.orig_p
- target_field: source.port
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.id.resp_h
- target_field: destination.address
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.id.resp_p
- target_field: destination.port
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.uid
- target_field: zeek.session_id
- ignore_missing: true
- - set:
- field: event.id
- copy_from: zeek.session_id
- if: ctx?.zeek?.session_id != null
- - set:
- field: source.ip
- copy_from: source.address
- if: ctx?.source?.address != null
- - set:
- field: destination.ip
- copy_from: destination.address
- if: ctx?.destination?.address != null
- - rename:
- field: zeek.smb_cmd.referenced_file.uid
- target_field: zeek.smb_cmd.file.uid
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.referenced_file.id.orig_h
- target_field: zeek.smb_cmd.file.host.tx
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.referenced_file.id.resp_h
- target_field: zeek.smb_cmd.file.host.rx
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.referenced_file.name
- target_field: zeek.smb_cmd.file.name
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.referenced_file.path
- target_field: zeek.smb_cmd.file.path
- ignore_missing: true
- - rename:
- field: zeek.smb_cmd.referenced_file.action
- target_field: zeek.smb_cmd.file.action
- ignore_missing: true
- - set:
- field: event.action
- copy_from: zeek.smb_cmd.command
- if: ctx?.zeek?.smb_cmd?.command != null
- - set:
- field: user.name
- copy_from: zeek.smb_cmd.username
- if: ctx?.zeek?.smb_cmd?.username != null
- - date:
- field: zeek.smb_cmd.ts
- formats:
- - UNIX
- - ISO8601
- - remove:
- field: zeek.smb_cmd.ts
- - remove:
- field: zeek.smb_cmd.referenced_file
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - append:
- field: related.user
- value: "{{user.name}}"
- if: "ctx?.user?.name != null"
- allow_duplicates: false
- - append:
- field: event.type
- value: error
- if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() != 'success'"
- - set:
- field: event.outcome
- value: success
- if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() == 'success'"
- - set:
- field: event.outcome
- value: failure
- if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() != 'success'"
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.smb_cmd.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/agent.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/fields/base-fields.yml
deleted file mode 100755
index 2da0d47a43..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.smb_cmd
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/beats.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/fields/ecs.yml
deleted file mode 100755
index 9e84911efa..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/ecs.yml
+++ /dev/null
@@ -1,181 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
- name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
- name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/fields.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/fields/fields.yml deleted file mode 100755 index 73c6a4b084..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/fields.yml +++ /dev/null 
@@ -1,75 +0,0 @@
-- name: zeek.smb_cmd
- type: group
- fields:
- - name: command
- type: keyword
- description: |
- The command sent by the client.
- - name: sub_command
- type: keyword
- description: |
- The subcommand sent by the client, if present.
- - name: argument
- type: keyword
- description: |
- Command argument sent by the client, if any.
- - name: status
- type: keyword
- description: |
- Server reply to the client's command.
- - name: rtt
- type: double
- description: |
- Round trip time from the request to the response.
- - name: version
- type: keyword
- description: |
- Version of SMB for the command.
- - name: username
- type: keyword
- description: |
- Authenticated username, if available.
- - name: tree
- type: keyword
- description: |
- If this is related to a tree, this is the tree that was used for the current command.
- - name: tree_service
- type: keyword
- description: |
- The type of tree (disk share, printer share, named pipe, etc.).
- - name: file
- type: group
- fields:
- - name: name
- type: keyword
- description: |
- Filename if one was seen.
- - name: action
- type: keyword
- description: |
- Action this log record represents.
- - name: uid
- type: keyword
- description: |
- UID of the referenced file.
- - name: host
- type: group
- fields:
- - name: tx
- type: ip
- description: |
- Address of the transmitting host.
- - name: rx
- type: ip
- description: |
- Address of the receiving host.
- - name: smb1_offered_dialects
- type: keyword
- description: |
- Present if base/protocols/smb/smb1-main.bro is loaded.
- Dialects offered by the client.
- - name: smb2_offered_dialects
- type: integer
- description: |
- Present if base/protocols/smb/smb2-main.bro is loaded.
- Dialects offered by the client.
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/smb_cmd/manifest.yml b/packages/zeek/2.1.0/data_stream/smb_cmd/manifest.yml
deleted file mode 100755
index d8387b5cc8..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_cmd/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek smb_cmd logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of smb_cmd log file - multi: true - required: true - show_user: true - default: - - smb_cmd.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-smb-cmd - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek smb_cmd.log - description: Collect Zeek smb_cmd logs - - input: httpjson - title: Zeek smb_cmd logs via Splunk Enterprise REST API - description: Collect Zeek smb_cmd logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"smb_cmd-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-smb-cmd - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/smb_files/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/smb_files/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_files/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/smb_files/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/smb_files/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_files/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/smb_files/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/smb_files/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index b83f769498..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_files/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,256 +0,0 @@ ---- -description: Pipeline for normalizing Zeek smb_files.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.smb_files - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.category - value: file - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: smb - - dot_expander: - path: zeek.smb_files - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.smb_files - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.smb_files - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.smb_files - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.smb_files.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.smb_files.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.smb_files.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.smb_files.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.smb_files.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - 
if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: event.action - copy_from: zeek.smb_files.action - if: ctx?.zeek?.smb_files?.action != null - - set: - field: file.name - copy_from: zeek.smb_files.name - if: ctx?.zeek?.smb_files?.name != null - - set: - field: file.size - copy_from: zeek.smb_files.size - if: ctx?.zeek?.smb_files?.size != null - - date: - field: zeek.smb_files.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.smb_files.ts - - dot_expander: - field: times.accessed - path: zeek.smb_files - - dot_expander: - field: times.changed - path: zeek.smb_files - - dot_expander: - field: times.created - path: zeek.smb_files - - dot_expander: - field: times.modified - path: zeek.smb_files - - date: - field: zeek.smb_files.times.accessed - target_field: zeek.smb_files.times.accessed - formats: - - UNIX - - ISO8601 - if: ctx.zeek.smb_files.times?.accessed != null - - set: - field: file.accessed - value: "{{zeek.smb_files.times.accessed}}" - if: "ctx?.zeek?.smb_files?.times?.accessed != null" - - date: - field: zeek.smb_files.times.changed - target_field: zeek.smb_files.times.changed - formats: - - UNIX - - ISO8601 - if: ctx.zeek.smb_files.times?.accessed != null - - set: - field: file.ctime - value: "{{zeek.smb_files.times.changed}}" - if: "ctx?.zeek?.smb_files?.times?.changed != null" - - date: - field: zeek.smb_files.times.created - target_field: zeek.smb_files.times.created - formats: - - UNIX - - ISO8601 - if: ctx.zeek.smb_files.times?.accessed != null - - set: - field: file.created - value: "{{zeek.smb_files.times.created}}" - if: "ctx?.zeek?.smb_files?.times?.created != null" - - date: - field: zeek.smb_files.times.modified - target_field: zeek.smb_files.times.modified - formats: - - UNIX - - ISO8601 - if: ctx.zeek.smb_files.times?.accessed != null - - set: - field: file.mtime - value: "{{zeek.smb_files.times.modified}}" - if: 
"ctx?.zeek?.smb_files?.times?.modified != null" - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - set: - field: file.path - value: "{{zeek.smb_files.path}}\\{{zeek.smb_files.name}}" - if: "ctx?.zeek?.smb_files?.path != null && ctx?.zeek?.smb_files?.name != null" - - append: - field: event.type - value: deletion - if: "ctx?.zeek?.smb_files?.action == 'SMB::FILE_DELETE'" - - append: - field: event.type - value: change - if: "ctx?.zeek?.smb_files?.action == 'SMB::FILE_RENAME' || ctx?.zeek?.smb_files?.action == 'SMB::FILE_SET_ATTRIBUTE'" - - append: - field: event.type - value: info - if: "ctx?.zeek?.smb_files?.action != null && ctx.zeek.smb_files != 'SMB::FILE_DELETE' && ctx.zeek.smb_files != 'SMB::FILE_RENAME' && ctx.zeek.smb_files != 
'SMB::FILE_SET_ATTRIBUTE'" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.smb_files.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/smb_files/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/smb_files/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_files/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/smb_files/fields/agent.yml b/packages/zeek/2.1.0/data_stream/smb_files/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 
--- a/packages/zeek/2.1.0/data_stream/smb_files/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.1.0/data_stream/smb_files/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/smb_files/fields/base-fields.yml
deleted file mode 100755
index 21aa2739e6..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_files/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.smb_files
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/smb_files/fields/beats.yml b/packages/zeek/2.1.0/data_stream/smb_files/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_files/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/smb_files/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/smb_files/fields/ecs.yml
deleted file mode 100755
index 861cae6835..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_files/fields/ecs.yml
+++ /dev/null
@@ -1,199 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Last time the file was accessed. - Note that not all filesystems keep track of access time. - name: file.accessed - type: date -- description: |- - File creation time. - Note that not all filesystems store the creation time. - name: file.created - type: date -- description: |- - Last time the file attributes or metadata changed. - Note that changes to the file content will update `mtime`. 
This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. - name: file.ctime - type: date -- description: Last time the file content was modified. - name: file.mtime - type: date -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/smb_files/fields/fields.yml b/packages/zeek/2.1.0/data_stream/smb_files/fields/fields.yml deleted file mode 100755 index 9a2bae33cb..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_files/fields/fields.yml +++ /dev/null 
@@ -1,50 +0,0 @@
-- name: zeek.smb_files
- type: group
- fields:
- - name: action
- type: keyword
- description: |
- Action this log record represents.
- - name: fid
- type: integer
- description: |
- ID referencing this file.
- - name: name
- type: keyword
- description: |
- Filename if one was seen.
- - name: path
- type: keyword
- description: |
- Path pulled from the tree this file was transferred to or from.
- - name: previous_name
- type: keyword
- description: |
- If the rename action was seen, this will be the file's previous name.
- - name: size
- type: long
- description: |
- Byte size of the file.
- - name: times
- type: group
- fields:
- - name: accessed
- type: date
- description: |
- The file's access time.
- - name: changed
- type: date
- description: |
- The file's change time.
- - name: created
- type: date
- description: |
- The file's create time.
- - name: modified
- type: date
- description: |
- The file's modify time.
- - name: uuid
- type: keyword
- description: |
- UUID referencing this file if DCE/RPC.
diff --git a/packages/zeek/2.1.0/data_stream/smb_files/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/smb_files/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_files/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/smb_files/manifest.yml b/packages/zeek/2.1.0/data_stream/smb_files/manifest.yml
deleted file mode 100755
index dcc309d2b6..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_files/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-type: logs
-title: Zeek smb_files logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of smb_files log file
- multi: true
- required: true
- show_user: true
- default:
- - smb_files.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - zeek-smb-files
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- template_path: log.yml.hbs
- title: Zeek smb_files.log
- description: Collect Zeek smb_files logs
- - input: httpjson
- title: Zeek smb_files logs via Splunk Enterprise REST API
- description: Collect Zeek smb_files logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg.
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"smb_files-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-smb-files
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/smb_mapping/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 33f251e7d6..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_mapping/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/smb_mapping/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/smb_mapping/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 16e5f99675..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_mapping/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,164 +0,0 @@ ---- -description: Pipeline for normalizing Zeek smb_mapping.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.smb_mapping - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: smb - - dot_expander: - path: zeek.smb_mapping - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.smb_mapping - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.smb_mapping - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.smb_mapping - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.smb_mapping.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.smb_mapping.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.smb_mapping.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.smb_mapping.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.smb_mapping.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != 
null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - date: - field: zeek.smb_mapping.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.smb_mapping.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.smb_mapping.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_mapping/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/agent.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/fields/base-fields.yml deleted file mode 100755 index b790ebf752..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.smb_mapping -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/beats.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/fields/ecs.yml deleted file mode 100755 index 6f21fee260..0000000000 
--- a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/ecs.yml
+++ /dev/null
@@ -1,165 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. 
- name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/fields.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/fields/fields.yml deleted file mode 100755 index 050d877b41..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: zeek.smb_mapping - type: group - fields: - - name: path - type: keyword - description: | - Name of the tree path. - - name: service - type: keyword - description: | - The type of resource of the tree (disk share, printer share, named pipe, etc.). - - name: native_file_system - type: keyword - description: | - File system of the tree. - - name: share_type - type: keyword - description: | - If this is SMB2, a share type will be included. For SMB1, the type of share - will be deduced and included as well. diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_mapping/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/smb_mapping/manifest.yml b/packages/zeek/2.1.0/data_stream/smb_mapping/manifest.yml deleted file mode 100755 index 65d967d3c5..0000000000 --- a/packages/zeek/2.1.0/data_stream/smb_mapping/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -type: logs -title: Zeek smb_mapping logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of smb_mapping log file - multi: true - required: true - show_user: true - default: - - smb_mapping.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.smb_mapping - template_path: log.yml.hbs - title: Zeek smb_mapping.log - description: Collect Zeek smb_mapping logs - - input: httpjson - title: Zeek smb_mapping logs via Splunk Enterprise REST API - description: Collect Zeek smb_mapping logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"smb_mapping-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded diff --git a/packages/zeek/2.1.0/data_stream/smtp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/smtp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/smtp/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/smtp/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index bb7b23af88..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,192 +0,0 @@ ---- -description: Pipeline for normalizing Zeek smtp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.smtp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: smtp - - dot_expander: - path: zeek.smtp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.smtp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.smtp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.smtp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.smtp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.smtp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.smtp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.smtp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.smtp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.smtp.trans_depth - target_field: zeek.smtp.transaction_depth - ignore_missing: true - - rename: - field: zeek.smtp.mailfrom - target_field: zeek.smtp.mail_from - ignore_missing: true - - rename: - field: zeek.smtp.rcptto - target_field: zeek.smtp.rcpt_to - ignore_missing: true - - convert: - field: zeek.smtp.tls - target_field: tls.established - type: boolean - if: ctx?.zeek?.smtp?.tls != null - - date: - field: zeek.smtp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.smtp.ts - - date: - field: zeek.smtp.date - target_field: zeek.smtp.date - formats: - - EEE, d MMM yyyy HH:mm:ss Z - if: ctx.zeek.smtp.date != null - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.smtp.fuids - ignore_missing: true - if: 
'ctx?.zeek?.smtp?.fuids == null || ctx?.zeek?.smtp?.isEmpty()' - - remove: - field: - - zeek.smtp.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/smtp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/smtp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/smtp/fields/agent.yml b/packages/zeek/2.1.0/data_stream/smtp/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/smtp/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/smtp/fields/base-fields.yml deleted file mode 100755 index c3f1dee8ed..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.smtp -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/smtp/fields/beats.yml b/packages/zeek/2.1.0/data_stream/smtp/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/smtp/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/smtp/fields/ecs.yml deleted file mode 100755 index dfe713f5b7..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/fields/ecs.yml +++ /dev/null 
@@ -1,162 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean 
diff --git a/packages/zeek/2.1.0/data_stream/smtp/fields/fields.yml b/packages/zeek/2.1.0/data_stream/smtp/fields/fields.yml deleted file mode 100755 index 167b12eb1f..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/fields/fields.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -- name: zeek.smtp - type: group - fields: - - name: transaction_depth - type: integer - description: | - A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. - - name: helo - type: keyword - description: | - Contents of the Helo header. - - name: mail_from - type: keyword - description: | - Email addresses found in the MAIL FROM header. - - name: rcpt_to - type: keyword - description: | - Email addresses found in the RCPT TO header. - - name: date - type: date - description: | - Contents of the Date header. - - name: from - type: keyword - description: | - Contents of the From header. - - name: to - type: keyword - description: | - Contents of the To header. - - name: cc - type: keyword - description: | - Contents of the CC header. - - name: reply_to - type: keyword - description: | - Contents of the ReplyTo header. - - name: msg_id - type: keyword - description: | - Contents of the MsgID header. - - name: in_reply_to - type: keyword - description: | - Contents of the In-Reply-To header. - - name: subject - type: keyword - description: | - Contents of the Subject header. - - name: x_originating_ip - type: keyword - description: | - Contents of the X-Originating-IP header. - - name: first_received - type: keyword - description: | - Contents of the first Received header. - - name: second_received - type: keyword - description: | - Contents of the second Received header. - - name: last_reply - type: keyword - description: | - The last message that the server sent to the client. - - name: path - type: ip - description: | - The message transmission path, as extracted from the headers. - - name: user_agent - type: keyword - description: | - Value of the User-Agent header from the client. - - name: tls - type: boolean - description: | - Indicates that the connection has switched to using TLS. 
- - name: process_received_from - type: boolean - description: | - Indicates if the "Received: from" headers should still be processed. - - name: has_client_activity - type: boolean - description: | - Indicates if client activity has been seen, but not yet logged. - - name: fuids - type: keyword - description: | - (present if base/protocols/smtp/files.bro is loaded) - An ordered vector of file unique IDs seen attached to the message. - - name: is_webmail - type: boolean - description: | - Indicates if the message was sent through a webmail interface. diff --git a/packages/zeek/2.1.0/data_stream/smtp/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/smtp/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/smtp/manifest.yml b/packages/zeek/2.1.0/data_stream/smtp/manifest.yml deleted file mode 100755 index f6c149387e..0000000000 --- a/packages/zeek/2.1.0/data_stream/smtp/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek smtp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of smtp log file - multi: true - required: true - show_user: true - default: - - smtp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-smtp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek smtp.log - description: Collect Zeek smtp logs - - input: httpjson - title: Zeek smtp logs via Splunk Enterprise REST API - description: Collect Zeek smtp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"smtp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-smtp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/snmp/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/snmp/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/snmp/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/snmp/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/snmp/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/snmp/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/snmp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/snmp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index dc178f2c1f..0000000000 --- a/packages/zeek/2.1.0/data_stream/snmp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,187 +0,0 @@ ---- -description: Pipeline for normalizing Zeek snmp.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.snmp - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: udp - - set: - field: network.protocol - value: snmp - - dot_expander: - path: zeek.snmp - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.snmp - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.snmp - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.snmp - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.snmp.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.snmp.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.snmp.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.snmp.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.snmp.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.snmp.get_requests - target_field: zeek.snmp.get.requests - ignore_missing: true - - rename: - field: zeek.snmp.get_bulk_requests - target_field: zeek.snmp.get.bulk_requests - ignore_missing: true - - rename: - field: zeek.snmp.get_responses - target_field: zeek.snmp.get.responses - ignore_missing: true - - rename: - field: zeek.snmp.set_requests - target_field: zeek.snmp.set.requests - ignore_missing: true - - date: - field: zeek.snmp.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.snmp.ts - - date: - field: zeek.snmp.up_since - target_field: zeek.snmp.up_since - formats: - - UNIX - - ISO8601 - if: ctx.zeek.snmp.up_since != null - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.snmp.id - ignore_missing: true - - 
remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/snmp/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/snmp/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/snmp/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/snmp/fields/agent.yml b/packages/zeek/2.1.0/data_stream/snmp/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/snmp/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/snmp/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/snmp/fields/base-fields.yml
deleted file mode 100755
index 604ea318eb..0000000000
--- a/packages/zeek/2.1.0/data_stream/snmp/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.snmp
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/snmp/fields/beats.yml b/packages/zeek/2.1.0/data_stream/snmp/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/snmp/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/snmp/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/snmp/fields/ecs.yml
deleted file mode 100755
index 414138039f..0000000000
--- a/packages/zeek/2.1.0/data_stream/snmp/fields/ecs.yml
+++ /dev/null
@@ -1,159 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long 
diff --git a/packages/zeek/2.1.0/data_stream/snmp/fields/fields.yml b/packages/zeek/2.1.0/data_stream/snmp/fields/fields.yml
deleted file mode 100755
index f005e686aa..0000000000
--- a/packages/zeek/2.1.0/data_stream/snmp/fields/fields.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-- name: zeek.snmp
- type: group
- fields:
- - name: duration
- type: double
- description: |
- The amount of time between the first packet beloning to the SNMP session and the latest one seen.
- - name: version
- type: keyword
- description: |
- The version of SNMP being used.
- - name: community
- type: keyword
- description: |
- The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.
- - name: get
- type: group
- fields:
- - name: requests
- type: integer
- description: |
- The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.
- - name: bulk_requests
- type: integer
- description: |
- The number of variable bindings in GetBulkRequest PDUs seen for the session.
- - name: responses
- type: integer
- description: |
- The number of variable bindings in GetResponse/Response PDUs seen for the session.
- - name: set
- type: group
- fields:
- - name: requests
- type: integer
- description: |
- The number of variable bindings in SetRequest PDUs seen for the session.
- - name: display_string
- type: keyword
- description: |
- A system description of the SNMP responder endpoint.
- - name: up_since
- type: date
- description: |
- The time at which the SNMP responder endpoint claims it's been up since.
diff --git a/packages/zeek/2.1.0/data_stream/snmp/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/snmp/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/snmp/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/snmp/manifest.yml b/packages/zeek/2.1.0/data_stream/snmp/manifest.yml
deleted file mode 100755
index ee4659f751..0000000000
--- a/packages/zeek/2.1.0/data_stream/snmp/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek snmp logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of snmp log file - multi: true - required: true - show_user: true - default: - - snmp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-snmp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek snmp.log - description: Collect Zeek snmp logs - - input: httpjson - title: Zeek snmp logs via Splunk Enterprise REST API - description: Collect Zeek snmp logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"snmp-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-snmp - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/socks/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/socks/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/socks/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/socks/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/socks/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/socks/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/socks/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/socks/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2550b213fa..0000000000
--- a/packages/zeek/2.1.0/data_stream/socks/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,204 +0,0 @@ ---- -description: Pipeline for normalizing Zeek socks.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.socks - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: socks - - dot_expander: - path: zeek.socks - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.socks - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.socks - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.socks - field: id.resp_p - ignore_failure: true - - dot_expander: - path: zeek.socks - field: request.name - ignore_failure: true - - rename: - field: zeek.socks.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.socks.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.socks.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.socks.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.socks.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: 
ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.socks.request.name - target_field: zeek.socks.request.host - ignore_missing: true - - rename: - field: zeek.socks.request_p - target_field: zeek.socks.request.port - ignore_missing: true - - rename: - field: zeek.socks.bound_p - target_field: zeek.socks.bound.port - ignore_missing: true - - set: - field: user.name - copy_from: zeek.socks.user - if: ctx?.zeek?.socks?.user != null - - date: - field: zeek.socks.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.socks.ts - - dot_expander: - field: bound.host - path: zeek.socks - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - append: - field: related.user - value: "{{user.name}}" - if: "ctx?.user?.name != null" - allow_duplicates: false - - append: 
- field: event.type - value: error - if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'" - - set: - field: event.outcome - value: success - if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status == 'succeeded'" - - set: - field: event.outcome - value: failure - if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.socks.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/socks/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/socks/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/socks/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/socks/fields/agent.yml b/packages/zeek/2.1.0/data_stream/socks/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/socks/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/socks/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/socks/fields/base-fields.yml deleted file mode 100755 index 8363b20b60..0000000000 --- a/packages/zeek/2.1.0/data_stream/socks/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.socks -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/socks/fields/beats.yml b/packages/zeek/2.1.0/data_stream/socks/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/socks/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/socks/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/socks/fields/ecs.yml deleted file mode 100755 index 03692c2a60..0000000000 --- a/packages/zeek/2.1.0/data_stream/socks/fields/ecs.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. 
- name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/socks/fields/fields.yml b/packages/zeek/2.1.0/data_stream/socks/fields/fields.yml deleted file mode 100755 index 05cdd644f4..0000000000 --- a/packages/zeek/2.1.0/data_stream/socks/fields/fields.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -- name: zeek.socks - type: group - fields: - - name: version - type: integer - description: | - Protocol version of SOCKS. - - name: user - type: keyword - description: | - Username used to request a login to the proxy. - - name: password - type: keyword - description: | - Password used to request a login to the proxy. - - name: status - type: keyword - description: | - Server status for the attempt at using the proxy. - - name: request - type: group - fields: - - name: host - type: keyword - description: | - Client requested SOCKS address. Could be an address, a name or both. - - name: port - type: integer - description: | - Client requested port. - - name: bound - type: group - fields: - - name: host - type: keyword - description: | - Server bound address. Could be an address, a name or both. - - name: port - type: integer - description: | - Server bound port. - - name: capture_password - type: boolean - description: | - Determines if the password will be captured for this request. diff --git a/packages/zeek/2.1.0/data_stream/socks/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/socks/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/socks/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/socks/manifest.yml b/packages/zeek/2.1.0/data_stream/socks/manifest.yml deleted file mode 100755 index b9e1f9af30..0000000000 --- a/packages/zeek/2.1.0/data_stream/socks/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek socks logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of socks log file - multi: true - required: true - show_user: true - default: - - socks.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-socks - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek socks.log - description: Collect Zeek socks logs - - input: httpjson - title: Zeek socks logs via Splunk Enterprise REST API - description: Collect Zeek socks logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"socks-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-socks - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/ssh/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/ssh/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/ssh/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/ssh/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/ssh/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/ssh/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/ssh/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/ssh/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 514d34d1d3..0000000000 --- a/packages/zeek/2.1.0/data_stream/ssh/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,200 +0,0 @@ ---- -description: Pipeline for normalizing Zeek ssh.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ssh - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - set: - field: network.protocol - value: ssh - - dot_expander: - path: zeek.ssh - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ssh - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ssh - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ssh - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ssh.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ssh.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ssh.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ssh.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ssh.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: 
ctx?.destination?.address != null - - rename: - field: zeek.ssh.auth_attempts - target_field: zeek.ssh.auth.attempts - ignore_missing: true - - rename: - field: zeek.ssh.auth_success - target_field: zeek.ssh.auth.success - ignore_missing: true - - rename: - field: zeek.ssh.cipher_alg - target_field: zeek.ssh.algorithm.cipher - ignore_missing: true - - rename: - field: zeek.ssh.mac_alg - target_field: zeek.ssh.algorithm.mac - ignore_missing: true - - rename: - field: zeek.ssh.compression_alg - target_field: zeek.ssh.algorithm.compression - ignore_missing: true - - rename: - field: zeek.ssh.kex_alg - target_field: zeek.ssh.algorithm.key_exchange - ignore_missing: true - - rename: - field: zeek.ssh.host_key_alg - target_field: zeek.ssh.algorithm.host_key - ignore_missing: true - - date: - field: zeek.ssh.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.ssh.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: 
"ctx?.destination?.ip != null" - allow_duplicates: false - - set: - field: event.outcome - value: failure - if: "ctx?.zeek?.ssh?.auth?.success != null && ctx.zeek.ssh.auth.success == false" - - set: - field: event.outcome - value: success - if: "ctx?.zeek?.ssh?.auth?.success != null && ctx.zeek.ssh.auth.success == true" - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.ssh.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/ssh/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/ssh/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/ssh/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/ssh/fields/agent.yml b/packages/zeek/2.1.0/data_stream/ssh/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/ssh/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/zeek/2.1.0/data_stream/ssh/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/ssh/fields/base-fields.yml
deleted file mode 100755
index 0f408feeb0..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssh/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.ssh
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/ssh/fields/beats.yml b/packages/zeek/2.1.0/data_stream/ssh/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssh/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/ssh/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/ssh/fields/ecs.yml
deleted file mode 100755
index 77d8ae2a47..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssh/fields/ecs.yml
+++ /dev/null
@@ -1,167 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. 
- name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/ssh/fields/fields.yml b/packages/zeek/2.1.0/data_stream/ssh/fields/fields.yml deleted file mode 100755 index bc2f658f4b..0000000000 --- a/packages/zeek/2.1.0/data_stream/ssh/fields/fields.yml +++ /dev/null 
@@ -1,62 +0,0 @@
-- name: zeek.ssh
- type: group
- fields:
- - name: client
- type: keyword
- description: |
- The client's version string.
- - name: direction
- type: keyword
- description: |
- Direction of the connection. If the client was a local host logging into
- an external host, this would be OUTBOUND. INBOUND would be set for the
- opposite situation.
- - name: host_key
- type: keyword
- description: |
- The server's key thumbprint.
- - name: server
- type: keyword
- description: |
- The server's version string.
- - name: version
- type: integer
- description: |
- SSH major version (1 or 2).
- - name: algorithm
- type: group
- fields:
- - name: cipher
- type: keyword
- description: |
- The encryption algorithm in use.
- - name: compression
- type: keyword
- description: |
- The compression algorithm in use.
- - name: host_key
- type: keyword
- description: |
- The server host key's algorithm.
- - name: key_exchange
- type: keyword
- description: |
- The key exchange algorithm in use.
- - name: mac
- type: keyword
- description: |
- The signing (MAC) algorithm in use.
- - name: auth
- type: group
- fields:
- - name: attempts
- type: integer
- description: |
- The number of authentication attemps we observed. There's always at
- least one, since some servers might support no authentication at all.
- It's important to note that not all of these are failures, since some
- servers require two-factor auth (e.g. password AND pubkey).
- - name: success
- type: boolean
- description: |
- Authentication result.
diff --git a/packages/zeek/2.1.0/data_stream/ssh/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/ssh/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssh/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/ssh/manifest.yml b/packages/zeek/2.1.0/data_stream/ssh/manifest.yml
deleted file mode 100755
index f01683502d..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssh/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek ssh logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of ssh log file - multi: true - required: true - show_user: true - default: - - ssh.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-ssh - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek ssh.log - description: Collect Zeek ssh logs - - input: httpjson - title: Zeek ssh logs via Splunk Enterprise REST API - description: Collect Zeek ssh logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ssh-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ssh - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/ssl/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/ssl/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/ssl/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#unless token}}
-{{#if username}}
-{{#if password}}
-auth.basic.user: {{username}}
-auth.basic.password: {{password}}
-{{/if}}
-{{/if}}
-{{/unless}}
-cursor:
- index_earliest:
- value: '[[.last_event.result.max_indextime]]'
-request.url: {{url}}/services/search/jobs/export
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: POST
-request.transforms:
- - set:
- target: url.params.search
- value: {{search}} | streamstats max(_indextime) AS max_indextime
- - set:
- target: url.params.output_mode
- value: "json"
- - set:
- target: url.params.index_earliest
- value: '[[ .cursor.index_earliest ]]'
- default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- - set:
- target: url.params.index_latest
- value: '[[(now).Unix]]'
- - set:
- target: header.Content-Type
- value: application/x-www-form-urlencoded
-{{#unless username}}
-{{#unless password}}
-{{#if token}}
- - set:
- target: header.Authorization
- value: {{token}}
-{{/if}}
-{{/unless}}
-{{/unless}}
-response.decode_as: application/x-ndjson
-response.split:
- target: body.result._raw
- type: string
- delimiter: "\n"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/ssl/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/ssl/agent/stream/log.yml.hbs
deleted file mode 100755
index 9dd9f724a5..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/agent/stream/log.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-paths:
-{{#each base_paths}}
- {{#each ../filenames}}
- - {{../this}}/{{this}}
- {{/each}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zeek/2.1.0/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 449a24acde..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,535 +0,0 @@ ---- -description: Pipeline for normalizing Zeek ssl.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.ssl - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - append: - field: event.type - value: protocol - - set: - field: network.transport - value: tcp - - dot_expander: - path: zeek.ssl - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.ssl - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.ssl - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.ssl - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.ssl.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.ssl.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.ssl.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.ssl.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.ssl.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: client.address - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - 
copy_from: destination.address - if: ctx?.destination?.address != null - - set: - field: server.address - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.ssl.server_name - target_field: zeek.ssl.server.name - ignore_missing: true - - rename: - field: zeek.ssl.cert_chain - target_field: zeek.ssl.server.cert_chain - ignore_missing: true - - rename: - field: zeek.ssl.cert_chain_fuids - target_field: zeek.ssl.server.cert_chain_fuids - ignore_missing: true - - rename: - field: zeek.ssl.client_cert_chain - target_field: zeek.ssl.client.cert_chain - ignore_missing: true - - rename: - field: zeek.ssl.client_cert_chain_fuids - target_field: zeek.ssl.client.cert_chain_fuids - ignore_missing: true - - rename: - field: zeek.ssl.validation_status - target_field: zeek.ssl.validation.status - ignore_missing: true - - rename: - field: zeek.ssl.validation_code - target_field: zeek.ssl.validation.code - ignore_missing: true - - date: - field: zeek.ssl.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.ssl.ts - - rename: - field: zeek.ssl.not_valid_after - target_field: tls.server.not_after - ignore_missing: true - - rename: - field: zeek.ssl.not_valid_before - target_field: tls.server.not_before - ignore_missing: true - - date: - if: ctx.tls?.server?.not_before != null - field: tls.server.not_before - target_field: tls.server.not_before - formats: - - UNIX - - ISO8601 - - date: - if: ctx.tls?.server?.not_after != null - field: tls.server.not_after - target_field: tls.server.not_after - formats: - - UNIX - - ISO8601 - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: 
destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - remove: - field: zeek.ssl.client.cert_chain_fuids - if: ctx.zeek.ssl.client?.cert_chain_fuids?.length == 0 - ignore_missing: true - - gsub: - field: zeek.ssl.issuer - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.ssl.issuer - field_split: "," - value_split: "=" - target_field: zeek.ssl.server.issuer - ignore_missing: true - - rename: - field: zeek.ssl.issuer - target_field: tls.server.issuer - ignore_missing: true - - rename: - field: zeek.ssl.server.issuer.C - target_field: zeek.ssl.server.issuer.country - ignore_missing: true - - rename: - field: zeek.ssl.resp_certificate_sha1 - target_field: tls.server.hash.sha1 - ignore_missing: true - - uppercase: - field: tls.server.hash.sha1 - ignore_missing: true - - set: - field: tls.server.x509.issuer.country - value: "{{zeek.ssl.server.issuer.country}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.issuer.CN - target_field: zeek.ssl.server.issuer.common_name - ignore_missing: true - - set: - field: tls.server.x509.issuer.common_name - value: "{{zeek.ssl.server.issuer.common_name}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.issuer.L - target_field: zeek.ssl.server.issuer.locality - ignore_missing: true - - set: - field: tls.server.x509.issuer.locality - value: "{{zeek.ssl.server.issuer.locality}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.issuer.O - target_field: zeek.ssl.server.issuer.organization - ignore_missing: true 
- - set: - field: tls.server.x509.issuer.organization - value: "{{zeek.ssl.server.issuer.organization}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.issuer.OU - target_field: zeek.ssl.server.issuer.organizational_unit - ignore_missing: true - - set: - field: tls.server.x509.issuer.organizational_unit - value: "{{zeek.ssl.server.issuer.organizational_unit}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.issuer.ST - target_field: zeek.ssl.server.issuer.state - ignore_missing: true - - set: - field: tls.server.x509.issuer.state_or_province - value: "{{zeek.ssl.server.issuer.state}}" - ignore_empty_value: true - - gsub: - field: zeek.ssl.subject - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.ssl.subject - field_split: "," - value_split: "=" - target_field: zeek.ssl.server.subject - ignore_missing: true - - rename: - field: zeek.ssl.subject - target_field: tls.server.subject - ignore_missing: true - - rename: - field: zeek.ssl.server.subject.C - target_field: zeek.ssl.server.subject.country - ignore_missing: true - - set: - field: tls.server.x509.subject.country - value: "{{zeek.ssl.server.subject.country}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.subject.CN - target_field: zeek.ssl.server.subject.common_name - ignore_missing: true - - set: - field: tls.server.x509.subject.common_name - value: "{{zeek.ssl.server.subject.common_name}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.subject.L - target_field: zeek.ssl.server.subject.locality - ignore_missing: true - - set: - field: tls.server.x509.subject.locality - value: "{{zeek.ssl.server.subject.locality}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.subject.O - target_field: zeek.ssl.server.subject.organization - ignore_missing: true - - set: - field: tls.server.x509.subject.organization - value: "{{zeek.ssl.server.subject.organization}}" - ignore_empty_value: true - - rename: - field: 
zeek.ssl.server.subject.OU - target_field: zeek.ssl.server.subject.organizational_unit - ignore_missing: true - - set: - field: tls.server.x509.subject.organizational_unit - value: "{{zeek.ssl.server.subject.organizational_unit}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.server.subject.ST - target_field: zeek.ssl.server.subject.state - ignore_missing: true - - set: - field: tls.server.x509.subject.state_or_province - value: "{{zeek.ssl.server.subject.state}}" - ignore_empty_value: true - - gsub: - field: zeek.ssl.client_issuer - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.ssl.client_issuer - field_split: "," - value_split: "=" - target_field: zeek.ssl.client.issuer - ignore_missing: true - - rename: - field: zeek.ssl.client_issuer - target_field: tls.client.issuer - ignore_missing: true - - rename: - field: zeek.ssl.client.issuer.C - target_field: zeek.ssl.client.issuer.country - ignore_missing: true - - set: - field: tls.client.x509.issuer.country - value: "{{zeek.ssl.client.issuer.country}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.client.issuer.CN - target_field: zeek.ssl.client.issuer.common_name - ignore_missing: true - - set: - field: tls.client.x509.issuer.common_name - value: "{{zeek.ssl.client.issuer.common_name}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.client.issuer.L - target_field: zeek.ssl.client.issuer.locality - ignore_missing: true - - set: - field: tls.client.x509.issuer.locality - value: "{{zeek.ssl.client.issuer.locality}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.client.issuer.O - target_field: zeek.ssl.client.issuer.organization - ignore_missing: true - - set: - field: tls.client.x509.issuer.organization - value: "{{zeek.ssl.client.issuer.organization}}" - ignore_empty_value: true - - rename: - field: zeek.ssl.client.issuer.OU - target_field: zeek.ssl.client.issuer.organizational_unit - ignore_missing: true - - set: - field: 
tls.client.x509.issuer.organizational_unit
- value: "{{zeek.ssl.client.issuer.organizational_unit}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.issuer.ST
- target_field: zeek.ssl.client.issuer.state
- ignore_missing: true
- - set:
- field: tls.client.x509.issuer.state_or_province
- value: "{{zeek.ssl.client.issuer.state}}"
- ignore_empty_value: true
- - gsub:
- field: zeek.ssl.client_subject
- pattern: \\,
- replacement: ""
- ignore_missing: true
- - kv:
- field: zeek.ssl.client_subject
- field_split: ","
- value_split: "="
- target_field: zeek.ssl.client.subject
- ignore_missing: true
- - remove:
- field: zeek.ssl.client_subject
- ignore_missing: true
- - rename:
- field: zeek.ssl.client.subject.C
- target_field: zeek.ssl.client.subject.country
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.country
- value: "{{zeek.ssl.client.subject.country}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.CN
- target_field: zeek.ssl.client.subject.common_name
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.common_name
- value: "{{zeek.ssl.client.subject.common_name}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.L
- target_field: zeek.ssl.client.subject.locality
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.locality
- value: "{{zeek.ssl.client.subject.locality}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.O
- target_field: zeek.ssl.client.subject.organization
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.organization
- value: "{{zeek.ssl.client.subject.organization}}"
- ignore_empty_value: true
- - rename:
- field: zeek.ssl.client.subject.OU
- target_field: zeek.ssl.client.subject.organizational_unit
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.organizational_unit
- value: "{{zeek.ssl.client.subject.organizational_unit}}"
- ignore_empty_value: true
- - rename:
- field: 
zeek.ssl.client.subject.ST
- target_field: zeek.ssl.client.subject.state
- ignore_missing: true
- - set:
- field: tls.client.x509.subject.state_or_province
- value: "{{zeek.ssl.client.subject.state}}"
- ignore_empty_value: true
- - set:
- field: tls.cipher
- value: "{{zeek.ssl.cipher}}"
- if: ctx.zeek?.ssl?.cipher != null
- - set:
- field: tls.curve
- value: "{{zeek.ssl.curve}}"
- if: ctx.zeek?.ssl?.curve != null
- - convert:
- target_field: tls.established
- field: zeek.ssl.established
- type: boolean
- ignore_missing: true
- - convert:
- target_field: tls.resumed
- field: zeek.ssl.resumed
- type: boolean
- ignore_missing: true
- - script:
- lang: painless
- if: ctx.zeek?.ssl?.version != null
- source: >-
- def parts = ctx.zeek.ssl.version.splitOnToken("v");
- if (parts.length != 2) {
- return;
- }
- if (parts[0] == "SSL") {
- ctx.tls.version = parts[1] + ".0";
- } else {
- ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1);
- }
- ctx.tls.version_protocol = parts[0].toLowerCase();
- - rename:
- field: zeek.ssl.ja3
- target_field: tls.client.ja3
- ignore_missing: true
- - rename:
- field: zeek.ssl.ja3s
- target_field: tls.server.ja3s
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{source.ip}}"
- if: "ctx?.source?.ip != null"
- allow_duplicates: false
- - append:
- field: related.ip
- value: "{{destination.ip}}"
- if: "ctx?.destination?.ip != null"
- allow_duplicates: false
- - append:
- field: related.hash
- value: "{{tls.server.ja3s}}"
- if: "ctx?.tls?.server?.ja3s != null"
- - append:
- field: related.hash
- value: "{{tls.client.ja3}}"
- if: "ctx?.tls?.client?.ja3 != null"
- allow_duplicates: false
- - community_id:
- target_field: network.community_id
- - remove:
- field:
- - zeek.ssl.client
- ignore_missing: true
- if: 'ctx?.zeek?.ssl?.client == null || ctx?.zeek?.ssl?.client.isEmpty()'
- - remove:
- field:
- - zeek.ssl.id
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/zeek/2.1.0/data_stream/ssl/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/ssl/elasticsearch/ingest_pipeline/third-party.yml
deleted file mode 100755
index 5bc2247db2..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/elasticsearch/ingest_pipeline/third-party.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for parsing Zeek logs from third party api
-processors:
- - fingerprint:
- fields:
- - _temp_.result._cd
- - _temp_.result._indextime
- - _temp_.result._raw
- - _temp_.result._time
- - _temp_.result.host
- - _temp_.result.source
- target_field: '_id'
- ignore_missing: true
- - set:
- field: event.original
- copy_from: _temp_.result._raw
- ignore_empty_value: true
- - set:
- field: host.name
- copy_from: _temp_.result.host
- ignore_empty_value: true
- - set:
- copy_from: _temp_.result.source
- field: log.file.path
- ignore_empty_value: true
- - remove:
- field: _temp_
- ignore_missing: true
- - json:
- field: event.original
- target_field: _temp_
-on_failure:
- - append:
- field: error.message
- value: >-
- error in third party api pipeline:
- error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
- with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
- {{ _ingest.on_failure_message }}
diff --git a/packages/zeek/2.1.0/data_stream/ssl/fields/agent.yml b/packages/zeek/2.1.0/data_stream/ssl/fields/agent.yml
deleted file mode 100755
index 79a7a39864..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/ssl/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/ssl/fields/base-fields.yml
deleted file mode 100755
index 762c6239d5..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zeek
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zeek.ssl
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/zeek/2.1.0/data_stream/ssl/fields/beats.yml b/packages/zeek/2.1.0/data_stream/ssl/fields/beats.yml
deleted file mode 100755
index 470f5fae48..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/fields/beats.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
-- description: Type of Filebeat input.
- name: input.type
- type: keyword
-- description: Full path to the log file this event came from.
- example: /var/log/fun-times.log
- ignore_above: 1024
- name: log.file.path
- type: keyword
-- description: Flags for the log file.
- name: log.flags
- type: keyword
-- description: Offset of the entry in the log file.
- name: log.offset
- type: long
-- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- name: tags
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/ssl/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/ssl/fields/ecs.yml
deleted file mode 100755
index b65f427a41..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/fields/ecs.yml
+++ /dev/null
@@ -1,269 +0,0 @@ -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. 
- name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. 
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: List of common names (CN) of subject. - name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. 
- name: tls.resumed - type: boolean -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. 
- name: tls.server.ja3s
- type: keyword
-- description: Timestamp indicating when server certificate is no longer considered valid.
- name: tls.server.not_after
- type: date
-- description: Timestamp indicating when server certificate is first considered valid.
- name: tls.server.not_before
- type: date
-- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
- name: tls.server.hash.sha1
- type: keyword
-- description: Numeric part of the version parsed from the original string.
- name: tls.version
- type: keyword
-- description: Normalized lowercase protocol name parsed from original string.
- name: tls.version_protocol
- type: keyword
-- description: Normalized lowercase protocol name parsed from original string.
- name: tls.version_protocol
- type: keyword
diff --git a/packages/zeek/2.1.0/data_stream/ssl/fields/fields.yml b/packages/zeek/2.1.0/data_stream/ssl/fields/fields.yml
deleted file mode 100755
index 13d506136c..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/fields/fields.yml
+++ /dev/null
@@ -1,178 +0,0 @@ -- name: zeek.ssl - type: group - fields: - - name: version - type: keyword - description: | - SSL/TLS version that was logged. - - name: cipher - type: keyword - description: | - SSL/TLS cipher suite that was logged. - - name: curve - type: keyword - description: | - Elliptic curve that was logged when using ECDH/ECDHE. - - name: resumed - type: boolean - description: | - Flag to indicate if the session was resumed reusing the key material exchanged in an - earlier connection. - - name: next_protocol - type: keyword - description: | - Next protocol the server chose using the application layer next protocol extension. - - name: established - type: boolean - description: | - Flag to indicate if this ssl session has been established successfully. - - name: validation - type: group - fields: - - name: status - type: keyword - description: | - Result of certificate validation for this connection. - - name: code - type: keyword - description: | - Result of certificate validation for this connection, given as OpenSSL validation code. - - name: last_alert - type: keyword - description: | - Last alert that was seen during the connection. - - name: server - type: group - fields: - - name: name - type: keyword - description: | - Value of the Server Name Indicator SSL/TLS extension. It indicates the server name - that the client was requesting. - - name: cert_chain - type: keyword - description: | - Chain of certificates offered by the server to validate its complete signing chain. - - name: cert_chain_fuids - type: keyword - description: | - An ordered vector of certificate file identifiers for the certificates offered by the server. - - name: issuer - type: group - fields: - - name: common_name - type: keyword - description: | - Common name of the signer of the X.509 certificate offered by the server. - - name: country - type: keyword - description: | - Country code of the signer of the X.509 certificate offered by the server. 
- - name: locality - type: keyword - description: | - Locality of the signer of the X.509 certificate offered by the server. - - name: organization - type: keyword - description: | - Organization of the signer of the X.509 certificate offered by the server. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the signer of the X.509 certificate offered by the server. - - name: state - type: keyword - description: | - State or province name of the signer of the X.509 certificate offered by the server. - - name: subject - type: group - fields: - - name: common_name - type: keyword - description: | - Common name of the X.509 certificate offered by the server. - - name: country - type: keyword - description: | - Country code of the X.509 certificate offered by the server. - - name: locality - type: keyword - description: | - Locality of the X.509 certificate offered by the server. - - name: organization - type: keyword - description: | - Organization of the X.509 certificate offered by the server. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the X.509 certificate offered by the server. - - name: state - type: keyword - description: | - State or province name of the X.509 certificate offered by the server. - - name: client - type: group - fields: - - name: cert_chain - type: keyword - description: | - Chain of certificates offered by the client to validate its complete signing chain. - - name: cert_chain_fuids - type: keyword - description: | - An ordered vector of certificate file identifiers for the certificates offered by the client. - - name: issuer - type: group - fields: - - name: common_name - type: keyword - description: | - Common name of the signer of the X.509 certificate offered by the client. - - name: country - type: keyword - description: | - Country code of the signer of the X.509 certificate offered by the client. 
- - name: locality
- type: keyword
- description: |
- Locality of the signer of the X.509 certificate offered by the client.
- - name: organization
- type: keyword
- description: |
- Organization of the signer of the X.509 certificate offered by the client.
- - name: organizational_unit
- type: keyword
- description: |
- Organizational unit of the signer of the X.509 certificate offered by the client.
- - name: state
- type: keyword
- description: |
- State or province name of the signer of the X.509 certificate offered by the client.
- - name: subject
- type: group
- fields:
- - name: common_name
- type: keyword
- description: |
- Common name of the X.509 certificate offered by the client.
- - name: country
- type: keyword
- description: |
- Country code of the X.509 certificate offered by the client.
- - name: locality
- type: keyword
- description: |
- Locality of the X.509 certificate offered by the client.
- - name: organization
- type: keyword
- description: |
- Organization of the X.509 certificate offered by the client.
- - name: organizational_unit
- type: keyword
- description: |
- Organizational unit of the X.509 certificate offered by the client.
- - name: state
- type: keyword
- description: |
- State or province name of the X.509 certificate offered by the client.
diff --git a/packages/zeek/2.1.0/data_stream/ssl/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/ssl/fields/package-fields.yml
deleted file mode 100755
index 4d6d6ea170..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/fields/package-fields.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: zeek
- type: group
- fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
diff --git a/packages/zeek/2.1.0/data_stream/ssl/manifest.yml b/packages/zeek/2.1.0/data_stream/ssl/manifest.yml
deleted file mode 100755
index c9b7afdf92..0000000000
--- a/packages/zeek/2.1.0/data_stream/ssl/manifest.yml
+++ /dev/null
@@ -1,84 +0,0 @@ -type: logs -title: Zeek ssl logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of ssl log file - multi: true - required: true - show_user: true - default: - - ssl.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-ssl - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek ssl.log - description: Collect Zeek ssl logs - - input: httpjson - title: Zeek ssl logs via Splunk Enterprise REST API - description: Collect Zeek ssl logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"ssl-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-ssl - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/stats/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/stats/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/stats/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/stats/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/stats/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/stats/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cbff62956e..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,144 +0,0 @@ ---- -description: Pipeline for normalizing Zeek stats.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.stats - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: zeek.stats.mem - target_field: zeek.stats.memory - ignore_missing: true - - rename: - field: zeek.stats.pkts_proc - target_field: zeek.stats.packets.processed - ignore_missing: true - - rename: - field: zeek.stats.pkts_dropped - target_field: zeek.stats.packets.dropped - ignore_missing: true - - rename: - field: zeek.stats.pkts_link - target_field: zeek.stats.packets.received - ignore_missing: true - - rename: - field: zeek.stats.bytes_recv - target_field: zeek.stats.bytes.received - ignore_missing: true - - rename: - field: zeek.stats.tcp_conns - target_field: zeek.stats.connections.tcp.count - ignore_missing: true - - rename: - field: zeek.stats.active_tcp_conns - target_field: zeek.stats.connections.tcp.active - ignore_missing: true - - rename: - field: zeek.stats.udp_conns - target_field: zeek.stats.connections.udp.count - ignore_missing: true - - rename: - field: zeek.stats.active_udp_conns - target_field: zeek.stats.connections.udp.active - ignore_missing: true - - rename: - field: zeek.stats.icmp_conns - target_field: zeek.stats.connections.icmp.count - ignore_missing: true - - rename: - field: zeek.stats.active_icmp_conns - target_field: zeek.stats.connections.icmp.active - ignore_missing: true - - rename: - field: zeek.stats.events_proc - 
target_field: zeek.stats.events.processed - ignore_missing: true - - rename: - field: zeek.stats.events_queued - target_field: zeek.stats.events.queued - ignore_missing: true - - rename: - field: zeek.stats.timers - target_field: zeek.stats.timers.count - ignore_missing: true - - rename: - field: zeek.stats.active_timers - target_field: zeek.stats.timers.active - ignore_missing: true - - rename: - field: zeek.stats.files - target_field: zeek.stats.files.count - ignore_missing: true - - rename: - field: zeek.stats.active_files - target_field: zeek.stats.files.active - ignore_missing: true - - rename: - field: zeek.stats.dns_requests - target_field: zeek.stats.dns_requests.count - ignore_missing: true - - rename: - field: zeek.stats.active_dns_requests - target_field: zeek.stats.dns_requests.active - ignore_missing: true - - rename: - field: zeek.stats.reassem_tcp_size - target_field: zeek.stats.reassembly_size.tcp - ignore_missing: true - - rename: - field: zeek.stats.reassem_file_size - target_field: zeek.stats.reassembly_size.file - ignore_missing: true - - rename: - field: zeek.stats.reassem_frag_size - target_field: zeek.stats.reassembly_size.frag - ignore_missing: true - - rename: - field: zeek.stats.reassem_unknown_size - target_field: zeek.stats.reassembly_size.unknown - ignore_missing: true - - rename: - field: zeek.stats.pkt_lag - target_field: zeek.stats.timestamp_lag - ignore_missing: true - - date: - field: zeek.stats.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.stats.ts - - set: - field: event.kind - value: metric - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.1.0/data_stream/stats/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/stats/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/stats/fields/agent.yml b/packages/zeek/2.1.0/data_stream/stats/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/stats/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/stats/fields/base-fields.yml deleted file mode 100755 index ea7cc2e519..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.stats -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/stats/fields/beats.yml b/packages/zeek/2.1.0/data_stream/stats/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/stats/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/stats/fields/ecs.yml deleted file mode 100755 index 7661eb5a75..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/fields/ecs.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip diff --git a/packages/zeek/2.1.0/data_stream/stats/fields/fields.yml b/packages/zeek/2.1.0/data_stream/stats/fields/fields.yml deleted file mode 100755 index 95fb318c92..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/fields/fields.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- name: zeek.stats - type: group - fields: - - name: peer - type: keyword - description: | - Peer that generated this log. Mostly for clusters. - - name: memory - type: integer - description: | - Amount of memory currently in use in MB. - - name: packets - type: group - fields: - - name: processed - type: long - description: | - Number of packets processed since the last stats interval. - - name: dropped - type: long - description: | - Number of packets dropped since the last stats interval if reading live traffic. - - name: received - type: long - description: | - Number of packets seen on the link since the last stats interval if reading live traffic. - - name: bytes - type: group - fields: - - name: received - type: long - description: | - Number of bytes received since the last stats interval if reading live traffic. - - name: connections - type: group - fields: - - name: tcp - type: group - fields: - - name: active - type: integer - description: | - TCP connections currently in memory. - - name: count - type: integer - description: | - TCP connections seen since last stats interval. - - name: udp - type: group - fields: - - name: active - type: integer - description: | - UDP connections currently in memory. - - name: count - type: integer - description: | - UDP connections seen since last stats interval. - - name: icmp - type: group - fields: - - name: active - type: integer - description: | - ICMP connections currently in memory. - - name: count - type: integer - description: | - ICMP connections seen since last stats interval. - - name: events - type: group - fields: - - name: processed - type: integer - description: | - Number of events processed since the last stats interval. - - name: queued - type: integer - description: | - Number of events that have been queued since the last stats interval. 
- - name: timers - type: group - fields: - - name: count - type: integer - description: | - Number of timers scheduled since last stats interval. - - name: active - type: integer - description: | - Current number of scheduled timers. - - name: files - type: group - fields: - - name: count - type: integer - description: | - Number of files seen since last stats interval. - - name: active - type: integer - description: | - Current number of files actively being seen. - - name: dns_requests - type: group - fields: - - name: count - type: integer - description: | - Number of DNS requests seen since last stats interval. - - name: active - type: integer - description: | - Current number of DNS requests awaiting a reply. - - name: reassembly_size - type: group - fields: - - name: tcp - type: integer - description: | - Current size of TCP data in reassembly. - - name: file - type: integer - description: | - Current size of File data in reassembly. - - name: frag - type: integer - description: | - Current size of packet fragment data in reassembly. - - name: unknown - type: integer - description: | - Current size of unknown data in reassembly (this is only PIA buffer right now). - - name: timestamp_lag - type: integer - description: | - Lag between the wall clock and packet timestamps if reading live traffic. diff --git a/packages/zeek/2.1.0/data_stream/stats/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/stats/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/stats/manifest.yml b/packages/zeek/2.1.0/data_stream/stats/manifest.yml deleted file mode 100755 index 215920bc6d..0000000000 --- a/packages/zeek/2.1.0/data_stream/stats/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek stats logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of stats log file - multi: true - required: true - show_user: true - default: - - stats.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-stats - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek stats.log - description: Collect Zeek stats logs - - input: httpjson - title: Zeek stats logs via Splunk Enterprise REST API - description: Collect Zeek stats logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"stats-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-stats - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/syslog/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/syslog/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/syslog/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/syslog/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.1.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 43bc9bfc50..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,168 +0,0 @@ ---- -description: Pipeline for normalizing Zeek syslog.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.syslog - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - set: - field: network.protocol - value: syslog - - dot_expander: - path: zeek.syslog - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.syslog - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.syslog - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.syslog - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.syslog.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.syslog.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.syslog.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.syslog.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.syslog.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.syslog.proto - target_field: network.transport - ignore_missing: true - - rename: - field: zeek.syslog.message - 
target_field: zeek.syslog.msg - ignore_missing: true - - set: - field: message - copy_from: zeek.syslog.msg - ignore_empty_value: true - - set: - field: log.syslog.facility.name - copy_from: zeek.syslog.facility - if: ctx?.zeek?.syslog?.facility != null - - set: - field: log.syslog.severity.name - copy_from: zeek.syslog.severity - if: ctx?.zeek?.syslog?.severity != null - - date: - field: zeek.syslog.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.syslog.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.1.0/data_stream/syslog/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/syslog/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/syslog/fields/agent.yml b/packages/zeek/2.1.0/data_stream/syslog/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/syslog/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/syslog/fields/base-fields.yml deleted file mode 100755 index 1bd5bc9258..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.syslog -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/syslog/fields/beats.yml b/packages/zeek/2.1.0/data_stream/syslog/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/syslog/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/syslog/fields/ecs.yml deleted file mode 100755 index c12401ff2b..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/fields/ecs.yml +++ /dev/null 
@@ -1,161 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Host ip addresses. - name: host.ip - type: ip -- description: The Syslog text-based facility of the log event, if available. - name: log.syslog.facility.name - type: keyword -- description: |- - The Syslog numeric severity of the log event, if available. - If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - name: log.syslog.severity.name - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. 
- name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/syslog/fields/fields.yml b/packages/zeek/2.1.0/data_stream/syslog/fields/fields.yml deleted file mode 100755 index 7f72b52f24..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/fields/fields.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -- name: zeek.syslog - type: group - fields: - - name: facility - type: keyword - description: | - Syslog facility for the message. - - name: severity - type: keyword - description: | - Syslog severity for the message. - - name: msg - type: keyword - description: | - The plain text message. diff --git a/packages/zeek/2.1.0/data_stream/syslog/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/syslog/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/syslog/manifest.yml b/packages/zeek/2.1.0/data_stream/syslog/manifest.yml deleted file mode 100755 index f3f6db4679..0000000000 --- a/packages/zeek/2.1.0/data_stream/syslog/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek syslog logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of syslog log file - multi: true - required: true - show_user: true - default: - - syslog.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-syslog - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek syslog.log - description: Collect Zeek syslog logs - - input: httpjson - title: Zeek syslog logs via Splunk Enterprise REST API - description: Collect Zeek syslog logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"syslog-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-syslog - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/traceroute/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/traceroute/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/traceroute/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/traceroute/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/traceroute/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/traceroute/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 0f3451e304..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -description: Pipeline for normalizing Zeek traceroute.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.traceroute - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: info - - rename: - field: zeek.traceroute.src - target_field: source.address - ignore_missing: true - - rename: - field: zeek.traceroute.dst - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.traceroute.proto - target_field: network.transport - ignore_missing: true - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - date: - field: zeek.traceroute.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.traceroute.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: 
true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - remove: - field: - - zeek.traceroute - ignore_missing: true - if: 'ctx?.zeek?.traceroute == null || ctx?.zeek?.traceroute.isEmpty()' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/traceroute/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/traceroute/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/traceroute/fields/agent.yml b/packages/zeek/2.1.0/data_stream/traceroute/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/traceroute/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/traceroute/fields/base-fields.yml deleted file mode 100755 index 9168f187a4..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.traceroute -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/traceroute/fields/beats.yml b/packages/zeek/2.1.0/data_stream/traceroute/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/traceroute/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/traceroute/fields/ecs.yml deleted file mode 100755 index 05f5009acf..0000000000 
--- a/packages/zeek/2.1.0/data_stream/traceroute/fields/ecs.yml
+++ /dev/null
@@ -1,140 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip diff --git a/packages/zeek/2.1.0/data_stream/traceroute/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/traceroute/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/traceroute/manifest.yml b/packages/zeek/2.1.0/data_stream/traceroute/manifest.yml deleted file mode 100755 index d445252670..0000000000 --- a/packages/zeek/2.1.0/data_stream/traceroute/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek traceroute logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of traceroute log file - multi: true - required: true - show_user: true - default: - - traceroute.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-traceroute - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek traceroute.log - description: Collect Zeek traceroute logs - - input: httpjson - title: Zeek traceroute logs via Splunk Enterprise REST API - description: Collect Zeek traceroute logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"traceroute-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-traceroute - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/tunnel/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/tunnel/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/tunnel/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/tunnel/agent/stream/log.yml.hbs deleted file mode 100755 index 30e7049925..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/zeek/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index d118d8f285..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- -description: Pipeline for normalizing Zeek tunnel.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.tunnel - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: connection - - dot_expander: - path: zeek.tunnel - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.tunnel - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.tunnel - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.tunnel - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.tunnel.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.tunnel.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.tunnel.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.tunnel.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.tunnel.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.tunnel.tunnel_type - target_field: zeek.tunnel.type - 
ignore_missing: true - - set: - field: event.action - copy_from: zeek.tunnel.action - if: ctx?.zeek?.tunnel?.action != null - - date: - field: zeek.tunnel.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.tunnel.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - community_id: - target_field: network.community_id - - remove: - field: - - zeek.tunnel.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/zeek/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/tunnel/fields/agent.yml b/packages/zeek/2.1.0/data_stream/tunnel/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/tunnel/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/tunnel/fields/base-fields.yml deleted file mode 100755 index 215a69fc48..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.tunnel -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/tunnel/fields/beats.yml b/packages/zeek/2.1.0/data_stream/tunnel/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/tunnel/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/tunnel/fields/ecs.yml deleted file mode 100755 index 6c56dfe034..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/fields/ecs.yml +++ /dev/null 
@@ -1,149 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. 
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/tunnel/fields/fields.yml b/packages/zeek/2.1.0/data_stream/tunnel/fields/fields.yml deleted file mode 100755 index 576ddac9a3..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/fields/fields.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: zeek.tunnel - type: group - fields: - - name: type - type: keyword - description: | - The type of tunnel. - - name: action - type: keyword - description: | - The type of activity that occurred. 
diff --git a/packages/zeek/2.1.0/data_stream/tunnel/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/tunnel/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/tunnel/manifest.yml b/packages/zeek/2.1.0/data_stream/tunnel/manifest.yml deleted file mode 100755 index 575db110ba..0000000000 --- a/packages/zeek/2.1.0/data_stream/tunnel/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek tunnel logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of tunnel log file - multi: true - required: true - show_user: true - default: - - tunnel.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-tunnel - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek tunnel.log - description: Collect Zeek tunnel logs - - input: httpjson - title: Zeek tunnel logs via Splunk Enterprise REST API - description: Collect Zeek tunnel logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"tunnel-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-tunnel - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/weird/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/weird/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/weird/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/weird/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/weird/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/weird/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7d2b1edcf3..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,161 +0,0 @@ ---- -description: Pipeline for normalizing Zeek weird.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.weird - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.category - value: network - - append: - field: event.type - value: info - - dot_expander: - path: zeek.weird - field: id.orig_p - ignore_failure: true - - dot_expander: - path: zeek.weird - field: id.orig_h - ignore_failure: true - - dot_expander: - path: zeek.weird - field: id.resp_h - ignore_failure: true - - dot_expander: - path: zeek.weird - field: id.resp_p - ignore_failure: true - - rename: - field: zeek.weird.id.orig_h - target_field: source.address - ignore_missing: true - - rename: - field: zeek.weird.id.orig_p - target_field: source.port - ignore_missing: true - - rename: - field: zeek.weird.id.resp_h - target_field: destination.address - ignore_missing: true - - rename: - field: zeek.weird.id.resp_p - target_field: destination.port - ignore_missing: true - - rename: - field: zeek.weird.uid - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - set: - field: source.ip - copy_from: source.address - if: ctx?.source?.address != null - - set: - field: destination.ip - copy_from: destination.address - if: ctx?.destination?.address != null - - rename: - field: zeek.weird.addl - target_field: zeek.weird.additional_info - ignore_missing: true - - 
set: - field: rule.name - copy_from: zeek.weird.name - if: ctx?.weird?.name != null - - date: - field: zeek.weird.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.weird.ts - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{source.ip}}" - if: "ctx?.source?.ip != null" - allow_duplicates: false - - append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" - allow_duplicates: false - - remove: - field: - - zeek.weird.id - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/zeek/2.1.0/data_stream/weird/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/weird/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 
--- a/packages/zeek/2.1.0/data_stream/weird/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/weird/fields/agent.yml b/packages/zeek/2.1.0/data_stream/weird/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/weird/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/weird/fields/base-fields.yml deleted file mode 100755 index 1a19d17062..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.weird -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/weird/fields/beats.yml b/packages/zeek/2.1.0/data_stream/weird/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/weird/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/weird/fields/ecs.yml deleted file mode 100755 index 532bad7de9..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/fields/ecs.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. 
- multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/zeek/2.1.0/data_stream/weird/fields/fields.yml b/packages/zeek/2.1.0/data_stream/weird/fields/fields.yml deleted file mode 100755 index 96b9438808..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/fields/fields.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -- name: zeek.weird - type: group - fields: - - name: name - type: keyword - description: | - The name of the weird that occurred. - - name: additional_info - type: keyword - description: | - Additional information accompanying the weird if any. - - name: notice - type: boolean - description: | - Indicate if this weird was also turned into a notice. - - name: peer - type: keyword - description: | - The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. - - name: identifier - type: keyword - description: | - This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. diff --git a/packages/zeek/2.1.0/data_stream/weird/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/weird/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session diff --git a/packages/zeek/2.1.0/data_stream/weird/manifest.yml b/packages/zeek/2.1.0/data_stream/weird/manifest.yml deleted file mode 100755 index d8ec7ea27f..0000000000 --- a/packages/zeek/2.1.0/data_stream/weird/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -type: logs -title: Zeek weird logs -streams: - - input: logfile - vars: - - name: filenames - type: text - title: Filename of weird log file - multi: true - required: true - show_user: true - default: - - weird.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - zeek-weird - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: log.yml.hbs - title: Zeek weird.log - description: Collect Zeek weird logs - - input: httpjson - title: Zeek weird logs via Splunk Enterprise REST API - description: Collect Zeek weird logs via Splunk Enterprise REST API - enabled: false - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval to query Splunk Enterprise REST API - description: Go Duration syntax (eg. 
10s) - show_user: true - required: true - default: 10s - - name: search - type: text - title: Splunk search string - show_user: true - required: true - default: "search sourcetype=\"weird-*\"" - - name: tags - type: text - title: Tags - multi: true - show_user: false - default: - - forwarded - - zeek-weird - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zeek/2.1.0/data_stream/x509/agent/stream/httpjson.yml.hbs b/packages/zeek/2.1.0/data_stream/x509/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 33f251e7d6..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,63 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#unless token}} -{{#if username}} -{{#if password}} -auth.basic.user: {{username}} -auth.basic.password: {{password}} -{{/if}} -{{/if}} -{{/unless}} -cursor: - index_earliest: - value: '[[.last_event.result.max_indextime]]' -request.url: {{url}}/services/search/jobs/export -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: POST -request.transforms: - - set: - target: url.params.search - value: {{search}} | streamstats max(_indextime) AS max_indextime - - set: - target: url.params.output_mode - value: "json" - - set: - target: url.params.index_earliest - value: '[[ .cursor.index_earliest ]]' - default: '[[(now (parseDuration "-{{interval}}")).Unix]]' - - set: - target: url.params.index_latest - value: '[[(now).Unix]]' - - set: - target: header.Content-Type - value: application/x-www-form-urlencoded -{{#unless username}} -{{#unless password}} -{{#if token}} - - set: - target: header.Authorization - value: {{token}} -{{/if}} -{{/unless}} -{{/unless}} -response.decode_as: application/x-ndjson -response.split: - target: body.result._raw - type: string - delimiter: "\n" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/x509/agent/stream/log.yml.hbs b/packages/zeek/2.1.0/data_stream/x509/agent/stream/log.yml.hbs deleted file mode 100755 index 9dd9f724a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/agent/stream/log.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -paths: -{{#each base_paths}} - {{#each ../filenames}} - - {{../this}}/{{this}} - {{/each}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zeek/2.1.0/data_stream/x509/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/2.1.0/data_stream/x509/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ddaa08d64b..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,421 +0,0 @@ ---- -description: Pipeline for normalizing Zeek x509.log -processors: - - rename: - field: message - target_field: event.original - - json: - field: event.original - target_field: _temp_ - - pipeline: - if: ctx?._temp_?.result != null - name: '{{ IngestPipeline "third-party" }}' - - drop: - description: Drop if no timestamp (invalid json) - if: 'ctx?._temp_?.ts == null' - - rename: - field: _temp_ - target_field: zeek.x509 - -# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - - set: - field: event.created - copy_from: "@timestamp" - - set: - field: event.kind - value: event - - set: - field: ecs.version - value: '8.2.0' - - append: - field: event.type - value: info - - dot_expander: - path: zeek.x509 - field: certificate.version - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.serial - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.subject - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.issuer - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.not_valid_before - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.not_valid_after - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.key_alg - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.sig_alg - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.key_type - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.key_length - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.exponent - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: certificate.cn - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: zeek.x509.basic_constraints.ca - ignore_failure: true - - dot_expander: - path: zeek.x509 - field: basic_constraints.path_len - 
ignore_failure: true - - rename: - field: zeek.x509.id - target_field: zeek.session_id - ignore_missing: true - - set: - field: event.id - copy_from: zeek.session_id - if: ctx?.zeek?.session_id != null - - rename: - field: zeek.x509.certificate.not_valid_before - target_field: zeek.x509.certificate.valid.from - ignore_missing: true - - rename: - field: zeek.x509.certificate.not_valid_after - target_field: zeek.x509.certificate.valid.until - ignore_missing: true - - rename: - field: zeek.x509.basic_constraints.ca - target_field: zeek.x509.basic_constraints.certificate_authority - ignore_missing: true - - rename: - field: zeek.x509.basic_constraints.path_len - target_field: zeek.x509.basic_constraints.path_length - ignore_missing: true - - rename: - field: zeek.x509.basic_constraints.path_len - target_field: zeek.x509.basic_constraints.path_length - ignore_missing: true - - rename: - field: zeek.x509.certificate.cn - target_field: zeek.x509.certificate.common_name - ignore_missing: true - - rename: - field: zeek.x509.certificate.issuer - target_field: zeek.x509.certificate.iss - ignore_missing: true - - rename: - field: zeek.x509.certificate.subject - target_field: zeek.x509.certificate.sub - ignore_missing: true - - rename: - field: zeek.x509.certificate.key_alg - target_field: zeek.x509.certificate.key.algorithm - ignore_missing: true - - rename: - field: zeek.x509.certificate.key_length - target_field: zeek.x509.certificate.key.length - ignore_missing: true - - rename: - field: zeek.x509.certificate.key_type - target_field: zeek.x509.certificate.key.type - ignore_missing: true - - rename: - field: zeek.x509.certificate.sig_alg - target_field: zeek.x509.certificate.signature_algorithm - ignore_missing: true - - rename: - field: zeek.x509.logcert - target_field: zeek.x509.log_cert - ignore_missing: true - - date: - field: zeek.x509.ts - formats: - - UNIX - - ISO8601 - - remove: - field: zeek.x509.ts - - set: - field: event.id - value: "{{zeek.session_id}}" - if: 
ctx.zeek.session_id != null - - set: - field: file.x509.signature_algorithm - value: "{{zeek.x509.certificate.signature_algorithm}}" - ignore_empty_value: true - - script: - lang: painless - params: - "md2WithRSAEncryption": MD2-RSA - "md5WithRSAEncryption": MD5-RSA - "sha-1WithRSAEncryption": SHA1-RSA - "sha256WithRSAEncryption": SHA256-RSA - "sha384WithRSAEncryption": SHA384-RSA - "sha512WithRSAEncryption": SHA512-RSA - "dsaWithSha1": DSA-SHA1 - "dsaWithSha256": DSA-SHA256 - "ecdsa-with-SHA1": ECDSA-SHA1 - "ecdsa-with-SHA256": ECDSA-SHA256 - "ecdsa-with-SHA384": ECDSA-SHA384 - "ecdsa-with-SHA512": ECDSA-SHA512 - "id-Ed25519": Ed25519 - source: | - String algo = params.get(ctx.file.x509.signature_algorithm); - if (algo != null) { - ctx.file.x509.signature_algorithm = algo; - } - if: ctx?.file?.x509?.signature_algorithm != null - - set: - field: file.x509.public_key_algorithm - value: "{{zeek.x509.certificate.key.algorithm}}" - ignore_empty_value: true - - convert: - field: zeek.x509.certificate.key.length - target_field: file.x509.public_key_size - type: long - ignore_missing: true - - dot_expander: - field: certificate.exponent - path: zeek.x509 - - convert: - field: zeek.x509.certificate.exponent - target_field: file.x509.public_key_exponent - type: long - ignore_missing: true - - dot_expander: - field: certificate.serial - path: zeek.x509 - - set: - field: file.x509.serial_number - value: "{{zeek.x509.certificate.serial}}" - ignore_empty_value: true - - dot_expander: - field: certificate.version - path: zeek.x509 - - set: - field: file.x509.version_number - value: "{{zeek.x509.certificate.version}}" - ignore_empty_value: true - - dot_expander: - field: san.dns - path: zeek.x509 - - foreach: - field: zeek.x509.san.dns - ignore_missing: true - processor: - append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - dot_expander: - field: san.uri - path: zeek.x509 - - foreach: - field: zeek.x509.san.uri - ignore_missing: true - processor: - 
append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - dot_expander: - field: san.email - path: zeek.x509 - - foreach: - field: zeek.x509.san.email - ignore_missing: true - processor: - append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - dot_expander: - field: san.ip - path: zeek.x509 - - foreach: - field: zeek.x509.san.ip - ignore_missing: true - processor: - append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - dot_expander: - field: san.other_fields - path: zeek.x509 - - foreach: - field: zeek.x509.san.other_fields - ignore_missing: true - processor: - append: - field: file.x509.alternative_names - value: "{{_ingest._value}}" - - date: - field: zeek.x509.certificate.valid.from - target_field: zeek.x509.certificate.valid.from - formats: - - UNIX - - ISO8601 - if: ctx.zeek.x509.certificate?.valid?.from != null - - set: - field: file.x509.not_before - value: "{{zeek.x509.certificate.valid.from}}" - ignore_empty_value: true - - date: - field: zeek.x509.certificate.valid.until - target_field: zeek.x509.certificate.valid.until - formats: - - UNIX - - ISO8601 - if: ctx.zeek.x509.certificate?.valid?.until != null - - set: - field: file.x509.not_after - value: "{{zeek.x509.certificate.valid.until}}" - ignore_empty_value: true - - gsub: - field: zeek.x509.certificate.iss - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.x509.certificate.iss - field_split: "," - value_split: "=" - target_field: zeek.x509.certificate.issuer - ignore_missing: true - - remove: - field: zeek.x509.certificate.iss - ignore_missing: true - - rename: - field: zeek.x509.certificate.issuer.C - target_field: zeek.x509.certificate.issuer.country - ignore_missing: true - - set: - field: file.x509.issuer.country - value: "{{zeek.x509.certificate.issuer.country}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.CN - target_field: zeek.x509.certificate.issuer.common_name - 
ignore_missing: true - - set: - field: file.x509.issuer.common_name - value: "{{zeek.x509.certificate.issuer.common_name}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.L - target_field: zeek.x509.certificate.issuer.locality - ignore_missing: true - - set: - field: file.x509.issuer.locality - value: "{{zeek.x509.certificate.issuer.locality}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.O - target_field: zeek.x509.certificate.issuer.organization - ignore_missing: true - - set: - field: file.x509.issuer.organization - value: "{{zeek.x509.certificate.issuer.organization}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.OU - target_field: zeek.x509.certificate.issuer.organizational_unit - ignore_missing: true - - set: - field: file.x509.issuer.organizational_unit - value: "{{zeek.x509.certificate.issuer.organizational_unit}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.issuer.ST - target_field: zeek.x509.certificate.issuer.state - ignore_missing: true - - set: - field: file.x509.issuer.state_or_province - value: "{{zeek.x509.certificate.issuer.state}}" - ignore_empty_value: true - - gsub: - field: zeek.x509.certificate.sub - pattern: \\, - replacement: "" - ignore_missing: true - - kv: - field: zeek.x509.certificate.sub - field_split: "," - value_split: "=" - target_field: zeek.x509.certificate.subject - ignore_missing: true - - remove: - field: zeek.x509.certificate.sub - ignore_missing: true - - rename: - field: zeek.x509.certificate.subject.C - target_field: zeek.x509.certificate.subject.country - ignore_missing: true - - set: - field: file.x509.subject.country - value: "{{zeek.x509.certificate.subject.country}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.CN - target_field: zeek.x509.certificate.subject.common_name - ignore_missing: true - - set: - field: file.x509.subject.common_name - value: 
"{{zeek.x509.certificate.subject.common_name}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.L - target_field: zeek.x509.certificate.subject.locality - ignore_missing: true - - set: - field: file.x509.subject.locality - value: "{{zeek.x509.certificate.subject.locality}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.O - target_field: zeek.x509.certificate.subject.organization - ignore_missing: true - - set: - field: file.x509.subject.organization - value: "{{zeek.x509.certificate.subject.organization}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.OU - target_field: zeek.x509.certificate.subject.organizational_unit - ignore_missing: true - - set: - field: file.x509.subject.organizational_unit - value: "{{zeek.x509.certificate.subject.organizational_unit}}" - ignore_empty_value: true - - rename: - field: zeek.x509.certificate.subject.ST - target_field: zeek.x509.certificate.subject.state - ignore_missing: true - - set: - field: file.x509.subject.state_or_province - value: "{{zeek.x509.certificate.subject.state}}" - ignore_empty_value: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{_ingest.on_failure_message}}" diff --git a/packages/zeek/2.1.0/data_stream/x509/elasticsearch/ingest_pipeline/third-party.yml b/packages/zeek/2.1.0/data_stream/x509/elasticsearch/ingest_pipeline/third-party.yml deleted file mode 100755 index 5bc2247db2..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/elasticsearch/ingest_pipeline/third-party.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for parsing Zeek logs from third party api -processors: - - fingerprint: - fields: - - _temp_.result._cd - - _temp_.result._indextime - - _temp_.result._raw - - _temp_.result._time - - _temp_.result.host - - _temp_.result.source - target_field: '_id' - ignore_missing: true - - set: - field: event.original - copy_from: _temp_.result._raw - ignore_empty_value: true - - set: - field: host.name - copy_from: _temp_.result.host - ignore_empty_value: true - - set: - copy_from: _temp_.result.source - field: log.file.path - ignore_empty_value: true - - remove: - field: _temp_ - ignore_missing: true - - json: - field: event.original - target_field: _temp_ -on_failure: - - append: - field: error.message - value: >- - error in third party api pipeline: - error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} - with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} - {{ _ingest.on_failure_message }} diff --git a/packages/zeek/2.1.0/data_stream/x509/fields/agent.yml b/packages/zeek/2.1.0/data_stream/x509/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/fields/agent.yml +++ /dev/null 
@@ -1,180 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/zeek/2.1.0/data_stream/x509/fields/base-fields.yml b/packages/zeek/2.1.0/data_stream/x509/fields/base-fields.yml deleted file mode 100755 index 3a93a8353e..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: zeek -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zeek.x509 -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/zeek/2.1.0/data_stream/x509/fields/beats.yml b/packages/zeek/2.1.0/data_stream/x509/fields/beats.yml deleted file mode 100755 index 470f5fae48..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/fields/beats.yml +++ /dev/null @@ -1,23 +0,0 @@ -- description: Unique container id. - ignore_above: 1024 - name: container.id - type: keyword -- description: Type of Filebeat input. - name: input.type - type: keyword -- description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - name: log.file.path - type: keyword -- description: Flags for the log file. - name: log.flags - type: keyword -- description: Offset of the entry in the log file. - name: log.offset - type: long -- description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - name: tags - type: keyword diff --git a/packages/zeek/2.1.0/data_stream/x509/fields/ecs.yml b/packages/zeek/2.1.0/data_stream/x509/fields/ecs.yml deleted file mode 100755 index 6acbdd88a5..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/fields/ecs.yml +++ /dev/null 
@@ -1,113 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: file.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: file.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: file.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: file.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: file.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: file.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: file.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: file.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. 
- name: file.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: file.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: file.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: file.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: file.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: file.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: file.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: file.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: file.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: file.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: file.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: file.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: file.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. 
- name: file.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: file.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: file.x509.version_number - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip diff --git a/packages/zeek/2.1.0/data_stream/x509/fields/fields.yml b/packages/zeek/2.1.0/data_stream/x509/fields/fields.yml deleted file mode 100755 index 7f79ef0720..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/fields/fields.yml +++ /dev/null 
@@ -1,153 +0,0 @@ -- name: zeek.x509 - type: group - fields: - - name: id - type: keyword - description: | - File id of this certificate. - - name: certificate - type: group - fields: - - name: version - type: integer - description: | - Version number. - - name: serial - type: keyword - description: | - Serial number. - - name: subject - type: group - fields: - - name: country - type: keyword - description: | - Country provided in the certificate subject. - - name: common_name - type: keyword - description: | - Common name provided in the certificate subject. - - name: locality - type: keyword - description: | - Locality provided in the certificate subject. - - name: organization - type: keyword - description: | - Organization provided in the certificate subject. - - name: organizational_unit - type: keyword - description: | - Organizational unit provided in the certificate subject. - - name: state - type: keyword - description: | - State or province provided in the certificate subject. - - name: issuer - type: group - fields: - - name: country - type: keyword - description: | - Country provided in the certificate issuer field. - - name: common_name - type: keyword - description: | - Common name provided in the certificate issuer field. - - name: locality - type: keyword - description: | - Locality provided in the certificate issuer field. - - name: organization - type: keyword - description: | - Organization provided in the certificate issuer field. - - name: organizational_unit - type: keyword - description: | - Organizational unit provided in the certificate issuer field. - - name: state - type: keyword - description: | - State or province provided in the certificate issuer field. - - name: common_name - type: keyword - description: | - Last (most specific) common name. - - name: valid - type: group - fields: - - name: from - type: date - description: | - Timestamp before when certificate is not valid. 
- - name: until - type: date - description: | - Timestamp after when certificate is not valid. - - name: key - type: group - fields: - - name: algorithm - type: keyword - description: | - Name of the key algorithm. - - name: type - type: keyword - description: | - Key type, if key parseable by openssl (either rsa, dsa or ec). - - name: length - type: integer - description: | - Key length in bits. - - name: signature_algorithm - type: keyword - description: | - Name of the signature algorithm. - - name: exponent - type: keyword - description: | - Exponent, if RSA-certificate. - - name: curve - type: keyword - description: | - Curve, if EC-certificate. - - name: san - type: group - fields: - - name: dns - type: keyword - description: | - List of DNS entries in SAN. - - name: uri - type: keyword - description: | - List of URI entries in SAN. - - name: email - type: keyword - description: | - List of email entries in SAN. - - name: ip - type: ip - description: | - List of IP entries in SAN. - - name: other_fields - type: boolean - description: | - True if the certificate contained other, not recognized or parsed name fields. - - name: basic_constraints - type: group - fields: - - name: certificate_authority - type: boolean - description: | - CA flag set or not. - - name: path_length - type: integer - description: | - Maximum path length. - - name: log_cert - type: boolean - description: | - Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded - Logging of certificate is suppressed if set to F. diff --git a/packages/zeek/2.1.0/data_stream/x509/fields/package-fields.yml b/packages/zeek/2.1.0/data_stream/x509/fields/package-fields.yml deleted file mode 100755 index 4d6d6ea170..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/fields/package-fields.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: zeek - type: group - fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session 
diff --git a/packages/zeek/2.1.0/data_stream/x509/manifest.yml b/packages/zeek/2.1.0/data_stream/x509/manifest.yml deleted file mode 100755 index 98bc3c67d3..0000000000 --- a/packages/zeek/2.1.0/data_stream/x509/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@
-type: logs
-title: Zeek x509 logs
-streams:
- - input: logfile
- vars:
- - name: filenames
- type: text
- title: Filename of x509 log file
- multi: true
- required: true
- show_user: true
- default:
- - x509.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - zeek-x509
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - template_path: log.yml.hbs
- title: Zeek x509.log
- description: Collect Zeek x509 logs
- - input: httpjson
- title: Zeek x509 logs via Splunk Enterprise REST API
- description: Collect Zeek x509 logs via Splunk Enterprise REST API
- enabled: false
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval to query Splunk Enterprise REST API
- description: Go Duration syntax (eg.
10s)
- show_user: true
- required: true
- default: 10s
- - name: search
- type: text
- title: Splunk search string
- show_user: true
- required: true
- default: "search sourcetype=\"x509-*\""
- - name: tags
- type: text
- title: Tags
- multi: true
- show_user: false
- default:
- - forwarded
- - zeek-x509
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zeek/2.1.0/docs/README.md b/packages/zeek/2.1.0/docs/README.md
deleted file mode 100755
index 2eb6815922..0000000000
--- a/packages/zeek/2.1.0/docs/README.md
+++ /dev/null
@@ -1,4157 +0,0 @@ -# Zeek Integration - -This is an integration for [Zeek](https://www.zeek.org/), which was formerly -named Bro. Zeek is a passive, open-source network traffic analyzer. This -integrations ingests the logs Zeek produces about the network traffic that it -analyzes. - -Zeek logs must be output in JSON format. This is normally done by appending the -[json-logs policy](https://docs.zeek.org/en/lts/scripts/policy/tuning/json-logs.zeek.html) -to your `local.zeek` file. Add this line to your `local.zeek`. - -`@load policy/tuning/json-logs.zeek` - -## Compatibility -This module has been developed against Zeek 2.6.1, but is expected to work with -other versions of Zeek. - -Zeek requires a Unix-like platform, and it currently supports Linux, -FreeBSD, and Mac OS X. - -## Logs -### capture_loss - -The `capture_loss` dataset collects the Zeek capture_loss.log file, -which contains packet loss rate data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.capture_loss.acks | Total number of ACKs seen in the previous measurement interval. | integer | -| zeek.capture_loss.gaps | Number of missed ACKs from the previous measurement interval. | integer | -| zeek.capture_loss.peer | In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. | keyword | -| zeek.capture_loss.percent_lost | Percentage of ACKs seen where the data being ACKed wasn't seen. | double | -| zeek.capture_loss.ts_delta | The time delay between this measurement and the last. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### connection - -The `connection` dataset collects the Zeek conn.log file, which -contains TCP/UDP/ICMP connection data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. 
| long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. 
| keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.connection.history | Flags indicating the history of the session. | keyword | -| zeek.connection.icmp.code | ICMP message code. | integer | -| zeek.connection.icmp.type | ICMP message type. | integer | -| zeek.connection.inner_vlan | VLAN identifier. | integer | -| zeek.connection.local_orig | Indicates whether the session is originated locally. | boolean | -| zeek.connection.local_resp | Indicates whether the session is responded locally. | boolean | -| zeek.connection.missed_bytes | Missed bytes for the session. | long | -| zeek.connection.state | Code indicating the state of the session. | keyword | -| zeek.connection.state_message | The state of the session. | keyword | -| zeek.connection.vlan | VLAN identifier. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dce_rpc - -The `dce_rpc` dataset collects the Zeek dce_rpc.log file, which -contains Distributed Computing Environment/RPC data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. 
| keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. 
| keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dce_rpc.endpoint | Endpoint name looked up from the uuid. | keyword | -| zeek.dce_rpc.named_pipe | Remote pipe name. | keyword | -| zeek.dce_rpc.operation | Operation seen in the call. | keyword | -| zeek.dce_rpc.rtt | Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dhcp - -The `dhcp` dataset collects the Zeek dhcp.log file, which contains -DHCP lease data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.name | Name given by operators to sections of their network. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dhcp.address.assigned | IP address assigned by the server. 
| ip | -| zeek.dhcp.address.client | IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address. | ip | -| zeek.dhcp.address.mac | Client's hardware address. | keyword | -| zeek.dhcp.address.requested | IP address requested by the client. | ip | -| zeek.dhcp.address.server | IP address of the DHCP server. | ip | -| zeek.dhcp.client_fqdn | FQDN given by client in Client FQDN option 81. | keyword | -| zeek.dhcp.domain | Domain given by the server in option 15. | keyword | -| zeek.dhcp.duration | Duration of the DHCP session representing the time from the first message to the last, in seconds. | double | -| zeek.dhcp.hostname | Name given by client in Hostname option 12. | keyword | -| zeek.dhcp.id.circuit | (present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number. | keyword | -| zeek.dhcp.id.remote_agent | (present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit. | keyword | -| zeek.dhcp.id.subscriber | (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer's DHCP configuration can be given to them correctly no matter where they are physically connected. | keyword | -| zeek.dhcp.lease_time | IP address lease interval in seconds. | integer | -| zeek.dhcp.msg.client | Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address. 
| keyword | -| zeek.dhcp.msg.origin | (present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field. | ip | -| zeek.dhcp.msg.server | Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request. | keyword | -| zeek.dhcp.msg.types | List of DHCP message types seen in this exchange. | keyword | -| zeek.dhcp.software.client | (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. | keyword | -| zeek.dhcp.software.server | (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dnp3 - -The `dnp3` dataset collects the Zeek dnp3.log file which contains DNP3 -requests and replies. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dnp3.function.reply | The name of the function message in the reply. | keyword | -| zeek.dnp3.function.request | The name of the function message in the request. | keyword | -| zeek.dnp3.id | The response's internal indication number. 
| integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dns - -The `dns` dataset collects the Zeek dns.log file which contains DNS -activity. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. 
If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. 
| keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dns.AA | The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. | boolean | -| zeek.dns.RA | The Recursion Available bit in a response message indicates that the name server supports recursive queries. | boolean | -| zeek.dns.RD | The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. | boolean | -| zeek.dns.TC | The Truncation bit specifies that the message was truncated. | boolean | -| zeek.dns.TTLs | The caching intervals of the associated RRs described by the answers field. | double | -| zeek.dns.answers | The set of resource descriptions in the query answer. | keyword | -| zeek.dns.qclass | The QCLASS value specifying the class of the query. | long | -| zeek.dns.qclass_name | A descriptive name for the class of the query. | keyword | -| zeek.dns.qtype | A QTYPE value specifying the type of the query. | long | -| zeek.dns.qtype_name | A descriptive name for the type of the query. | keyword | -| zeek.dns.query | The domain name that is the subject of the DNS query. | keyword | -| zeek.dns.rcode | The response code value in DNS response messages. | long | -| zeek.dns.rcode_name | A descriptive name for the response code value. | keyword | -| zeek.dns.rejected | Indicates whether the DNS query was rejected by the server. | boolean | -| zeek.dns.rtt | Round trip time for the query and response. | double | -| zeek.dns.saw_query | Whether the full DNS query has been seen. | boolean | -| zeek.dns.saw_reply | Whether the full DNS reply has been seen. 
| boolean | -| zeek.dns.total_answers | The total number of resource records in the reply. | integer | -| zeek.dns.total_replies | The total number of resource records in the reply message. | integer | -| zeek.dns.trans_id | DNS transaction identifier. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### dpd - -The `dpd` dataset collects the Zeek dpd.log, which contains dynamic -protocol detection failures. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. 
| keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. 
| keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.dpd.analyzer | The analyzer that generated the violation. | keyword | -| zeek.dpd.failure_reason | The textual reason for the analysis failure. | keyword | -| zeek.dpd.packet_segment | (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### files - -The `files` dataset collects the Zeek files.log file, which contains -file analysis results. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.md5 | MD5 hash. 
| keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| zeek.files.analyzers | A set of analysis types done during the file analysis. | keyword | -| zeek.files.depth | A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection. | long | -| zeek.files.duration | The duration the file was analyzed for. Not the duration of the session. | double | -| zeek.files.entropy | The information density of the contents of the file. | double | -| zeek.files.extracted | Local filename of extracted file. | keyword | -| zeek.files.extracted_cutoff | Indicate whether the file being extracted was cut off hence not extracted completely. | boolean | -| zeek.files.extracted_size | The number of bytes extracted to disk. | long | -| zeek.files.filename | Name of the file if available. | keyword | -| zeek.files.fuid | A file unique identifier. 
| keyword | -| zeek.files.is_orig | If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. | boolean | -| zeek.files.local_orig | If the source of this file is a network connection, this field indicates if the data originated from the local network or not. | boolean | -| zeek.files.md5 | An MD5 digest of the file contents. | keyword | -| zeek.files.mime_type | Mime type of the file. | keyword | -| zeek.files.missing_bytes | The number of bytes in the file stream that were completely missed during the process of analysis. | long | -| zeek.files.overflow_bytes | The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. | long | -| zeek.files.parent_fuid | Identifier associated with a container file from which this one was extracted as part of the file analysis. | keyword | -| zeek.files.rx_host | The host that received the file. | ip | -| zeek.files.seen_bytes | Number of bytes provided to the file analysis engine for the file. | long | -| zeek.files.session_ids | The sessions that have this file. | keyword | -| zeek.files.sha1 | A SHA1 digest of the file contents. | keyword | -| zeek.files.sha256 | A SHA256 digest of the file contents. | keyword | -| zeek.files.source | An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. | keyword | -| zeek.files.timedout | Whether the file analysis timed out at least once for the file. | boolean | -| zeek.files.total_bytes | Total number of bytes that are supposed to comprise the full file. | long | -| zeek.files.tx_host | The host that transferred the file. 
| ip | -| zeek.session_id | A unique identifier of the session | keyword | - - -### ftp - -The `ftp` dataset collects the Zeek ftp.log file, which contains FTP -activity. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zeek.ftp.arg | Argument for the command if one is given. | keyword |
-| zeek.ftp.capture_password | Determines if the password will be captured for this request. | boolean |
-| zeek.ftp.cmdarg.arg | Argument for the command if one was given. | keyword |
-| zeek.ftp.cmdarg.cmd | Command. | keyword |
-| zeek.ftp.cmdarg.seq | Counter to track how many commands have been executed. | integer |
-| zeek.ftp.command | Command given by the client. 
| keyword |
-| zeek.ftp.cwd | Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. | keyword |
-| zeek.ftp.data_channel.originating_host | The host that will be initiating the data connection. | ip |
-| zeek.ftp.data_channel.passive | Whether PASV mode is toggled for control channel. | boolean |
-| zeek.ftp.data_channel.response_host | The host that will be accepting the data connection. | ip |
-| zeek.ftp.data_channel.response_port | The port at which the acceptor is listening for the data connection. | integer |
-| zeek.ftp.file.fuid | (present if base/protocols/ftp/files.bro is loaded) File unique ID. | keyword |
-| zeek.ftp.file.mime_type | Sniffed mime type of file. | keyword |
-| zeek.ftp.file.size | Size of the file if the command indicates a file transfer. | long |
-| zeek.ftp.last_auth_requested | present if base/protocols/ftp/gridftp.bro is loaded. Last authentication/security mechanism that was used. | keyword |
-| zeek.ftp.passive | Indicates if the session is in active or passive mode. | boolean |
-| zeek.ftp.password | Password for the current FTP session if captured. | keyword |
-| zeek.ftp.pending_commands | Queue for commands that have been sent but not yet responded to are tracked here. | integer |
-| zeek.ftp.reply.code | Reply code from the server in response to the command. | integer |
-| zeek.ftp.reply.msg | Reply message from the server in response to the command. | keyword |
-| zeek.ftp.user | User name for the current FTP session. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### http
-
-The `http` dataset collects the Zeek http.log file, which contains
-HTTP requests and replies.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. 
| date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. 
| keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. 
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.body.bytes | Size in bytes of the request body. | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.status_code | HTTP response status code. | long |
-| http.version | HTTP version. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. 
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. | keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.username | Username of the request. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-| zeek.http.captured_password | Determines if the password will be captured for this request. | boolean |
-| zeek.http.client_header_names | The vector of HTTP header names sent by the client. No header values are included here, just the header names. | keyword |
-| zeek.http.info_code | Last seen 1xx informational reply code returned by the server. | integer |
-| zeek.http.info_msg | Last seen 1xx informational reply message returned by the server. | keyword |
-| zeek.http.orig_filenames | An ordered vector of filenames from the originator. | keyword |
-| zeek.http.orig_fuids | An ordered vector of file unique IDs from the originator. | keyword |
-| zeek.http.orig_mime_depth | Current number of MIME entities in the HTTP request message body. | integer |
-| zeek.http.orig_mime_types | An ordered vector of mime types from the originator. | keyword |
-| zeek.http.password | Password if basic-auth is performed for the request. | keyword |
-| zeek.http.proxied | All of the headers that may indicate if the HTTP request was proxied. | keyword |
-| zeek.http.range_request | Indicates if this request can assume 206 partial content in response. | boolean |
-| zeek.http.resp_filenames | An ordered vector of filenames from the responder. | keyword |
-| zeek.http.resp_fuids | An ordered vector of file unique IDs from the responder. | keyword |
-| zeek.http.resp_mime_depth | Current number of MIME entities in the HTTP response message body. | integer |
-| zeek.http.resp_mime_types | An ordered vector of mime types from the responder. | keyword |
-| zeek.http.server_header_names | The vector of HTTP header names sent by the server. No header values are included here, just the header names. | keyword |
-| zeek.http.status_msg | Status message returned by the server. 
| keyword |
-| zeek.http.tags | A set of indicators of various attributes discovered and related to a particular request/response pair. | keyword |
-| zeek.http.trans_depth | Represents the pipelined depth into the connection of this request/response transaction. | integer |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### intel
-
-The `intel` dataset collects the Zeek intel.log file, which contains
-intelligence data matches.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. 
| keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
| keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.intel.file_desc | Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. | keyword |
-| zeek.intel.file_mime_type | A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. | keyword |
-| zeek.intel.fuid | If a file was associated with this intelligence hit, this is the uid for the file. | keyword |
-| zeek.intel.matched | Event to represent a match in the intelligence data from data that was seen. | keyword |
-| zeek.intel.seen.conn | If the data was discovered within a connection, the connection record should go here to give context to the data. | keyword |
-| zeek.intel.seen.f | If the data was discovered within a file, the file record should go here to provide context to the data. | object |
-| zeek.intel.seen.fuid | If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. | keyword |
-| zeek.intel.seen.host | If the indicator type was Intel::ADDR, then this field will be present. | keyword |
-| zeek.intel.seen.indicator | The intelligence indicator. | keyword |
-| zeek.intel.seen.indicator_type | The type of data the indicator represents. | keyword |
-| zeek.intel.seen.node | The name of the node where the match was discovered. | keyword |
-| zeek.intel.seen.uid | If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
| keyword |
-| zeek.intel.seen.where | Where the data was discovered. | keyword |
-| zeek.intel.sources | Sources which supplied data for this match. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### irc
-
-The `irc` dataset collects the Zeek irc.log file, which contains IRC
-commands and responses.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event.
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses.
| ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zeek.irc.addl | Any additional data for the command. | keyword |
-| zeek.irc.command | Command given by the client. | keyword |
-| zeek.irc.dcc.file.name | Present if base/protocols/irc/dcc-send.bro is loaded.
DCC filename requested. | keyword |
-| zeek.irc.dcc.file.size | Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender. | long |
-| zeek.irc.dcc.mime_type | present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file. | keyword |
-| zeek.irc.fuid | present if base/protocols/irc/files.bro is loaded. File unique ID. | keyword |
-| zeek.irc.nick | Nickname given for the connection. | keyword |
-| zeek.irc.user | Username given for the connection. | keyword |
-| zeek.irc.value | Value for the command given by the client. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### kerberos
-
-The `kerberos` dataset collects the Zeek kerberos.log file, which
-contains kerberos data.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
| keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6).
| ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store.
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
| keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string.
| keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.client.x509.subject.country | List of country (C) code | keyword |
-| tls.client.x509.subject.locality | List of locality names (L) | keyword |
-| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.server.x509.subject.country | List of country (C) code | keyword |
-| tls.server.x509.subject.locality | List of locality names (L) | keyword |
-| tls.server.x509.subject.organization | List of organizations (O) of subject.
| keyword |
-| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zeek.kerberos.cert.client.fuid | File unique ID of client cert. | keyword |
-| zeek.kerberos.cert.client.subject | Subject of client certificate. | keyword |
-| zeek.kerberos.cert.client.value | Client certificate. | keyword |
-| zeek.kerberos.cert.server.fuid | File unique ID of server certificate. | keyword |
-| zeek.kerberos.cert.server.subject | Subject of server certificate. | keyword |
-| zeek.kerberos.cert.server.value | Server certificate. | keyword |
-| zeek.kerberos.cipher | Ticket encryption type. | keyword |
-| zeek.kerberos.client | Client name. | keyword |
-| zeek.kerberos.error.code | Error code. | integer |
-| zeek.kerberos.error.msg | Error message. | keyword |
-| zeek.kerberos.forwardable | Forwardable ticket requested. | boolean |
-| zeek.kerberos.renewable | Renewable ticket requested. | boolean |
-| zeek.kerberos.request_type | Request type - Authentication Service (AS) or Ticket Granting Service (TGS). | keyword |
-| zeek.kerberos.service | Service name. | keyword |
-| zeek.kerberos.success | Request result. | boolean |
-| zeek.kerberos.ticket.auth | Hash of ticket used to authorize request/transaction. | keyword |
-| zeek.kerberos.ticket.new | Hash of ticket returned by the KDC. | keyword |
-| zeek.kerberos.valid.days | Number of days the ticket is valid for. | integer |
-| zeek.kerberos.valid.from | Ticket valid from. | date |
-| zeek.kerberos.valid.until | Ticket valid until.
| date |
-| zeek.session_id | A unique identifier of the session | keyword |
-
-
-### modbus
-
-The `modbus` dataset collects the Zeek modbus.log file, which contains
-modbus commands and responses.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system.
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.modbus.exception | The exception if the response was a failure. | keyword | -| zeek.modbus.function | The name of the function message that was sent. 
| keyword | -| zeek.modbus.track_address | Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### mysql - -The `mysql` dataset collects the Zeek mysql.log file, which contains -MySQL data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.mysql.arg | The argument issued to the command. | keyword | -| zeek.mysql.cmd | The command that was issued. 
| keyword | -| zeek.mysql.response | Server message, if any. | keyword | -| zeek.mysql.rows | The number of affected rows, if any. | integer | -| zeek.mysql.success | Whether the command succeeded. | boolean | -| zeek.session_id | A unique identifier of the session | keyword | - - -### notice - -The `notice` dataset collects the Zeek notice.log file, which contains -Zeek notices. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. 
| keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.description | The description of the rule generating the event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.notice.actions | The actions which have been applied to this notice. | keyword | -| zeek.notice.connection_id | Identifier of the related connection session. | keyword | -| zeek.notice.dropped | Indicate if the source IP address was dropped and denied network access. | boolean | -| zeek.notice.email_body_sections | By adding chunks of text into this element, other scripts can expand on notices that are being emailed. | text | -| zeek.notice.email_delay_tokens | Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration. | keyword | -| zeek.notice.ffile.total_bytes | Total number of bytes that are supposed to comprise the full file. 
| long | -| zeek.notice.file.id | An identifier associated with a single file that is related to this notice. | keyword | -| zeek.notice.file.is_orig | If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. | boolean | -| zeek.notice.file.mime_type | A mime type if the notice is related to a file. | keyword | -| zeek.notice.file.missing_bytes | The number of bytes in the file stream that were completely missed during the process of analysis. | long | -| zeek.notice.file.overflow_bytes | The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled. | long | -| zeek.notice.file.parent_id | Identifier associated with a container file from which this one was extracted. | keyword | -| zeek.notice.file.seen_bytes | Number of bytes provided to the file analysis engine for the file. | long | -| zeek.notice.file.source | An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. | keyword | -| zeek.notice.fuid | A file unique ID if this notice is related to a file. | keyword | -| zeek.notice.icmp_id | Identifier of the related ICMP session. | keyword | -| zeek.notice.identifier | This field is provided when a notice is generated for the purpose of deduplicating notices. | keyword | -| zeek.notice.msg | The human readable message for the notice. | keyword | -| zeek.notice.n | Associated count, or a status code. | long | -| zeek.notice.note | The type of the notice. | keyword | -| zeek.notice.peer_descr | Textual description for the peer that raised this notice. | text | -| zeek.notice.peer_name | Name of remote peer that raised this notice. | keyword | -| zeek.notice.sub | The human readable sub-message. 
| keyword | -| zeek.notice.suppress_for | This field indicates the length of time that this unique notice should be suppressed. | double | -| zeek.session_id | A unique identifier of the session | keyword | - - -### ntp - -The `ntp` dataset collects the Zeek ntp.log file, which contains -NTP data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.ntp.mode | The NTP mode being used. | integer | -| zeek.ntp.num_exts | Number of extension fields (which are not currently parsed). | integer | -| zeek.ntp.org_time | Time at the client when the request departed for the NTP server. | date | -| zeek.ntp.poll | The maximum interval between successive messages in seconds. | double | -| zeek.ntp.precision | The precision of the system clock in seconds. | double | -| zeek.ntp.rec_time | Time at the server when the request arrived from the NTP client. | date | -| zeek.ntp.ref_id | For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. 
Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4). | keyword | -| zeek.ntp.ref_time | Time when the system clock was last set or correct. | date | -| zeek.ntp.root_delay | Total round-trip delay to the reference clock in seconds. | double | -| zeek.ntp.root_disp | Total dispersion to the reference clock in seconds. | double | -| zeek.ntp.stratum | The stratum (primary server, secondary server, etc.). | integer | -| zeek.ntp.version | The NTP version number (1, 2, 3, 4). | integer | -| zeek.ntp.xmt_time | Time at the server when the response departed for the NTP client. | date | -| zeek.session_id | A unique identifier of the session | keyword | - - -### ntlm - -The `ntlm` dataset collects the Zeek ntlm.log file, which contains NT -LAN Manager(NTLM) data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. 
| long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| zeek.ntlm.domain | Domain name given by the client. | keyword | -| zeek.ntlm.hostname | Hostname given by the client. | keyword | -| zeek.ntlm.server.name.dns | DNS name given by the server in a CHALLENGE. | keyword | -| zeek.ntlm.server.name.netbios | NetBIOS name given by the server in a CHALLENGE. | keyword | -| zeek.ntlm.server.name.tree | Tree name given by the server in a CHALLENGE. | keyword | -| zeek.ntlm.success | Indicate whether or not the authentication was successful. | boolean | -| zeek.ntlm.username | Username given by the client. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### ocsp - -The `ocsp` dataset collects the Zeek ocsp.log file, which contains -Online Certificate Status Protocol (OCSP) data. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
| keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| tags | List of keywords used to tag each event. | keyword | -| zeek.ocsp.file_id | File id of the OCSP reply. | keyword | -| zeek.ocsp.hash.algorithm | Hash algorithm used to generate issuerNameHash and issuerKeyHash. | keyword | -| zeek.ocsp.hash.issuer.key | Hash of the issuer's public key. | keyword | -| zeek.ocsp.hash.issuer.name | Hash of the issuer's distingueshed name. | keyword | -| zeek.ocsp.revoke.date | Time at which the certificate was revoked. | date | -| zeek.ocsp.revoke.reason | Reason for which the certificate was revoked. | keyword | -| zeek.ocsp.serial_number | Serial number of the affected certificate. | keyword | -| zeek.ocsp.status | Status of the affected certificate. | keyword | -| zeek.ocsp.update.next | The latest time at which new information about the status of the certificate will be available. | date | -| zeek.ocsp.update.this | The time at which the status being shows is known to have been correct. | date | -| zeek.session_id | A unique identifier of the session | keyword | - - -### pe - -The `pe` dataset collects the Zeek pe.log file, which contains -portable executable data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. 
| keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| tags | List of keywords used to tag each event. 
| keyword | -| zeek.pe.client | The client's version string. | keyword | -| zeek.pe.compile_time | The time that the file was created at. | date | -| zeek.pe.has_cert_table | Does the file have an attribute certificate table? | boolean | -| zeek.pe.has_debug_data | Does the file have a debug table? | boolean | -| zeek.pe.has_export_table | Does the file have an export table? | boolean | -| zeek.pe.has_import_table | Does the file have an import table? | boolean | -| zeek.pe.id | File id of this portable executable file. | keyword | -| zeek.pe.is_64bit | Is the file a 64-bit executable? | boolean | -| zeek.pe.is_exe | Is the file an executable, or just an object file? | boolean | -| zeek.pe.machine | The target machine that the file was compiled for. | keyword | -| zeek.pe.os | The required operating system. | keyword | -| zeek.pe.section_names | The names of the sections, in order. | keyword | -| zeek.pe.subsystem | The subsystem that is required to run this file. | keyword | -| zeek.pe.uses_aslr | Does the file support Address Space Layout Randomization? | boolean | -| zeek.pe.uses_code_integrity | Does the file enforce code integrity checks? | boolean | -| zeek.pe.uses_dep | Does the file support Data Execution Prevention? | boolean | -| zeek.pe.uses_seh | Does the file use structured exception handing? | boolean | -| zeek.session_id | A unique identifier of the session | keyword | - - -### radius - -The `radius` dataset collects the Zeek radius.log file, which contains -RADIUS authentication attempts. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. 
| keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. 
| keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| zeek.radius.connect_info | Connect info, if present. | keyword | -| zeek.radius.framed_addr | The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. | ip | -| zeek.radius.logged | Whether this has already been logged and can be ignored. | boolean | -| zeek.radius.mac | MAC address, if present. | keyword | -| zeek.radius.remote_ip | Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. | ip | -| zeek.radius.reply_msg | Reply message from the server challenge. This is frequently shown to the user authenticating. | keyword | -| zeek.radius.result | Successful or failed authentication. | keyword | -| zeek.radius.ttl | The duration between the first request and either the "Access-Accept" message or an error. 
If the field is empty, it means that either the request or response was not seen. | integer | -| zeek.radius.username | The username, if present. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### rdp - -The `rdp` dataset collects the Zeek rdp.log file, which contains RDP -data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. 
| keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| zeek.rdp.cert.count | The number of certs seen. X.509 can transfer an entire certificate chain. | integer | -| zeek.rdp.cert.permanent | Indicates if the provided certificate or certificate chain is permanent or temporary. | boolean | -| zeek.rdp.cert.type | If the connection is being encrypted with native RDP encryption, this is the type of cert being used. | keyword | -| zeek.rdp.client.build | RDP client version used by the client machine. | keyword | -| zeek.rdp.client.client_name | Name of the client machine. | keyword | -| zeek.rdp.client.product_id | Product ID of the client machine. | keyword | -| zeek.rdp.cookie | Cookie value used by the client machine. This is typically a username. | keyword | -| zeek.rdp.desktop.color_depth | The color depth requested by the client in the high_color_depth field. | keyword | -| zeek.rdp.desktop.height | Desktop height of the client machine. | integer | -| zeek.rdp.desktop.width | Desktop width of the client machine. | integer | -| zeek.rdp.done | Track status of logging RDP connections. 
| boolean | -| zeek.rdp.encryption.level | Encryption level of the connection. | keyword | -| zeek.rdp.encryption.method | Encryption method of the connection. | keyword | -| zeek.rdp.keyboard_layout | Keyboard layout (language) of the client machine. | keyword | -| zeek.rdp.result | Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. | keyword | -| zeek.rdp.security_protocol | Security protocol chosen by the server. | keyword | -| zeek.rdp.ssl | (present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL. | boolean | -| zeek.session_id | A unique identifier of the session | keyword | - - -### rfb - -The `rfb` dataset collects the Zeek rfb.log file, which contains -Remote Framebuffer (RFB) data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.rfb.auth.method | Identifier of authentication method used. | keyword | -| zeek.rfb.auth.success | Whether or not authentication was successful. | boolean | -| zeek.rfb.desktop_name | Name of the screen that is being shared. | keyword | -| zeek.rfb.height | Height of the screen that is being shared. | integer | -| zeek.rfb.share_flag | Whether the client has an exclusive or a shared session. | boolean | -| zeek.rfb.version.client.major | Major version of the client. | keyword | -| zeek.rfb.version.client.minor | Minor version of the client. 
| keyword | -| zeek.rfb.version.server.major | Major version of the server. | keyword | -| zeek.rfb.version.server.minor | Minor version of the server. | keyword | -| zeek.rfb.width | Width of the screen that is being shared. | integer | -| zeek.session_id | A unique identifier of the session | keyword | - - -### signature - -The `signature` dataset collects the Zeek signature.log file, which contains -Zeek signature matches. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. 
| ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.description | The description of the rule generating the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.signature.event_msg | A more descriptive message of the signature-matching event. 
| keyword | -| zeek.signature.host_count | Number of hosts, from a summary count. | integer | -| zeek.signature.note | Notice associated with signature event. | keyword | -| zeek.signature.sig_count | Number of sigs, usually from summary count. | integer | -| zeek.signature.sig_id | The name of the signature that matched. | keyword | -| zeek.signature.sub_msg | Extracted payload data or extra message. | keyword | - - -### sip - -The `sip` dataset collects the Zeek sip.log file, which contains SIP -data. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.sip.call_id | Contents of the Call-ID: header from the client. | keyword |
-| zeek.sip.content_type | Contents of the Content-Type: header from the server. | keyword |
-| zeek.sip.date | Contents of the Date: header from the client. | keyword |
-| zeek.sip.reply_to | Contents of the Reply-To: header. | keyword |
-| zeek.sip.request.body_length | Contents of the Content-Length: header from the client. | long |
-| zeek.sip.request.from | Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. | keyword |
-| zeek.sip.request.path | The client message transmission path, as extracted from the headers. | keyword |
-| zeek.sip.request.to | Contents of the To: header. | keyword |
-| zeek.sip.response.body_length | Contents of the Content-Length: header from the server. | long |
-| zeek.sip.response.from | Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. | keyword |
-| zeek.sip.response.path | The server message transmission path, as extracted from the headers. | keyword |
-| zeek.sip.response.to | Contents of the response To: header. | keyword |
-| zeek.sip.sequence.method | Verb used in the SIP request (INVITE, REGISTER etc.). | keyword |
-| zeek.sip.sequence.number | Contents of the CSeq: header from the client. | keyword |
-| zeek.sip.status.code | Status code returned by the server. | integer |
-| zeek.sip.status.msg | Status message returned by the server. | keyword |
-| zeek.sip.subject | Contents of the Subject: header from the client. | keyword |
-| zeek.sip.transaction_depth | Represents the pipelined depth into the connection of this request/response transaction. | integer |
-| zeek.sip.uri | URI used in the request. | keyword |
-| zeek.sip.user_agent | Contents of the User-Agent: header from the client. | keyword |
-| zeek.sip.warning | Contents of the Warning: header. | keyword |
-
-
-### smb_cmd
-
-The `smb_cmd` dataset collects the Zeek smb_cmd.log file, which
-contains SMB commands.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.smb_cmd.argument | Command argument sent by the client, if any. | keyword |
-| zeek.smb_cmd.command | The command sent by the client. | keyword |
-| zeek.smb_cmd.file.action | Action this log record represents. | keyword |
-| zeek.smb_cmd.file.host.rx | Address of the receiving host. | ip |
-| zeek.smb_cmd.file.host.tx | Address of the transmitting host. | ip |
-| zeek.smb_cmd.file.name | Filename if one was seen. | keyword |
-| zeek.smb_cmd.file.uid | UID of the referenced file. | keyword |
-| zeek.smb_cmd.rtt | Round trip time from the request to the response. | double |
-| zeek.smb_cmd.smb1_offered_dialects | Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client. | keyword |
-| zeek.smb_cmd.smb2_offered_dialects | Present if base/protocols/smb/smb2-main.bro is loaded. Dialects offered by the client. | integer |
-| zeek.smb_cmd.status | Server reply to the client's command. | keyword |
-| zeek.smb_cmd.sub_command | The subcommand sent by the client, if present. | keyword |
-| zeek.smb_cmd.tree | If this is related to a tree, this is the tree that was used for the current command. | keyword |
-| zeek.smb_cmd.tree_service | The type of tree (disk share, printer share, named pipe, etc.). | keyword |
-| zeek.smb_cmd.username | Authenticated username, if available. | keyword |
-| zeek.smb_cmd.version | Version of SMB for the command. | keyword |
-
-
-### smb_files
-
-The `smb_files` dataset collects the Zeek smb_files.log file, which
-contains SMB file data.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date |
-| file.created | File creation time. Note that not all filesystems store the creation time. | date |
-| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date |
-| file.mtime | Last time the file content was modified. | date |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.smb_files.action | Action this log record represents. | keyword |
-| zeek.smb_files.fid | ID referencing this file. | integer |
-| zeek.smb_files.name | Filename if one was seen. | keyword |
-| zeek.smb_files.path | Path pulled from the tree this file was transferred to or from. | keyword |
-| zeek.smb_files.previous_name | If the rename action was seen, this will be the file's previous name. | keyword |
-| zeek.smb_files.size | Byte size of the file. | long |
-| zeek.smb_files.times.accessed | The file's access time. | date |
-| zeek.smb_files.times.changed | The file's change time. | date |
-| zeek.smb_files.times.created | The file's create time. | date |
-| zeek.smb_files.times.modified | The file's modify time. | date |
-| zeek.smb_files.uuid | UUID referencing this file if DCE/RPC. | keyword |
-
-
-### smb_mapping
-
-The `smb_mapping` dataset collects the Zeek smb_mapping.log file,
-which contains SMB trees.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. 
| keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.smb_mapping.native_file_system | File system of the tree. | keyword | -| zeek.smb_mapping.path | Name of the tree path. | keyword | -| zeek.smb_mapping.service | The type of resource of the tree (disk share, printer share, named pipe, etc.). | keyword | -| zeek.smb_mapping.share_type | If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well. | keyword | - - -### smtp - -The `smtp` dataset collects the Zeek smtp.log file, which contains -SMTP transactions.. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. 
| match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.smtp.cc | Contents of the CC header. | keyword | -| zeek.smtp.date | Contents of the Date header. | date | -| zeek.smtp.first_received | Contents of the first Received header. | keyword | -| zeek.smtp.from | Contents of the From header. | keyword | -| zeek.smtp.fuids | (present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message. | keyword | -| zeek.smtp.has_client_activity | Indicates if client activity has been seen, but not yet logged. | boolean | -| zeek.smtp.helo | Contents of the Helo header. | keyword | -| zeek.smtp.in_reply_to | Contents of the In-Reply-To header. 
| keyword | -| zeek.smtp.is_webmail | Indicates if the message was sent through a webmail interface. | boolean | -| zeek.smtp.last_reply | The last message that the server sent to the client. | keyword | -| zeek.smtp.mail_from | Email addresses found in the MAIL FROM header. | keyword | -| zeek.smtp.msg_id | Contents of the MsgID header. | keyword | -| zeek.smtp.path | The message transmission path, as extracted from the headers. | ip | -| zeek.smtp.process_received_from | Indicates if the "Received: from" headers should still be processed. | boolean | -| zeek.smtp.rcpt_to | Email addresses found in the RCPT TO header. | keyword | -| zeek.smtp.reply_to | Contents of the ReplyTo header. | keyword | -| zeek.smtp.second_received | Contents of the second Received header. | keyword | -| zeek.smtp.subject | Contents of the Subject header. | keyword | -| zeek.smtp.tls | Indicates that the connection has switched to using TLS. | boolean | -| zeek.smtp.to | Contents of the To header. | keyword | -| zeek.smtp.transaction_depth | A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. | integer | -| zeek.smtp.user_agent | Value of the User-Agent header from the client. | keyword | -| zeek.smtp.x_originating_ip | Contents of the X-Originating-IP header. | keyword | - - -### snmp - -The `snmp` dataset collects the Zeek snmp.log file, which contains -SNMP messages. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. 
| keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.snmp.community | The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. | keyword |
-| zeek.snmp.display_string | A system description of the SNMP responder endpoint. | keyword |
-| zeek.snmp.duration | The amount of time between the first packet beloning to the SNMP session and the latest one seen. | double |
-| zeek.snmp.get.bulk_requests | The number of variable bindings in GetBulkRequest PDUs seen for the session. | integer |
-| zeek.snmp.get.requests | The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. | integer |
-| zeek.snmp.get.responses | The number of variable bindings in GetResponse/Response PDUs seen for the session. | integer |
-| zeek.snmp.set.requests | The number of variable bindings in SetRequest PDUs seen for the session. | integer |
-| zeek.snmp.up_since | The time at which the SNMP responder endpoint claims it's been up since. | date |
-| zeek.snmp.version | The version of SNMP being used. | keyword |
-
-
-### socks
-
-The `socks` dataset collects the Zeek socks.log file, which contains
-SOCKS proxy requests.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.socks.bound.host | Server bound address. Could be an address, a name or both. | keyword |
-| zeek.socks.bound.port | Server bound port. | integer |
-| zeek.socks.capture_password | Determines if the password will be captured for this request. | boolean |
-| zeek.socks.password | Password used to request a login to the proxy. | keyword |
-| zeek.socks.request.host | Client requested SOCKS address. Could be an address, a name or both. | keyword |
-| zeek.socks.request.port | Client requested port. | integer |
-| zeek.socks.status | Server status for the attempt at using the proxy. | keyword |
-| zeek.socks.user | Username used to request a login to the proxy. | keyword |
-| zeek.socks.version | Protocol version of SOCKS. | integer |
-
-
-### ssh
-
-The `ssh` dataset collects the Zeek ssh.log file, which contains SSH
-connection data.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| zeek.session_id | A unique identifier of the session | keyword |
-| zeek.ssh.algorithm.cipher | The encryption algorithm in use. | keyword |
-| zeek.ssh.algorithm.compression | The compression algorithm in use. | keyword |
-| zeek.ssh.algorithm.host_key | The server host key's algorithm. | keyword |
-| zeek.ssh.algorithm.key_exchange | The key exchange algorithm in use. | keyword |
-| zeek.ssh.algorithm.mac | The signing (MAC) algorithm in use. | keyword |
-| zeek.ssh.auth.attempts | The number of authentication attemps we observed. There's always at least one, since some servers might support no authentication at all. It's important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey). | integer |
-| zeek.ssh.auth.success | Authentication result. | boolean |
-| zeek.ssh.client | The client's version string. | keyword |
-| zeek.ssh.direction | Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation. | keyword |
-| zeek.ssh.host_key | The server's key thumbprint. | keyword |
-| zeek.ssh.server | The server's version string. | keyword |
-| zeek.ssh.version | SSH major version (1 or 2). | integer |
-
-
-### ssl
-
-The `ssl` dataset collects the Zeek ssl.log file, which contains
-SSL/TLS handshake info.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.ip | All of the IPs seen on your event.
| ip | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. 
| keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country (C) code | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. 
| keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country (C) codes | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country (C) code | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.ssl.cipher | SSL/TLS cipher suite that was logged. | keyword | -| zeek.ssl.client.cert_chain | Chain of certificates offered by the client to validate its complete signing chain. | keyword | -| zeek.ssl.client.cert_chain_fuids | An ordered vector of certificate file identifiers for the certificates offered by the client. | keyword | -| zeek.ssl.client.issuer.common_name | Common name of the signer of the X.509 certificate offered by the client. 
| keyword | -| zeek.ssl.client.issuer.country | Country code of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.issuer.locality | Locality of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.issuer.organization | Organization of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.issuer.organizational_unit | Organizational unit of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.issuer.state | State or province name of the signer of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.common_name | Common name of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.country | Country code of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.locality | Locality of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.organization | Organization of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.organizational_unit | Organizational unit of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.client.subject.state | State or province name of the X.509 certificate offered by the client. | keyword | -| zeek.ssl.curve | Elliptic curve that was logged when using ECDH/ECDHE. | keyword | -| zeek.ssl.established | Flag to indicate if this ssl session has been established successfully. | boolean | -| zeek.ssl.last_alert | Last alert that was seen during the connection. | keyword | -| zeek.ssl.next_protocol | Next protocol the server chose using the application layer next protocol extension. | keyword | -| zeek.ssl.resumed | Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection. 
| boolean | -| zeek.ssl.server.cert_chain | Chain of certificates offered by the server to validate its complete signing chain. | keyword | -| zeek.ssl.server.cert_chain_fuids | An ordered vector of certificate file identifiers for the certificates offered by the server. | keyword | -| zeek.ssl.server.issuer.common_name | Common name of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.country | Country code of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.locality | Locality of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.organization | Organization of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.organizational_unit | Organizational unit of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.issuer.state | State or province name of the signer of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.name | Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting. | keyword | -| zeek.ssl.server.subject.common_name | Common name of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.country | Country code of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.locality | Locality of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.organization | Organization of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.organizational_unit | Organizational unit of the X.509 certificate offered by the server. | keyword | -| zeek.ssl.server.subject.state | State or province name of the X.509 certificate offered by the server. 
| keyword | -| zeek.ssl.validation.code | Result of certificate validation for this connection, given as OpenSSL validation code. | keyword | -| zeek.ssl.validation.status | Result of certificate validation for this connection. | keyword | -| zeek.ssl.version | SSL/TLS version that was logged. | keyword | - - -### stats - -The `stats` dataset collects the Zeek stats.log file, which contains -memory/event/packet/lag statistics. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. 
| keyword | -| log.offset | Offset of the entry in the log file. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.stats.bytes.received | Number of bytes received since the last stats interval if reading live traffic. | long | -| zeek.stats.connections.icmp.active | ICMP connections currently in memory. | integer | -| zeek.stats.connections.icmp.count | ICMP connections seen since last stats interval. | integer | -| zeek.stats.connections.tcp.active | TCP connections currently in memory. | integer | -| zeek.stats.connections.tcp.count | TCP connections seen since last stats interval. | integer | -| zeek.stats.connections.udp.active | UDP connections currently in memory. | integer | -| zeek.stats.connections.udp.count | UDP connections seen since last stats interval. | integer | -| zeek.stats.dns_requests.active | Current number of DNS requests awaiting a reply. | integer | -| zeek.stats.dns_requests.count | Number of DNS requests seen since last stats interval. | integer | -| zeek.stats.events.processed | Number of events processed since the last stats interval. | integer | -| zeek.stats.events.queued | Number of events that have been queued since the last stats interval. | integer | -| zeek.stats.files.active | Current number of files actively being seen. | integer | -| zeek.stats.files.count | Number of files seen since last stats interval. | integer | -| zeek.stats.memory | Amount of memory currently in use in MB. | integer | -| zeek.stats.packets.dropped | Number of packets dropped since the last stats interval if reading live traffic. | long | -| zeek.stats.packets.processed | Number of packets processed since the last stats interval. | long | -| zeek.stats.packets.received | Number of packets seen on the link since the last stats interval if reading live traffic. | long | -| zeek.stats.peer | Peer that generated this log. Mostly for clusters. 
| keyword | -| zeek.stats.reassembly_size.file | Current size of File data in reassembly. | integer | -| zeek.stats.reassembly_size.frag | Current size of packet fragment data in reassembly. | integer | -| zeek.stats.reassembly_size.tcp | Current size of TCP data in reassembly. | integer | -| zeek.stats.reassembly_size.unknown | Current size of unknown data in reassembly (this is only PIA buffer right now). | integer | -| zeek.stats.timers.active | Current number of scheduled timers. | integer | -| zeek.stats.timers.count | Number of timers scheduled since last stats interval. | integer | -| zeek.stats.timestamp_lag | Lag between the wall clock and packet timestamps if reading live traffic. | integer | - - -### syslog - -The `syslog` dataset collects the Zeek syslog.log file which contains -syslog messages. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. 
| keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | -| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.syslog.facility | Syslog facility for the message. | keyword | -| zeek.syslog.msg | The plain text message. | keyword | -| zeek.syslog.severity | Syslog severity for the message. | keyword | - - -### traceroute - -The `traceroute` dataset collects the Zeek traceroute.log file, which -contains traceroute detections. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. 
| keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | - - -### tunnel - -The `tunnel` dataset collects the Zeek tunnel.log file, which contains -tunneling protocol events. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| related.ip | All of the IPs seen on your event. 
| ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.tunnel.action | The type of activity that occurred. | keyword | -| zeek.tunnel.type | The type of tunnel. | keyword | - - -### weird - -The `weird` dataset collects the Zeek weird.log file, which contains -unexpected network-level activity. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. 
| keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. 
| long | -| related.ip | All of the IPs seen on your event. | ip | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.weird.additional_info | Additional information accompanying the weird if any. | keyword | -| zeek.weird.identifier | This field is to be provided when a weird is generated for the purpose of deduplicating weirds. 
The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. | keyword | -| zeek.weird.name | The name of the weird that occurred. | keyword | -| zeek.weird.notice | Indicate if this weird was also turned into a notice. | boolean | -| zeek.weird.peer | The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. | keyword | - - -### x509 - -The `x509` dataset collects the Zeek x509.log file, which contains -X.509 certificate info. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. 
| constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.issuer.country | List of country (C) codes | keyword | -| file.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| file.x509.issuer.locality | List of locality names (L) | keyword | -| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| file.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| file.x509.not_before | Time at which the certificate is first considered valid. | date | -| file.x509.public_key_algorithm | Algorithm used to generate the public key. 
| keyword | -| file.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| file.x509.public_key_size | The size of the public key space in bits. | long | -| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| file.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| file.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| file.x509.subject.country | List of country (C) code | keyword | -| file.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| file.x509.subject.locality | List of locality names (L) | keyword | -| file.x509.subject.organization | List of organizations (O) of subject. | keyword | -| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| file.x509.version_number | Version of x509 format. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| tags | List of keywords used to tag each event. | keyword | -| zeek.session_id | A unique identifier of the session | keyword | -| zeek.x509.basic_constraints.certificate_authority | CA flag set or not. | boolean | -| zeek.x509.basic_constraints.path_length | Maximum path length. | integer | -| zeek.x509.certificate.common_name | Last (most specific) common name. | keyword | -| zeek.x509.certificate.curve | Curve, if EC-certificate. | keyword | -| zeek.x509.certificate.exponent | Exponent, if RSA-certificate. 
| keyword | -| zeek.x509.certificate.issuer.common_name | Common name provided in the certificate issuer field. | keyword | -| zeek.x509.certificate.issuer.country | Country provided in the certificate issuer field. | keyword | -| zeek.x509.certificate.issuer.locality | Locality provided in the certificate issuer field. | keyword | -| zeek.x509.certificate.issuer.organization | Organization provided in the certificate issuer field. | keyword | -| zeek.x509.certificate.issuer.organizational_unit | Organizational unit provided in the certificate issuer field. | keyword | -| zeek.x509.certificate.issuer.state | State or province provided in the certificate issuer field. | keyword | -| zeek.x509.certificate.key.algorithm | Name of the key algorithm. | keyword | -| zeek.x509.certificate.key.length | Key length in bits. | integer | -| zeek.x509.certificate.key.type | Key type, if key parseable by openssl (either rsa, dsa or ec). | keyword | -| zeek.x509.certificate.serial | Serial number. | keyword | -| zeek.x509.certificate.signature_algorithm | Name of the signature algorithm. | keyword | -| zeek.x509.certificate.subject.common_name | Common name provided in the certificate subject. | keyword | -| zeek.x509.certificate.subject.country | Country provided in the certificate subject. | keyword | -| zeek.x509.certificate.subject.locality | Locality provided in the certificate subject. | keyword | -| zeek.x509.certificate.subject.organization | Organization provided in the certificate subject. | keyword | -| zeek.x509.certificate.subject.organizational_unit | Organizational unit provided in the certificate subject. | keyword | -| zeek.x509.certificate.subject.state | State or province provided in the certificate subject. | keyword | -| zeek.x509.certificate.valid.from | Timestamp before when certificate is not valid. | date | -| zeek.x509.certificate.valid.until | Timestamp after when certificate is not valid. | date | -| zeek.x509.certificate.version | Version number. 
| integer | -| zeek.x509.id | File id of this certificate. | keyword | -| zeek.x509.log_cert | Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded Logging of certificate is suppressed if set to F. | boolean | -| zeek.x509.san.dns | List of DNS entries in SAN. | keyword | -| zeek.x509.san.email | List of email entries in SAN. | keyword | -| zeek.x509.san.ip | List of IP entries in SAN. | ip | -| zeek.x509.san.other_fields | True if the certificate contained other, not recognized or parsed name fields. | boolean | -| zeek.x509.san.uri | List of URI entries in SAN. | keyword | - diff --git a/packages/zeek/2.1.0/img/kibana-zeek.png b/packages/zeek/2.1.0/img/kibana-zeek.png deleted file mode 100755 index 20aea6164f..0000000000 Binary files a/packages/zeek/2.1.0/img/kibana-zeek.png and /dev/null differ diff --git a/packages/zeek/2.1.0/img/zeek.svg b/packages/zeek/2.1.0/img/zeek.svg deleted file mode 100755 index 0e346f98c7..0000000000 --- a/packages/zeek/2.1.0/img/zeek.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/zeek/2.1.0/kibana/dashboard/zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/dashboard/zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index 8d5a16ff0b..0000000000 --- a/packages/zeek/2.1.0/kibana/dashboard/zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Overview of Zeek", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":16,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":16,\"x\":16,\"y\":32},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"88dc4f7d-0197-4fbe-98b2
-910ba90cfd2d\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d8bacd97-be31-4300-b5f7-7689d528b9ae\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Destination Geo [Logs Zeek]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"c3374e39-902e-4cc5-90c5-b6a1a3ebfdf2\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATI
C\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR 
data_stream.dataset:zeek.x509)\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Destination Geo [Logs Zeek]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":3.3505,\"lon\":10.89865,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"4e6959b3-e0d0-40dc-aca0-b40adcd088bb\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4e6959b3-e0d0-40dc-aca0-b40adcd088bb\",\"type\":\"map\",\"version\":\"8.0.0\"}]", - "timeRestore": false, - "title": "[Logs Zeek] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-7cbb5410-3700-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "zeek-466e5850-370d-11e9-aa6d-ff445a78330c", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "zeek-649acd40-370d-11e9-aa6d-ff445a78330c", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "zeek-9436c270-370d-11e9-aa6d-ff445a78330c", - "name": "5:panel_5", - "type": "visualization" - }, - { - 
"id": "zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "zeek-e042fda0-370d-11e9-aa6d-ff445a78330c", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "zeek-f8c40810-370d-11e9-aa6d-ff445a78330c", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4e6959b3-e0d0-40dc-aca0-b40adcd088bb:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/zeek/2.1.0/kibana/visualization/zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/visualization/zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index d37e28de1b..0000000000 --- a/packages/zeek/2.1.0/kibana/visualization/zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Network Transport [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Transport [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-1df7ea80-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.1.0/kibana/visualization/zeek-466e5850-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/visualization/zeek-466e5850-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index c80921c34f..0000000000 --- a/packages/zeek/2.1.0/kibana/visualization/zeek-466e5850-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Network Protocols [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Protocols [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-466e5850-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.1.0/kibana/visualization/zeek-649acd40-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/visualization/zeek-649acd40-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index e465c8b637..0000000000 --- a/packages/zeek/2.1.0/kibana/visualization/zeek-649acd40-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Network Traffic Direction [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.direction\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Network Traffic Direction [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-649acd40-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.1.0/kibana/visualization/zeek-9436c270-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/visualization/zeek-9436c270-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index 88a7ac664c..0000000000 --- a/packages/zeek/2.1.0/kibana/visualization/zeek-9436c270-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}" - }, - "title": "Top DNS Domains [Logs Zeek]", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"zeek.dns.query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top DNS Domains [Logs Zeek]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.0.0", - "id": "zeek-9436c270-370d-11e9-aa6d-ff445a78330c", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zeek/2.1.0/kibana/visualization/zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/visualization/zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c.json deleted file mode 100755 index 3b47e2805c..0000000000 --- a/packages/zeek/2.1.0/kibana/visualization/zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c.json +++ /dev/null 
@@ -1,25 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}"
- },
- "title": "Top URL Domains [Logs Zeek]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top URL Domains [Logs Zeek]\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "zeek-bec2f0e0-370d-11e9-aa6d-ff445a78330c",
- "migrationVersion": {
- "visualization": "8.0.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/zeek/2.1.0/kibana/visualization/zeek-e042fda0-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/visualization/zeek-e042fda0-370d-11e9-aa6d-ff445a78330c.json
deleted file mode 100755
index 3c90d1037d..0000000000
--- a/packages/zeek/2.1.0/kibana/visualization/zeek-e042fda0-370d-11e9-aa6d-ff445a78330c.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}"
- },
- "title": "Top SSL Servers [Logs Zeek]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"zeek.ssl.server.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Top SSL Servers [Logs Zeek]\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "zeek-e042fda0-370d-11e9-aa6d-ff445a78330c",
- "migrationVersion": {
- "visualization": "8.0.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/zeek/2.1.0/kibana/visualization/zeek-f469f230-370c-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/visualization/zeek-f469f230-370c-11e9-aa6d-ff445a78330c.json
deleted file mode 100755
index 0dd58c8809..0000000000
--- a/packages/zeek/2.1.0/kibana/visualization/zeek-f469f230-370c-11e9-aa6d-ff445a78330c.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"(data_stream.dataset:zeek.capture_loss OR data_stream.dataset:zeek.connection OR data_stream.dataset:zeek.dce_rpc OR data_stream.dataset:zeek.dhcp OR data_stream.dataset:zeek.dnp3 OR data_stream.dataset:zeek.dns OR data_stream.dataset:zeek.dpd OR data_stream.dataset:zeek.files OR data_stream.dataset:zeek.ftp OR data_stream.dataset:zeek.http OR data_stream.dataset:zeek.intel OR data_stream.dataset:zeek.irc OR data_stream.dataset:zeek.kerberos OR data_stream.dataset:zeek.modbus OR data_stream.dataset:zeek.mysql OR data_stream.dataset:zeek.notice OR data_stream.dataset:zeek.ntlm OR data_stream.dataset:zeek.ocsp OR data_stream.dataset:zeek.pe OR data_stream.dataset:zeek.radius OR data_stream.dataset:zeek.rdp OR data_stream.dataset:zeek.rfb OR data_stream.dataset:zeek.sip OR data_stream.dataset:zeek.smb_cmd OR data_stream.dataset:zeek.smb_files OR data_stream.dataset:zeek.smb_mapping OR data_stream.dataset:zeek.smtp OR data_stream.dataset:zeek.snmp OR data_stream.dataset:zeek.socks OR data_stream.dataset:zeek.ssh OR data_stream.dataset:zeek.ssl OR data_stream.dataset:zeek.stats OR data_stream.dataset:zeek.syslog OR data_stream.dataset:zeek.traceroute OR data_stream.dataset:zeek.tunnel OR data_stream.dataset:zeek.weird OR data_stream.dataset:zeek.x509)\"}}"
- },
- "title": "Destination Geo [Logs Zeek]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"isFilteredByCollar\":true,\"mapCenter\":[0,0],\"mapZoom\":2,\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"dimensions\":{\"geocentroid\":null,\"geohash\":null,\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}},\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Scaled Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"title\":\"Destination Geo [Logs Zeek]\",\"type\":\"tile_map\"}"
- },
- "id": "zeek-f469f230-370c-11e9-aa6d-ff445a78330c",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "namespaces": [
- "default"
- ],
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/zeek/2.1.0/kibana/visualization/zeek-f8c40810-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/2.1.0/kibana/visualization/zeek-f8c40810-370d-11e9-aa6d-ff445a78330c.json
deleted file mode 100755
index 90b14febbe..0000000000
--- a/packages/zeek/2.1.0/kibana/visualization/zeek-f8c40810-370d-11e9-aa6d-ff445a78330c.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{}"
- },
- "title": "Number of Sessions Overtime [Logs Zeek]",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Number of Sessions Overtime [Logs Zeek]\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "zeek-f8c40810-370d-11e9-aa6d-ff445a78330c",
- "migrationVersion": {
- "visualization": "8.0.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/zeek/2.1.0/manifest.yml b/packages/zeek/2.1.0/manifest.yml
deleted file mode 100755
index 4f66bdcf7f..0000000000
--- a/packages/zeek/2.1.0/manifest.yml
+++ /dev/null
@@ -1,102 +0,0 @@ -name: zeek -title: Zeek Logs -version: 2.1.0 -release: ga -description: Collect and parse logs from Zeek network security with Elastic Agent. -type: integration -icons: - - src: /img/zeek.svg - title: zeek - size: 214x203 - type: image/svg+xml -format_version: 1.0.0 -license: basic -categories: [network, monitoring, security] -conditions: - kibana.version: ^8.0.0 -screenshots: - - src: /img/kibana-zeek.png - title: kibana zeek - size: 3530x2414 - type: image/png -policy_templates: - - name: zeek - title: Zeek logs - description: Collect logs from Zeek instances - inputs: - - type: logfile - title: "Collect Zeek logs" - description: "Collects logs from Zeek instances. Supported logs include: capture_loss, connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ntp, ocsp, pe, radius, rdp, rfb, signature, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks, ssh, ssl, stats, syslog, traceroute, tunnel, weird and x509" - vars: - - name: base_paths - required: true - show_user: true - title: Base Path - description: Base paths to zeek log files (eg. /var/log/bro/current) - type: text - multi: true - default: - - /var/log/bro/current - - /opt/zeek/logs/current - - /usr/local/var/spool/zeek - - type: httpjson - title: Collect logs from third-party REST API (experimental) - description: Collect logs from third-party REST API (experimental) - vars: - - name: url - type: text - title: URL of Splunk Enterprise Server - description: i.e. scheme://host:port, path is automatic - show_user: true - required: true - default: https://server.example.com:8089 - - name: username - type: text - title: Splunk REST API Username - show_user: true - required: false - - name: password - type: password - title: Splunk REST API Password - show_user: true - required: false - - name: token - type: password - title: Splunk Authorization Token - description: | - Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..." 
- or "Splunk 192fd3e...". Cannot be used with username - and password. - show_user: true - required: false - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- -owner: - github: elastic/security-external-integrations